LAST UPDATED: May 6, 2026
SOVA Systems LLC, a California limited liability company (“SOVA” or “we”), wants our customers (“Customers”) and the individuals who use the SOVA platform on Customers’ behalf (“Users”) to be familiar with how we collect, use, share, and store information in connection with our services.
This SOVA Services Privacy Policy (“
Privacy Policy”) describes SOVA’s practices regarding information collected through the SOVA platform, including the authenticated web portal accessible at
https://sovasystems.com/users/login, the SOVA mobile applications for Android and other supported platforms, and related back-end services (collectively, the “
SOVA Services”). Information collected through SOVA’s public marketing website is governed by the SOVA
Website Privacy Policy.
SOVA’s relationship is with the Customer, not directly with Users. When SOVA processes personal data through the SOVA Services on a Customer’s behalf, SOVA acts as a service provider or processor under applicable law, and the Customer is the controller or business responsible for that processing. Users who have questions about how their information is collected and used through their employer’s or property’s use of the SOVA Services should contact the Customer in the first instance. Users who are uncertain about whom to contact may reach SOVA at
privacy@sovasystems.com.
Contents of this Privacy Policy
Scope and Roles
SOVA processes two general categories of personal data through the SOVA Services:
- Account Data — information about Customers and their authorized administrators that SOVA collects to manage the contractual relationship, provision the SOVA Services, send service communications, and bill for the SOVA Services. SOVA acts as a controller with respect to Account Data and processes it in accordance with this Privacy Policy.
- Customer Data — information that Customers and their Users submit, upload, or generate through the SOVA Services in the course of operating their security and incident management programs, including information about employees, contractors, guests, visitors, persons of interest, vehicles, and incidents. SOVA acts as a service provider or processor with respect to Customer Data and processes it on the Customer’s instructions and in accordance with the Customer’s agreement with SOVA, including any applicable Data Processing Agreement.
The categories of personal data collected through the SOVA Services depend on whether the data is Account Data or Customer Data and on which Services and features the Customer enables. Categories may include:
Identifiers and contact information. Name, work email address, phone number, employer, job title, employee ID, username, and password (stored as a hash).
Device and technical information. IP address, device identifier (such as a SOVA-issued device ID), device make and model, operating system and version, browser type and version, screen resolution, language preference, and connection information. For the SOVA mobile applications, this also includes mobile network information, device permissions granted to the app, and crash and diagnostic data.
Usage information. Logs of actions performed in the SOVA Services, including login events, screens viewed, features used, tour and patrol activity, checkpoint scans, incident reports created, lookups performed, and timestamps of these events.
Geolocation data. Real-time and historical location data captured from the SOVA mobile applications when an officer or other User is logged in. See
Location Data below.
Photographs and images. Photos captured or uploaded through the SOVA Services, including incident scene photos, lost-and-found item photos, package shipping label photos, tour checkpoint photos, optional User profile photos, and visitor badge photos taken via webcam at check-in.
Audio recordings. Voice notes recorded by Users to assist with incident report drafting, audio captured for use with in-app speech-to-text transcription, and recorded witness statements.
Video. Short video clips captured for incident reporting, and live video streams transmitted from a User’s mobile device to a dispatch operator within the same property network. The SOVA Services do not currently integrate with venue closed-circuit television systems, and live streams are not made publicly available on the internet.
Driver license data. Information extracted from PDF417 barcodes on government-issued driver licenses or identification cards, where Customers enable the license-scanning feature for visitor check-in or related workflows. See
Driver License Scanning below.
Visitor and guest information. Information collected by Customers about visitors, guests, and other individuals interacting with a property, which may include name, photograph, contact information, vehicle information, reason for visit, and check-in and check-out times.
Incident content. Information generated and entered by Users in the course of incident reporting, including narrative descriptions, classifications, time stamps, location, witness statements, and information about parties involved.
Other content uploaded by Customers and Users. Documents, spreadsheets, PDFs, and other files uploaded to the SOVA Services may contain personal data depending on what the Customer or User chooses to upload.
SOVA uses information collected through the SOVA Services for the following purposes:
- To provide, operate, and maintain the SOVA Services
- To provide Customer and User support
- To authenticate Users, manage user sessions, and protect account security
- To enable features that Customers have configured, including geolocation, audio capture, video capture, license scanning, and incident reporting
- To diagnose, troubleshoot, and resolve technical issues
- To monitor, secure, and improve the SOVA Services, including by preventing fraud, abuse, and unauthorized access
- To send service-related communications, such as security alerts, system notifications, and updates regarding the SOVA Services
- For internal business purposes, such as analytics, benchmarking, audits, capacity planning, and product development
- To comply with applicable law and respond to lawful requests from public authorities
- To enforce SOVA’s agreements with Customers and to protect SOVA’s rights, property, and safety, and the rights, property, and safety of our Customers and others
- For other purposes with the Customer’s instructions or with appropriate consent
Where SOVA processes Customer Data, SOVA does so only for the purposes described in this Privacy Policy and in the Customer’s agreement with SOVA, and SOVA does not retain, use, or disclose Customer Data for any purpose other than the specific business purpose of providing the SOVA Services to that Customer or as otherwise permitted by applicable law.
SOVA does not sell personal data and does not share personal data for cross-context behavioral advertising. SOVA may share personal data as follows:
- With the Customer. Customer Data is made available to the Customer that controls the account and to authorized Users of that Customer in accordance with the Customer’s configuration of the SOVA Services.
- With service providers and subprocessors. SOVA engages third-party service providers, including cloud infrastructure providers, storage providers, communications providers, and analytics providers, to support the operation of the SOVA Services. These providers are bound by contract to use personal data only to provide services to SOVA and to apply appropriate confidentiality and security protections. See Subprocessors below.
- For legal and safety reasons. SOVA may disclose personal data when SOVA believes in good faith that disclosure is necessary to comply with applicable law, respond to lawful requests from public authorities, enforce SOVA’s agreements, or protect the rights, property, or safety of SOVA, our Customers, our Users, or others.
- In connection with business transfers. In connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, personal data may be transferred to the successor or acquirer. SOVA will provide notice of any such transfer that materially affects how personal data is handled.
- With the Customer’s direction. SOVA may share Customer Data with third parties at the Customer’s direction, including where the Customer authorizes integration with a third-party product or service.
Subprocessors
SOVA maintains a current list of subprocessors used to deliver the SOVA Services. The list, including the categories of personal data each subprocessor may process and the location of processing, is available at https://support.sovasystems.com/portal/en/kb/articles/subprocess.
Cookies in the Authenticated Portal
The authenticated SOVA web portal uses cookies to operate properly. The mobile applications do not use web cookies; they use platform-native storage mechanisms instead.
Strictly necessary cookies. The portal sets a session cookie (sova-php) used to maintain authenticated sessions. The session cookie is HttpOnly and is set as Secure when the connection is over HTTPS. The portal is served behind Cloudflare as a content delivery and security network, which sets cookies (such as __cf_bm and cf_clearance) used for bot mitigation, security challenges, and rate limiting. These cookies are required for the portal to function and cannot be disabled without affecting access.
Authentication convenience cookies. If a User checks the “remember me” option at login, the portal sets encrypted cookies (CakeCookie[email] and CakeCookie[password]) that allow the User to be recognized on return visits. These cookies expire after four weeks and are set only when the User affirmatively chooses to use the feature.
Workflow cookies. Short-lived cookies are used to support specific workflows, including a customer-service validation cookie (CakeCookie[customer_service_<userId>]) that expires after a few minutes, and a flow-specific cookie (Auth.EarManager and an associated location cookie) used by the Equipment, Asset, and Resource manager login flow that expires after 72 hours.
User interface preference cookies. The portal uses cookies to remember non-essential interface preferences across sessions, including dismissal of informational banners (such as the alpha environment banner), map zoom level on dispatch and map pages, and dismissal of visitor-page scan instructions. These cookies do not contain personal data and exist solely to keep the interface consistent for the User.
The authenticated portal does not use third-party advertising or behavioral-tracking cookies, and SOVA does not allow third parties to track Users across other websites for advertising purposes through the SOVA Services.
Location Data
The SOVA mobile applications collect real-time geolocation data when a User is logged in to the application. Location collection is continuous while the User remains logged in and is required for SOVA’s core security operations features, including patrol verification, officer dispatch, and incident response.
Geolocation data is recorded against a SOVA-issued device identifier. During a User’s logged-in shift, the User’s identity is associated with that device identifier, so geolocation collected during the shift is identifiable to the User. Location collection stops when the User logs out of the application. The SOVA mobile applications do not collect location data when no User is logged in.
While location collection is active, the device displays a persistent system notification consistent with the operating system’s requirements for foreground location services. Users acknowledge their understanding of location collection through the SOVA
Platform User Agreement, which is presented for acceptance at first login and on material updates.
Location data is shared with the Customer that operates the property at which the User is working and is used by the Customer for security operations purposes. Customers are responsible for providing required notices to, and obtaining required consents from, their employees, contractors, and other Users in compliance with applicable workplace privacy and electronic monitoring laws.
Audio, Video, and Image Capture
The SOVA Services support optional audio, video, and image capture features that Customers may enable for their operations, including:
- Voice notes and audio recordings made by Users to support incident reporting
- In-app speech-to-text transcription of audio captured by the User
- Recorded witness statements captured during incident response
- Photographs of incident scenes, lost-and-found items, packages, tour checkpoints, and visitors
- Short video clips captured during incident reporting
- Live video streamed from a User’s mobile device to a dispatch operator within the same property network
Customers are responsible for ensuring that audio, video, and image capture through the SOVA Services complies with applicable law, including consent requirements under wiretap laws (such as the federal Wiretap Act and any applicable state two-party consent laws), workplace privacy laws, and laws governing the collection of images of identifiable individuals.
Driver License Scanning
Where Customers enable the driver license scanning feature, the SOVA Services read the PDF417 barcode on government-issued driver licenses and identification cards in accordance with the AAMVA standard. Information extracted from the barcode may include name, address, date of birth, license number, license expiration date, license issuing jurisdiction, and physical descriptors encoded on the barcode.
This information is used to support the Customer’s visitor check-in, identity verification, and related workflows. Driver license data is treated as Customer Data and is processed on the Customer’s instructions. Customers are responsible for compliance with the federal Driver’s Privacy Protection Act (DPPA) and any applicable state laws governing the collection, use, and retention of driver license data.
Certain SOVA modules, including the Employee Accident Report (EAR) module and other Customer-enabled features, may involve the collection of information that relates to an individual’s health, injury, or medical treatment. Such information is treated as Customer Data and is processed on the Customer’s instructions in accordance with this Privacy Policy and the Customer’s agreement with SOVA.
SOVA is not currently a “business associate” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the SOVA Services are not represented to be configured to meet the requirements of the HIPAA Security Rule or Privacy Rule. SOVA does not currently sign Business Associate Agreements as part of the standard SOVA Services offering.
Health-related information may also be subject to other federal, state, and provincial laws, including the California Consumer Privacy Act and California Privacy Rights Act (which treat certain health information as “sensitive personal information”), Washington’s My Health My Data Act, state workers’ compensation confidentiality requirements, and similar laws in other jurisdictions. Customers are solely responsible for assessing the application of HIPAA, state health information privacy laws, workers’ compensation confidentiality requirements, and other applicable laws to their use of the SOVA Services, for providing required notices to and obtaining required consents from individuals, and for configuring their use of the SOVA Services to comply with those laws.
Biometric Data
The SOVA Services support optional features that may involve the processing of biometric identifiers or biometric information, as those terms are defined under applicable law (including the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, the Washington biometric privacy statute (RCW 19.375), and the California Consumer Privacy Act and California Privacy Rights Act). Biometric features are disabled by default for all Customers.
Biometric features may be enabled at a Customer site only after legal review of the applicable requirements in the jurisdiction in which the site is located and execution of the SOVA Biometric Data Addendum, which is executed alongside the Master Services Agreement and Data Processing Agreement. Where biometric features are enabled, SOVA processes biometric data only on the Customer’s instructions and in accordance with the Biometric Data Addendum. The Customer is responsible for providing required notices to, and obtaining required consents from, individuals whose biometric data is processed.
Automated Processing and Machine Learning
SOVA may use automated processing and machine learning techniques as part of the SOVA Services, including for purposes such as searching, classifying, and organizing content; suggesting incident report content; auto-populating fields based on uploaded images; performing analytics on aggregated and de-identified data; and detecting anomalies, fraud, and security threats.
SOVA does not use Customer Data to make decisions that produce legal or similarly significant effects on Users without human involvement. Customers are responsible for any decisions they make based on outputs from the SOVA Services and for ensuring that any such decisions comply with applicable law.
Your Rights and Choices
Depending on where you reside, you may have rights regarding personal data SOVA holds about you, including the rights to access, correct, delete, or obtain a copy of your personal data, and to opt out of certain uses of your personal data.
If SOVA processes your personal data on behalf of a Customer — for example, if you are an employee, contractor, visitor, or guest of a Customer property — please direct your request to that Customer in the first instance, as the Customer is the controller of your data. SOVA will assist Customers in responding to verified requests as required by law.
If SOVA holds your personal data as Account Data — for example, as the authorized administrator of a Customer account — you may submit your request to
privacy@sovasystems.com. We will respond within the timeframe required by applicable law and may need to verify your identity before processing your request.
California Residents
California residents have specific rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA/CPRA”). For SOVA’s detailed disclosures required by California law, including categories of personal information collected, sources, business purposes, third parties to whom we disclose, and retention information, please see our California Privacy Rights notice.
Service Provider designation. When SOVA processes Customer Data on a Customer’s behalf, SOVA acts as a “service provider” under CCPA/CPRA. SOVA does not retain, use, or disclose Customer Data for any purpose other than the specific business purpose of providing the SOVA Services to the Customer or as otherwise permitted by CCPA/CPRA. SOVA does not sell or share Customer Data within the meaning of CCPA/CPRA.
Other U.S. State Privacy Laws
Residents of certain other U.S. states have rights regarding personal data under their state laws, which may include the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, and similar successor or new laws as they take effect. When SOVA processes personal data on a Customer’s behalf under these laws, SOVA acts as a processor.
To exercise rights available to you under your state’s law with respect to information SOVA holds about you, follow the procedures described in
Your Rights and Choices above.
Canadian Residents
SOVA processes personal data of Canadian residents in connection with SOVA Services delivered at certain Customer properties located in Canada. Canadian residents may have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws, including Quebec’s Act respecting the protection of personal information in the private sector (Law 25).
Where SOVA processes personal data of Canadian residents on a Customer’s behalf, please direct rights requests to the Customer in the first instance. To contact SOVA, write to
privacy@sovasystems.com.
You and SOVA confirm that it is our wish that this Privacy Policy and all related policies be drawn up in English.
Vous reconnaissez avoir exigé la rédaction en anglais du présent document ainsi que tous les documents qui s’y rattachent.International Data Transfers
SOVA is established in the United States. The SOVA Services are hosted on infrastructure located in the United States, and personal data processed through the SOVA Services is stored in the United States. Where SOVA processes personal data of individuals located outside the United States, including Canadian residents at properties served by SOVA, that data is transferred to and processed in the United States, where data protection laws may differ from those in the individual’s jurisdiction. SOVA protects personal data in accordance with this Privacy Policy and applicable law regardless of where it is processed or stored.
SOVA does not currently target or offer the SOVA Services to customers or end users in the European Union, the European Economic Area, the United Kingdom, or Switzerland. If SOVA engages with a Customer that requires processing of personal data of EU, EEA, UK, or Swiss data subjects, SOVA will execute its EU/UK Transfer Addendum alongside the Data Processing Agreement, incorporating the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and equivalent protections under the revised Swiss Federal Act on Data Protection.
Retention
Retention of Customer Data is governed by the Customer’s agreement with SOVA and the Customer’s configured retention policies. Customers are responsible for setting appropriate retention periods for the categories of Customer Data they collect through the SOVA Services. SOVA retains Customer Data only for as long as needed to provide the SOVA Services to the Customer in accordance with that agreement.
SOVA retains Account Data for as long as the Customer relationship is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. SOVA may retain anonymized or aggregated data, which does not identify any individual, indefinitely.
Image, audio, video, and document files uploaded to the SOVA Services are stored in encrypted form in transit and at rest, on infrastructure operated by SOVA’s cloud storage subprocessor, and are retained according to the Customer’s retention policy.
Security
SOVA uses organizational, technical, and administrative measures to protect personal data processed through the SOVA Services, including encryption in transit and at rest, access controls, authentication and authorization mechanisms, network security controls, and regular monitoring. No system or method of internet transmission can be guaranteed to be 100% secure. The technical and organizational measures applicable to a particular Customer’s use of the SOVA Services are described in the Customer’s agreement with SOVA, including the Data Processing Agreement where executed.
If you have questions about the security of personal data processed through the SOVA Services, contact
privacy@sovasystems.com.
Use of the SOVA Services and Children
The SOVA Services are not directed at children. The SOVA Services are operated by Customers in commercial and hospitality settings, and SOVA does not knowingly collect personal data directly from children.
SOVA recognizes that Customer Data submitted to the SOVA Services may incidentally include information about minors — for example, a guest record for a family checking into a hotel, or a lost-and-found record for an item belonging to a child. Such information is treated as Customer Data and is processed on the Customer’s instructions in accordance with this Privacy Policy and the Customer’s agreement with SOVA. Customers are responsible for compliance with applicable laws governing the collection and processing of minors’ personal data.
Changes to this Privacy Policy
SOVA may update this Privacy Policy from time to time to reflect changes in our practices, the SOVA Services, or applicable law. The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised. If we make material changes, we will provide notice through the SOVA Services or by other appropriate means. Continued use of the SOVA Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
If you have questions or requests regarding this Privacy Policy, contact us at:
SOVA Systems LLC
Attn: Privacy Team
PO Box 600063
San Diego, CA 92160
Phone: +1 844-961-3690
Please include sufficient information so that we can understand and respond to your specific question or request.