01 Data controller
The data controller (GDPR) and business (CCPA) responsible for your personal information on Cove Estimates is:
[LEGAL ENTITY NAME]
[BUSINESS ADDRESS]
hello@coveestimates.com
We do not currently have a designated EU or UK representative because we qualify for the small-business exemption. For all data subject requests from any jurisdiction, write to the email address above and we will respond directly.
02 GDPR (EU / UK)
Lawful bases we rely on
- Contract performance — processing necessary to deliver the service you signed up for (hosting your estimates, sending transactional email, processing payment).
- Legitimate interests — securing the platform, preventing abuse, measuring service reliability, improving the product in aggregate and de-identified ways.
- Consent — for anything optional, including marketing email (which we currently do not send) and any future feature that calls for opt-in consent.
- Legal obligation — to comply with tax, accounting, or lawful government requests.
Your rights under GDPR / UK GDPR
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (“the right to be forgotten”).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit how we process your data while a dispute is resolved.
- Objection — object to processing we carry out under legitimate interests.
- Withdraw consent — for anything we process based on your consent.
- Complaint — lodge a complaint with your local supervisory authority (e.g. a member-state DPA, the UK ICO).
03 CCPA (California)
Categories of personal information collected (past 12 months)
- Identifiers — email address, account ID, IP address.
- Customer records — name, phone, mailing address, company name (if you provide them).
- Commercial information — subscription plan, billing events synced to/from Stripe.
- Internet / network activity — request logs, authentication events.
- Professional information — the production content you generate: clients, crew, estimates, rate cards.
Purposes of collection
All categories above are collected to provide, secure, bill for, and support the service — as described in our Privacy Policy.
Sale or sharing of personal information
[LEGAL ENTITY NAME] does not sell your personal information, and does not share it with third parties for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months, and we have no plans to do so.
California rights
- Right to know what categories we collect, the sources, purposes, and recipients.
- Right to delete personal information we hold about you, subject to certain legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — already the default; we do neither.
- Right to limit use of sensitive personal information — we do not use sensitive information for any purpose beyond providing the service.
- Right to non-discrimination for exercising any of the above.
04 Subprocessors
We engage the following third-party processors to run Cove Estimates. Each provider is bound by its own data protection and security commitments and does not use your data except to provide services to us.
| Provider | Purpose | Data accessed | Region |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | All account & content data | United States |
| Anthropic | AI inference (brief parsing, estimation, receipt analysis) | Briefs, uploaded files and estimate data sent as prompts | United States |
| Stripe | Payments & subscription billing | Email, payment method, billing events | United States |
| Resend | Transactional email (share invites, crew portal invites) | Recipient email, job title, sender name | United States |
| Vercel | Application hosting, CDN, and edge runtime | Request logs, IP address, user agent | United States |
Need this for your DPA paperwork? Pull the same list as JSON: /data-compliance/subprocessors.json.
We may add or change subprocessors over time. When we do, we will update this table and, for material changes, notify active users by email.
05 International transfers
Our subprocessors are located in the United States. If you access the service from the European Economic Area, the United Kingdom, Switzerland, or another region with data localization requirements, your personal information will be transferred to and processed in the United States. We rely on our subprocessors’ published Standard Contractual Clauses and Data Processing Addenda as the legal mechanism for these transfers.
06 Security measures
- TLS 1.2+ in transit for all traffic (Vercel + Supabase).
- Encryption at rest for database and storage (Supabase).
- Row-Level Security on every database table — a given user can only read and write the rows they own.
- Auth-gated API routes — every server route that touches user data validates the requesting user.
- Passwordless sign-in via one-time email code — there are no passwords for us or an attacker to steal.
- Least-privileged infrastructure access — operational access to the platform is limited to named administrators.
No online system is perfectly secure. We work to minimize risk and to fix issues quickly when they are reported. If you believe you’ve found a vulnerability, please email hello@coveestimates.com with details before disclosing publicly.
07 Data retention
We retain your account and the content inside it for as long as your account is active. If you request deletion, we remove your data, typically within 30 days of an identity-verified request, with limited exceptions for records we are required by law to preserve (for example, billing and tax records).
08 Breach notification
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay — and within 72 hours of becoming aware of the breach where feasible — along with information about what happened, what we’re doing about it, and what you can do to protect yourself. Where required, we will also notify the relevant supervisory authority.
09 How to exercise your rights
To make an access, deletion, correction, portability, opt-out, or any other request, email hello@coveestimates.com from the address on your account. We may ask you to verify your identity before we act on requests that could affect an account (for example, sending you a one-time code to the email on file).
We respond within 30 days. We do not charge a fee unless the request is manifestly unfounded or excessive, in which case we will tell you before proceeding.