Privacy Policy
Effective Date: March 15, 2026 | Last Updated: March 15, 2026
Cova ("we," "us," or "our") operates the Cova mobile application, website, and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.
By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Email address, display name, Firebase user ID | Account creation, authentication, communication |
| Claim Information | Loss description, dates, room names, damage descriptions | Core Service functionality |
| Property Photos | Photos of property damage, rooms, and areas | AI damage analysis, documentation |
| Insurance Documents | Insurance policy PDFs, adjuster estimate PDFs | Policy parsing, estimate review |
| Policy Details | Deductible, coverage limits, policy number, property address | Coverage context, educational analysis |
| Personal Property Inventory | Item names, categories, values, purchase dates, receipt photos | Personal property documentation |
| Living Expense Records | Expense types, amounts, vendors, dates, receipt photos | Additional living expense tracking |
| Waitlist Information | Email address | Pre-launch communication |
1.2 Information Collected Automatically
- Device information: Device type, operating system, app version
- Usage data: Features accessed, timestamps, API requests
- Firebase Analytics: Anonymous usage statistics (if enabled)
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process your photos and documents through AI analysis
- Generate educational damage reports and estimate reviews
- Authenticate your identity and secure your account
- Communicate with you about the Service (updates, support)
- Comply with legal obligations
We do not use your information to:
- Sell or rent your personal information to third parties
- Display targeted advertising based on your claim data
- Contact your insurance company or any third party on your behalf
- Train AI models on your personal data (see Section 3)
3. Third-Party Data Processing
Your data is transmitted to third-party services for processing. Please review this section carefully.
3.1 OpenAI
We use OpenAI's API (GPT-4o model) to power our AI analysis features. When you use these features, the following data is sent to OpenAI:
- Photo analysis: Your property photos are sent as base64-encoded images
- Document parsing: Text extracted from your insurance policy and estimate PDFs
- Claim context: Loss descriptions, room names, and damage descriptions
- Policy context: Coverage limits, deductibles, and exclusion summaries
Per OpenAI's API data usage policy, data sent via their API is not used to train their models. However, OpenAI may retain API inputs for up to 30 days for abuse monitoring purposes. See OpenAI's API Data Usage Policies for current details.
3.2 Google Firebase / Cloud Services
We use Google Cloud services for infrastructure:
- Firebase Authentication: Account creation and login management
- Google Cloud Firestore: Storage of your claim data, analysis results, and account information
- Google Cloud Run: Backend application hosting
Data stored in Firestore is located in the United States (us-central1 region). See Google Cloud Privacy for details.
3.3 No Other Third-Party Sharing
We do not share your personal information with any other third parties except:
- When required by law, court order, or governmental request
- To protect our rights, safety, or property, or the rights, safety, or property of others
- In connection with a merger, acquisition, or sale of assets (with notice to you)
4. Data Storage and Security
4.1 Where Your Data is Stored
- Account and claim data: Google Cloud Firestore (US)
- Photos: Stored within Firestore documents; also cached locally on your device
- Authentication tokens: Managed by Firebase Authentication
4.2 Security Measures
- All data transmitted between your device and our servers is encrypted via TLS/HTTPS
- Authentication uses Firebase ID tokens with expiration and revocation support
- Claim data is segregated by user ID with server-side ownership verification
- Backend runs on Google Cloud Run with managed security infrastructure
4.3 Limitations
No method of transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account or request deletion |
| Claim data, photos, documents | Until you delete your account or request deletion |
| AI analysis results | Until you delete your account or request deletion |
| Waitlist emails | Until launch or upon request |
| Data sent to OpenAI | Up to 30 days per OpenAI's retention policy |
6. Your Rights
6.1 All Users
Regardless of your location, you may:
- Access your personal data by viewing it in the app
- Request deletion of your account and all associated data by contacting us
- Withdraw consent by stopping use of the Service
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to Know: You may request details about the categories and specific pieces of personal information we collect.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@cova-app.com. We will respond within 45 days.
6.3 European Economic Area / UK (GDPR)
If you are located in the EEA or UK, our legal basis for processing your data is:
- Consent: You consent to data processing when you create an account and use the Service.
- Contract: Processing is necessary to provide the Service to you.
- Legitimate interest: To maintain and improve the Service.
You have additional rights including: access, rectification, erasure, restriction, data portability, and the right to lodge a complaint with a supervisory authority. Contact us at privacy@cova-app.com to exercise these rights.
7. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us personal information, contact us at privacy@cova-app.com.
8. Cookies and Tracking
Our website uses:
- Firebase: For waitlist form submission (stores email and timestamp in Firestore). No tracking cookies.
Our iOS app does not use cookies. We do not use any third-party advertising trackers or analytics cookies on our website at this time.
9. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Notify relevant authorities as required by applicable law
- Provide information about the nature of the breach and steps you can take to protect yourself
10. International Data Transfers
Your data is processed and stored in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. We may also notify you via email for significant changes. Your continued use after changes constitutes acceptance.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights:
Email: privacy@cova-app.com
Subject line: "Privacy Request" for rights requests, "Privacy Question" for general inquiries