Privacy Policy
Kova ("we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and applicable Irish data protection law.
By creating an account you confirm that you have read and understood this policy. If you do not agree, please do not use the platform.
1. Who we are
Kova is the data controller for personal data collected through this platform. If you have questions about how we handle your data, contact us at privacy@kova.work.
2. Data we collect
All users
- Email address and password (via Supabase Auth)
- Account creation timestamp and login events
- IP address and browser/device metadata (collected by Supabase infrastructure)
Workers
- Full name, trade, headline, biography, skills, languages
- Location (city and country), nationality
- Years of experience, profile photo
- Availability date, willingness to relocate, preferred countries
- Expected pay range
- Work experience history and certifications (including certification documents you upload)
- Verification documents (trade certificates, identity documents) — see §4 below
- CVs you upload for sharing in conversations
Employers
- Company name, industry, size, location, website, company description, logo
- Business registration and trade licence documents for verification
- Job listings you post
3. Sensitive health data
This section explains how we handle health and medical information, which is a special category of personal data under GDPR Article 9.
Certain roles in the construction and trades sector require workers to hold medical fitness certificates, drug and alcohol clearance results, or occupational health assessments as a condition of employment. Kova provides an optional upload field for these documents so workers can share them with employers as part of their application.
What we collect: Medical or health-related documents that you voluntarily upload, such as fitness-to-work certificates, occupational health reports, or medical clearance letters.
Legal basis: Explicit consent under GDPR Article 9(2)(a). You will be asked to give separate, specific consent before uploading any health document. You may withdraw this consent at any time by deleting the document from your profile.
Who can see it:
- You, at all times
- Kova administrators, for platform moderation and verification only
- Verified employers, but only if you explicitly share the document with them within a conversation — health documents are never automatically visible to employers
Retention: We retain health documents for as long as your account is active. If you delete a document, it is permanently removed from our storage within 30 days. If you delete your account, all health data is deleted within 30 days.
No profiling: We do not use health data for automated profiling, matching decisions, or any purpose other than what you explicitly consent to.
4. Legal bases for processing
- Contract — processing your profile and job-matching data to provide the service you signed up for (GDPR Art. 6(1)(b))
- Legitimate interests — fraud prevention, platform security, and improving the service (GDPR Art. 6(1)(f))
- Legal obligation — complying with applicable law, including tax and employment law where relevant (GDPR Art. 6(1)(c))
- Consent — processing sensitive health data (GDPR Art. 9(2)(a)), and sending optional marketing communications
5. Verification documents
When you submit documents for verification (trade certificates, ID documents, or employer business registration), those documents are stored in a private, access-controlled storage bucket. They are:
- Reviewed only by Kova administrators
- Never shared with employers or other workers
- Retained while your account is active and for up to 12 months after account closure to comply with anti-fraud obligations
Your consent to upload verification documents is recorded with a timestamp at the time of upload and stored alongside the document record.
6. How we share data
We do not sell your personal data. We share data only in the following circumstances:
- Between workers and employers — your public profile (name, trade, skills, location, experience) is visible to verified employers on the platform. Sensitive data (gender, date of birth, health documents) is never included.
- Infrastructure providers — Supabase (database, authentication, and storage, hosted in AWS EU-West-1). Supabase processes data as a data processor under a signed Data Processing Agreement.
- Legal requirements — where required by law, court order, or regulatory authority.
7. Your rights
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, for processing based on consent (including health data); withdrawal does not affect prior processing
- Lodge a complaint — with the Data Protection Commission Ireland (dataprotection.ie)
To exercise any right, email privacy@kova.work. We will respond within 30 days.
8. Data retention
- Active account data is retained for as long as your account is open
- If you delete your account, personal data is removed within 30 days, except where we are required by law to retain it longer
- Verification documents are retained for up to 12 months after account closure
- Anonymised or aggregated analytics data may be retained indefinitely
9. Cookies and tracking
Kova uses essential session cookies for authentication. We do not use advertising cookies or third-party tracking scripts. The only third-party service that may set cookies is Supabase, which uses them for authentication session management.
10. Security
Personal data is encrypted in transit (TLS) and at rest. Storage buckets for documents are private and access-controlled. Admin access to sensitive data is logged. We apply row-level security policies in the database so that users can only access their own data (except where the platform is designed to share profile information between parties).
11. Changes to this policy
We may update this policy from time to time. We will notify you by email and update the "Last updated" date above. Continued use of the platform after a policy change constitutes acceptance of the revised terms.
12. Contact
For privacy-related queries: privacy@kova.work