Introduction
Covinly ("we," "us," or "our") operates the Covinly platform, an AI-powered invoice verification service available at covinly.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
By accessing or using Covinly, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not use the service.
This policy applies to all users of Covinly, including account holders, team members, and any individual whose data may be included in invoices or vendor records processed through the platform.
Information We Collect
Account Information
When you create a Covinly account, we collect your name, email address, company name, phone number (if provided), and password (stored in hashed form). If you subscribe to a paid plan, we collect billing information through our payment processor, Stripe.
Invoice and Document Data
When you submit invoices for verification, we process the contents of those documents, including vendor names, addresses, invoice numbers, line items, amounts, tax identifiers, payment terms, and any other information contained within the document. This data is used exclusively for providing our verification service.
Vendor Information
We build and maintain a vendor database for your account based on the invoices you submit. This includes vendor names, contact information, historical pricing data, license numbers, and payment patterns. This data is specific to your account and is not shared across accounts.
Usage Data
We automatically collect information about how you interact with our service, including pages visited, features used, timestamps of activity, browser type and version, device information, IP address, and referring URLs. This data helps us improve the service and diagnose technical issues.
Communication Data
When you contact our support team or communicate with us by email, we collect the contents of those communications, including any attachments, to provide assistance and improve our service.
How We Use Your Data
Invoice Processing and Verification
We use your invoice data to perform our core verification service: extracting document data, detecting duplicates, verifying vendors, analyzing pricing patterns, and generating verification certificates. This includes processing documents through our AI analysis pipeline.
AI Analysis
We use artificial intelligence to analyze invoice data, detect anomalies, identify potential fraud, and improve verification accuracy. Invoice data sent to our AI provider (Anthropic) is processed under strict data processing agreements and is not used to train their models.
Billing and Account Management
We use your account and billing information to manage your subscription, process payments, send invoices, and communicate account-related updates such as plan changes, payment confirmations, and service notifications.
Service Improvement
We use aggregated and anonymized usage data to improve the accuracy of our verification algorithms, develop new features, optimize performance, and enhance the overall user experience. Aggregated data cannot be used to identify individual users or their specific invoice data.
Legal Compliance
We may use your information to comply with applicable laws, regulations, legal processes, or governmental requests, and to protect our rights, privacy, safety, or property.
Data Storage and Security
Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption. Passwords are hashed using the industry-standard bcrypt algorithm and are never stored in plain text.
Cloud Infrastructure
Our service is hosted on secure cloud infrastructure with data centers located in the United States. We employ industry-standard security measures including firewalls, intrusion detection systems, regular security audits, and automated vulnerability scanning.
Document Storage
Uploaded invoice documents and generated verification certificates are stored in Cloudflare R2, a high-availability object storage service. Access to stored documents is controlled through cryptographically signed URLs with expiration times.
Access Controls
We implement strict access controls to limit who can access your data within our organization. Access is granted on a need-to-know basis and is subject to regular review. All access to production systems is logged and audited.
Third-Party Services
We use the following third-party services to operate Covinly. Each provider has been selected for its security practices and compliance standards.
Handles all payment processing and subscription billing. We never store your full credit card number on our servers. Stripe is PCI DSS Level 1 certified.
Provides AI capabilities for invoice data extraction and analysis. Data sent to Anthropic is processed under a data processing agreement and is not used for model training.
Delivers transactional emails including verification results, account notifications, and password reset emails. Email addresses and message content are processed in accordance with their privacy policy.
Stores uploaded invoice documents and generated verification certificates. Data is encrypted at rest and access is controlled through signed URLs.
Data Retention
We retain your data for as long as your account is active or as needed to provide you with our services. Specific retention periods are as follows:
When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are legally required to retain certain information (such as billing records for tax purposes).
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Right to Access
You can request a copy of the personal data we hold about you. This includes account information, processed invoice data, and usage records.
Right to Correction
You can request correction of inaccurate personal data. You can update most account information directly from your dashboard settings.
Right to Deletion
You can request deletion of your personal data. You can delete your account from your settings, or contact us for a complete data deletion request.
Right to Export
You can export your data in a machine-readable format. Covinly provides CSV and JSON export options for your invoices, vendor data, and verification history.
Right to Restrict Processing
You can request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Object
You can object to the processing of your personal data for certain purposes, including direct marketing and profiling.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format for transfer to another service.
To exercise any of these rights, please contact us at privacy@covinly.com. We will respond to verified requests within 30 days.
Cookie Policy
Covinly uses cookies and similar tracking technologies to provide and improve our service. You can manage your cookie preferences at any time through the cookie consent banner or your browser settings.
Essential Cookies
These cookies are required for the basic operation of our service. They enable core functionality such as session management, authentication, and security. These cookies cannot be disabled.
Analytics Cookies
These cookies help us understand how visitors interact with our service by collecting information about pages visited, time spent, and navigation patterns. This data is aggregated and anonymous. You can opt out of analytics cookies.
Marketing Cookies
These cookies may be used to deliver relevant advertisements and track the effectiveness of marketing campaigns. They are only set with your explicit consent and can be disabled at any time.
International Data Transfers
Covinly is based in the United States and our primary data processing occurs within the United States. If you access our service from outside the United States, your data will be transferred to, stored, and processed in the United States.
We implement appropriate safeguards for international data transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where required for transfers from the European Economic Area or the United Kingdom.
Children's Privacy
Covinly is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 18, we will take steps to delete that information promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect.
We encourage you to review this policy periodically. Your continued use of Covinly after any changes indicates your acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
For data protection inquiries in the European Economic Area, you may also contact your local data protection authority.