Privacy Policy

Cova takes privacy seriously. Read our policy below.


Cova AI Pty Ltd ABN 55 686 877 270 | ACN 686 877 270

Last Updated: 14 January 2026

1. Introduction

Cova AI Pty Ltd (ABN 55 686 877 270) ("Cova", "we", "us", "our") provides AI-powered software tools for insurance brokers and underwriters ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Service.

We are committed to handling personal information in accordance with applicable privacy laws in the jurisdictions where we operate, including Australia, New Zealand, the United Kingdom, and the European Union. Additional information for users in specific jurisdictions is provided in the "Additional Information for Certain Jurisdictions" section below.

Important Notice: Our Service is designed for professional use by insurance brokers. Users should not enter personally identifiable information ("PII") about their clients into our system unless necessary for the relevant function. Where client information is entered, brokers are responsible for ensuring their clients are aware of the broker's use of Cova and that appropriate consents have been obtained. We have implemented processes to detect and protect against the inadvertent upload of sensitive client data.

2. Information We Collect

2.1 Information You Provide

When you register for and use our Service, we may collect:

  • Account Information: Business name, ABN/ACN (or international equivalent), your name, professional contact information (business email, phone number), and user authentication credentials
  • Billing Information: Payment and billing details processed through our payment provider
  • Query and Interaction Data: The content of your queries and interactions with our AI-powered tools, including voice recordings where you use voice input and meeting recording features
  • Support Communications: Information you provide when contacting our support team, including through chat, email, or other channels
  • Feedback: Any feedback, testimonials, or survey responses you provide, including where you provide feedback on the quality of the responses generated in the Cova platform

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • Usage Data: Service usage patterns, feature interactions, session data, and performance metrics
  • Technical Data: IP addresses, browser types and versions, device information, operating system, and time zone settings
  • Log Data: Query logs, AI interaction history, error logs, and diagnostic information

2.3 Information from Third Parties

We may receive information about you from third parties, including:

  • Broker Organisations: Where your employer, organisation or network creates an account on your behalf or invites you to join their team, we receive your name and email address from that organisation
  • Service Providers: Information from our technology and service providers in connection with the delivery of our Service

2.4 Sensitive Information

We do not intentionally collect sensitive information (such as health information, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation) about you or your clients. Users are directed not to upload sensitive data, including health information, financial details, or government identification numbers relating to their clients. We have implemented processes to detect and protect against the inadvertent upload of such information.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Service: Deliver AI-powered insurance tools, process transactions, and manage your account
  • Improve and develop our Service: Analyse usage patterns, fix errors, address feedback and develop new features
  • Communicate with you: Send service-related communications, respond to inquiries, and provide customer support
  • Process payments: Manage subscriptions, billing, and payment processing
  • Ensure security: Monitor for and prevent fraud, unauthorised access, and other harmful activity
  • Comply with legal obligations: Meet our legal and regulatory requirements, such as under applicable business, tax and privacy laws
  • Marketing: With your consent, send you information about our products, services, and industry news (you can opt out at any time)

We will only use your personal information for the purposes for which it was collected, or for purposes you would reasonably expect, unless we have your consent or are required or permitted by law to use it for other purposes.

4. Disclosure of Your Information

We may disclose your personal information to:

4.1 Service Providers

We engage third-party service providers to assist in delivering our Service. These providers process personal information on our behalf and are bound by contractual obligations to protect your information. Our key service providers include:

| Provider | Purpose | Location(s) |
|---|---|---|
| Anthropic (Claude) | AI model provider for processing queries | United States |
| Google (Gemini) | AI model provider for processing queries | United States |
| OpenAI | AI model provider for processing queries | United States |
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | Australia, EU, United States |
| AWS Bedrock | AI model hosting | Australia, EU |
| Supabase | Database and backend services | Australia, EU |
| Clerk | User authentication | United States |
| Stripe | Payment processing | United States |
| PostHog | Product analytics and session recording for support | United States / EU |
| Tally | Forms and surveys | European Union |

We maintain data processing agreements or equivalent contractual protections with our service providers to ensure your information is protected.

4.2 Related Entities

We may share information with our related bodies corporate for the purposes described in this Privacy Policy.

4.3 Broker Organisations

If you use our Service through an organisation (such as your employer), we may share information about your use of the Service with that organisation's administrators.

4.4 Professional Advisers

We may disclose information to our professional advisers, including our lawyers, accountants, auditors, and insurers where necessary for them to provide their services.

4.5 Legal and Regulatory Disclosure

We may disclose your information where required or permitted by law, including to:

  • Comply with court orders, subpoenas, or legal process
  • Respond to requests from law enforcement or government agencies
  • Meet regulatory obligations
  • Protect our rights, property, or safety, or that of our users or others

4.6 Business Transactions

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and the choices you may have regarding your information.

5. Cross-Border Disclosure

Some of our service providers are located overseas, including in the United States and the European Union. When we disclose personal information to overseas recipients, we take reasonable steps to ensure that the recipient handles your information in accordance with applicable privacy laws. This includes:

  • Entering into data processing agreements or equivalent contractual arrangements
  • Assessing the recipient's privacy and security practices
  • Where applicable, relying on recognised transfer mechanisms

By using our Service, you acknowledge that your personal information may be transferred to, stored, and processed in countries outside your country of residence, including in countries that may not have the same level of data protection as your home country.

See the "Additional Information for Certain Jurisdictions" section for jurisdiction-specific details on cross-border transfers.

6. AI Technology and Data Processing

6.1 AI Processing

Our Service uses artificial intelligence models, including those provided by Anthropic (Claude) and Google (Gemini), to deliver intelligent assistance to insurance brokers. When you interact with our AI features:

  • Your queries are processed through secure, encrypted connections
  • The AI providers do not use your data to train or improve their third-party AI models — this is contractually agreed with our AI providers
  • AI providers process queries in accordance with their enterprise data processing agreements with us

6.2 Analytics and Session Recording

We use PostHog for product analytics and may use session recording features for support and troubleshooting purposes. Session recordings help us understand how users interact with our Service and diagnose technical issues. You can contact us to opt out of session recording.

6.3 Automated Decision-Making

Our AI tools provide analysis and information to assist insurance brokers in their work. The AI does not make automated decisions that have legal or similarly significant effects on individuals. Insurance brokers remain responsible for all decisions made using information provided by our Service.

7. Data Security

We implement appropriate technical and organisational measures designed to protect your personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures are regularly reviewed and updated to reflect changes in technology and best practices.

While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the information, whether we can achieve those purposes through other means, and applicable legal requirements.

When personal information is no longer required, we securely destroy or de-identify it in accordance with our data retention practices.

You may request deletion of your personal information at any time (see "Your Rights" below), subject to our legal obligations to retain certain records.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Enable authentication and security features
  • Remember your preferences and settings
  • Analyse Service usage and performance
  • Support troubleshooting and customer support

9.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function, including authentication and security
  • Analytics Cookies: Help us understand how users interact with our Service
  • Preference Cookies: Remember your settings and preferences

9.2 Managing Cookies

You can manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Service.

For users in the UK and EU, please see the additional cookie information in the UK and European Union section below.

10. Your Rights

You have rights in relation to your personal information under applicable privacy laws. These may include:

  • Access: The right to request access to the personal information we hold about you
  • Correction: The right to request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading
  • Deletion: The right to request deletion of your personal information, subject to our legal obligations
  • Data Portability: The right to request a copy of your personal information in a portable format
  • Opt-Out of Marketing: The right to opt out of marketing communications at any time

You can update your name directly in the platform. For other corrections or to exercise any of these rights, please contact us at privacy@cova.ai.

See the "Additional Information for Certain Jurisdictions" section for jurisdiction-specific details on your rights and response timeframes.

11. Anonymity and Pseudonymity

Due to the professional nature of our Service, which is designed for use by insurance brokers and underwriters who must be identifiable and linked to their organisations, it is not practicable for users to use our Service anonymously or pseudonymously. User identification is necessary for:

  • Account management and billing
  • Compliance with professional and regulatory requirements applicable to insurance brokers
  • Security and fraud prevention
  • Providing appropriate support and service levels based on your organisation's subscription

12. Unsolicited Personal Information

If we receive personal information that we did not solicit (for example, in an unsolicited job application or a support request containing third-party information), we will assess whether we could have lawfully collected that information.

If we determine that we could not have lawfully collected the information, or that it is not reasonably necessary for our functions, we will destroy or de-identify the information as soon as practicable, unless retention is required by law.

13. Data Breach Notification

We take data breaches seriously. In the event of a data breach that is likely to result in serious harm to any individual whose information is affected, we will:

  • Take immediate steps to contain the breach and mitigate harm
  • Assess the breach to determine whether notification is required under applicable law
  • Where applicable, notify the relevant privacy regulator and affected individuals as required by applicable law

See the "Additional Information for Certain Jurisdictions" section for jurisdiction-specific breach notification requirements.

14. Marketing Communications

We may send you marketing communications, such as information about our products, services, features, and industry news. We will only do so with your consent or where otherwise permitted by law.

You can opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in our emails
  • Contacting us at privacy@cova.ai

Opting out of marketing will not affect service-related communications (such as account notifications, security alerts, and billing information).

15. Third-Party Links and Services

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

16. Children's Information

Our Service is designed for professional use by insurance brokers and is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child, we will take steps to delete it.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will take appropriate measures to inform you, such as by posting a notice on our website or sending you a notification. Your continued use of our Service after any changes indicates your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

18. Complaints

If you have a complaint about how we have handled your personal information, please contact us using the details below. We will:

  • Acknowledge your complaint promptly
  • Investigate the complaint and provide you with a response in writing
  • Set out the steps we will take to resolve the complaint (if any)

If you are not satisfied with our response, you may escalate your complaint to the relevant privacy regulator in your jurisdiction. See the "Additional Information for Certain Jurisdictions" section for regulator contact details.

19. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise any of your rights, please contact us:

Privacy Officer: Matt Almond, Chief Revenue Officer

Email: privacy@cova.ai

Address: 255 David Low Way, Peregian Beach, QLD 4562, Australia

20. Governing Law

This Privacy Policy is governed by the laws of Queensland, Australia.

Additional Information for Certain Jurisdictions

Australia

If you are located in Australia, the following additional information applies to you:

Applicable Law: We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") in our handling of personal information.

Sensitive Information: "Sensitive information" has the meaning given in the Privacy Act 1988 and includes health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record.

Cross-Border Disclosure (APP 8): Before disclosing your personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the APPs, or we rely on an exception under APP 8.

Your Rights:

  • Access (APP 12): You may request access to your personal information. We will respond within 30 days, unless an extension applies.
  • Correction (APP 13): You may request correction of your personal information. We will respond within 30 days.

Notifiable Data Breaches: In the event of an eligible data breach (as defined in Part IIIC of the Privacy Act 1988), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

Complaints:

If you are not satisfied with our response to a complaint, you may escalate to:

Office of the Australian Information Commissioner (OAIC)

Phone: 1300 363 992

Website: www.oaic.gov.au

Regulatory Disclosure: We may disclose information to Australian regulators including ASIC and APRA where required by law.

New Zealand

If you are located in New Zealand, the following additional information applies to you:

Applicable Law: We comply with the Privacy Act 2020 (NZ) and the Information Privacy Principles ("IPPs") in our handling of personal information about New Zealand individuals.

Cross-Border Disclosure (IPP 12): Before disclosing your personal information to recipients overseas, we ensure that the recipient is subject to privacy laws that provide comparable safeguards to New Zealand law, or we have your authorisation, or appropriate contractual protections are in place.

Your Rights:

  • Access (IPP 6): You may request access to your personal information. We will respond within 20 working days, unless an extension applies.
  • Correction (IPP 7): You may request correction of your personal information. If we refuse your request, we will provide reasons and inform you of your right to complain to the Privacy Commissioner.

Notifiable Privacy Breaches: We will notify the New Zealand Privacy Commissioner and affected individuals of privacy breaches that have caused, or are likely to cause, serious harm, in accordance with Part 6 of the Privacy Act 2020.

Complaints:

If you are not satisfied with our response to a complaint, you may escalate to:

Office of the Privacy Commissioner

Phone: 0800 803 909

Website: www.privacy.org.nz

United Kingdom and European Union

If you are located in the United Kingdom or the European Economic Area (EEA), the following additional information applies to you. This section provides information required under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Privacy and Electronic Communications Regulations.

If there is any conflict between this section and the main body of the Privacy Policy, this section prevails for individuals in the UK and EEA.

Data Controller

The data controller responsible for your personal data is:

Cova AI Pty Ltd

ABN 55 686 877 270

255 David Low Way, Peregian Beach, QLD 4573, Australia

Email: privacy@cova.ai

UK Representative

We have appointed a representative in the United Kingdom in accordance with Article 27 of the UK GDPR:

Olivia Brown

Email: liv@cova.ai

You may contact our UK Representative with any questions or concerns about our processing of your personal data.

Data Protection Officer

We have voluntarily appointed a Data Protection Officer:

Matt Almond

Chief Revenue Officer

Email: privacy@cova.ai

You may contact our Data Protection Officer with any questions about our data protection practices.

Lawful Basis for Processing

Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. The table below sets out our lawful basis for each processing activity:

| Processing Activity | Lawful Basis | Explanation |
|---|---|---|
| Account creation and management | Performance of contract | Necessary to provide you with access to the Service under our terms of service |
| Processing user queries through AI | Performance of contract | Core functionality of the Service; necessary to deliver the contracted service |
| Billing and payment processing | Performance of contract | Necessary to process your subscription payments and manage your account |
| Customer support | Performance of contract | Necessary to respond to your enquiries and provide support as part of the Service |
| Product analytics | Legitimate interests | Understanding how users interact with the Service to improve usability and fix issues. You can opt out of analytics at any time. |
| Session recording for troubleshooting | Legitimate interests | Diagnosing technical issues to improve service quality. Session recordings are not used for marketing or profiling. You can opt out at any time. |
| Security monitoring and fraud prevention | Legitimate interests | Protecting our systems and all users from security threats, unauthorised access, and fraudulent activity |
| Service-related email communications | Performance of contract | Necessary to send you important information about your account, service updates, and changes to our terms |
| Marketing communications | Consent | We only send marketing communications where you have given your explicit consent. You can withdraw consent at any time. |
| Product improvement and development | Legitimate interests | Analysing usage patterns to develop new features and improve existing ones. We use aggregated and anonymised data where possible. |
| Compliance with legal obligations | Legal obligation | Necessary to comply with applicable laws, regulations, court orders, or regulatory requirements |

Legitimate Interests Balancing

Where we rely on legitimate interests as our lawful basis, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. Key factors we considered include:

  • Reasonable expectations: The processing is within your reasonable expectations as a user of a professional SaaS platform
  • Minimal impact: The processing has minimal impact on your privacy
  • Safeguards: We have implemented appropriate safeguards, including data minimisation and opt-out mechanisms
  • Transparency: We are transparent about our processing activities

You have the right to object to processing based on legitimate interests at any time. See "Your Rights (UK/EU)" below.

Your Rights (UK/EU)

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive information about how we process it. You may request a copy of your personal data.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to Erasure (Article 17)

You have the right to have your personal data erased in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent (and consent was the lawful basis for processing).

Right to Restriction of Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate interests.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller, where the processing is based on consent or contract and carried out by automated means.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will stop processing your data for that purpose immediately.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not make automated decisions with legal or similarly significant effects. Our AI tools provide analysis and information to assist insurance brokers in their work; all decisions are made by humans.

Right to Withdraw Consent

Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@cova.ai

We will respond to your request within one month of receipt, or within three months for complex or numerous requests. We will inform you within one month if an extension is required and explain the reasons for the delay.

We may ask you to verify your identity before processing your request. We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive.

International Transfers (UK/EU)

Your personal data may be transferred to and processed in countries outside the United Kingdom and European Economic Area. We ensure that any such transfers are protected by appropriate safeguards as required by data protection law.

Transfer Mechanisms

We use the following mechanisms to ensure adequate protection for international transfers:

| Recipient Location | Transfer Mechanism |
|---|---|
| United States (providers certified under the EU-US Data Privacy Framework) | EU-US Data Privacy Framework adequacy decision |
| United States (providers not DPF-certified) | Standard Contractual Clauses (EU Commission Decision 2021/914) |
| Australia (Cova AI Pty Ltd) | Standard Contractual Clauses |
| Other countries | Standard Contractual Clauses or adequacy decision (where applicable) |

Sub-Processors (UK/EU)

The following sub-processors may process your personal data on our behalf:

| Sub-Processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic | AI model provider | United States | EU-US Data Privacy Framework |
| OpenAI | AI model provider | United States | Standard Contractual Clauses |
| AWS | Cloud infrastructure | Australia, EU, United States | EU-US Data Privacy Framework |
| Supabase | Database services | Australia, EU | Standard Contractual Clauses |
| Clerk | Authentication | United States | EU-US Data Privacy Framework |
| Stripe | Payment processing | United States | EU-US Data Privacy Framework |
| PostHog | Analytics | United States | EU-US Data Privacy Framework |
| Google (Gemini) | AI model provider | United States | EU-US Data Privacy Framework |
| Tally | Form collection | European Union | N/A (EU-based) |

You may request our current sub-processor list or subscribe to change notifications by emailing privacy@cova.ai.

Cookies (UK/EU)

We use cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations (UK) and the ePrivacy Directive (EU).

We obtain your consent before placing non-essential cookies on your device. You can manage your cookie preferences at any time using our cookie consent tool, accessible via the "Cookie Settings" link on our website.

Data Breach Notification (UK/EU)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

Complaints (UK/EU)

If you are not satisfied with how we handle your personal data or your data protection requests, you have the right to lodge a complaint with a supervisory authority.

United Kingdom

Information Commissioner's Office (ICO)

Website: www.ico.org.uk

Telephone: 0303 123 1113

European Union

If you are located in an EU member state, you may lodge a complaint with your local data protection authority. You may also lodge a complaint with the Irish Data Protection Commission:

Data Protection Commission (Ireland)

Website: www.dataprotection.ie

Email: info@dataprotection.ie

Collection Statement

Cova AI Pty Ltd

ABN 55 686 877 270

To assist us in providing our products and services and otherwise conducting our business functions and activities, we need to collect personal information about you.

By providing your personal information, you agree that it will be used and disclosed by Cova AI Pty Ltd (ABN 55 686 877 270) ("Cova", "we", "us", "our") in accordance with this statement and our Privacy Policy, available at www.cova.ai/utility-pages/privacy

If you do not agree, you must not provide your personal information, and we may not be able to provide our products or services to you.

We may disclose your personal information to other parties, including to third parties who provide products and services to us or through us in the ordinary operation, administration, or promotion of our business and otherwise in accordance with our Privacy Policy.

From time to time, these third parties may be located (and therefore your personal information may be disclosed) overseas, including but not limited to the United States of America, the European Union, and Australia.

We may use and disclose your personal information for direct marketing purposes, unless you opt out (which you can do at any time in accordance with our Privacy Policy).

Our Privacy Policy contains information about:

  • The types of personal information we collect and how we collect it
  • How we use and disclose your personal information
  • How you may access and seek correction of your personal information
  • How you may complain about a breach of your privacy and how we will deal with that complaint
  • Whether we disclose your personal information to overseas recipients

For questions about our privacy practices or to exercise your privacy rights, please contact us at privacy@cova.ai.
