Privacy Policy
Effective Date: March 20, 2026
Cova ("we," "us," "our") operates the monitoring intelligence platform available at getcova.ai (the "Service"). This Privacy Policy describes how we collect, use, store, and protect your information when you use the Service.
By using Cova, you agree to the collection and use of information as described in this policy.
1. Information We Collect
Account Information
When you create an account or sign in, we collect:
- Email address - used for account identification, verification, and communication
- Name and profile photo - provided by Google or GitHub when you use OAuth sign-in
- Password - if you sign up with email/password (stored as a one-way bcrypt hash; we never store or have access to your plaintext password)
Third-Party API Credentials
To use Cova's monitoring analysis features, you may provide API keys or tokens for third-party services including Datadog, PagerDuty, Grafana, Sentry, New Relic, Sumo Logic, and Splunk. These credentials are:
- Encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256)
- Used solely to retrieve monitoring configuration data from your accounts
- Never logged, displayed in full, or shared with any third party
- Deleted immediately when you disconnect a tool or delete your account
Usage Data
We collect information about how you interact with the Service:
- Analysis results and scan history (stored per-user for your dashboard)
- Login timestamps, IP addresses, and user agent strings (for security and abuse prevention)
- Feature usage events (which features you use and when)
Analytics
We use Google Analytics 4 to collect anonymous, aggregated usage statistics such as page views, session duration, and general geographic region. This data is not linked to your account and is used solely to improve the Service.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Send transactional emails (account verification codes, security alerts)
- Analyze your monitoring tool configurations and generate recommendations
- Improve the Service based on aggregated usage patterns
- Detect, prevent, and respond to fraud, abuse, or security incidents
We do not use your information to:
- Sell or rent your personal data to third parties
- Send marketing or promotional emails (unless you opt in)
- Train AI models on your monitoring data or repository code
- Share your data with advertisers
3. Third-Party Services
The Service integrates with the following third-party providers to deliver functionality:
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Google OAuth | Account authentication | We receive your email, name, and profile photo from Google. We do not access any other Google data. |
| GitHub OAuth | Account authentication and repository scanning | We receive your email, name, and avatar. If you install the GitHub App, we access repository contents solely for monitoring analysis. |
| GitLab OAuth | Repository scanning | We access project contents solely for monitoring analysis. |
| Anthropic (Claude AI) | AI-powered analysis and recommendations | Monitoring configurations and code architecture summaries are sent to the Claude API for analysis. No raw API keys or credentials are sent to Anthropic. |
| Resend | Transactional email delivery | Your email address, for sending verification codes. |
| Google Analytics | Anonymous usage analytics | Anonymized page view and session data. No personal identifiers. |
| Neon (PostgreSQL) | Database hosting | All account and application data is stored in a Neon-hosted PostgreSQL database with encryption at rest. |
4. Data Storage and Security
- Hosting: The Service is hosted on Render, Inc. infrastructure located in the United States.
- Database: User data is stored in Neon PostgreSQL with encryption at rest.
- Credential encryption: All third-party API keys are encrypted using Fernet (AES-128-CBC + HMAC-SHA256) before storage. Encryption keys are stored separately from the encrypted data.
- Password hashing: Passwords are hashed using bcrypt with automatic salting. Plaintext passwords are never stored or recoverable.
- Transport security: All connections to the Service use HTTPS/TLS encryption.
- Session management: Sessions use cryptographically random 256-bit tokens. Sessions are invalidated on logout.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
5. Data Retention
- Account data: Retained for as long as your account is active.
- Analysis history: Retained for as long as your account is active. You may delete individual analyses at any time.
- API credentials: Deleted immediately upon tool disconnection or account deletion.
- Login logs: Retained for 12 months for security purposes.
- Verification codes: Expire and are invalidated after 10 minutes.
6. Your Rights
You have the right to:
- Access your personal data - view your profile and stored information within the Service
- Delete your account and all associated data - contact us at the email below and we will process your request within 30 days
- Disconnect any third-party tool and immediately remove its stored credentials
- Export your analysis results via the Service's report export feature
- Withdraw consent for Google or GitHub OAuth by revoking access in your Google/GitHub account settings
7. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. International Data Transfers
Your information is processed and stored in the United States. By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective Date" above. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: privacy@getcova.ai
Website: getcova.ai