Privacy Policy

Last updated: April 4, 2026

This Privacy Policy describes how Kovra ("we", "us", or "our") collects, uses, and protects your personal information when you use the Kovra platform, website, and related services (the "Service").

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). If you join an organization via invitation, we also record your organization membership and role.

Organization and Team Data

We store organization names, team structures, member roles, and invitation records to provide multi-tenant access management.

Cloud Credentials

If you connect cloud provider accounts (AWS, GCP, Azure), we store your credentials encrypted with AES-256-GCM encryption. These credentials are used exclusively to provision and manage infrastructure on your behalf.

Git Integration Data

When you connect GitHub or GitLab accounts via OAuth, we receive and store OAuth tokens (encrypted at rest) and repository metadata. We access your repositories only as authorized by the scopes you grant during the OAuth flow.

Application and Deployment Data

We store application configurations, deployment metadata, pipeline logs, environment variable names (values are encrypted), and Helm release information necessary to operate the Service.

Usage and Billing Data

We meter resource consumption (vCPU, RAM, storage, GPU) for billing purposes. Billing and payment processing is handled by our partner, Polar. We do not store credit card numbers directly.

Monitoring and Logs

When monitoring is enabled, we collect cluster and application metrics (CPU, memory, network, pod status) via VictoriaMetrics. Application logs may be aggregated through Loki if logging is configured. These are used to power dashboards and alerting within the Service.

Technical Data

We automatically collect IP addresses, browser type, and access timestamps when you interact with the Service. This data is used for security, debugging, and service improvement.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Provision and manage Kubernetes clusters, databases, and applications on your behalf
  • Authenticate your identity and enforce access controls via row-level security
  • Process billing and usage-based metering
  • Send transactional notifications (deployment status, alerts, invitation emails)
  • Monitor service health and respond to incidents
  • Enforce our Terms of Service and protect against abuse

3. Data Isolation and Multi-Tenancy

Kovra operates a shared-database, multi-tenant architecture. All tenant data is isolated through PostgreSQL Row-Level Security (RLS) policies, ensuring that each organization can only access its own data. Every authenticated request sets a tenant context at the database session level before any query is executed.

4. Data Storage and Security

  • Database: Your data is stored in PostgreSQL hosted on AWS RDS with encryption at rest and in transit.
  • Secrets: Sensitive values (cloud credentials, OAuth tokens, application secrets) are encrypted using AES-256-GCM with versioned encryption keys.
  • Authentication: JWT-based authentication with access and refresh token rotation.
  • Infrastructure: The platform runs on AWS EKS with TLS termination at the load balancer. All internal service communication uses encrypted channels.

5. BYOC (Bring Your Own Cloud) Data

When using BYOC clusters, your application workloads and data remain in your own cloud accounts. Kovra stores only the metadata required for orchestration (deployment configurations, pipeline status, cluster connectivity information). We do not access or store your application runtime data.

6. Third-Party Services

We share limited data with the following third-party services:

  • Polar: Billing and subscription management. Receives organization identifiers and usage metrics for invoicing.
  • AWS: Infrastructure hosting (EKS, RDS, ECR, Route53). Data is processed within the US East (N. Virginia) region.
  • GitHub / GitLab: Repository access and webhook delivery as authorized by your OAuth grants.
  • SMTP Provider: Email delivery for invitations, password resets, and notification channels.

7. Data Retention

  • Active account data is retained as long as your account is active.
  • After account deletion, data is retained for 30 days to allow recovery, then permanently deleted.
  • Pipeline logs and monitoring metrics are retained based on your plan's retention limits.
  • Billing records are retained as required by applicable tax and financial regulations.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and receive a copy of your personal data
  • Correct inaccurate personal data
  • Request deletion of your personal data
  • Object to or restrict processing of your personal data
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@kovra.dev.

9. Cookies

The Kovra dashboard uses JWT tokens stored in browser local storage for authentication. The marketing website (kovra.dev) uses minimal cookies for essential functionality only. We do not use third-party tracking cookies or advertising pixels.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact us at privacy@kovra.dev.