Short summaries up top, full legal language in each section. Last reviewed [PLACEHOLDER LAST_REVIEWED_DATE, e.g. June 5, 2026].
Account details you give us, the medications and appointments and notes you choose to add, and basic technical logs that keep the service running.
[PLACEHOLDER WHAT_WE_COLLECT]
Final legal description of every data category Kova collects. Cover: account identifiers (email, password hash via Supabase auth), profile data (treatment path), health data the user voluntarily enters (medications, doses, dose-taken logs, appointments, prep checklists, journal entries with symptoms and mood, insurance policy data, questions for the doctor, cycle data, embryo data, documents the user uploads, surrogacy or donor match data, expenses). Cover technical data: IP addresses captured in Supabase logs, request logs, error telemetry. Disclose retention windows for each category.
Your data lives on Supabase's managed Postgres database in the United States. Both transport (HTTPS/TLS) and storage are encrypted. Row-level security policies in our database ensure one user cannot read another user's rows.
[PLACEHOLDER STORAGE_AND_SECURITY]
Final legal description of the security posture. Cover: Supabase as the hosting provider with link to their security page, AWS underlying infrastructure, encryption at rest details (AES-256), TLS version for in-transit, Row Level Security policies, authentication via Supabase Auth, password hashing standard, MFA availability, audit logging, incident-response commitments, breach-notification timeline (state-law dependent), regular security reviews. Acknowledge that no system is 100 percent secure and that the user accepts that inherent risk.
You. Authorized Kova staff with a documented operational reason (debugging an issue you reported, for example). Service providers we rely on to deliver the service.
[PLACEHOLDER ACCESS_CONTROLS]
Final legal language on internal access controls, the principle of least privilege, employee onboarding/offboarding, and the full list of third-party subprocessors with their roles. As of now, subprocessors include: Supabase (database, auth, storage), Netlify (web hosting and CDN), and any payment processor when Stripe is wired up. List each with link to their privacy and security pages. Commit to notifying users (or posting an update) when a new subprocessor is added.
We do not sell your personal information. We do not share it with advertisers, brokers, or third parties for their marketing.
[PLACEHOLDER NO_SALE_NO_SHARE_ADS]
Final legal version stating no sale of personal information under CCPA/CPRA and equivalent state-level frameworks (Virginia CDPA, Colorado CPA, Connecticut CTDPA, etc.), no sharing for cross-context behavioral advertising, no use of health data for advertising profiling. Note that this is a permanent product commitment.
Open Settings and use the Delete account section. We permanently delete your account and the rows associated with it. Deletion is final and cannot be undone.
[PLACEHOLDER DELETION_RIGHTS]
Final legal language on deletion rights under CCPA/CPRA and equivalent frameworks, GDPR right-to-erasure for EU users, specific deletion timeline commitment (e.g. within 30 days), confirmation that backups containing the data are also purged within a stated window, exceptions where Kova must retain certain records (legal hold, fraud, financial recordkeeping), and a contact path to exercise the right (deletion via Settings is the primary path; email path as fallback).
Depending on where you live, you may have additional rights to access, correct, port, or restrict the use of your data. We will honor these requests within applicable timelines.
[PLACEHOLDER USER_RIGHTS]
Final legal enumeration of access, correction, portability, opt-out, and restriction rights by jurisdiction. CCPA/CPRA specifics, the GDPR enumeration for EU users (if Kova chooses to serve EU users), and a designated contact for rights requests. Decide whether Kova will serve EU users and how.
[PLACEHOLDER CHILDREN]
Final legal version. Kova's default position should be that it is not directed to children under 13 (or 18, depending on App Store category) and does not knowingly collect data from them. Set the age threshold to align with the App Store age rating chosen at submission.
We'll update this page when our practices change. The Last reviewed date at the top reflects the most recent change.
[PLACEHOLDER CHANGES]
Final legal version on how material changes are communicated (in-app banner, email to active users, both), and the timeline between notice and effective date.
Questions about this policy or your data go to hello@heykova.co.
[PLACEHOLDER CONTACT_AND_ENTITY]
Final legal version with: the full corporate entity name operating Kova, registered business address, contact email, and an EU representative if one is required for EU users.
Kova is a wellness and organization tool. It helps you track and organize the medications, appointments, paperwork, and questions that come with fertility treatment. Kova does not diagnose, treat, or provide medical advice. Always follow the exact instructions from your clinic.