Privacy Policy
Last Updated: July 2026
1. Our Privacy Model
Kovalent is built on a split-plane architecture: a control plane that we operate, and your nodes, which run within your own private mesh. We establish and coordinate the secure connection between you and your nodes, but the prompts, embeddings, documents, and other content flowing between your devices and your nodes are not visible to us. Traffic within your mesh is encrypted in transit. This model shapes everything below: we collect and process only the limited operational data described here, because the substance of your AI workloads stays inside your boundary.
2. AI Workloads and Customer Data
We do not sell your personal information.Kovalent provisions isolated environments “nodes” for the large language models and vector databases you choose to run. The prompts, inputs, contextual documents, and outputs processed by your nodes remain within your private network boundary, protected by tenant isolation and encryption at rest. We do not inspect, log, or use the contents of your workloads to train any models, whether our own or third parties, and we do not sell it.
3. Information We Collect
While we cannot see the contents of your AI workloads, the control plane collects the minimum information needed to provide the Service:
- Account information: name, email address, and authentication credentials.
- Billing information: processed by our PCI-compliant payment provider (Stripe). We do not store full payment card numbers.
- Platform telemetry: operational metrics needed to provision, scale, and monitor the health of your nodes, such as resource utilization and status.
- Usage and log data: IP addresses, device and browser information, and security cookies used to authenticate sessions and protect against unauthorized access.
- Website analytics: aggregate, cookieless measurements of how visitors use our public websites, such as pages viewed, the referring site, approximate location and device or browser type, and interactions like outbound link clicks, downloads, and form submissions. These measurements are not tied to your identity and are not used to track you across other websites.
- Account information: name, email address, and authentication credentials.
- Billing information: processed by our PCI-compliant payment provider (Stripe). We do not store full payment card numbers.
- Platform telemetry: operational metrics needed to provision, scale, and monitor the health of your nodes, such as resource utilization and status.
- Usage and log data: IP addresses, device and browser information, and security cookies used to authenticate sessions and protect against unauthorized access.
- Website analytics: aggregate, cookieless measurements of how visitors use our public websites, such as pages viewed, the referring site, approximate location and device or browser type, and interactions like outbound link clicks, downloads, and form submissions. These measurements are not tied to your identity and are not used to track you across other websites.
4. How We Use Information
We use the information we collect to:
- provide, operate, and secure the Service;
- provision, scale, and monitor the health of your nodes;
- process payments and manage your account;
- send you service, security, and administrative notices;
- understand, in aggregate, how our public websites are used so we can improve them;
- detect, prevent, and investigate abuse, fraud, and security incidents; and
- comply with our legal obligations.
We do not use the contents of your AI workloads for any of these purposes, because they are not visible to us.
- provide, operate, and secure the Service;
- provision, scale, and monitor the health of your nodes;
- process payments and manage your account;
- send you service, security, and administrative notices;
- understand, in aggregate, how our public websites are used so we can improve them;
- detect, prevent, and investigate abuse, fraud, and security incidents; and
- comply with our legal obligations.
We do not use the contents of your AI workloads for any of these purposes, because they are not visible to us.
5. Cookies and Similar Technologies
We use a small number of strictly necessary cookies to authenticate your session and protect against unauthorized access, configured to reduce exposure to cross-site attacks. We do not use advertising cookies, and we do not sell information gathered through cookies. To understand how our public websites are used, we rely on a privacy-friendly analytics provider that measures traffic without cookies and without tracking you across other websites. You can control cookies through your browser settings, though disabling necessary cookies may prevent you from signing in.
6. How We Share Information
We do not sell your personal information. We share information only with the service providers that help us operate the Service, and only as needed for them to perform their functions on our behalf. All such providers are bound by contractual data-protection obligations. We may also disclose information where required by law, to enforce our agreements, or to protect the rights, safety, and security of Kovalent, our customers, or the public.
7. Subprocessors
We rely on a limited set of third-party subprocessors to deliver the Service, including:
- Amazon Web Services (AWS): cloud infrastructure hosting.
- Stripe: payment processing.
- Plausible Analytics (Plausible Insights OÜ): privacy-friendly, cookieless website analytics, hosted in the European Union.
Each subprocessor is bound by a data-processing agreement. We may engage additional subprocessors as the Service evolves; a current list is available on request, and we will provide notice of material changes where required.
- Amazon Web Services (AWS): cloud infrastructure hosting.
- Stripe: payment processing.
- Plausible Analytics (Plausible Insights OÜ): privacy-friendly, cookieless website analytics, hosted in the European Union.
Each subprocessor is bound by a data-processing agreement. We may engage additional subprocessors as the Service evolves; a current list is available on request, and we will provide notice of material changes where required.
8. Data Retention
We retain account and operational data for as long as your account is active and as needed to provide the Service. After you close your account, we delete or anonymize the information we hold within a reasonable period, except where we must retain it to meet legal, tax, or accounting obligations, resolve disputes, or enforce our agreements. Certain security and audit records are retained for a defined period to preserve their integrity and meet compliance obligations, and may persist after account closure. Because the contents of your AI workloads reside on your nodes, they are removed when those nodes are deprovisioned, under your control.
9. International Data Transfers
We and our service providers may process information in countries other than the one in which you reside. Where we transfer personal information across borders, we rely on appropriate safeguards, such as standard contractual clauses, to protect it consistent with applicable law.
10. Your Rights
Depending on where you live, you may have rights over your personal information, including the right to access, correct, delete, or export it, to object to or restrict certain processing, and to withdraw consent. If you are in the European Economic Area or the United Kingdom, these rights arise under the GDPR; if you are a California resident, they arise under the CCPA, including the right not to be discriminated against for exercising them. You can exercise most of these rights from your account settings or by contacting us, and we will respond within the timeframe required by law. Because we do not have access to the contents of your workloads, requests concerning that data are fulfilled on your nodes, under your control.
11. Data Security
We protect the information we hold using industry-standard safeguards, including encryption in transit and at rest, tenant isolation, access controls, and monitoring. No method of transmission or storage is completely secure, but we work to protect your information and to notify you of material incidents as required by law.
12. Children's Privacy
The Service is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, provide additional notice. We encourage you to review this policy periodically.
14. Contact Us
If you have questions or concerns about this Privacy Policy or how we handle your information, contact our privacy team at:
Email: info@kovalentai.com
Email: info@kovalentai.com