Privacy Policy

Last updated: February 25, 2026

1. Overview

Covala Inc. (“Covala,” “we,” “us,” or “our”) operates the Covala API and the covala.com website (collectively, the “Services”). This Privacy Policy describes how we collect, use, share, and protect information when you use our Services.

This policy applies to API customers and website visitors. If you are an API customer, please also review our API Terms of Use and, where applicable, our Data Processing Agreement.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and (for API customers) company name. For paid plans, we collect billing information which is processed directly by Stripe and not stored on our servers.

2.2 API Usage Data

When you use the Covala API, we log: API endpoint accessed, timestamp, response status code, response time, API Key prefix (first 16 characters), and IP address. This data is used for rate limiting, abuse prevention, usage billing, and service improvement.

2.3 Website and Service Data

We may collect usage data including pages visited, referral source, browser type, operating system, device type, and IP address through standard web server logs and optional analytics tools.

2.4 Information We Do Not Collect

The Covala API serves product data (specifications, pricing, availability). It does not collect, process, or store personal information about end consumers. Product Data contains no personally identifiable information.

3. How We Use Your Information

  • Service delivery: Providing, maintaining, and improving our Services.
  • Authentication: Verifying your identity and managing your account.
  • Billing: Processing payments and managing subscriptions.
  • Usage tracking: Enforcing rate limits, calculating usage for billing, and identifying abuse.
  • Communications: Sending service-related notifications, security alerts, and (with your consent) product updates.
  • Security: Protecting against fraud, unauthorized access, and abuse.
  • Improvement: Analyzing usage patterns to improve API performance and product features.

4. Third-Party Service Providers

We share information with the following categories of service providers, solely as necessary to operate our Services:

Provider                        | Purpose                  | Data Shared
Supabase                        | Database, authentication | Account data, application data
Stripe (when billing is active) | Payment processing       | Billing information
Cloudflare                      | CDN, DDoS protection     | IP addresses, request metadata
Vercel                          | Application hosting      | Request logs
Upstash                         | Rate limiting, caching   | API Key prefix, request counts

We do not sell your personal information to third parties. We do not share your information with third parties for their independent marketing purposes.

5. Product Data Sources

The product intelligence available through our API is sourced from publicly available retailer websites and manufacturer documentation. This data relates to products, not individuals, and does not contain personally identifiable information. Covala is not affiliated with, endorsed by, or sponsored by any retailer or manufacturer whose product information appears in the Services.

6. Data Retention

  • Account data: Retained while your account is active and for 90 days following account deletion, after which it is permanently deleted.
  • API usage logs: Retained for 90 days for operational purposes, then aggregated into anonymized analytics.
  • Product Data: Product intelligence (specifications, error codes, maintenance schedules) is retained indefinitely as part of our knowledge base, as this is factual product information, not personal data.
  • Billing records: Retained for 7 years as required by tax and accounting regulations.

7. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • API Keys are hashed using SHA-256 before storage. We cannot retrieve your full API Key after issuance.
  • Authentication uses secure session management via Supabase Auth.
  • Row-level security (RLS) is enforced on all database tables to prevent unauthorized data access.
  • Rate limiting protects against brute-force attacks and API abuse.
  • All input is validated using schema validation (Zod) to prevent injection attacks.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate information.
  • Deletion: Request deletion of your account and associated data.
  • Export: Request a portable copy of your data in a standard format.
  • Opt-out: Unsubscribe from marketing communications at any time.

EEA/UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you additionally have the right to: restrict processing of your personal data, object to processing based on legitimate interests, and lodge a complaint with your local data protection authority. Our legal bases for processing are: contract performance (providing the Services), legitimate interests (security, analytics, service improvement), and consent (marketing communications).

California Residents (CCPA/CPRA)

California residents have the right to: know what personal information we collect, request deletion of personal information, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@covala.com.

9. International Data Transfers

Our Services are hosted in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate data protection for international transfers. Our Data Processing Agreement includes the relevant SCCs.

10. Cookies

We use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication and session management. Cannot be disabled.
  • Analytics cookies: Help us understand how our website is used. You can control these through your browser settings.

We do not use advertising cookies or tracking pixels. The API does not use cookies.

11. Children’s Privacy

Our Services are not directed at children under 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and (for registered users) sending a notification to your account email.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your privacy rights, please contact us at privacy@covala.com.