Privacy Policy

Personal information you provide: email addresses, usernames, passwords, contact preferences, and authentication data. We do not process sensitive personal information.

Social login data: If you register using Google, we collect your name and email address from Google. We never see your Google password.

Automatically collected: IP address, browser and device characteristics, operating system, language preferences, referring URLs, and usage information. We also collect information through cookies; see our Cookie Policy.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We process your personal information to facilitate account creation and authentication, deliver services, respond to support requests, send administrative notices, prevent fraud and abuse, and improve the product through usage analysis.

EU / UK users: We rely on Consent, Performance of a Contract, Legitimate Interests, Legal Obligations, and Vital Interests under the GDPR and UK GDPR.

Canada users: We process information based on express or implied consent, and in exceptional cases as permitted by applicable law.

We share data only with vendors performing services on our behalf: MongoDB Atlas (database), Stripe (billing), Google Sign-In (authentication), and Resend (email delivery). We do not sell data or share it for advertising.

We may also share information in connection with business transfers or acquisitions, with prior notice to workspace owners.

We use cookies to maintain security and keep you signed in. We also use PostHog for product analytics. See our Cookie Policy for the full list.

When you register or log in with Google, we receive your name and email. We use this only to create and maintain your Koven account, as described in this policy.

Our servers are located in the United States. If you are in the EEA, UK, or Switzerland, your data may be transferred to the US. We use the European Commission's Standard Contractual Clauses to ensure such transfers meet GDPR requirements.

We keep your personal information for as long as you have an active account. When your account is deleted, we delete or anonymise your information within 30 days, except where we are required by law to retain it longer.

We use bcrypt password hashing, httpOnly cookies, HTTPS across all endpoints, rate limiting on auth routes, CSRF protection, and input sanitisation. No transmission over the Internet is 100% secure, but we maintain industry-standard protections.

We do not knowingly collect data from children under 18. If you become aware that a minor has provided us with personal data, contact privacy@koven.page and we will delete it.

Depending on your location, you may have the right to access, correct, delete, or port your personal information. To exercise these rights, visit your account settings or email privacy@koven.page. We respond within 30 days.

EU / UK users may lodge a complaint with their local data protection authority. To withdraw consent, contact us or update your preferences in account settings.

We do not currently respond to DNT browser signals, as no uniform technical standard has been finalised.

Residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have rights including: right to know, access, correct, delete, obtain a copy, and opt out of targeted advertising.

Data we collect: identifiers (yes), internet activity (yes), geolocation data (yes). All other categories: no. Identifiers are kept while your account is active; internet activity and geolocation are retained for 6 months.

California Shine the Light: we do not share data with third parties for direct marketing.

We will notify workspace owners by email at least 14 days before any material change takes effect.