Privacy Policy | KOVA Ltd, GDPR Compliant

Privacy Policy

Last updated: 11 April 2026 · UK GDPR compliant

1. Who We Are

KOVA Ltd ("KOVA", "we", "us", "our") is the data controller responsible for your personal information when you use this website. We are a company registered in England & Wales (Company No. 15847291) with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

2. Information We Collect

Information you provide to us: name, email address, shipping and billing address, phone number, and payment details — collected when you create an account, place an order, subscribe to our newsletter, or contact our support team.

Information we collect automatically: IP address, browser type and version, device type, operating system, referring URL, pages visited, time and date of visit, time spent on pages, and click data. This is collected via cookies and similar tracking technologies described in Section 5.

Information from third parties: if you log in via Google Pay or Apple Pay, we may receive limited identifying data from those services strictly to process your purchase.

3. How We Use Your Information & Legal Basis

We process your personal data on the following legal bases under UK GDPR Article 6:

Performance of a contract: to process and fulfil your orders, deliver products, send order confirmations and shipping updates, and handle returns and refunds.

Legitimate interests: to operate and improve our website, prevent fraud, secure our systems, analyse aggregated traffic patterns, and provide customer support.

Consent: to send you marketing emails about new products and promotions (you can withdraw consent any time via the unsubscribe link in any email), and to set non-essential cookies described below.

Legal obligation: to comply with UK tax, accounting and consumer protection laws (e.g. retention of order records for HMRC).

4. Who We Share Your Data With (Data Processors)

We share your personal data only with carefully selected service providers who help us operate our business. All processors are bound by Data Processing Agreements compliant with UK GDPR Article 28:

  • Whop, Inc. (United States) — payment processing. PCI-DSS Level 1 compliant. Receives: name, email, billing address, card details (tokenised, never seen by KOVA).
  • Klaviyo, Inc. (United States) — email marketing & transactional emails. Receives: name, email, order history, browsing behaviour.
  • Supabase, Inc. (United States) — database hosting (orders, customers). EU region servers.
  • Vercel, Inc. (United States) — website hosting and CDN.
  • Cloudflare, Inc. (United States) — DDoS protection and edge caching.
  • Google LLC (United States) — Google Maps autocomplete for shipping addresses.
  • Shipping carriers: CTT Expresso (Portugal), Royal Mail (UK), DPD, FedEx, USPS — receive shipping address and contact details only.

For transfers of personal data outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO.

We do not sell, rent or trade your personal information to any third party for their own marketing purposes.

5. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your browsing experience, remember your preferences, secure your session, and understand how you use our site.

Strictly necessary cookies: required for the website to function — shopping cart contents, checkout session, security tokens, fraud prevention. These cannot be disabled.

Analytics cookies: help us understand visitor behaviour anonymously. We use first-party analytics and aggregated session data only.

Marketing cookies: used to measure the effectiveness of our advertising campaigns and to show you relevant ads on other sites you visit. Set only with your consent.

You can manage your preferences at any time via the cookie banner or your browser settings. Disabling non-essential cookies will not affect your ability to browse or place orders, but may affect personalisation.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes set out above:

  • Order data: 7 years (UK HMRC tax law requirement)
  • Account data: until you request deletion, or 3 years of inactivity
  • Marketing data: until you unsubscribe, then a suppression list is kept indefinitely to honour your opt-out
  • Analytics data: 26 months in aggregated form
  • Support enquiries: 2 years after resolution

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct any inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests, or to direct marketing at any time
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time

To exercise any of these rights, email orders@kovaeu.com with the subject "Data Subject Request". We will respond within 30 days as required by UK GDPR.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113.

8. California Residents (CCPA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information.

KOVA does not sell your personal information. To exercise your CCPA rights, contact orders@kovaeu.com with "California Privacy Request" in the subject line.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including: 256-bit SSL encryption for all data in transit, tokenised payment processing (we never store card numbers), restricted access controls, regular security audits, and incident response procedures. In the unlikely event of a data breach, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.

10. Children's Privacy

KOVA does not knowingly collect personal data from children under 16. If you believe we have collected data from a minor, please contact us immediately at orders@kovaeu.com and we will delete the information.

11. Contact Us

For any questions about this Privacy Policy or your personal data, contact us at orders@kovaeu.com or write to:

KOVA Ltd
71-75 Shelton Street
Covent Garden, London, WC2H 9JQ
United Kingdom