Privacy policy
Draft pending legal review before publication. Drawn up in accordance with Articles 12 to 14 of the GDPR.
Data controller
The data controller is [operating entity legal name] (“Kovant”),
[registered-office address]. Dedicated data-protection contact: dpo@kovant.eu.
Kovant acts as a data controller for account and billing data, and as a data
processor for the data you host in our managed services (the data-processing
agreement governs that relationship).
Purposes, lawful bases and retention periods
| Processing | Purpose | Lawful basis (Art. 6) | Retention |
|---|---|---|---|
| Account & authentication | Manage portal access | Contract performance 6(1)(b) | Account lifetime + 12 months |
| Billing & payment | Issue invoices, collect payment | Legal obligation 6(1)(c) + contract | 10 years (accounting obligation) |
| Support / tickets | Handle requests | Contract performance 6(1)(b) | Contract term + 3 years |
| Prospecting / leads | Respond to sales enquiries | Legitimate interest 6(1)(f) / consent | 3 years after last contact |
| Audience measurement | Pseudonymous statistics | Consent 6(1)(a) where cookies are not exempt | 13 months (cookies) / 25 months (data) |
| Security & logs | Detect abuse and intrusion | Legitimate interest 6(1)(f) | 12 months |
| Newsletter / marketing | Communications | Consent 6(1)(a) | Until withdrawal + proof of consent |
Recipients and sub-processors
Your data is accessible only to authorised Kovant staff and a small number of sub-processors: Hetzner / EU hosts (infrastructure), Stripe (payment), Cloudflare (DNS, TLS, anti-DDoS) and, where applicable, an email-delivery provider. The current list is on the sub-processors page. In line with our sovereignty pillar, we minimise the number of sub-processors and prefer self-hosting in the EU.
Transfers outside the EU
Primary and backup data stay within the European Union. The rare flows to providers with processing in the United States (Stripe, Cloudflare) are governed by the European Commission’s standard contractual clauses (SCCs).
Your rights
You have the rights of access, rectification, erasure, restriction, portability and
objection, as well as the right to set post-mortem directives. You can exercise them
yourself from your client area (/account/privacy) or by writing to
dpo@kovant.eu. We respond within one month (extendable to three months for complex
requests, with notice). You also have the right to lodge a complaint with the French
data-protection authority (CNIL).
Automated decision-making
Kovant makes no decision based solely on automated processing that produces legal effects concerning you.
Cookies
The use of cookies and trackers is detailed in the cookie policy.
Security
We implement appropriate technical and organisational measures: encryption at rest and in transit, tenant isolation, access control, hardening, monitoring and encrypted backups in the EU.
Changes
This policy may be updated. The last-reviewed date is shown at the top of the page; any material change is brought to your attention.