Who We Are
COVIS AI ("we", "us", "our") operates the COVIS AI tenant portal — an AI-powered multi-tenant SaaS platform designed to streamline business operations through intelligent agents, proposal generation, client management, and workforce collaboration tools. We are the data controller responsible for your personal data.
| Contact Type | Email |
|---|---|
| Privacy Requests & GDPR | privacy@covis.ai |
| General Support | support@covis.ai |
| Security Vulnerabilities | security@covis.ai |
| Legal Inquiries | legal@covis.ai |
Scope
This Privacy Policy applies to:
- All users of the COVIS AI platform (Super Admins, Company Admins, Professionals, Clients)
- Visitors to our web portal and landing pages
- Anyone who contacts us for support, partnership, or business inquiries
Data We Collect
3.1 Account & Identity Data
| Data | Purpose |
|---|---|
| Full name | Account identification, personalization |
| Email address | Authentication, notifications, support |
| Company / organization name | Tenant workspace identification |
| Job title / role | Access control, feature gating, personalization |
| Profile photo (optional) | UI personalization |
| Password (hashed — never plain text) | Authentication |
| Years of experience | Professional profile enrichment |
3.2 Billing & Payment Data
| Data | Purpose |
|---|---|
| Subscription plan & tier | Service delivery, feature access |
| Invoice & transaction history | Billing records, tax compliance |
| Payment method (tokenized via Stripe) | Payment processing — raw card numbers never stored |
| Billing address | Tax calculation, invoicing |
| Order IDs from payment provider | Payment confirmation and reconciliation |
3.3 Usage & Activity Data
| Data | Purpose |
|---|---|
| Token consumption (count, type, timestamp) | Billing, quota management, overage tracking |
| AI agent type and configuration used | Analytics, billing, service optimization |
| Feature usage patterns | Product improvement, UX optimization |
| Login timestamps and session frequency | Security, fraud detection |
| Call log metadata (duration, timestamp, participants) | Business records, analytics |
| LinkedIn profile interaction data | Lead sourcing analytics, professional matching |
| Support ticket activity | Customer success, platform improvement |
3.4 Content Data
| Data | Purpose |
|---|---|
| Chat inputs and AI prompts | AI response generation |
| AI-generated outputs (proposals, messages) | Service delivery, history |
| Uploaded files and documents | AI processing, knowledge base |
| Custom AI agent configurations | Service personalization |
| Knowledge base entries | Company-specific AI training and retrieval |
| LinkedIn profile imports | Professional lead management |
3.5 Technical & Device Data
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, geolocation |
| Browser type and version | Compatibility, debugging |
| Operating system | Compatibility |
| Error logs and crash reports | Debugging, service quality |
| Referring URLs | Analytics |
How We Collect Data
- Directly from you — when you register, configure your workspace, send messages, upload files, or contact support
- Automatically — via server logs, session tracking, and usage metrics as you use the platform
- From your organization — when a Company Admin or Super Admin creates your account and invites you to a workspace
- From payment processors — transaction confirmations and billing events from our payment provider
- From LinkedIn — when you import profile data using our LinkedIn integration
Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account registration and authentication | Contract performance |
| Service delivery (AI processing, storage) | Contract performance |
| Billing and invoicing | Contract performance + Legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Product analytics and improvement | Legitimate interests |
| Marketing communications | Consent (opt-in only) |
| Legal compliance and record keeping | Legal obligation |
| Processing GDPR data requests | Legal obligation |
How We Use Your Data
- Deliver the Service: Process AI requests, store your history, manage your workspace, enable AI agents
- Billing: Calculate token and resource usage, generate invoices, process payments
- Security: Detect fraud, unauthorized access, and abuse patterns
- Support: Respond to your tickets, resolve technical issues
- Communications: Send transactional emails (invoices, alerts, security notices, service updates)
- Compliance: Meet our legal and regulatory obligations
- Product improvement: Analyze aggregated, anonymized usage patterns to improve features
Data Sharing & Third Parties
We share data only when necessary to provide the Service:
7.1 AI Model Providers
Your chat inputs, prompts, and uploaded file contents are transmitted to AI model providers to generate responses. These providers act as data processors under our instructions.
| Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude) | Chat inputs, prompts | AI response generation |
| OpenAI (GPT) | Chat inputs, prompts | AI response generation |
| Additional providers (listed in-app) | Chat inputs as applicable | Specialized AI capabilities |
7.2 Payment Processors
| Provider | Data Shared | Purpose |
|---|---|---|
| Stripe | Billing details, transaction data | Payment processing — raw card data never stored by COVIS AI |
7.3 Cloud Infrastructure & Communications
We use cloud infrastructure providers for hosting, storage, and compute, and transactional email providers for system notifications. All providers are contractually bound under Data Processing Agreements (DPAs).
7.4 Legal Disclosures
We may disclose your data if required by law, court order, or governmental authority. Where legally permitted, we will notify you before complying.
AI Data Processing — Special Notice
- Your input is sent from our servers to the selected AI model provider
- The AI provider processes your input and returns a response
- Both the input and response are stored in your workspace history (subject to your retention settings)
- Custom AI agent configurations are stored on COVIS AI servers and shared with AI providers only at the time of a request
International Data Transfers
COVIS AI may transfer your data to countries outside your home jurisdiction. We safeguard all international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all sub-processors
- Adequacy decisions where applicable
To request a copy of the safeguards in place, contact privacy@covis.ai.
Your Privacy Rights
| Right | Description | How to Exercise |
|---|---|---|
| Access | Receive a copy of all personal data we hold | Account Settings → Privacy → Request My Data |
| Rectification | Correct inaccurate or incomplete data | Account Settings → Profile |
| Erasure | Request deletion of your personal data | Account Settings → Privacy → Delete Account |
| Portability | Export your data in machine-readable format | Account Settings → Privacy → Export My Data |
| Restriction | Pause processing in certain circumstances | Email privacy@covis.ai |
| Objection | Object to processing based on legitimate interests | Email privacy@covis.ai |
| Withdraw Consent | Withdraw where processing is consent-based | Email privacy@covis.ai |
Response time: We respond to all requests within 30 days. Complex requests may be extended to 60 days with notice. Identity verification may be required before processing.
Data Security
- Encryption in Transit: TLS 1.2+ for all browser-server communication
- Encryption at Rest: AES-256 encryption for all stored data
- Access Controls: Role-based access control (RBAC) — need-to-know basis
- Multi-Factor Authentication: MFA available for all accounts
- Audit Logging: All sensitive data access is logged and monitored
- Security Audits: Regular third-party penetration testing
Children's Privacy
The COVIS AI Service is not directed at or intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we discover that we have collected data from a minor without verifiable parental consent, we will delete it immediately.
If you believe a minor has provided us with personal data, contact privacy@covis.ai immediately.
Data Retention
Data is retained according to our Data Retention Policy. Key periods:
| Data Type | Retention Period |
|---|---|
| Account & identity data | Duration of account + 30 days |
| Chat history & AI outputs | 12 months (configurable by Admin) |
| Call logs | 12 months |
| LinkedIn profile data | Account active + 30 days |
| Token usage logs | 12 months |
| Billing & invoice records | 7 years (legal requirement — cannot be shortened) |
| Audit logs | 24 months, then anonymized |
| Technical / error logs | 90 days |
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify you via email to your registered address
- Display an in-app notification banner requiring acknowledgement
- Update the "Last Updated" date at the top of this document
Previous versions are archived and available on request at privacy@covis.ai.
Contact Us
- Privacy requests: privacy@covis.ai
- Security issues: security@covis.ai
- General support: support@covis.ai
- Legal inquiries: legal@covis.ai
Response time: within 30 days · GDPR requests: within 30 days, may extend to 60 days with notice