Privacy Policy

Last updated: 17 July 2026

1. Who we are

Covey ("we", "us", "our") is the data controller for personal data processed through the Covey mobile application and related services (the "Service"). We are based in the United Kingdom and comply with the UK GDPR and the Data Protection Act 2018.

Contact for privacy matters: support@coveyapp.co.uk.

2. The data we collect

  • Identity data: name/display name, date of birth, profile photos.
  • Verification data: selfie and a photo of your government-issued ID, used solely to confirm you are an adult woman. Verification images are deleted from our systems once verification is approved or rejected — we retain only a flag confirming the outcome.
  • Contact data: email address.
  • Profile data: sports/activities, bio, location (you can choose to display an approximate location only or hide it entirely).
  • User content: posts, comments, chat messages, community content, and any images you upload.
  • Device & technical data: device type, OS version, app version, push-notification token, approximate IP-derived location, crash logs.
  • Subscription data: we receive your subscription status from Apple/Google via RevenueCat — we do not see or store your card details.

3. How we use your data and our lawful bases

  • Provide the Service (contract): account creation, matching, chat, communities, posts, push notifications.
  • Verify your identity and keep the platform safe (legal obligation + legitimate interests): age verification, fraud prevention, moderation, enforcing our Community Guidelines, banning bad actors.
  • Detect illegal content (legal obligation): images you upload may be scanned against known hashes of child sexual abuse material (CSAM) and other illegal content. Confirmed matches are reported to the appropriate authorities (UK National Crime Agency / NCMEC) and the user is banned.
  • Communicate with you (contract / legitimate interests): service updates, safety alerts, moderation decisions.
  • Improve the Service (legitimate interests): aggregated analytics, crash reporting, debugging.
  • Comply with law and respond to lawful requests (legal obligation).

4. Who we share data with

We do not sell your personal data. We share data only with the providers we need to run the Service:

  • Supabase — managed database, authentication and file storage hosting (EU region).
  • Google Firebase Cloud Messaging — to deliver push notifications.
  • RevenueCat, Apple, Google — to manage in-app subscriptions.
  • OpenStreetMap Nominatim — to convert place names into approximate coordinates for matching (we send only the place text you enter).
  • Law enforcement and regulators — where we are legally required, or where we believe there is a serious risk to life.

5. International transfers

Some of our service providers (e.g. Google, Apple, RevenueCat) are based outside the UK and may process data in the US or elsewhere. Where we transfer data outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses.

6. Retention

  • Verification images (selfie + ID): deleted once verification is decided.
  • Chat messages (1-to-1): automatically deleted 30 days after they are sent.
  • Profile, posts, communities: kept while your account is active.
  • Account deletion: when you delete your account, your profile, photos, posts, comments, friendships and chat history are wiped from our systems. We keep a minimal record (email hash + reason) where needed to enforce bans or comply with legal obligations.
  • Moderation evidence: reports and associated evidence may be retained for up to 12 months to support investigations and appeals.

7. Security

Data is encrypted in transit (HTTPS/TLS) and at rest. Passwords are hashed. Access to production systems is restricted to authorised personnel. We use row-level security to ensure users can only access their own data and the data of people they are connected with. No system is 100% secure — if a breach affecting your rights occurs, we will notify the ICO within 72 hours and inform you where required.

8. Your rights (UK GDPR)

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data (most fields are editable in the app under Profile → Edit).
  • Erasure — delete your data ("right to be forgotten"). Use Profile → Settings → Delete Account, or email us.
  • Restriction / objection — restrict or object to certain processing.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — where processing is based on consent (e.g. push notifications), you can withdraw consent at any time in device settings.
  • Complain — you can complain to the UK Information Commissioner's Office at ico.org.uk.

To exercise any right, email support@coveyapp.co.uk. We respond within 30 days.

9. Children

Covey is strictly for users aged 18 and over. We verify age via ID. If we become aware that an account belongs to someone under 18 we will delete it immediately. If you believe a minor is using Covey, please report it via in-app Report or email support@coveyapp.co.uk.

10. Cookies and tracking

The Covey mobile app does not use advertising cookies and does not run third-party advertising trackers. We use only essential storage required for authentication and app functionality.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified in-app or by email. Continued use of the Service after changes take effect constitutes acceptance.