KOVA

Last updated: 2 May 2026

Privacy Policy

Introduction

KOVA is a running app for iPhone and Apple Watch built by Appè Latte, an independent software studio in Calgary, Alberta, Canada. This policy explains what we collect when you use the iOS app or the web dashboard at kova-run.app, what we do with it, and the rights you have over it. This policy applies worldwide; if you are in the European Economic Area, the United Kingdom, or California, additional rights apply under GDPR, the UK Data Protection Act 2018, and the California Consumer Privacy Act respectively — see “Your rights” below.

Data we collect

Account data. Email address, password (stored as a one-way hash — we cannot read it), and the unique account identifier issued by our authentication provider. If you sign in with Apple or Google, the identifier returned by that provider plus the email address they share with us.

Profile data. Display name, weight, height, age, biological sex, resting heart rate, and a custom maximum heart rate if you set one — all optional, all entered by you in iOS Settings → Profile, all used for sports-science calculations on your runs.

Run data. For each run you record: distance, time, pace, splits, heart rate, cadence, elevation, calories, route coordinates, weather snapshot, optional notes, the timestamp of the run, and computed metrics like grade-adjusted pace and heart-rate drift.

Device and crash data. Device model, iOS / watchOS version, app version, anonymised crash logs and stack traces, and coarse network metadata (IP address truncated to the network block, retained for 7 days for fraud and abuse prevention only).

Subscription data. Your active subscription tier and renewal status, received from Apple via RevenueCat. We do not receive your payment method or billing address — Apple holds those.

How we use your data

We use your data to provide the KOVA service, sync your runs between your iPhone, Apple Watch, and the kova-run.app dashboard, compute your Personal Bests and training metrics, send transactional emails (password resets, account-deletion confirmations), and diagnose crashes. We do not use your data for advertising. We do not profile you. We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

Sharing and disclosure

We share data with a small set of subprocessors who operate the service on our behalf. Each is contractually bound to use your data only to deliver their service to us:

Supabase — database, authentication, file storage. Hosted in Canada / United States; data covered by Supabase’s DPA, which is GDPR-compliant.
Apple — App Store distribution and in-app billing.
RevenueCat — subscription state management.
Vercel — kova-run.app website hosting.
Open-Meteo — weather snapshots for runs (we send your run’s coordinates to fetch weather; we do not associate your identity with the weather request).
Firebase Crashlytics — crash report symbolication. Only anonymised stack traces and device metadata are sent.

We may disclose data in response to a valid legal order. Where lawful, we will notify you in advance.

Apple Health

With your permission, KOVA reads heart rate and step count from Apple Health to power live and run-summary metrics. With your permission, KOVA writes completed runs back to Apple Health as workout sessions. Per Apple’s HealthKit terms, we never sell your health data, never share it with third parties for advertising, never use it outside the app’s primary function, and never grant third parties access to it. Health data stays on your device unless you choose to sync runs to your private cloud account; even then, the synced data is the run summary, not the underlying biometric samples.

Location data

KOVA records your location only while you have an active run in progress. We do not collect location in the background outside active runs. Run routes are stored privately under your account and shown to you on the run detail and the kova-run.app dashboard. We never share your routes with third parties. You can delete a run (and its route) at any time from the iOS app — soft delete tombstones the row immediately and a permanent purge follows on our backups within 7 days.

Your rights

You have the right to access, correct, delete, and export the personal data we hold about you. Most of these are exercisable directly in the iOS app:

Access. Email support@appe-latte.ca for a copy of everything we hold against your account. We respond within 30 days.
Correction. Edit your profile in iOS Settings → Profile, or email us.
Deletion. iOS Settings → Account → Delete Account, or email support@appe-latte.ca. See our data-deletion page for full detail.
Portability. The same access request returns your run history in a machine-readable format (JSON or CSV).

EEA / UK users (GDPR). You also have the right to object to processing, restrict processing, and lodge a complaint with your supervisory authority (in the UK, the ICO at ico.org.uk). The legal basis for our processing is contract performance (running the service for you) for account, profile, and run data; legitimate interest for crash reporting and abuse prevention; and consent for Apple Health access.

California users (CCPA). You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

Data retention

We keep your account data for as long as your account is active. When you delete your account, we delete your account record and all owner-scoped data immediately; database backups roll off within 7 days; anonymised crash logs roll off within 90 days. We may retain minimal records beyond that only where legally required (for example, a record of the deletion request itself for compliance audit purposes).

Children's privacy

KOVA is not directed at children under 13 in the United States (COPPA) or under 16 in the European Economic Area (GDPR Article 8). We do not knowingly collect personal data from minors below those thresholds. If you believe a child has created an account, email support@appe-latte.ca and we will delete the account.

Security

Data in transit is encrypted with TLS 1.3. Data at rest is encrypted in the Supabase managed database. Passwords are stored as scrypt-format one-way hashes; we cannot read them. Access to production systems is restricted to the Appè Latte team and requires multi-factor authentication. We log production access for audit. We are a small studio; no security posture is perfect — if you discover a vulnerability, please email support@appe-latte.ca with the details and we will respond promptly.

International transfers

KOVA is built in Canada. Our subprocessors may store and process your data in Canada, the United States, and the European Economic Area. For transfers out of the EEA / UK, we rely on standard contractual clauses approved by the European Commission and the UK ICO.

Changes to this policy

We may update this policy as the service changes. Material changes will be notified by email and an in-app banner at least 30 days before they take effect. The date at the top of this page reflects the most recent revision.

Contact

Privacy questions, access requests, deletion requests, or anything else covered by this policy:

support@appe-latte.ca

Appè Latte
Calgary, Alberta, Canada
