LAST UPDATED: May 6, 2026
SOVA Systems LLC, a California limited liability company (“SOVA” or “we”), provides this California Privacy Rights notice (“Notice”) to describe how SOVA collects, uses, shares, and protects the personal information of California residents, and to summarize the rights available to California residents under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA/CPRA”).
This Notice supplements the SOVA
Website Privacy Policy and the SOVA
Services Privacy Policy. To the extent of any conflict between this Notice and either of those policies with respect to the rights of California residents, this Notice controls.
Scope and Roles
SOVA processes two general categories of personal information:
- Account Data — information about Customers and their authorized administrators that SOVA collects to manage the contractual relationship, provision the SOVA Services, and bill for the SOVA Services. With respect to Account Data, SOVA acts as a “business” under CCPA/CPRA.
- Customer Data — information that Customers and their authorized end users submit, upload, or generate through the SOVA Services in the course of operating their security and incident management programs. With respect to Customer Data, SOVA acts as a “service provider” under CCPA/CPRA, processing personal information on the Customer’s behalf and only for the business purposes described in the Customer’s agreement with SOVA.
If you are a California resident whose personal information has been submitted to the SOVA Services by a Customer (for example, by your employer, a property where you work, or a venue where you visited or received a delivery), please direct rights requests in the first instance to that Customer, who is the “business” for that information under CCPA/CPRA. SOVA assists Customers in responding to verified requests as required by law.
Contents of this Notice
The table below describes the categories of personal information SOVA has collected from or about California residents during the twelve (12) months preceding the effective date of this Notice. Categories are presented using the framework of Cal. Civ. Code § 1798.140(v) (the CCPA/CPRA category list).
| Category |
Collected |
Examples specific to SOVA |
| A. Identifiers — real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers. |
Yes |
Customer admin name and contact information; User name, work email, employer, employee ID; IP address; device identifiers; usernames; account references for guests, visitors, persons of interest, and incident parties. |
| B. Personal information described in Cal. Civ. Code § 1798.80(e) — signature, physical characteristics or description, telephone number, employment, employment history, and other personal records. |
Yes |
Phone numbers; employer; employment-related information including job role and shift; physical descriptions of individuals captured in incident narratives; signatures, including digital signatures captured from guests acknowledging receipt of hotel-delivered packages, which are stored as image files in SOVA’s secure storage. |
| C. Characteristics of protected classifications under California or federal law — race, color, national origin, religion, age, gender, sexual orientation, etc. |
Limited |
SOVA does not request or collect race, ethnicity, religion, sexual orientation, union membership, or similar protected classification information. SOVA does not provide structured fields or free-text fields for recording such information. SOVA does not request or collect actual age but may record an observed age range. Where a User records an observation about an individual as part of an incident description, the recorded description may incidentally include physical or visual characteristics. SOVA does not surface, query, or filter records based on protected classification. |
| D. Commercial information — records of products or services purchased, obtained, or considered. |
No |
SOVA does not process Customer commerce data through the SOVA Services. |
| E. Biometric information. |
Yes, when Customer-enabled |
The SOVA Services support optional biometric features that may involve the processing of biometric identifiers or biometric information. Biometric features are disabled by default for all Customers. Biometric features may be enabled at a Customer site only following legal review of the applicable jurisdiction’s requirements and execution of the SOVA Biometric Data Addendum. |
| F. Internet or other electronic network activity information — browsing history, search history, interactions with a website, application, or advertisement. |
Yes |
Application interaction logs, including login events, screens viewed, features used, tour and patrol activity, checkpoint scans, lookups performed, and timestamps of these events. Logs are protected via private keys and access is limited to a small number of authorized SOVA personnel. |
| G. Geolocation data. |
Yes |
Real-time and historical precise geolocation captured from the SOVA mobile application while a User is logged in. Geolocation data is recorded against a SOVA-issued device identifier; during a User’s logged-in shift, the User’s identity is associated with that device identifier, so geolocation collected during the shift is identifiable to the User. Used for patrol verification, dispatch, and incident response. Collection stops when the User logs out. |
| H. Audio, electronic, visual, thermal, olfactory, or similar information. |
Yes |
Photographs and images (incident scenes, lost-and-found items, package shipping labels, tour checkpoints, optional User profile photos, visitor badge photos taken via webcam at check-in); voice notes and audio recordings (for incident report drafting, in-app speech-to-text, and witness statements); video clips (incident reporting); live video streams (transmitted from a User’s mobile device to a dispatch operator within the same property network). |
| I. Professional or employment-related information. |
Yes |
Employer name and information, job title, role within the security operation, employee identifier, security officer credentials, manager assignment, and similar professional information about Users authorized to use the SOVA Services on behalf of a Customer. |
| J. Education information — non-public education records as defined under FERPA. |
No |
SOVA does not process education records. |
| K. Inferences drawn from any of the above to create a profile. |
Yes (limited) |
SOVA uses automated processing and machine learning techniques for purposes such as generating descriptions of items uploaded to the Lost & Found module (for example, identifying that an uploaded image depicts a chrome hair dryer or a child’s toy), suggesting incident report content, performing analytics on aggregated and de-identified data, and detecting anomalies, fraud, and security threats. AI-generated item descriptions may indirectly imply characteristics about the individual associated with the record (for example, an item described as a child’s toy may indicate that the individual who lost it has a child). SOVA does not use Customer Data to make decisions that produce legal or similarly significant effects on individuals without human involvement. |
Note on driver license scanning. Where Customers enable the optional driver license scanning feature, the SOVA Services read data from the PDF417 barcode on the rear of a government-issued driver license or identification card. SOVA does not capture or store an image of the front or rear of the license. The data extracted from the barcode (including name, address, date of birth, license number, and similar fields) falls within Category A (identifiers), Category B (Cal. Civ. Code § 1798.80(e) information), and the sensitive personal information categories described in the next section.
CCPA/CPRA defines a separate subset of personal information as “sensitive personal information,” which carries additional rights for California residents. The table below describes the categories of sensitive personal information SOVA has collected from or about California residents during the twelve (12) months preceding the effective date of this Notice.
| Sensitive Category |
Collected |
Examples specific to SOVA |
| Government identifiers — social security number, driver’s license, state identification card, or passport numbers. |
Yes, when Customer-enabled |
Where Customers enable the optional driver license scanning feature, SOVA reads driver license number and similar identifiers from the PDF417 barcode on the rear of a government-issued license. SOVA does not collect Social Security numbers or passport numbers. |
| Account log-in credentials — account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. |
Yes |
Login credentials for User and administrator accounts. Passwords are stored as one-way cryptographic hashes; SOVA does not store passwords in plaintext. |
| Precise geolocation. |
Yes |
Real-time and historical precise geolocation captured from the SOVA mobile application while a User is logged in. Geolocation is recorded against a SOVA-issued device identifier and is associated with the logged-in User during their shift. Used solely for patrol verification, dispatch, and incident response. |
| Racial or ethnic origin, religious or philosophical beliefs, or union membership. |
No |
SOVA does not request or collect this information. SOVA does not provide structured fields or free-text fields for recording race, ethnicity, religion, philosophical beliefs, or union membership. SOVA does not surface, query, or filter records based on these characteristics. |
| Contents of mail, email, and text messages (other than directed to the business). |
No |
SOVA does not access or collect the contents of personal mail, email, or text messages. |
| Genetic data. |
No |
SOVA does not collect genetic data. |
| Biometric information for the purpose of uniquely identifying a consumer. |
Yes, when Customer-enabled |
Biometric features are disabled by default for all Customers. Where biometric features are enabled at a Customer site, biometric data may be processed for identity-verification purposes in accordance with the SOVA Biometric Data Addendum. |
| Personal information collected and analyzed concerning a consumer’s health. |
Yes, when Customer-enabled |
Where Customers use the Employee Accident Report (EAR) module or other modules that may involve health-related information, the SOVA Services may store information relating to an individual’s injury, accident circumstances, or medical treatment. SOVA is not currently a HIPAA business associate; the application of HIPAA, state health information privacy laws, and workers’ compensation confidentiality requirements is the Customer’s responsibility. |
| Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. |
Limited |
SOVA does not request or collect this information. If an individual voluntarily discloses such information, or a User records it as part of an incident description, it may be retained as part of Customer Data. |
SOVA uses sensitive personal information only to perform the SOVA Services or as otherwise reasonably expected by the Customer who provided or generated that information. SOVA does not use sensitive personal information for the purpose of inferring characteristics about an individual.
SOVA collects personal information from the following categories of sources:
- Directly from the individual — for example, when a visitor self-checks in at a Customer property, when a guest signs for a delivery, or when a member of the public submits a request through the SOVA marketing website’s contact form.
- From the Customer — when the Customer creates accounts for its administrators, employees, or contractors; when the Customer uploads employee, visitor, or other records; or when the Customer otherwise enters personal information into the SOVA Services.
- From authorized Users on the Customer’s behalf — when security officers, dispatchers, or other authorized end users enter information into the SOVA Services as part of their work for the Customer (for example, by recording an incident, scanning a license, or noting a person of interest).
- From devices and applications — automatic collection of geolocation, device identifiers, login telemetry, and similar information when individuals interact with the SOVA Services.
- From government-issued credentials presented voluntarily by the individual — when a visitor presents a driver license at check-in for the optional license-scanning workflow, the data on the PDF417 barcode is read.
Business and Commercial Purposes for Collection and Use
SOVA collects and uses personal information for the following business and commercial purposes:
- Providing, operating, maintaining, securing, and improving the SOVA Services
- Authenticating Users and Customer administrators, managing user sessions, and protecting account security
- Enabling features that the Customer has configured, including geolocation tracking, audio capture, video capture, license scanning, biometric features (when enabled under the Biometric Data Addendum), and incident reporting
- Providing Customer and User support, troubleshooting, and incident response
- Detecting, investigating, and preventing security incidents, fraud, abuse, and other harmful activity
- Auditing related to current interactions with consumers and concurrent transactions, including for the protection of consumers and to verify accuracy of data
- Performing services on behalf of Customers, including providing the SOVA Services and analyzing data to support Customer operations
- Undertaking internal research for technological development, including the use of automated processing and machine learning to improve the SOVA Services
- Maintaining the quality and safety of the SOVA Services and improving, upgrading, or enhancing the SOVA Services
- Sending service-related communications, including security alerts, system notifications, and updates
- Complying with applicable law and responding to lawful requests from public authorities
- Enforcing SOVA’s agreements, protecting SOVA’s rights and property, and protecting the rights, property, and safety of others
Categories of Third Parties to Whom We Disclose
During the twelve (12) months preceding the effective date of this Notice, SOVA has disclosed personal information for business purposes to the following categories of third parties:
- The Customer — SOVA makes Customer Data available to the Customer that controls the relevant SOVA account and to Users authorized by that Customer.
- Service providers and subprocessors engaged by SOVA to operate the SOVA Services, including cloud infrastructure providers, storage providers, communications providers, and analytics providers. The current list of subprocessors is available at https://support.sovasystems.com/portal/en/kb/articles/subprocess.
- Government and regulatory authorities in response to lawful requests, legal process, or as otherwise required or permitted by law.
- Professional advisors such as attorneys, auditors, and accountants engaged by SOVA in connection with SOVA’s legal, accounting, and audit obligations.
- Successors and acquirers in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction.
SOVA does not sell personal information. SOVA does not exchange personal information for monetary or other valuable consideration, and SOVA has not sold personal information of any consumer (including any consumer under 16 years of age) within the twelve (12) months preceding the effective date of this Notice.
SOVA does not share personal information for cross-context behavioral advertising. SOVA does not disclose personal information to third parties to enable advertising targeted to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, or applications.
The SOVA Site honors the Global Privacy Control (GPC) signal where applicable as a valid opt-out preference signal under California, Colorado, and other applicable U.S. state privacy laws.
Retention
SOVA retains personal information for the periods described below, or as long as needed to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce SOVA’s agreements.
| Category |
Retention Period |
| Customer Data (information uploaded or generated by Customers and their Users in the SOVA Services, including incident reports, photos, audio, video, visitor records, and similar information) |
Retained per the Customer’s configured retention policy in the SOVA Services. SOVA retains Customer Data only for as long as needed to provide the SOVA Services to the Customer, or as required by applicable law. |
| Account Data (information about Customer administrators and the contractual relationship) |
Retained for the duration of the Customer relationship and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce agreements. |
| Server logs and operational telemetry |
Retained for approximately 90 days for security, operational, and audit purposes. |
| System backups (full server backups, including application data and database) |
Backups are taken daily and retained for approximately 30 days. Backups are used solely for disaster recovery and operational continuity, and are deleted on a rolling basis as new backups replace older ones. |
| Aggregated and de-identified information |
SOVA may retain aggregated and de-identified information, which does not identify any individual, indefinitely, to the extent permitted by law. |
Following deletion of a record from the SOVA Services in the ordinary course (whether by Customer instruction, retention policy expiry, or termination of the Customer relationship), residual copies may persist in encrypted backups for up to 30 days before being permanently removed by the rolling backup retention process.
Your Rights Under CCPA/CPRA
Subject to certain limitations under California law, California residents have the following rights with respect to personal information SOVA holds about them:
Right to Know. You have the right to request that SOVA disclose to you the categories and specific pieces of personal information SOVA has collected about you, the categories of sources, the business or commercial purposes for collecting or selling that personal information, the categories of third parties with whom SOVA shares the personal information, and the categories of personal information SOVA has sold or disclosed for a business purpose (or that no sale or disclosure has occurred).
Right to Delete. You have the right to request that SOVA delete personal information SOVA has collected from you, subject to certain exceptions (for example, where the information is necessary to complete a transaction, detect security incidents, comply with legal obligations, or as otherwise permitted under CCPA/CPRA).
Right to Correct. You have the right to request that SOVA correct inaccurate personal information that SOVA maintains about you, taking into account the nature of the personal information and the purposes of processing.
Right to Opt Out of Sale or Sharing. You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. As described above, SOVA does not sell personal information and does not share personal information for cross-context behavioral advertising. SOVA honors the Global Privacy Control (GPC) signal as an opt-out preference signal.
Right to Limit Use of Sensitive Personal Information. You have the right to direct SOVA to limit its use of your sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those services or goods. SOVA uses sensitive personal information only for the purposes described in this Notice and as necessary to provide the SOVA Services.
Right of Non-Discrimination. SOVA will not discriminate against you for exercising any of your rights under CCPA/CPRA. See the Non-Discrimination section below.
Note on requests directed to Customers. Where SOVA processes personal information about you on behalf of a Customer (for example, your employer, a property where you work, or a venue where you visited), the Customer is the “business” for that information under CCPA/CPRA, and you should direct your rights requests to that Customer in the first instance. SOVA assists Customers in responding to verified requests as required by law.
How to Exercise Your Rights
If you are a California resident and would like to exercise any of the rights described above, you may submit a request to SOVA by either:
- Sending an email to privacy@sovasystems.com with “California Privacy Request” in the subject line; or
- Calling SOVA at +1 844-961-3690.
You do not need to create an account with SOVA to submit a request. To help SOVA respond to your request, please include sufficient information for SOVA to understand your request and verify your identity.
Verification. SOVA will take reasonable steps to verify your identity before responding to your request. The verification process depends on the nature of the request and the sensitivity of the personal information at issue. For most requests, SOVA will ask you to provide identifying information that SOVA can match to information in its records. SOVA may require additional verification for requests involving sensitive personal information or requests for specific pieces of personal information. SOVA will only use information you provide for verification to verify your identity, except as required by law.
Response Times. SOVA will confirm receipt of your verifiable request within ten (10) business days and will respond substantively to your request within forty-five (45) calendar days, subject to extensions permitted under CCPA/CPRA. If SOVA cannot verify your identity, SOVA will inform you of the reason and any options to proceed.
Fees. SOVA does not charge a fee to process or respond to a verifiable consumer request unless the request is excessive, repetitive, or manifestly unfounded. If SOVA determines that a request warrants a fee, SOVA will explain the basis for the determination and provide a cost estimate before completing the request.
Authorized Agents
You may designate an authorized agent to submit requests under CCPA/CPRA on your behalf. To use an authorized agent, the agent must provide SOVA with:
- Written permission from you authorizing the agent to act on your behalf, signed by you;
- Verification of the agent’s identity; and
- Verification of your identity, unless you have provided the agent with a power of attorney executed pursuant to California Probate Code §§ 4000-4465.
SOVA may deny a request from an agent that does not submit proof that the agent is authorized to act on your behalf.
Non-Discrimination
SOVA will not discriminate against you for exercising any of your rights under CCPA/CPRA. SOVA will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through the use of discounts or other benefits, or impose penalties;
- Provide you with a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Annual Request Metrics
To the extent required by CCPA/CPRA and the regulations issued by the California Privacy Protection Agency, SOVA will publish annual metrics regarding the number of requests received and SOVA’s response performance. As of the date of this Notice, SOVA has not received a sufficient volume of California consumer rights requests to be subject to the published-metrics threshold. SOVA will update this Notice with annual metrics if and when SOVA becomes subject to the publishing requirement.
Residents of Other U.S. States
A number of U.S. states other than California have enacted comprehensive consumer privacy laws, including (as of the effective date of this Notice) Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Each of these laws generally requires businesses meeting certain size or activity thresholds to provide privacy disclosures and respect consumer privacy rights.
Threshold and applicability. SOVA is a small business and, based on SOVA’s current operations, does not believe that it meets the size, revenue, or consumer-volume thresholds that would make it directly subject to the comprehensive privacy laws of most U.S. states. The applicable thresholds vary by state and typically require processing the personal data of at least 35,000 to 100,000 residents of the state, or deriving a substantial portion of revenue from the sale of personal data, neither of which applies to SOVA. SOVA does not sell personal data and does not engage in cross-context behavioral advertising.
SOVA’s policy. Notwithstanding the threshold question, SOVA extends substantially the same privacy practices and substantially the same consumer rights to residents of all U.S. states, regardless of whether the relevant state law would technically require it. The disclosures made in this Notice with respect to categories collected, sources, business purposes, third parties to whom we disclose, sale and sharing, and retention apply to all U.S. residents.
Rights available to residents of other U.S. states. Residents of states with comprehensive privacy laws generally have the following rights, which SOVA will honor on the same basis as the California rights described in this Notice:
- Right to access the personal information SOVA has collected about you
- Right to delete personal information SOVA has collected about you, subject to applicable exceptions
- Right to correct inaccurate personal information
- Right to data portability — to receive a copy of your personal information in a portable, readable format
- Right to opt out of the sale of your personal information, of targeted advertising, and of certain forms of profiling (SOVA does not sell personal information, does not engage in targeted advertising, and does not engage in profiling that produces legal or similarly significant effects on individuals without human involvement)
- Right to consent (or to revoke consent) for the processing of sensitive personal information, where required
- Right to appeal SOVA’s response to a privacy rights request, where required by state law
- Right of non-discrimination for exercising privacy rights
Universal opt-out preference signals. The SOVA marketing website honors the Global Privacy Control (GPC) signal as a recognized universal opt-out preference signal under the laws of California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas, and any other state that recognizes a similar signal. As noted above, SOVA does not sell personal information or engage in cross-context behavioral advertising; the GPC signal is honored to confirm that no such activity occurs with respect to the visitor sending the signal.
State-specific notes.
- Texas. The Texas Data Privacy and Security Act applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents and process personal data, with limited exemptions for small businesses as defined by the U.S. Small Business Administration. Texas residents have the rights described above and may submit requests using the contact methods described in How to Exercise Your Rights.
- Virginia, Colorado, Connecticut, Utah, Indiana, Kentucky, Iowa, Tennessee, Montana, New Jersey, New Hampshire, Maryland, Minnesota, Delaware, Nebraska, Rhode Island, and Oregon. These states’ comprehensive privacy laws generally follow a similar framework: rights of access, deletion, correction (in most), portability, and opt-out of sale, targeted advertising, and certain profiling, plus opt-in consent for processing of sensitive personal information. SOVA honors these rights on the same basis as the California rights described in this Notice. Residents of these states may submit requests using the contact methods described in How to Exercise Your Rights.
- Florida. The Florida Digital Bill of Rights has narrower applicability than other state laws and currently applies primarily to businesses with more than $1 billion in annual revenue. SOVA does not meet this threshold but extends the same rights described above to Florida residents.
- Illinois (Biometric Information Privacy Act). The Illinois Biometric Information Privacy Act (BIPA) imposes specific consent and disclosure requirements for the collection of biometric identifiers and biometric information. SOVA’s biometric features are disabled by default for all Customers and may be enabled at a Customer site only following execution of the SOVA Biometric Data Addendum and legal review of the applicable jurisdiction’s requirements, including BIPA where applicable. Customers operating in Illinois are responsible for obtaining required written releases and providing required disclosures to individuals before enabling biometric features at an Illinois site.
- Washington (My Health My Data Act). The Washington My Health My Data Act imposes specific requirements on the processing of consumer health data of Washington residents. Customers using the Employee Accident Report (EAR) module or other modules that may involve health-related information of Washington residents are responsible for compliance with applicable state health information privacy laws.
Submitting requests. Residents of other U.S. states may exercise their privacy rights using the same contact methods described in
How to Exercise Your Rights. SOVA will respond to verifiable requests within the time periods required by applicable state law (generally 45 days, with permitted extensions). Where a state law provides for a right to appeal SOVA’s response, that right is available by contacting
privacy@sovasystems.com with “Privacy Appeal” in the subject line.
Requests directed to Customers. As described above with respect to California, where SOVA processes personal information about you on behalf of a Customer (your employer, a property where you work, or a venue where you visited), the Customer is the “controller” or “business” for that information under the applicable state law, and you should direct your rights requests to that Customer in the first instance. SOVA assists Customers in responding to verified requests as required by law.
Changes to this Notice
SOVA may update this Notice from time to time to reflect changes in our practices or applicable law. The “Last Updated” date at the top of this Notice indicates when it was last revised. If we make material changes, we will provide notice through the SOVA Services or by other appropriate means.
If you have questions or requests regarding this Notice or SOVA’s privacy practices generally, contact us at:
SOVA Systems LLC
Attn: Privacy Team
PO Box 600063
San Diego, CA 92160
Phone: +1 844-961-3690