Summary: CoverVault is designed with privacy first. We collect only what is necessary to provide the service, never sell your data, and give you full control to export or delete everything at any time.
1. Who We Are
CoverVault ("we", "us", "our") is an insurance management application operated from the United Kingdom. We are the data controller for personal data processed through the CoverVault app and website.
For all privacy enquiries, contact us at privacy@covervault.co.uk.
This policy applies to users of the CoverVault mobile app and website (www.covervault.co.uk). It is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
Account data
- Full name and email address — provided when you register
- Password — stored as a one-way bcrypt hash; we cannot read it
- Account creation date and last login timestamp
Policy metadata
- Insurance policy information you enter or that our AI extracts from your documents (insurer name, policy type, renewal date, premium, policy number, named insured, vehicle registration)
- AI-generated plain-English summaries of your policy documents
- Notes and policy group names you add manually
Policy metadata is synced to our servers so your policies are available across all your devices. Your original PDF files are processed for analysis and are not stored permanently on our servers.
Document data
- PDF files you upload are sent to our server for AI analysis, then discarded — they are not retained after analysis is complete
- Images you attach to policies are stored locally on your device only
Subscription and billing data
- Subscription status, plan type, and entitlement period — managed through Google Play, Apple App Store, and RevenueCat
- Promo code redemption records
- Payment processing is handled entirely by Google Play / Apple App Store — we never receive or store your card details
Technical data
- App version, platform (iOS/Android/web), and device type — included only in bug reports you submit voluntarily
- We do not use analytics SDKs, advertising networks, or social media trackers of any kind
3. How We Use Your Data
We use your personal data only to provide and improve the CoverVault service:
- Creating and managing your account
- Processing uploaded documents through AI to generate policy summaries
- Syncing your policy metadata across your devices
- Sending renewal reminders and notifications you have enabled
- Managing your subscription and entitlements
- Responding to support requests or bug reports you submit
- Complying with our legal obligations
Our lawful basis for processing is the performance of a contract (providing the service you signed up for) and, where applicable, your consent (notifications) or our legitimate interests (security and fraud prevention).
4. AI Document Processing
When you upload a policy PDF, the document text is extracted and sent to OpenAI's API to generate a plain-English summary. We pass store: false on every request — OpenAI is contractually prohibited from retaining or training on this data.
OpenAI processes data on servers located in the United States. This constitutes a transfer of personal data outside the UK. We rely on OpenAI's UK GDPR-compliant data processing agreement and Standard Contractual Clauses as the safeguard for this transfer.
Your original PDF files are deleted from our servers after analysis is complete. Only the extracted metadata and AI-generated summary are retained (synced to your account).
5. Third-Party Services
OpenAI (AI analysis)
Processes document text to generate policy summaries. Zero data retention policy applied. OpenAI Privacy Policy →
RevenueCat (subscription management)
Manages in-app subscription entitlements. Receives your app user ID and purchase receipts from the app store. RevenueCat Privacy Policy →
Google Play / Apple App Store (payments)
Handles all payment processing. CoverVault never receives your payment card details.
Resend (transactional email)
Used to send account verification emails and password reset codes. Only your email address is shared for this purpose. Resend Privacy Policy →
We do not sell, rent, or share your personal data with any other third parties.
6. Data Retention
- Account data is retained for as long as your account is active
- Policy metadata and AI summaries are retained until you delete them or delete your account
- On account deletion, all server-side data is permanently erased within 30 days
- Device-only data (PDFs, images, local settings) is removed when you delete the app or use "Delete All Data" in Profile
- Bug reports may be retained for up to 12 months for quality improvement purposes
- PDF files uploaded for analysis are deleted immediately after the analysis response is returned
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — Request a copy of all data we hold about you
- Right to rectification — Correct inaccurate personal data
- Right to erasure — Request deletion of your account and all associated data (available directly in Profile → Delete Account)
- Right to data portability — Export your policy data in JSON format (available in Profile → Export Data)
- Right to restrict processing — Limit how we use your data in certain circumstances
- Right to object — Object to processing based on legitimate interests
- Rights related to automated decision-making — We do not make legally significant automated decisions about you
To exercise any of these rights, contact us at privacy@covervault.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Security
We take appropriate technical and organisational measures to protect your personal data:
- All data is transmitted over encrypted HTTPS connections (TLS 1.2+)
- Passwords are hashed using bcrypt — we cannot retrieve your password
- Authentication uses short-lived signed JWT tokens
- Android app backup is disabled to prevent sensitive data appearing in Google Drive backups
- Raw policy document content is not stored on our servers
- Policy metadata is stored in an encrypted PostgreSQL database
9. Children
CoverVault is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with their data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the app before they take effect. The date at the top of this page shows when it was last updated. Continued use of the app after changes constitutes acceptance of the updated policy.
For any privacy-related questions, data requests, or to exercise your rights:
Information Commissioner's Office (ICO): ico.org.uk