All Legal Documents

Privacy Policy

Effective date: April 10, 2026

1. Introduction

This Privacy Policy explains how Cove ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use the Cove platform at joincove.io and app.joincove.io (the "Service").

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Bulgarian Data Protection Act (Закон за защита на личните данни), and all other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

  • Legal name: Версей ЕООД / Versey EOOD
  • UIC (ЕИК): 208443341
  • VAT number: BG208443341
  • Registered address: ul. Alabin 42, ap. 8, Triaditsa district, Sofia 1000, Bulgaria
  • Email: filip@joincove.io
  • Supervisory Authority: Commission for Personal Data Protection (CPDP), Bulgaria — kzld@cpdp.bg, www.cpdp.bg

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account and Profile Data

Data you provide when creating and managing your account:

  • Full name, email address, phone number
  • Profile photo
  • Company name, company address, company logo, business ID, VAT number
  • Business description, website, social media URLs (LinkedIn, X/Twitter)
  • Country, address, postal code
  • Preferred currency, locale, and timezone
  • User type (individual or business) and onboarding preferences

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to create and manage your account and provide the Service.

3.2 Financial and Business Data

Data you create or upload in the course of using the Service:

  • Invoices: Issuer and recipient details, line items, amounts, tax rates, bank account details, payment status
  • Expenses and revenue: Transaction amounts, categories, vendor information, payment methods, receipt images
  • Tax records: Tax types, payment amounts, periods, deadlines
  • Client data: Client names, company names, contact persons, email addresses, phone numbers, addresses, VAT numbers, business IDs
  • Product/service catalog: Product names, descriptions, prices, tax rates, stock levels
  • Payroll records: Employee salary breakdowns, tax withholdings, social security contributions, net pay

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the invoicing, expense tracking, tax compliance, and other core features of the Service.

3.3 Employee and HR Data

If you use the HR features, you may input data about your employees:

  • Personal information: full name, date of birth, gender, marital status, nationality, national ID, tax ID
  • Contact information: email, phone, address
  • Employment details: job title, department, employment type, contract terms, start/end dates
  • Financial details: salary, bank account information, health insurance, retirement plan details
  • Emergency contacts, certifications, skills, performance ratings

Important: When you input employee data, you are the data controller for that data, and we act as your data processor. You are responsible for ensuring you have a lawful basis to process your employees' personal data and for informing them about such processing. Our Data Processing Agreement governs this relationship.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for providing HR features; Legitimate interest (Art. 6(1)(f) GDPR) for data security.

3.4 Email Integration Data

When you connect a supported email account (currently Gmail, Outlook, Titan Mail, and Zoho Mail):

  • OAuth access tokens and refresh tokens (for Gmail, Outlook, Zoho)
  • Connected email address
  • OAuth scopes granted
  • Token expiry timestamps
  • For Titan Mail: forwarding configuration and confirmation status
  • Message identifiers of processed emails (for deduplication — we do not store email content)
  • Extracted data from email attachments identified as business documents (invoices, receipts)

Legal basis: Consent (Art. 6(1)(a) GDPR) — you explicitly choose to connect your email account. You may withdraw consent at any time by disconnecting the email account.

Google API Limited Use Disclosure: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we only use Gmail data to provide the automated document extraction features you have explicitly enabled, and we do not use Gmail data for advertising, market research, or any unrelated purpose.

3.5 Document Data

Documents you upload or that are extracted from your emails:

  • File content and metadata (name, type, size, upload date)
  • Folder organization and categorization
  • AI extraction results: classified type, extracted fields, confidence scores
  • Approval workflow status and history

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

3.6 Authentication and Security Data

  • Hashed passwords (we never store passwords in plain text)
  • Multi-factor authentication data: TOTP secrets (encrypted), email-based 2FA codes (SHA-256 hashed with expiry)
  • Trusted device tokens (HMAC-SHA256 signed cookies)
  • Session tokens and JWT refresh data
  • Login timestamps and IP addresses for security monitoring

Legal basis: Contract performance (Art. 6(1)(b) GDPR) and Legitimate interest (Art. 6(1)(f) GDPR) — necessary for account security and fraud prevention.

3.7 Automatically Collected Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Referring URL
  • Date and time of access

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — necessary for service operation, security, and improvement.

4. How We Use Your Data

We use your personal data for the following purposes:

| Purpose | Legal Basis | |---|---| | Providing and maintaining the Service | Contract performance | | Processing and managing your invoices, expenses, and financial records | Contract performance | | AI-powered extraction and classification of documents | Consent (for email data); Contract performance (for uploaded documents) | | Sending transactional emails (invoices, verification codes, reminders) | Contract performance | | Account security, fraud detection, and abuse prevention | Legitimate interest | | Responding to support requests | Contract performance | | Complying with legal obligations (tax record retention, law enforcement requests) | Legal obligation | | Improving the Service and fixing bugs | Legitimate interest | | Sending product updates and feature announcements | Legitimate interest (with opt-out) |

We do not use your personal data for:

  • Advertising or ad targeting
  • Selling to third parties
  • Building user profiles for marketing purposes
  • Training AI models with your data

5. AI Processing and Data Transfers

5.1 How AI Processing Works

When you upload documents or connect email accounts, the Service uses artificial intelligence to extract structured data. This process works as follows:

  1. Documents or email attachments are identified as business-relevant (invoices, receipts, contracts)
  2. Document images are compressed and sent to our AI provider's API
  3. The AI provider returns structured data (vendor name, amounts, line items, tax details, dates)
  4. Extracted data is presented to you for review and confirmation
  5. Upon your confirmation, data is stored in your account

5.2 AI Provider

We currently use Anthropic's Claude API for AI processing. Anthropic's API terms state that data submitted through their API is not used to train their models. We maintain a Data Processing Agreement with Anthropic.

5.3 International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure appropriate safeguards are in place for all international transfers:

| Sub-processor | Purpose | Location | Transfer Mechanism | |---|---|---|---| | Supabase | Database, authentication, file storage | US/EU | Standard Contractual Clauses (SCCs) | | Anthropic | AI document extraction | US | Standard Contractual Clauses (SCCs) | | Vercel | Application hosting | US/EU | EU-US Data Privacy Framework | | Resend | Transactional email delivery | US | Standard Contractual Clauses (SCCs) | | Google | Gmail API integration, OAuth | US | EU-US Data Privacy Framework | | Microsoft | Outlook API integration | US/EU | EU-US Data Privacy Framework |

This is a summary. A complete, up-to-date list including all sub-processors is available at joincove.io/legal/sub-processors.

6. Data Sharing

We do not sell your personal data. We share your data only in the following circumstances:

  • Sub-processors: With the third-party service providers listed in Section 5.3, strictly for the purposes of providing the Service, under binding Data Processing Agreements
  • Your recipients: When you send invoices or documents through the Service, the content of those communications is shared with the recipients you designate
  • Legal requirements: When required by law, regulation, legal process, or enforceable governmental request, including requests from Bulgarian, EU, or other competent authorities
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with prior notice to you and continued protection of your data under equivalent terms
  • With your consent: In any other circumstance where you have given explicit prior consent
  • Safety: To protect our rights, property, or safety, or that of our users or the public, as required or permitted by law

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

| Data Category | Retention Period | Reason | |---|---|---| | Account and profile data | Duration of your account + 30 days after deletion | Service provision; grace period for accidental deletion | | Financial records (invoices, expenses, tax) | Duration of your account | Service provision; deleted upon account deletion | | Employee/HR data | Duration of your account | You control this data as the data controller | | Email integration tokens | Until disconnection + immediate deletion | Service provision | | Processed email message IDs | Duration of your account | Deduplication | | Documents and files | Duration of your account | Service provision | | Security logs (IP, login events) | 12 months | Security and fraud prevention | | Authentication data (hashed passwords, MFA) | Duration of your account | Account security |

Important: You are solely responsible for retaining copies of your financial and tax records in accordance with applicable laws (e.g., the 10-year retention requirement under Bulgarian tax law, Art. 38 ДОПК). We strongly recommend exporting your data before deleting your account. Cove is a tool that helps you manage your records — it is not a tax archive and does not retain records on your behalf after account deletion.

Upon account deletion, all your data is permanently deleted, including from backups, within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: All connections use TLS encryption
  • Encryption at rest: Database-level encryption for all stored data
  • Access control: Row-Level Security (RLS) on all database tables, ensuring users can only access their own data
  • Authentication security: Passwords are hashed using industry-standard algorithms; support for multi-factor authentication (TOTP and email-based 2FA); trusted device management with cryptographically signed tokens
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, strict Referrer-Policy, and restrictive Permissions-Policy on all responses
  • Minimal data access: Employees and contractors access personal data only on a need-to-know basis under confidentiality obligations
  • Sub-processor security: All sub-processors are bound by Data Processing Agreements with security obligations

While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations
  • Right to restriction (Art. 18): Request that we restrict the processing of your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format, or request that we transfer it to another controller
  • Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for processing activities based on consent (e.g., email integration). Withdrawal does not affect the lawfulness of processing before withdrawal
  • Right not to be subject to automated decision-making (Art. 22): The Service does not make decisions based solely on automated processing that produce legal or similarly significant effects. AI is used as an assistive tool with human review

How to exercise your rights: Contact us at filip@joincove.io. We will respond within one month. If your request is complex, we may extend this period by an additional two months with notice.

Right to lodge a complaint: You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at kzld@cpdp.bg or www.cpdp.bg, or with the supervisory authority in your country of residence.

10. Account Deletion

You can delete your account through the Service settings. The deletion process includes:

  1. You initiate a deletion request in the application
  2. A verification code is sent to your email address
  3. Upon verification, all your data is permanently deleted through a cascading delete process, including all financial records, documents, employee data, and connected integrations

Account deletion is irreversible. We strongly recommend exporting all your data — especially financial and tax records — before initiating deletion, as you may be legally required to retain them independently.

11. Cookie Policy

Our use of cookies is described in our separate Cookie Policy, available at joincove.io/legal/cookie-policy. In summary, we use:

  • Strictly necessary cookies: Authentication session cookies (Supabase auth tokens), MFA trusted device cookies, locale preference cookies
  • No analytics, advertising, or tracking cookies are currently used

12. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at filip@joincove.io.

13. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
  • Right to delete: You may request deletion of your personal information, subject to exceptions
  • Right to correct: You may request correction of inaccurate personal information
  • Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights

Categories of personal information collected (using CCPA categories): Identifiers; commercial information; financial information; internet/electronic activity; professional/employment information; inferences drawn from the above.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise your CCPA rights, contact us at filip@joincove.io or use the account settings within the Service.

14. Additional Information for UK Residents

If you are a UK resident, your data is protected under the UK GDPR and the Data Protection Act 2018. Your rights are substantially the same as those described in Section 9. The relevant supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to your registered email address and displaying a notice within the Service at least 30 days before the changes take effect.

We encourage you to review this policy periodically. The "Effective date" at the top of this page indicates when the policy was last updated.

16. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

  • Data protection inquiries: filip@joincove.io
  • General support: filip@joincove.io
  • Legal matters: filip@joincove.io
  • Bulgarian DPA (CPDP): kzld@cpdp.bg | www.cpdp.bg