Skip to Content

Privacy Policy

Kovoco Inc. Privacy PolicyWho we areWhat information we collectHow we use information (purposes & legal bases)Cookies and similar technologies How we share informationData protection & securityInternational transfersData retentionYour privacy rightsThird-party linksChanges to this PolicyContact usCalifornia & Virginia disclosures (if applicable)Children’s privacyHow to reach our security team

Kovoco Inc. Privacy Policy

Effective date: October 9, 2025

This Privacy Policy explains how Kovoco Inc. (“Kovoco,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you visit our website, use our services, or otherwise interact with us.

We are committed to protecting your privacy and handling personal information responsibly, in line with applicable laws, including (as applicable): the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), and other state laws such as those in Colorado, Utah, and Connecticut. 

Who we are

 Controller: Kovoco Inc. Business purpose: Audit evidence collection and compliance support for SQL Server environments. Contact: privacy@kovoco.com (recommended) Postal: [Add your mailing address]


What information we collect

We collect information in three ways: you provide it, it’s collected automatically, or we receive it from third parties.

A. Information you provide

  • Account & contact details: name, email, phone, company, job title.

  • Support & communications: messages, tickets, meeting notes, survey responses.

  • Contract and billing: purchase orders, invoices, billing addresses (Kovoco does not process card numbers directly unless stated; payments are handled by a PCI-compliant third-party processor, and we receive only a tokenized identifier and transaction details).

B. Information collected automatically (website & services)

  • Usage and device data: IP address, browser type, pages viewed, timestamps, referring URLs, operating system, unique device identifiers.

  • Telemetry & logs: service diagnostics, authentication logs, error reports (e.g., from Microsoft Azure/Log Analytics), security alerts (e.g., Microsoft Defender).

  • Location data: General (non-precise) location derived from your IP address to provide regional services and comply with legal requirements.

C. Information from third parties

  • Business contacts (e.g., partner referrals, joint marketing initiatives), and systems you connect to Kovoco’s services (e.g., identity providers or Microsoft 365 tenants, from which we may receive user attributes like name and email).

  • Publicly available sources: Professional information (e.g., company, title) from business databases or social media for B2B outreach and lead generation.

We do not knowingly collect information from children under 13, and our services are intended for business users.


How we use information (purposes & legal bases)

We use personal information for the following specific purposes:

PurposeLegal Basis (GDPR/UK GDPR)Additional Context
Provide and improve servicesPerformance of a ContractFulfilling our contractual obligations and ensuring service quality.
Authenticate users and secure accountsLegitimate Interests; Compliance with Legal ObligationMaintaining security, integrity, and preventing unauthorized access.
Support, respond, and communicatePerformance of a Contract; Legitimate InterestsResponding to inquiries, processing requests, and providing technical support.
Operate our website and analyze performanceConsent where required; Legitimate InterestsFor essential functions, and non-essential analytics where you have consented.
Comply with laws and enforce termsLegal Obligations; Legitimate InterestsMeeting regulatory obligations (e.g., financial reporting) and protecting our rights.
Marketing (limited, B2B)Legitimate Interests (Soft Opt-in); ConsentSending product updates, news, and relevant information to B2B contacts. You can opt out anytime.
Auditing and ReportingLegitimate Interests; Legal ObligationsGenerating audit evidence for our customers and internal compliance (e.g., SOC 2).



Cookies and similar technologies

 We use cookies and similar technologies (like web beacons and pixels) to run the site, understand usage, and, with your consent, for advertising.

  • Strictly necessary: Essential for site functionality, security, authentication, and load-balancing. These are always active.

  • Analytics: Measuring visits, traffic sources, and performance (e.g., using privacy-friendly configurations of tools like Google Analytics).

  • Functional: To remember your preferences (e.g., language or region).

  • Marketing/Advertising (if enabled): To measure engagement with our content and deliver targeted marketing messages on other platforms.

You can control cookies via our cookie banner and your browser settings. You can withdraw non-essential cookie consent at any time. Some features may not function without essential cookies.


How we share information

 We may share personal information with the following categories of recipients:

  • Service providers / Processors (e.g., Microsoft Azure, Microsoft 365, HubSpot, payment processors) for hosting, identity, logging, security monitoring, and marketing purposes. They are contractually obligated to protect data and use it only for the purposes we specify.

  • Professional advisors (legal, accounting) and auditors (SOC 2).

  • Authorities when required by law or to protect our rights (e.g., subpoenas, court orders).

  • Business transfers (merger, acquisition, asset sale) with appropriate confidentiality and protection safeguards.

We do not sell personal information (as defined under CCPA). We will also not "share" personal information for cross-context behavioral advertising (CPRA) unless you are provided a clear and easily accessible “Do Not Sell or Share My Personal Information” option.


Data protection & security

We implement administrative, technical, and physical safeguards consistent with SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, and Privacy) to protect the personal information we hold.

Our security measures include:

  • Multi-Factor Authentication (MFA) and role-based access control via Microsoft Entra ID (Azure AD).

  • Principle of Least Privilege: Regular access reviews and rapid offboarding processes.

  • Monitoring: Continuous logging and alerting for security events (Microsoft Defender, Azure Log Analytics).

  • Encryption: Strong encryption in transit (TLS/SSL) and at rest for supported services and data stores.

  • Vendor Management: Due diligence and contractual confidentiality obligations with all subprocessors.

  • Incident Response: A formal plan to address security breaches.

No Internet transmission is 100% secure; while we work diligently to protect your data, we cannot guarantee absolute security.


International transfers

Your personal information may be stored and processed in any country where we have facilities or engage service providers. This includes transfer to the United States.

If your data is transferred outside your country (e.g., from the EU/UK to the US), we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission or the UK equivalent.

  • Adherence to the EU-U.S. Data Privacy Framework, where applicable.

Contact us for a copy of the safeguards relevant to your data.


Data retention

 We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Providing services to you;

  • Meeting legal, tax, accounting, audit, and compliance obligations (e.g., SOC 2 evidence retention);

  • Resolving disputes and enforcing our agreements.

Retention periods vary by data type and legal requirements. When we no longer need the information, we will securely delete or anonymize it.


Your privacy rights

Depending on your location and the applicable laws, you may have the following rights regarding your personal information:

  • Access/Know (what we hold, how we use and share it).

  • Correction/Rectification (update inaccuracies).

  • Deletion/Erasure (erase data, subject to exceptions).

  • Data Portability (receive a copy in a usable, electronic format).

  • Opt-out of the processing of personal information for purposes of targeted advertising or certain types of profiling (CPRA/VCDPA/Colorado/Connecticut).

  • Limit Use and Disclosure of Sensitive Personal Information (CPRA).

  • Object or Restrict certain processing (GDPR/UK GDPR).

  • Withdraw Consent (where processing is based on consent).

How to exercise rights

Email privacy@kovoco.com with your request. We will take steps to verify your identity and respond within the applicable timeframe (generally 45 days under CCPA/CPRA/VCDPA; 30 days under GDPR/UK GDPR, extendable where permitted). We will not discriminate against you for exercising your rights.

We honor opt-out preference signals, such as the Global Privacy Control (GPC), where legally required.

Virginia Residents: If we deny your request, you may have the right to appeal our decision by emailing us at the same address.


Third-party links

Our website may contain links to third-party websites, products, or services. We are not responsible for the privacy practices or the content of these third-party sites. Those sites have their own privacy policies; please review them.


Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. The “Effective date” at the top shows the latest revision. Significant changes will be highlighted on our website or communicated to you via email when appropriate.


Contact us

Email: privacy@kovoco.com Postal: [Add address] If you are in the EU/UK: You have the right to lodge a complaint with your local data protection authority.


California & Virginia disclosures (if applicable)

Sales and Sharing: We do not sell personal information, and currently do not share personal information for cross-context behavioral advertising.

Categories of Personal Information Collected and Disclosed: In the past 12 months, the categories of personal information collected include:

  • Identifiers: Name, email, IP address, unique device identifiers.

  • Commercial Information: Records of products or services purchased.

  • Internet/Network Activity: Browsing history, search history, information regarding a consumer’s interaction with an Internet Website or application (usage logs).

  • Professional or Employment Information: Job title, company name.

Purpose of Collection and Disclosure: We collect and disclose these categories to operate, manage, and maintain our business, to provide our services, and to accomplish our business purposes as detailed in Section 3.

Recipients: We disclose these categories to our service providers/processors and professional advisors, subject to contractual restrictions, as detailed in Section 5.

Sensitive Personal Information (SPI): We may collect authentication data (e.g., password hash, token) which is considered SPI under CPRA. We only use this SPI to perform our services (e.g., account authentication and security) and do not use it to infer characteristics about consumers. Therefore, a "Limit Use" right is not required.

Virginia Residents: Virginia residents may opt out of targeted advertising and profiling in furtherance of decisions that produce legal or similarly significant effects (see Section 9).


Children’s privacy

Our services and website are not directed to children under the age of 13. If you believe a child under 13 has provided us with personal information, please contact us immediately so we can take appropriate steps to remove the information.


How to reach our security team

For security questions or to report a vulnerability, contact security@kovoco.com.