Privacy Policy

1. Introduction

Covrly ("we," "us," or "our") operates the Covrly service, a B2B SaaS platform for analyzing HOA documents. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. By using Covrly, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account & Profile Data

• •Email address, full name, hashed password (managed by Supabase Auth)
• •Subscription plan and billing status

2.2 Organization & Team Data

• •Organization name, slug, and subscription plan
• •Team member email addresses and roles (owner, admin, member, client)
• •White-label branding settings: brand name, primary color, logo image
• •Invitation tokens and acceptance timestamps

2.3 Document Data

• •PDF files: Uploaded PDFs are stored temporarily and permanently deleted from our servers immediately after text extraction is complete. We do not retain the original PDF.
• •Extracted text and analysis: The text content, extracted rules, risk classifications, and AI-generated summaries are retained to power the Service.
• •Document metadata: file name, file size, upload date, processing status

2.4 Usage Data

• •Questions asked via the Q&A feature and AI-generated answers (stored per document)
• •Compliance report generation events and quarterly digest data
• •Feature interaction logs, timestamps, and document upload counts

2.5 Technical Data

• •IP address, browser type, device type (collected via Vercel infrastructure logs)
• •Authentication session tokens (managed via Supabase, stored as secure cookies)

3. How We Use Your Data

• •To provide, operate, and improve the Service
• •To process payments and manage subscriptions
• •To send transactional emails: document ready notifications, team invitations, quarterly compliance digests
• •To enforce usage limits (monthly document quotas per plan)
• •To provide customer support
• •To detect and prevent fraud or abuse
• •To send product updates and important service announcements (you may opt out of marketing emails)

We do not use your documents or Q&A history to train AI models. Document content sent to AI providers for analysis is processed transiently and not retained by those providers for training purposes under our agreements with them.

4. Data Sharing Within Your Organization

Covrly is a team product. When you are a member of an organization:

• •All documents uploaded by any team member are visible to all members (owner, admin, member) within the same organization.
• •Client-role users can view and query documents within the organization but cannot upload documents or access billing information.
• •Your name and email address are visible to organization owners and admins.
• •Compliance digest reports aggregate data from all team members and may be sent to org owners quarterly.

5. Third-Party Services

We use the following third-party services to operate Covrly:

• •Supabase: Database, file storage, and authentication. Data is stored in their managed infrastructure.
• •Anthropic (Claude API): AI analysis, rule extraction, and Q&A. Document text is sent to Anthropic for processing. Anthropic does not use API inputs to train models.
• •Paddle: Payment processing and subscription management. We do not store your card details; Paddle handles all payment data.
• •Resend: Transactional email delivery (invitations, document notifications, quarterly digests).
• •Vercel: Application hosting and edge infrastructure.

Each provider has its own privacy policy. We recommend reviewing them. We only share the minimum data necessary for each service to function.

6. Data Retention

• •PDF files: Deleted immediately after text extraction. Never stored long-term.
• •Account and document data: Retained while your account or organization is active.
• •After cancellation: Data is retained for 90 days, then permanently deleted. You may request immediate deletion at any time.
• •Org logo uploads: Stored in Supabase Storage and retained until replaced or organization is deleted.

7. Data Security

All data is encrypted in transit (HTTPS/TLS) and at rest within Supabase's infrastructure. Access to your data is controlled via Row Level Security (RLS) policies; users can only access data they are authorized to see. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• •Access the personal data we hold about you
• •Correct inaccurate or incomplete data
• •Request deletion of your data (right to be forgotten)
• •Export your data in a portable format
• •Object to or restrict certain processing
• •Withdraw consent at any time (where processing is based on consent)

To exercise these rights, contact us at support@covrly.com. We will respond within 30 days.

9. Cookies

Covrly uses essential cookies only: authentication session tokens required to keep you logged in. We do not use advertising cookies or third-party tracking cookies. You can clear cookies via your browser settings, which will log you out of the Service.

10. GDPR (EU Users)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases: (a) contract performance: to provide the Service you subscribed to; (b) legitimate interests: to operate and improve the Service; (c) legal obligation: where required by law. You have the right to lodge a complaint with your local data protection authority.

11. Children's Privacy

Covrly is a B2B service intended for business use only. We do not knowingly collect data from individuals under 18. If you believe a minor has provided us with data, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.