Privacy Policy

Your privacy matters to us

Effective 16 April 2026

WE DO NOT SELL YOUR DATA

Not now. Not ever. Your data belongs to you. Kovira does not sell, rent, trade, or otherwise disclose your personal information or your organisation's data to third parties for their commercial purposes. We do not participate in data brokering, behavioural advertising, or cross-site tracking. Your configuration items, incidents, documents, and audit trails exist to serve you and your team - nobody else.

1. Who we are

Kovira is operated by Kovira.app ("we", "us", "our"). We are the data controller (under GDPR) and APP entity (under the Australian Privacy Act 1988) responsible for the personal information we collect through kovira.app and the Kovira platform.

If you have questions about this policy or want to exercise your privacy rights, contact us at privacy@kovira.app.

2. What personal information we collect

We collect personal information in the following categories:

2.1 Account information

When you create a Kovira account, we collect your full name, email address, and the organisation name you provide during onboarding. If you sign in via Microsoft Entra ID (Single Sign-On), we receive your name, email, and directory identifier from Microsoft.

2.2 Authentication and security data

We collect information necessary to secure your account: hashed password credentials (we never store passwords in plain text), MFA enrolment status, TOTP factor identifiers, session tokens, and the IP address and user agent string of every sign-in attempt (successful or failed). This data is recorded in a tamper-proof audit trail that cannot be modified or deleted.

2.3 Configuration data you enter

Kovira is a configuration management database. The data you enter - devices, networks, services, people, contracts, incidents, documents, passwords, and all other configuration items - is your data. We process it only to provide and improve the service. We do not read, mine, or analyse the content of your configuration items for any purpose other than delivering the features you use.

2.4 Usage and technical data

When you use the platform, we collect technical information including your IP address, browser type, operating system, device type, referring URL, pages visited, and interaction timestamps. This data is used for security (rate limiting, abuse detection), operational monitoring, and, if you consent, anonymised analytics.

2.5 Cookie data

We use cookies as described in section 7 of this policy. Essential cookies are set automatically; analytics cookies require your explicit consent.

3. Why we collect it and our legal basis

Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your personal information:

  • Performance of a contract (Article 6(1)(b)): Processing your account information, authentication data, and configuration data is necessary to provide the Kovira platform and fulfil our service agreement with you.
  • Legitimate interests (Article 6(1)(f)): We process technical and usage data for security (preventing fraud, detecting abuse, protecting our infrastructure) and for improving the service. Our legitimate interest does not override your rights - we collect only what is necessary and never use this data for profiling or targeted advertising.
  • Consent (Article 6(1)(a)): We set analytics cookies only with your explicit, informed consent. You can withdraw consent at any time by clearing the kovira_consent cookie or by contacting us.
  • Legal obligation (Article 6(1)(c)): We may process data when required by law, regulation, or lawful government request.

Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), we collect personal information only when it is reasonably necessary for our functions (APP 3), we notify you of collection (APP 5), and we use it only for the purpose for which it was collected or a directly related secondary purpose (APP 6).

4. Who we share your data with

We share your data only with the following categories of recipients, and only to the extent necessary to operate the service:

  • Infrastructure providers: Supabase (database hosting, authentication, file storage), Vercel (application hosting, edge network). These providers process data on our behalf under data processing agreements.
  • Analytics (consent-dependent): If you accept analytics cookies, anonymised page-view data is processed by Vercel Web Analytics. No personal identifiers are included.
  • Payment processor: If you subscribe to a paid plan, Stripe processes your payment information. We do not store your credit card number, CVV, or full card details on our servers.
  • Transactional email: Resend delivers our transactional emails (account confirmations, password resets, notification digests, workflow alerts you have opted into). The email body and recipient address transit Resend; the message body itself is not stored on Resend's servers beyond the deliverability window required to handle bounces and retries.
  • Mailbox monitoring (optional): If you connect a Microsoft 365 mailbox to Kovira for ticket ingestion, Microsoft Graph delivers messages to Kovira via authenticated webhooks. The monitoring is scoped to the specific mailboxes you authorise.

We do not share your data with advertisers, data brokers, social media platforms, or any other third party for their own commercial purposes. We do not participate in any data marketplace or data exchange.

5. International data transfers

Kovira's infrastructure spans multiple regions. Your data may be processed in Australia, the United States, and the European Union depending on which Supabase and Vercel regions serve your requests.

For transfers from the EEA to countries without an EU adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Our infrastructure providers (Supabase and Vercel) maintain their own GDPR compliance documentation including SCCs and, where applicable, supplementary measures.

For transfers of Australian personal information, we comply with APP 8 (cross-border disclosure) by ensuring that overseas recipients are bound by obligations substantially similar to the APPs.

6. How long we keep your data

  • Account data: Retained for as long as your account is active. If you delete your account or your organisation's workspace is deleted, personal data is permanently removed within 30 days. Backup copies are purged within 90 days.
  • Audit trail: Authentication events (sign-ins, password resets, MFA verifications) and platform actions (CI changes, incident updates, workflow executions) are retained in the audit log for the lifetime of the workspace. This is a compliance feature - the audit trail is designed to be permanent and tamper-proof.
  • Analytics data: Anonymised page-view data retained by Vercel Web Analytics is governed by Vercel's data retention policy. No personal identifiers are stored.
  • Cookie consent preference: The kovira_consent cookie is retained for 12 months, after which you will be asked again.

7. Cookies

Kovira uses cookies in two categories:

7.1 Essential cookies (always active)

These cookies are strictly necessary for the platform to function. They cannot be disabled. Under GDPR Article 5(3) and the ePrivacy Directive, consent is not required for cookies that are strictly necessary for the service explicitly requested by the user.

Essential cookies used by Kovira

Cookie                  Purpose                              Duration
sb-*                    Supabase authentication session      Session / refresh
kovira_active_tenant    Active workspace selection           Session
kovira_active_customer  Active client context (MSP)          Session
kovira_theme            Colour theme preference              1 year
kovira_cb               Colour vision accessibility mode     1 year
kovira_ts               Text size preference                 1 year
kovira_ap               Animation/motion preference          1 year
kovira_consent          Records your cookie consent choice   1 year

7.2 Analytics cookies (consent required)

These cookies are set only if you click "Accept all" on the cookie consent banner. They collect anonymised, aggregated page-view data through Vercel Web Analytics. No personal identifiers, IP addresses, or cross-site tracking data are included. You can withdraw consent at any time by clearing your cookies or contacting us.

8. How we protect your data

We implement multiple layers of security to protect your personal information and your organisation's data:

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Multi-tenant data isolation ensures that each organisation's data is fully separated at every layer of the platform. No organisation can access another's data under any circumstances.
  • All user actions are recorded in a tamper-proof audit trail with actor, action, timestamp, IP address, and user agent.
  • Role-based access control (RBAC) restricts what each user can see and do based on their assigned role.
  • Multi-factor authentication (TOTP) is supported and can be enforced at the workspace level.
  • Rate limiting and brute-force protection are applied to all authentication endpoints.
  • Passwords stored in the password vault are encrypted separately and never exposed in logs or audit entries.
  • Security headers (CSP, HSTS, CORP, COOP, X-Frame-Options) are applied to every response.

9. Your rights

9.1 Under the GDPR (EEA residents)

If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:

  • Right of access (Article 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): Request correction of inaccurate personal data.
  • Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Article 18): Request restriction of processing in certain circumstances.
  • Right to data portability (Article 20): Receive your personal data in a structured, machine-readable format.
  • Right to object (Article 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Article 7(3)): Withdraw consent for analytics cookies at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority.

9.2 Under the Australian Privacy Act (Australian residents)

If you are in Australia, you have the following rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles:

  • Access (APP 12): Request access to the personal information we hold about you.
  • Correction (APP 13): Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Complaint (APP 1): Lodge a complaint about our handling of your personal information. We will investigate and respond within 30 days.
  • OAIC complaint: If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9.3 Exercising your rights

To exercise any of the above rights, email privacy@kovira.app with your request. We will verify your identity before processing any request and respond within 30 days (or sooner if required by applicable law). There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

10. Children's privacy

Kovira is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@kovira.app and we will delete it promptly.

11. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by updating the effective date at the top of this page and, where appropriate, by email or in-platform notification. We encourage you to review this policy periodically.

12. Contact us

If you have questions, concerns, or requests related to this privacy policy or your personal data, contact us at:

privacy@kovira.app

For GDPR-specific enquiries, you may also contact our data protection point of contact at the same email address.