Privacy Policy

This policy applies when you use Kova through the web app, API, CLI, MCP clients, hosted AI agents, email ingestion, or related support channels. Kova is intended for users who are at least 18 years old. You may not use Kova if you are under 18.

Kova is available globally where use of the service is legally permitted. You are responsible for complying with laws that apply to you.

Account data. We collect the information needed to create, secure, and support your account, including email address, authentication records, subscription state, settings, and messages you send us.

Strategy, portfolio, and upload data. You may submit investment strategies, holdings, cash flows, liabilities, brokerage screenshots, CSV files, PDFs, forwarded emails, notes, prompts, and other portfolio context. Kova stores this information so it can normalize your portfolio, compare it with your strategy, and generate briefs.

Generated content and usage data. Kova stores generated briefs, alignment scores, strategy versions, share settings, product events, device and request metadata, logs, and diagnostic data needed to operate, debug, secure, and improve the service.

API, CLI, OAuth, and MCP data. If you create API tokens or connect Kova to an agent through OAuth or MCP, Kova stores token records, token prefixes, scopes or resource restrictions where applicable, last-used metadata, and related authorization records. Raw API tokens are shown once and can be revoked from settings.

We use your information to provide Kova: save and version strategies, normalize portfolio snapshots, enrich positions with market data, generate briefs, manage account and billing access, support API, CLI, and MCP workflows, answer support requests, monitor reliability, prevent abuse, protect security, and improve the product.

Kova is not a broker, custodian, or financial adviser. We use your data to measure your portfolio against the strategy you wrote, not to place trades or manage assets.

We use service providers to run Kova. They process information only as needed to provide their services to us and to you.

• OpenAI for portfolio normalization, strategy inference, live input extraction, and brief generation. Uploaded PDF and CSV files sent through this workflow are deleted after processing.
• Marketstack for stock and ETF market prices, and CoinGecko for Bitcoin pricing used by manual crypto assets.
• Stripe for checkout, subscriptions, invoices, payment methods, trial and billing status, and billing portal access.
• Mailgun for inbound portfolio email ingestion and transactional email delivery.
• PostHog for product analytics, with event properties designed to avoid personally identifiable information.
• Appsignal and hosting and database infrastructure providers for logs, monitoring, reliability, security, storage, and infrastructure operations.

Kova does not sell or rent personal information. Kova does not share personal information for cross-context behavioral advertising.

Kova uses encryption in transit and at rest, limits access to authorized personnel, and stores API tokens as hashes or digests rather than storing raw token values. No internet service can be guaranteed perfectly secure, but we work to protect your information using reasonable technical and organizational safeguards.

We keep account, strategy, portfolio, and brief data while your account is active or as needed to provide the service, meet legal obligations, resolve disputes, secure Kova, and maintain business records.

Kova also applies product-specific retention windows: inbound emails are retained for 30 days, public brief and portfolio report links expire after 90 days, generated briefs older than 90 days are cleaned up, and run records expire after 1 year.

If you ask us to delete your account, we will process the request within 30 days unless we need to retain certain records for billing, security, legal, or operational reasons. Deleted data may remain in backups and security logs for up to 90 days.

You can edit or delete strategies and portfolio inputs inside Kova, revoke API and MCP tokens from settings, stop sharing public links, manage billing through Stripe, and request account deletion by contacting us.

Privacy Mode masks portfolio details in the web UI. It does not change how Kova stores, processes, or protects your data.

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of certain personal information. You may also have the right to appeal a privacy decision or complain to a data protection authority. To make a request, contact us at info@kovatools.com.

When you connect an external AI agent or hosted MCP client, that client may send strategy, portfolio, and brief data to Kova at your direction and may receive Kova results back. Review the privacy terms of any external client you connect.

Questions or requests about privacy can be sent to info@kovatools.com. These practices work alongside the Terms of Service.