Privacy Notice

The current Privacy Notice outlines how Covery collects, uses, stores, shares, and safeguards personal data, along with the privacy rights available to data subjects.

You should read and understand this Privacy Notice because it constitutes the core of our obligations to you when you use Covery website and access Covery products or services on behalf of your organization or when you provide your personal data to us.

You acknowledge that you have carefully read and understood this Privacy Notice by registering, accessing, or using Covery products or services.

Terms used in this Privacy Notice shall have the following meaning:

“Covery” means Covery AI Limited, a legal entity registered in Cyprus with registration number HE 432809 whose registered office is at Antrea Kariolou 38, Agios Athanasios, 4102, Limassol, Cyprus. “Covery” also covers affiliates and subsidiaries of Covery AI Limited. For the purposes of this Privacy Notice “we”, “our” and “us” shall refer to Covery.

Our contacts:

http://covery.ai/contact

dpo@covery.ai

“Covery Platform” means internet-based software, API and other technologies allowing obtaining of Covery products or services.

“Covery Services” means software and a service to process online credit and debit card payments, obtain and send payments through alternative payment methods as gateway service provider and to fight fraud with help of our anti-fraud solution.

“Covery Website” refers to Covery website (https://covery.ai/), including all its content and subdomains (e.g. blog).

“You”, “your” and “yours” shall refer to any user of Covery Website, Covery Platform or Covery Services. For the purpose of clarity, if you are acting on behalf of your organization that uses Covery Services, this Privacy Notice shall apply to you as the officer or other representative of such organization.

“End-user” means an individual who purchases goods or services from your organization.

“Data” means data and / or information submitted by you through the Covery Website, Covery Platform or APIs to us, including the End-users’ personal data.

“Personal data” is used to depict information that can be linked to a specific person and thus be used to identify that very person. Information that has been made anonymous is not considered to be personal data.

Roles and responsibilities

Covery as data controller

You should be aware that when we collect personal data of officers or other representatives of your organization, we act as data controller, therefore we are subject to controller’s rights and obligations under applicable data protection laws, rules and regulations.

Covery also acts as data controller when we process personal data of Covery Website visitors in the form of cookies and other similar technologies. We process personal data of Covery Website visitors for the website experience improvement, management of our advertising campaign and monitoring conversion results.

Covery as data processor

By providing your organization with Covery Services we act as data processor and your organization acts as data controller in the meaning given by General Data Protection Regulation (GDPR). We process your Data only to provide you with the Covery Solution and only on documented instructions from you. Your organization, as data controller, shall comply with all applicable data protection laws, rules and regulations. Privacy notice of your organization shall duly disclose its data practices, the purpose of data processing, including using third-party service providers for the detection and prevention of fraud.

When your organization acts as data controller it shall have a valid legal basis to collect, use, and transfer personal data to third countries by Covery. This may include obtaining prior consent from End-users. If your organization discloses personal data without its End-user’s proper consent or other legal basis, it is responsible for that unauthorized disclosure.

What data we collect and how

Starting to use Covery Services, your organization provides us with Data about the End-users. Your organization can decide what types or format of Data to send to Covery for analysis. Your organization may sent the End-user’s Data, such as email address, user login name, telephone numbers, IP address of the device used, the pages navigated by the End-user, time of login/logout, items viewed, added to cart or purchased, the form of payment, partial credit card numbers, and order status.

Furthermore, in case you access or use Covery Platform, the following types of data might be gathered: your company name, phone number, e-mail, name of contact person. It is used to maintain permanent communication with you and to send you legal and information notices.

When you visit Covery Website or use Covery Services on behalf of your organization, we gather information provided by your computer, mobile phone, or other viewports. This info includes your IP-address, user name, referrer details, device details (“Technical information”). We process this information in order to protect users’ data and accounts inside Covery Platform, as well as to improve services and user experience.

Note that we also gather information about your activities on Covery Platform and process your user ID, login, email, phone number, locale, timezone for access to Covery Platform functionality (“Access information”).

If your organization uses Covery Services, the following data of its officer or representative may be collected:

Contact Information: Name, phone number, email, address, (used for communication, sending notices, restoring account access, preventing duplicates, fraud detection during onboarding and business activity, contract signing, payment processing, and risk management).

Financial Information: Bank statement details (used for AML compliance before contract signing and fraud prevention during business activity).

Exhaustive Personal Information: data contained in your ID, utility bills (used for AML compliance during contract signing, fulfilling obligations, and fraud prevention during business activity).

We do not collect any extra data, but only that which is necessary for the purpose of providing Covey Services to your organization or fulfilling our legal obligations.

Please note that the provision of your personal data is voluntary. In most cases, if you do not provide the requested information, Covery will not be able to provide the requested service to your organization, e.g. our support cannot reach your organization in case of a security incident without collecting your contact details.

Cookies. When you visit Covery Website or Covery Platform, a small cookie file might be placed on your computer or mobile device. For the purpose of clarity, only necessary cookies used to ensure the proper operation of Covery Website are always active. To install performance and / or marketing cookies on your device we will ask for your consent. We analyze data from cookies and use it to improve quality of our services, track your activities with Covery, keep your account safe. Learn more about cookies and other similar technologies that we use from our Cookie Policy, which is integrated in and shall be read in conjunction with this Privacy Notice.

The ways we use data

The Data is collected for Covery to provide high-quality services to your organization, to ensure maintenance of contractual and legal requirements, perform of a contract, notify your organization, and protect security and privacy.

In particular, the personal data we process may be used for the following purposes:

• Provision your organization with high-quality and target-oriented services;
• Fraud prevention at the initial client`s onboarding and during further business activity;
• Improving the quality of services and user experience;
• Access to Covery Portal functionality;
• Providing client support;
• Risk management at various stages of using Covery Services;
• Protection of data and accounts of Covery Platform users;
• Website experience improvement, manage our advertising campaign and monitor conversion results;
• Preparation and signing agreements with your organization and further contractual communication (amendments, notices);
• Legal due diligence, KYC and KYB procedures;
• Managing financial transactions, issuing invoices, and processing payments in order to fulfill contracts with your organization.
  

Your personal data is not used for any additional purposes not mentioned in this Privacy Notice, Cookie Policy integrated herein or the contract between Covery and your organization.

Legal basis for processing

Our legal basis for collecting and using personal data depends on the type of personal information collected and the specific context in which we collect it.

• Contract

We process your personal data when it is necessary to fulfill a B2B services agreement with Covery. This includes:

• Using your data to provide the services your organization has requested (e.g., ensuring that you or other validated officers and representatives of your organization have access to the Covery Platform);
• Contacting you or other officers and representatives of your organization regarding customer service and product information;
• Responding to inquiries related to your account;
• Fulfilling obligations outlined in the contract.
  

Covery does not use personal data processed under a contract for the purposes of marketing and advertising without establishing your prior consent.

• Legitimate interest

We process your personal data on the basis of our legitimate interests provided that such processing shall not outweigh your rights and freedoms. We rely on this legal basis when we carry out procedures that are part of our Services or which are transparent, expected, and are a stable business practice. For example, to:

• ensure that you or other officers and representatives of your organization that has or is about to enter into B2B services agreement with Covery are validated;
• ensure that traffic is best routed for users to not experience extra delays (geolocation definitions for traffic analysis and forecasting);
• offer the Services relevant to a certain geographical region;
• ensure that the application works well on users devices (identify active devices and adapt to the needs of the client).
  

We will also process your data on the basis of our legitimate interest where the processing of personal data is strictly necessary and proportionate for the purposes of ensuring network and information security.

If we process your information based on our legitimate interests as explained above, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons. Please note that the right to object does not apply if data processing is necessary for the performance of a contract or to comply with a legal obligation.

• Legal obligation

We are entitled to process your data on the basis of legal obligation where it is necessary for compliance with a legal or regulatory obligation that we are subject to, including without limitation regulations on prevention of the money laundering and funding of terrorism and other fraud and crime prevention laws and regulations (including Regulation 13 of the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01), Article 40 of Directive (EU) 2015/849). On this basis we may process your contact information (email, phone number, address), details of your ID, financial information such as bank account number or e-wallet ID. We are processing your data in order to conduct risk management on various stages of using Covery Services and to conduct fraud prevention in the course of client onboarding and its business activity.

Please note that where you are acting on behalf of your organization in order for it to use Covery Services, you will need to provide us with the above information. Otherwise, we may not be able to provide the requested service to your organization.

• Consent

We can request from you consent for data processing when we are required to do so by law or when we do not have another legal basis for processing of your data.

For example, we rely on your consent when installing and using cookies as detailed in our Cookie Policy. Where we rely on your consent to process your personal data, you have the right to withdraw or decline consent at any time.

How we protect your data

We warrant and represent that Covery has implemented the technical and organizational security measures and technological development to ensure an appropriate level of security of personal data. Your data is protected by the means of physical, technical, and administrative resources to lower the risks of loss, misusage, unauthorized entry, disclosure, or alteration by a third party. To keep your data safe we apply data encryption protection and authorization control system, just to name a few.

Covery is PCI DSS (level 1) certified. It means that when we act as data processor in relation to personal data of the End-users of your organization in the course of providing Covery Services, we maintain all required technology, methods and business processes to protect cardholder data, and also use such technology and methods as regards the security of your personal data.

We monitor our systems 24x7 and our staff is always ready to respond to your notifications and queries within a short time.

Covery, when acting as a data processor, warrants and represents that:

• We will process personal data solely based on your organization’s documented instructions and will not use the data for any other purpose unless explicitly instructed in writing.
• We will not disclose your data to any unauthorized third parties, including other Covery users.
• We will maintain appropriate administrative, technical, and organizational measures to protect personal data, ensuring its confidentiality, integrity, and security.
• We will promptly notify your organization of any suspected or actual breach of the security of your data or the data of your organization’s End-users, without undue delay after becoming aware of it.
• We will not claim ownership of your data and will treat all personal data as belonging to your organization.
• We will assist your organization in fulfilling GDPR compliance obligations, including supporting responses to data subject rights requests (e.g., access, rectification, erasure), conducting data protection impact assessments (DPIAs), and consulting with supervisory authorities when required.
• We will impose the same data protection obligations on our sub-contractors as those outlined in the contract between Covery and your organization, ensuring they adhere to equivalent safeguards.
• We will inform your organization of any intended changes regarding the addition or replacement of sub-processors and allow your organization to object to such changes if necessary.
• We will delete or return all personal data to your organization at the end of the contract, unless retention is required by applicable law.
• We will notify your organization of any legally binding request for access to or disclosure of personal data received from law enforcement authorities, courts, regulatory bodies, or other third parties, unless prohibited by law from doing so.
• We will ensure international transfers of personal data are conducted in accordance with applicable laws and regulations.
• We will immediately inform you if, in our opinion, your organization processing instruction infringes GDPR or other applicable legislation and/or regulation.

Password security

To ensure the security of your data and the data of the End-users of your organization, you shall also maintain the confidentiality of your password from the Covery account. You are recommended to sign out of the Covery account when you have finished working with it. In any case, responsibility for any loss of passwords and misuse of the Covery account by third parties lies with you and your organization.

How we share your data

Covery warrants that it will not share or disclose your personal data or the data of the End-users to any third party, except as specified in this Privacy Notice, our Cookie Policy, the contract between Covery and your organization, or where there is a legal requirement for data transfer.

You should be aware that if you provide your consent to third-party cookies, this data will be transferred to the respective service providers, as detailed in our Cookie Policy integrated herein.

Covery during its business activity is entitled to transfer personal data to third parties who may use such information for the limited purpose of providing services to your organization and who are obligated to keep the information confidential. These persons include our professional advisers and contractors (such as lawyers, accountants, auditors, IT and management consultants), who are under a professional and/or contractual obligation to maintain confidentiality. It is our responsibility to ensure that the data we share is compliant with the conditions of processing and is shared securely. For the purpose of clarity, Covery's cooperation with its advisers and contractors is based on the service agreements that contain a data protection and confidentiality obligations.

Covery may disclose your personal data or data of End-users in response to requests from courts or other government bodies to comply with legal obligations or to protect our rights. However, Covery will consult with you or your organization before making any disclosures of such personal data, unless prohibited by the specific request or if your organization has previously authorized such disclosures in the contract. Covery will reject any requests that are not legally binding.

When you share data with us as a data processor

If your organization transfers to us any personal data of its End-users, officers, representatives or any other natural persons, it shall be obliged to obtain prior consent or have other legal grounds for the collection, retention, use and processing of data and for transferring it to Covery. Your organization shall ensure the security of data it transfers to Covery.

As a data controller, to the extent that your organization processes End-users’ personal data, it is required under privacy laws to honor End-user’s requests for data access, portability, correction, deletion, and objections to processing. In case a data subject directly contacts us with a request to exercise their individual rights under GDPR or with another claim on data protection, we will direct such data subject to your organization as data controller. Nevertheless, we will assist it by providing all necessary information or by other means envisaged by applicable law.

Your organization assumes full liability for failures to meet the GDPR in cases when it is envisaged by this Privacy Notice or GDPR.

How long we retain your data

We store your data for as long as it is reasonably necessary for the limited purpose of providing Covery Services and complying with the applicable laws and regulations, in particular:

• Access, Contact, Financial, and Exhaustive personal information – for at least five (5) years from the day of termination of the relationship with Covery;
• Technical information – logs are stored for one (1) year from the date of log creation;
• Cookies – retention varies based on the type of cookie and is detailed in our Cookie Policy.
  

Please also note that we will protect the confidentiality of the personal data during the entire retention period and will not actively process the personal data if such processing is not necessary anymore.

Your rights as a data subject

When we act as a data controller, you have the following rights for personal data that we have about you:

• The right to access any personal data that Covery processes about you.
• You can also obtain a copy of the personal data we retain about you.
• You can ask us to erase or delete all or some of your personal data (e.g. if it is no longer necessary to provide Covery Services). Nevertheless, we may be obliged to store your data longer for the purpose of compliance with the Card Schemes Rules, for taxation, accounting and other purposes envisaged by applicable law. We have to properly authenticate you before we fulfill your request to delete or erase data.
• You can ask us to change, update or fix your data in certain cases, particularly if it’s inaccurate. If you identify any discrepancies in your personal data, please contact us so that we can correct it promptly. Covery strives to ensure that the personal data we collect is accurate, complete, and up-to-date.
  

If you are a Covery Platform user, simply log in to your account and change profile settings at once. If the type of data you want to update or edit is not visible or editable in your profile settings, you can contact us and request to update or edit the relevant data.

We implement mechanisms, such as automated data integrity checks, to minimize any inaccuracies in the personal data we process.

If your personal data was transferred to third-party data processors they will be notified of any editing or deletion of your personal data.

• You can request that we stop using all or some of your personal data or limit our use of it in certain situations. This includes cases where we are relying on legitimate interests as the basis for processing, if you believe the personal data is inaccurate, if you think the processing is unlawful, or if it is necessary to establish, exercise, or defend a legal claim.
• If we process your data based on your consent, you have the right to withdraw your consent at any time. Please read the Cookie Policy for more details.
• If you are not satisfied with how Covery handles your personal data or wish to raise a complaint regarding the processing of your personal data, please contact our Data Protection Office at dpo@covery.ai.
  

To make the request or ask about your rights please contact us using the contact information above.

You shall also have the right to lodge a complaint to the local data protection authority in Cyprus. Contact details of the Office of the Commissioner for Personal Data Protection you can find under the following link: https://www.dataprotection.gov.cy/.

Cross-border transfers

For the purpose of providing your organization with Covery Services we may engage third-party service providers outside the EU. For example, we may share your personal data or data of End-users with Covery contractors in Ukraine that provide services to us, including billing, payment processing, customer support, marketing, security and performance monitoring, maintaining or servicing accounts, processing or fulfilling orders and transactions, verifying customer information, and data processing. We may also share personal data of End-users with the Covery service providers based in the USA. In addition, we may transfer your data to the USA if you give us your consent to third-party cookies, as detailed in our Cookie Policy.

Data protection laws in third countries may differ from EU laws, and there is currently no adequacy decision from the European Commission for Ukraine and the USA. Before transferring your data outside the EU, we will ensure compliance with relevant data protection laws and internal policies to protect your personal data. In the absence of an adequacy decision of the European Commission, we use European Commission-approved Standard Contractual Clauses, which are binding commitments by the data importer to safeguard the privacy and security of personal data. The last edition of the Standard Contractual Clauses is available under the following link:

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

You shall have the right to request from us a list of service providers thereto we transfer your data outside the EU.

When your organization acts as a data controller it shall inform the End-users about the risks of cross-border transfers and obtain their consent or have other legal grounds for that.

Automated decision-making

You should be aware that we do not make automated decisions regarding you or End-Users based on your or their respective personal data. Some of Covery's services involve the automated processing of end-users' personal data, such as ID verification. However, this process is not classified as automated decision-making. Covery merely fulfills the rules set by your organization and does not define the logic or criteria for processing the personal data. The result returned by Covery does not automatically lead to any legally significant consequences. Your organization retains the right to accept the result as-is, ignore it, consider other factors, set rules for manual review or automatic acceptance of the result.

In addition, please note that Covery does not make automated profiling based on your data. At the same time, such profiling can be made by our third-party service providers specified in the Cookie Policy thereto we transfer your data if you provide your consent to third-party cookies.

How this Privacy Notice may be changed

We can amend this Privacy Notice at any time by the means of publishing a revised edition on the Site. If you are a user of Covery Platform or Covery Services you will be notified of any substantial changes. The revised version will be in effect immediately and be noted by an updated date at the end of this Privacy Notice. Your organization is entitled to terminate the agreement with Covery if it does not agree to any changes. By continuing using Covery Services, you accept the changes.

Data breaches

We ensure that we have all necessary technologies and methods to prevent, detect, and investigate a personal data breach. In case of any data breach (including any unauthorized or accidental access,) we will make our best efforts to send a notification of becoming aware of the breach as soon as possible. If your Personal Data was transferred to third-party data processors, they will be notified of a data breach as well..

Please feel free to contact our Data Protection Officer at dpo@covery.ai to exercise any right you have as a data subject, raise a complaint, or ask any other questions regarding data processing.

Privacy Notice last modified on April 18, 2025