1. Controller
Kovetto – a brand of Coperte GmbHKopernikusstraße 14
30167 Hannover
Germany
Phone: +49 511 515 241 60
Email: [email protected]
Website: https://kovetto.com
2. General Information & Scope
This Privacy Policy informs you pursuant to Art. 13 and Art. 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and the relevant provisions of the German Federal Data Protection Act (BDSG) about the nature, scope, and purpose of the processing of personal data by Coperte GmbH within the context of kovetto.
Personal data is processed exclusively on the basis of the applicable legal grounds. In particular, the following legal bases are relevant:
- Art. 6(1)(a) GDPR – Consent of the data subject
- Art. 6(1)(b) GDPR – Performance of a contract or pre-contractual measures
- Art. 6(1)(c) GDPR – Compliance with a legal obligation
- Art. 6(1)(f) GDPR – Legitimate interests of the controller or a third party
The applicable legal basis is specified separately for each processing operation.
Scope: This Privacy Policy applies to the website kovetto.com including all subpages, as well as the SaaS application kovetto (visual feedback tool) provided under this domain and all associated services. This Privacy Policy does not extend to third-party websites linked from kovetto.com.
3. Hosting & Infrastructure
We use the following infrastructure service providers to operate kovetto.com, all acting under data processing agreements pursuant to Art. 28 GDPR:
3.1 Railway Corp. – Hosting & Compute
Provider: Railway Corp., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Purpose: Operation of the application and API servers for kovetto.com.
Data categories processed: IP addresses, HTTP request metadata, server log data, and all application payload data insofar as it arises during runtime in memory or during transmission.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests). The reliable, scalable, and secure operation of the application infrastructure via a specialized hosting provider is in the overriding legitimate interest of the controller and the users.
Server location: EU region Frankfurt (Germany), operated on Google Cloud Platform (GCP).
Third-country transfer: Railway Corp. is headquartered in the USA. Any transfer of operational data (e.g. during support access) is safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, Module 2.
Sub-processor – Google Cloud Platform: Railway operates its infrastructure on Google Cloud Platform. As a further sub-processor, Google Cloud EMEA Ltd., 70 Sir John Rogerson's Quay, Dublin 2, Ireland processes infrastructure data in GCP region europe-west3 (Frankfurt), also on the basis of SCCs Module 2. DPA Google Cloud: cloud.google.com/terms/data-processing-addendum
Privacy Policy Railway: railway.com/legal/privacy | DPA: railway.com/legal/dpa
3.2 Supabase Inc. – Database, Authentication & Storage
Provider: Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992
Purpose: Supabase provides the relational database (PostgreSQL), authentication service, object storage for uploaded files (screenshots, audio files), and transactional auth emails.
Data categories processed: User profile and account data, email addresses, authentication tokens and session data, uploaded media files, all application database content, and IP addresses.
Legal basis: Art. 6(1)(b) GDPR (contract performance) for database and auth; Art. 6(1)(f) GDPR (legitimate interests) for log data for IT security purposes.
Server location: EU region eu-central-1, Frankfurt (Germany). No third-country transfer takes place.
Privacy Policy Supabase: supabase.com/privacy | DPA: supabase.com/legal/dpa
3.3 Cloudflare Inc. – Browser Rendering & Server-Side Screenshots
Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Purpose: Cloudflare provides a headless browser service (Browser Rendering API) through which kovetto.com generates automated server-side screenshots of web pages.
Data categories processed: URLs to be rendered, HTTP metadata, generated screenshot image data, and IP addresses of outbound requests.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Server-side screenshot generation is a core functional feature of the service.
Server location: EU data centers. Cloudflare uses the EU Data Localization Suite, ensuring that user data is processed and stored exclusively within the EU.
Third-country transfer: Operational data is safeguarded on the basis of SCCs Module 2.
Privacy Policy Cloudflare: cloudflare.com/privacypolicy | DPA: cloudflare.com/cloudflare-customer-dpa
4. Data Collection on Our Website
4.1 Server Log Files
Each time our website is accessed, the following data is automatically stored in server log files: IP address of the requesting device, date and time of access, URL accessed and data volume transferred, browser type and version, operating system, and HTTP status code.
Purpose: Ensuring system security, detecting and defending against attacks (e.g. DDoS), technical troubleshooting, and stable operation.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in IT security and uninterrupted platform operation. Log files are automatically deleted after a maximum of 7 days.
4.2 Registration & User Account
To use kovetto, creating a user account is required. We collect: email address, password (stored in encrypted form only; no plaintext access), and the time of registration.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Obligation to provide data (Art. 13(2)(e) GDPR): Providing your email address and a password is mandatory for concluding the contract and using the service. Without this information, no user account can be created and the service cannot be provided.
4.3 Minimum Age
kovetto is intended exclusively for persons who have reached the age of 18. By registering, you confirm on your own responsibility that you are at least 18 years old. If we become aware that a minor has created an account, we will immediately suspend the account and delete the data without delay.
4.4 Use of the Feedback Service
In the course of actively using kovetto, we process: uploaded screenshots and design files, feedback markers with coordinates, text messages and comments, voice messages along with automatic transcripts, project and session data, and usage metadata (timestamps, device type).
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Note on voice messages: Voice messages are processed solely for the purpose of transcribing and summarizing feedback content. No identification of persons based on vocal characteristics takes place. This therefore does not constitute processing of biometric data within the meaning of Art. 9(1) GDPR.
5. AI Services, Emails & Payment Processing
5.1 AI-Assisted Transcription & Summarization (OpenAI)
Provider: OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
Purpose: Automatic transcription of voice messages and AI-assisted summarization of feedback content. Processing takes place exclusively via the EU API of OpenAI with Zero Data Retention: data transmitted to OpenAI is not used for model training and is not stored permanently.
Data categories processed: Audio recordings of voice messages, associated transcription texts, and metadata.
Legal basis: Art. 6(1)(b) GDPR (contract performance); additionally Art. 6(1)(f) GDPR (legitimate interest in efficient feedback processing).
Third-country transfer: By exclusively using the EU API with Zero Data Retention, no permanent third-country transfer takes place.
No automated decision-making: AI processing serves exclusively for transcription and summarization. No decisions with legal effect are made on the basis of this processing (see section 10).
DPA OpenAI: openai.com/policies/data-processing-addendum
5.2 Transactional Emails (Plunk)
Provider: Plunk (hosted service at useplunk.com), contact: [email protected]
Purpose: Sending transactional emails, in particular account and authentication emails (confirmation, password reset, invitations, sign-in links), feedback notifications, tester invitations, session expiry notices, and welcome emails.
Data categories processed: Recipients' email addresses, email subject and content, send metadata (timestamps, delivery status). Plunk processes this data as a processor on our behalf.
Storage location: All data is stored in the EU/EEA; the infrastructure is operated at Hetzner (Germany).
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Third-country transfer: Hosting takes place exclusively in the EU. For email delivery only, Plunk uses Amazon SES as a sub-processor (data in transit only, not stored), safeguarded via the AWS DPA and SCCs Module 2 pursuant to Art. 46(2)(c) GDPR.
Plunk Privacy Policy: useplunk.com/privacy | DPA on request via [email protected]
5.3 Payment Processing (Stripe)
Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin D02 H210, Ireland
Purpose: Processing payments, managing subscriptions, checkout process, and customer portal.
Data categories processed: Email address, billing address, transaction data, subscription information. Payment data (card numbers, etc.) is processed exclusively by Stripe; we have no plaintext access to your payment data.
Legal basis: Art. 6(1)(b) GDPR (contract performance) for payment processing; Art. 6(1)(c) GDPR in conjunction with applicable retention obligations for 10-year storage of invoice records.
Third-country transfer: Stripe Payments Europe Ltd. is an EU company. No third-country transfer takes place.
Privacy Policy Stripe: stripe.com/privacy | DPA: stripe.com/legal/dpa
6. Analytics & Tracking
All analytics services described below are activated only upon your explicit consent via our cookie banner. These services are fully disabled before consent is given; no cookies are set and no data is transmitted. You may withdraw your consent at any time with effect for the future — as easily as you gave it.
6.1 PostHog
Provider: PostHog Inc., 965 Mission St., San Francisco, CA 94103, USA
Purpose: Product analytics, usage tracking, and LLM observability. We use exclusively the EU instance at eu.posthog.com (server location: Frankfurt, Germany).
Data categories processed: Pseudonymized IP address, pages visited, interaction events, browser and device type, referrer.
Legal basis: Art. 6(1)(a) GDPR (consent). Third-country transfer: none – processing takes place exclusively within the EU.
Privacy Policy PostHog: posthog.com/privacy | DPA: posthog.com/dpa
6.2 Google Tag Manager
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Central management of analytics and tracking tags. Google Tag Manager itself does not collect personal data; it serves as a technical management tool for the consent-requiring services below and is only loaded after consent.
Legal basis: Art. 6(1)(a) GDPR (consent), as GTM is used as a vehicle for consent-requiring services.
Privacy Policy Google: policies.google.com/privacy
6.3 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Analysis of user behavior (page views, click paths, dwell time, conversion events) to improve our offering.
Data categories processed: Pseudonymized IP address (IP masking active: the IP is truncated before transmission to Google servers within the EU), pages visited, browser and device type, country of origin, referrer.
Legal basis: Art. 6(1)(a) GDPR (consent).
Third-country transfer: Google LLC also processes data on servers in the USA on the basis of SCCs Module 2 pursuant to Art. 46(2)(c) GDPR. Google has also joined the EU-U.S. Data Privacy Framework (DPF) as a parallel safeguard.
Browser opt-out: tools.google.com/dlpage/gaoptout | Privacy Policy: policies.google.com/privacy
9. Optional Third-Party Integrations
kovetto offers optional integrations with the following services. These integrations are disabled by default and only become active when you explicitly enable them in your account settings. By activating them, you consent to the transfer of feedback data (markers, texts, transcripts) to the respective service. Disabling counts as withdrawal of this consent.
Legal basis: Art. 6(1)(a) GDPR (consent through activation).
- WhatsApp / Meta: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Privacy: whatsapp.com/legal/privacy-policy
- ClickUp: Mango Technologies Inc., 350 Tenth Avenue, Suite 110, San Diego, CA 92101, USA. Third-country transfer: USA, SCCs Module 2. Privacy: clickup.com/privacy
- Jira / Atlassian: Atlassian Pty Ltd., Level 6, 341 George Street, Sydney NSW 2000, Australia. EU data residency available. Third-country transfer: Australia/USA, SCCs Module 2. Privacy: atlassian.com/legal/privacy-policy
- Linear: Linear Orbit Inc., USA. Third-country transfer: USA, SCCs Module 2. Privacy: linear.app/privacy
10. Automated Decision-Making (Art. 22 GDPR)
We do not make decisions based solely on automated processing — including profiling — that produce legal effects or similarly significantly affect you (Art. 22(1) GDPR).
We use AI services (OpenAI) to transcribe voice messages and summarize feedback content. This processing serves exclusively for documentation and user support purposes. The generated transcriptions and summaries have no legal effect on data subjects and do not result in any significant impairment within the meaning of Art. 22 GDPR. All legally or commercially relevant decisions are always made by a human.
11. Your Rights as a Data Subject
As a person affected by data processing, you have the following rights. To exercise them, please contact us by email at [email protected].
Right of Access (Art. 15 GDPR)
You have the right to request information about whether and what personal data we process about you, as well as about processing purposes, categories, recipients, and planned storage duration.
Right to Rectification (Art. 16 GDPR)
You may request the correction of inaccurate data or the completion of incomplete data.
Right to Erasure (Art. 17 GDPR)
You may request the immediate deletion of your data, provided the conditions of Art. 17(1) GDPR are met and no statutory retention obligations stand in the way.
Right to Restriction of Processing (Art. 18 GDPR)
Under certain conditions, you may request the restriction of processing.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, commonly used, and machine-readable format, provided that processing is based on consent or a contract and is carried out by automated means.
Right to Notification (Art. 19 GDPR)
If you have exercised your right to rectification, erasure, or restriction, we will notify all recipients to whom your data has been disclosed accordingly. You may be informed about these recipients.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal is not affected.
⚠ Right to Object (Art. 21 GDPR) – Important Notice
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR.
In the event of an objection, we will no longer process your data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims (Art. 21(1) GDPR).
You may lodge your objection informally by email to [email protected].
13. Contact by Email
If you contact us by email, the personal data you transmit (email address, name if provided, content of your message) will be stored for the purpose of processing your inquiry and will not be disclosed without your consent.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in properly responding to inquiries. Where your inquiry is directed at concluding a contract, the additional legal basis is Art. 6(1)(b) GDPR.
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected (generally 6 months after final processing), unless statutory retention obligations prevent this.
You may object to the processing at any time (Art. 21 GDPR). Send your objection to: [email protected]
14. Data Processor Overview
We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with all of the following service providers. For transfers to third countries, we rely on Standard Contractual Clauses (SCCs) of the EU Commission, Module 2 (controller to processor).
| Service Provider | Purpose | Server Location | Third-Country Transfer |
|---|---|---|---|
| Railway Corp. (USA) | Hosting, servers, compute | EU Frankfurt (GCP) | SCCs Module 2 |
| Google Cloud EMEA Ltd. (IRL) | Sub-processor of Railway | EU Frankfurt | SCCs Module 2 |
| Supabase Inc. (USA) | Database, auth, storage | EU Frankfurt | No transfer |
| Cloudflare Inc. (USA) | Browser rendering, screenshots | EU (Data Localization Suite) | SCCs Module 2 |
| OpenAI Ireland Ltd. (IRL) | Transcription, AI analysis | EU (Zero Data Retention) | No transfer |
| Plunk (EU / Hetzner DE) | Transactional emails | EU/EEA (Hetzner DE); delivery via Amazon SES | DPA; SCCs Module 2 (Amazon SES) |
| Stripe Payments Europe Ltd. (IRL) | Payment processing | EU Ireland | No transfer |
| PostHog Inc. (USA) | Analytics, LLM observability | EU Frankfurt | No transfer |
| Google Ireland Limited (IRL) | Tag Manager, Analytics (GA4) | EU / USA | SCCs Module 2 + DPF |
15. Data Security
We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR:
- Transport encryption: All data transmissions take place exclusively over TLS 1.2 or higher (HTTPS).
- Password hashing: Passwords are hashed and salted using bcrypt; plaintext access is technically impossible.
- Storage buckets: User content is stored in isolated, non-publicly accessible storage buckets. Access is exclusively via short-lived, signed URLs.
- Access control: Access to production systems is restricted to authorized personnel and takes place via MFA and role-based access control (RBAC).
- Regular review: Security measures are reviewed regularly. In the event of a data breach, we will notify the competent supervisory authority pursuant to Art. 33 GDPR within 72 hours.
16. Data Retention Periods
We store personal data only for as long as it is necessary for the respective processing purpose or as required by statutory retention obligations:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Server log files | 7 days | Art. 6(1)(f) GDPR |
| User account (active) | Until deleted by the user | Art. 6(1)(b) GDPR |
| Feedback data (Starter plan) | 30 days after creation | Art. 6(1)(b) GDPR |
| Feedback data (Growth / Business) | Until account cancellation | Art. 6(1)(b) GDPR |
| Payment data (Stripe) | 10 years | Art. 6(1)(c) GDPR and applicable retention laws |
| Email contact inquiries | 6 months after processing | Art. 6(1)(f) GDPR |
| Analytics data (PostHog / GA4) | 12 months | Art. 6(1)(a) GDPR |
17. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy at any time with effect for the future. This may be necessary in particular when we introduce new features, when legal requirements change, or when regulatory requirements demand it.
The current version is always available on this page. In the case of material changes — in particular changes to the processing purpose, the legal basis, or newly added recipient categories — we will additionally notify registered users by email.
If you do not agree with an amended Privacy Policy, you are free to delete your account and discontinue using our services.
Last updated: June 2026
8. Social Media
8.1 External Links to Social Media Platforms
Our website contains links to our profiles on the following platforms. Data (IP address, referrer) is only transmitted to the respective provider when you click on one of these links. We do not use social plugins; no data is transmitted prior to clicking.
Legal basis for external links: Art. 6(1)(f) GDPR (legitimate interest in public presence and communication).
8.2 Our Own Profiles (Joint Controllership)
We operate profiles on X, Instagram, LinkedIn, and TikTok. In connection with the use of these profiles, we are jointly responsible with the respective platform operator as joint controllers within the meaning of Art. 26 GDPR, insofar as the platforms provide insights data. We have no influence over the processing carried out by the platform operators; their privacy policies apply.