At Kovalent we understand that we have a responsibility to protect your privacy and confidentially process and store your personal data. Please read this privacy policy carefully as it contains information on who Kovalent is and how and why we collect, store, process and use your personal data. Your rights in relation to any of your personal data along with contact details are contained within this privacy policy in the event you need to contact us.

We collect, use and manage certain types of personal data about you. When we store data we comply with the requirements of the jurisdictions where we operate including those of Australia and the General Data Protection Regulation (GDPR) which covers the storage and processing of personal data for subjects of the European Economic Area (EEA) and United Kingdom (UK).

Definitions

We, our, us: Kovalent Pty Ltd trading as Kovalent or Kovalent Systems with registered offices at Suite 4, Level 1, 30 Bayfield Street, Rosny Park, Tasmania, 7018, Australia. Our ABN is 38 636 900 528.

Our data protection officer: Attn DPO Officer, Kovalent Pty Ltd, Suite 4, Level 1, 30 Bayfield Street, Rosny Park, Tasmania, 7018, Australia. You can contact the data protection officer at privacy@kovalent.systems.

Personal data: any information relating to an individual or that can identify you as a specific individual.

Data we may collect about you

The personal data we collect about you varies depending on which product and service we provide to you. When you use our products and services we may collect and use the following personal data about you, including but not limited to:

• Your name and contact information
• If you are using a paid-for service we may store and process your payment information
• Uniquely identifying numbers such as your account number with us
• Your purchase and billing history
• Usernames and passwords for our products and services
• Content of communications with us
• Access and usage logs containing IP addresses when you use our services

We collect this personal data for the required operation and usage of our products and services. Further details are described below. If you do not consent to provide certain personal data you may not be able to use some of our products or services.

How we collect your personal data

We collect your personal data from you directly in person, by communication methods such as telephone, post or email or by you using our products and services. We do not collect information on you from third parties unless requested by you during the use of one of our products or services. We may collect identifying personal data during routine accessing of our products and services in access logs.

When and why we use your personal data

We only use your personal data where we have your consent, at your direct request, to comply with a legal or regulatory requirement or where your data is needed for the usage of one of our services or products.

We may use and process your personal data which you have provided to us or which we have collected through your use of our products and services. Uses include but is not limited to:

• To perform services or to provide products to you
• Identify, fraud and security checks on you when you enter into a contract with us
• Screening for financial or political embargoes for compliance with legal and regulatory obligations
• Complying with lawful legal proceedings
• Ensuring terms and conditions you have agreed to when using our products and services are complied with
• Internal operational reasons, for example training and improving our products and services
• Analysis to prevent unauthorized access to information systems and data we control
• Ensuring safe work practices
• Marketing to existing customers, for example using your personal data in direct marketing messages to you
• External audits by authorized auditors
• To transfer between our products and services when you request their interoperability

Any other legitimate use of your personal data will be in compliance with this privacy policy.

References and links to third party content

Any links or references to third party content outside of any product or service operating by us is not covered by this privacy policy. Refer to the privacy notices of the third party services for more information.

Marketing

We may use your personal data such as your name, email address and unique customer number to send you marketing emails which include updates and notices about our products and services where you are already an existing customer. This is a legitimate use of your personal data to which you have consented to by using our products or services. You may opt out of marketing communications from us by using the "unsubscribe" link which is included in every digital marketing communication.

Under legal requirements we may ask you to confirm your marketing contact preferences and contact details from time to time.

We will never provide your contact details to a third party to send marketing notices other than in the operation of our direct marketing communications. For example we may store your personal data with a listed data processor for the act of sending our direct marketing communications but we will not sell or otherwise distribute your personal data to any other party.

Who we share your personal data with

When you sign up to our products and services you consent to us storing and processing your personal data with:

• Companies owned and operated by us
• Third parties that help us operate our products and services such as internet service companies and payment providers
• Third parties involved in business operations such as banks, accountants, auditors and insurance providers

Personal data will only be shared with authorized third parties who have compliant and compatible privacy policies and who take appropriate measures to protect your personal data.

In addition to the above, our specified third parties may share personal data with external auditors, accountants and other professional entities such as lawyers during the operation of their businesses as required by legal or regulatory obligations.

Specific third parties your personal data is shared with

During the running and operation of our products and services we routinely use the following third parties to store and process your personal data:

• Amazon Web Services Australia Pty Ltd. Registered in Australia. Used by us for general data storage and processing services such as internet services hosting.
• DigitalOcean LLC. Registered in the United States. Used by us for general data storage and processing services such as internet services hosting.
• Rackspace International GmbH. Registered in Switzerland. Used by us for general data storage and processing services such as internet services hosting.
• Hetzner Online GmbH. Registered in Germany. Used by us for general data storage and processing services such as internet services hosting.
• OVH Australia Pty Ltd. Registered in Australia. Used by us for general data storage and processing services such as internet services hosting.
• Mailgun Technologies, Inc. Registered in the United States. Used by us for email delivery.
• Cloudflare, Inc.. Registered in the United States. Used by us as a global CDN and for information security services.
• Gandi International SARL. Registered in Luxembourg. Used by us for domain name registrations.
• Nominet UK Ltd. Registered in the United Kingdom. Used by us for domain name registrations.
• Fastmail Pty Ltd. Registered in Australia. Used by us for email services.
• BunnyWay d.o.o.. Registered in Slovenia. Used by us as a global CDN.

This list of third party companies used by us may be updated regularly.

Where your personal data is held

Your personal data may be processed and stored globally either by us directly or with one of the listed companies above. Some third parties may store and process your personal data outside of Australia, the United States, the UK or EEA or other specific region. All third parties used by us to store personal data have compatible upstream privacy policies.

In situations where we are are sub-processor for another company personal data may be kept within specific regions such as Australia, The United States, the UK or EEA or other specific region.

How long your personal data will be stored

Your personal data will only be kept for the usage of our products and services. If you no longer use our products and services we will delete or anonymize your your personal data within 12 months or as required by any legal or obligatory requirements, whichever is sooner.

After the required retention period has elapsed your personal data will be deleted or anonymized.

Personal data transfers out of specific regions

Countries outside of the specific regions where we operate, including Australia, the United States, the UK and EEA have different data protection laws which can provide alternative levels of protection for your personal data. When your personal data is stored within Australia, the United States, the UK or EEA or other specific region it is occasionally required that we transfer personal data to a different region during the operation of our products and services. When this occurs we will comply with applicable laws and regulations designed to ensure the privacy and security of your personal data.

Where we are a sub-processor for a product or service provided to a third party company, usually our client, they may have an additional more comprehensive agreement with us. For example when providing internet services including data storage and processing to our clients they may have agreements with us that their services and products only have data stored and processed within a specific region such as Australia, the UK or EEA.

Where your personal data is stored in the UK or EEA we will only transfer it outside of the UK or EEA in compliance with article 45 of the GDPR covering adequacy regulation. You should refer to the GDPR for the up to date list of countries which have adequately compliant regulations for personal data.

Where our products and services are global in operation your personal data may be processed globally before being stored in a region with adequate protection for your personal data. Where we act as a sub-processor your personal data may be processed globally before being stored in a specific region. For example, a sub-processor agreement may require your personal data to be stored in the EEA however due to how the internet functions at a technical level your personal data may transit through a different region and be processed prior to storage in the EEA.

Your rights

You may, at no cost to you, exercise the following rights to your personal data:

• Request a copy of any personal data we store about you and optionally in a format that can be easily processed by you
• Provide updates for any personal data we store about you
• Request we delete any personal data we store about you
• Request we or a third party utilized by us to stop processing your data which may restrict your access to our products or services
• Request we stop sending you communications
• To withdraw previously provided consent on how we store and process your personal data

Where we are a sub-processor for another company and we have not directly collected your personal data, your request may be forward to the third party to action where reasonable. For example, where we provide data storage or processing services to another company any requests regarding data collected by the third party will be referred to the third party to process. Requests from any jurisdiction where we operate that are accompanied by legally binding authorization will be complied with regardless of your personal data being collected directly or through a sub-processor agreement with a third party company.

Additional compliance

In some jurisdictions we operate your legal rights may vary. We operate global services and apply a single global privacy policy to govern your personal data when using our products and services. Where appropriate and reasonable we offer expanded rights beyond our legal requirements including but not limited to appointing a data protection officer for all global services and offering the right to be forgotten for all data subjects that use our products and services, including those outside of the UK and EEA.

Data security

We apply appropriate and suitable security measures to prevent personal data from being accidentally lost, used or accessed unlawfully. Access to personal data stored and processed by us is limited to authorized employees and authorized third parties who have a legitimate business need to access it. All personal data stored and processed by us, including personal data collected by third parties and stored and processed by us as a sub-processor, is secured using industry standard methods such as suitable levels of encryption and authentication in both transit and at rest.

We, and third parties approved by us, only process and store your personal data in an authorized way and under the requirements of operating our products and services. We continually test our systems and infrastructure and apply regular updates to our security policies to ensure we follow industry standards and best practices for information and data security.

In the event of any suspected data security breaches we will notify you and any applicable regulatory authority where we are legally required to do so.

Contact and requests

You can contact us or our data protection officer if you have any questions about this privacy policy or about how we store and process your personal data. You can also exercise your rights under the laws of your jurisdiction to make a complaint. You can email us at privacy@kovalent.systems or write to us at Suite 4, Level 1, 30 Bayfield Street, Rosny Park, Tasmania, 7018, Australia.

Updates to this privacy policy

We regularly review our privacy policy and update it from time to time. Any changes to our privacy policy will be reflected on this page. The updated privacy policy will come into effect as and when it has been published.