Privacy

CoverAware privacy notice

Last updated: 17 May 2026

Short version

CoverAware processes insurance documents so you can understand policies, track dates and ask questions. You might use it for yourself, your household, family members, or other people you support with permission. Documents may include sensitive information, including health, family, children, financial or household data. We use this data only to provide the product, keep it secure, and improve reliability.

This notice is designed to align with Swiss data protection requirements, especially the Swiss Federal Act on Data Protection (FADP/DSG). If you use CoverAware from the EU or EEA, similar GDPR rights may also apply.

Controller

Joseph Biondino is responsible for deciding why and how personal data is processed for this service. CoverAware is operated from Switzerland during its current launch phase. For privacy or data requests, contact support@coveraware.ch.

If CoverAware is transferred to a GmbH or another legal entity, this notice will be updated with the new controller details.

Data we process

  • Account details such as name, email, language and household profile.
  • Uploaded insurance PDFs, images, extracted text and generated policy metadata.
  • Policy summaries, renewal/cancellation dates, cover signals and chat questions/answers.
  • Consent records, email-ingestion status, reminder settings and support requests.
  • Operational logs needed for security, debugging, fraud prevention and service reliability.

Why we process it

  • To create your Household Cover Map.
  • To extract key policy facts, dates and summaries.
  • To answer your questions using your uploaded documents.
  • To send service emails and reminders when enabled.
  • To secure, maintain and improve the service.
  • To keep records needed to handle privacy, security and support requests.

Legal basis and consent

Under Swiss data protection law, we process data transparently, for the purposes described in this notice, and only to the extent needed to provide and protect the service. For sensitive insurance documents, including health, family or other third-party personal information, we ask for your explicit consent before processing.

By uploading documents, you confirm that you are allowed to provide them and you consent to CoverAware processing them for the purposes above. If you upload documents for household members, family members, friends, clients or other people you support, you confirm that you have their permission or another valid legal basis. You can withdraw consent for future processing by contacting support, but this may mean we can no longer provide the service.

Documents sent by email are not accepted until the sender maps to an existing CoverAware account with recorded sensitive-data processing consent. If consent is missing, we reject the inbound documents and reply by email explaining how to complete consent first.

AI processing

CoverAware uses AI to extract policy details, produce plain-language summaries, quality-check processing and answer questions. Where AI is used, we send only the content needed for that task, such as relevant policy text, metadata, profile context and your question.

Current production AI workflows use OpenAI and may use Google Gemini for document-processing review or fallback. We use API/business provider settings intended not to train models on customer content, and we do not sell your policy data. If a provider offers separate paid and unpaid processing modes, CoverAware production workflows should use the mode appropriate for customer data in Switzerland/EEA/UK.

AI answers can be wrong, incomplete or overconfident, so important insurance decisions should be checked against your policy documents, insurer, broker or adviser.

Service providers and subprocessors

We use carefully selected providers to run CoverAware securely. They process personal data only to provide, secure, support or improve the services we buy from them, and they are expected to use confidentiality, security, deletion and subprocessor controls under their published terms or data processing addenda.

Some providers may process data outside Switzerland, the UK or the EEA. Where that happens, we rely on the provider’s contractual, technical and organisational safeguards, such as data processing addenda, standard contractual clauses, adequacy frameworks, access controls and published security measures.

Clerk

Purpose: Secure sign-in, account sessions and account protection.

Data: Email address, account identifiers and session/security data.

Safeguard: Clerk acts as a processor for customer data under its DPA and publishes privacy and transfer safeguards, including Data Privacy Framework coverage.

Provider terms: Privacy, DPA

Supabase / Postgres / object storage

Purpose: Private application database and document storage.

Data: User profile, policy metadata, uploaded files, extracted text, processing status and reminder records.

Safeguard: Documents are stored in a private bucket with server-side access controls and row-level security on application tables. Supabase states that customer data is processed primarily as a processor under its data processing terms.

Provider terms: Privacy, DPA

Vercel

Purpose: Application hosting, deployment and routing.

Data: Request logs, network metadata, runtime metadata and error diagnostics.

Safeguard: Used to keep the web app available, secure and observable. Vercel publishes a DPA covering subprocessing, security, data subject requests, deletion and international transfer terms.

Provider terms: Privacy, DPA

Resend

Purpose: Transactional emails, reminders and inbound policy-document forwarding.

Data: Email addresses, message metadata, email content needed to deliver the message, and forwarded attachment content when you use email upload.

Safeguard: Used only for service email delivery and document-forwarding workflows. Resend publishes privacy, terms, DPA and security materials for its email platform.

Provider terms: Privacy, DPA, Security

OpenAI

Purpose: AI extraction, summaries, quality checks and Ask CoverAware answers where enabled.

Data: Relevant document text, policy metadata, chat questions and limited profile/context needed to answer.

Safeguard: Used through API/business settings where inputs and outputs remain under customer control and are not used to train models by default. OpenAI publishes DPA terms for customer data processing.

Provider terms: Enterprise privacy, DPA

Google Gemini

Purpose: AI review/quality checks or model fallback where enabled.

Data: Relevant document text, extracted metadata and quality-review prompts.

Safeguard: Used only where configured for production AI processing. For Switzerland/EEA/UK use, CoverAware should use paid/API terms rather than unpaid consumer-style services; Google publishes Gemini API terms and Google Cloud data processing terms.

Provider terms: Gemini API terms, Google Cloud DPA

GitHub Actions

Purpose: Scheduled/background document processing worker and deployment automation.

Data: Repository code, processing logs and encrypted secrets needed for the worker. The worker may process document text before sending it to configured AI providers.

Safeguard: Used for controlled background jobs and deployment automation, not as a public document store. GitHub publishes privacy, DPA and subprocessor information for business services.

Provider terms: Privacy, DPA, Subprocessors

Storage, retention and deletion

We keep documents and extracted data while your account is active or until you delete them. Deleting a document should remove the uploaded file, extracted text and linked metadata from active systems. Some limited traces may remain temporarily in backups, security logs, provider logs or records needed to handle support, security or legal obligations. You can request account/data deletion by contacting support.

We keep operational logs and support records only as long as reasonably needed for security, debugging, legal and service-reliability purposes.

Security

We use private document storage, server-side access controls, account authentication, row-level security for application tables, restricted service keys, encrypted provider secrets and operational logging to protect customer data. Access to production systems is limited to what is needed to operate and support the service.

No internet service can be guaranteed perfectly secure, but we design CoverAware to reduce unnecessary access and exposure.

Your rights

Depending on applicable law, you may have rights to access, correct, delete, restrict or receive your personal data, object to certain processing, withdraw consent for future processing, and ask how your data is handled. Contact us to exercise those rights.

Contact

For privacy requests, contact: support@coveraware.ch

Read the terms ->