Blog›Privacy

Privacy

Cova's Privacy Promises: What We Will and Won't Do With Your Child's Data

Cova Team

May 21, 2026

Cova's Privacy Promises: What We Will and Won't Do With Your Child's Data

A full privacy policy is a long document. Parents deciding whether to put an AI in their home shouldn’t have to read one to understand what’s actually happening with their child’s data.

Here are the five things that matter most, in plain language.

1. No ads

Cova doesn’t run advertising · no display ads, no sponsored content, no “suggested for you” placements. The product is paid for by a parent subscription, and that’s the only revenue stream.

Part of the reason is practical: an ad-supported product earns more when users spend more time in it, and that’s not the direction a children’s AI should be optimised in.

2. Conversations are never used to train AI

The questions your child types aren’t used as training data · not in raw form, not anonymised, not aggregated. They aren’t fed back into our model, shared with the company that built the underlying model, or bundled into any dataset.

“Not used for training” is a phrase that gets used loosely in this industry. For Cova, it means exactly what it sounds like.

3. Data is retained for 14 days, then deleted

Some conversation data has to exist briefly for the product to work · for the parent dashboard to surface patterns, for a session to resume where it left off, for a flagged exchange to be reviewable when it matters.

That data is retained for 14 days, and then it’s deleted. Not archived, not moved to cold storage. Deleted. The dashboard summaries and pattern signals stay as aggregate insight; the underlying conversation content does not.

Fourteen days is long enough for a parent to notice a pattern over a week or two and review the exchange behind it. It’s short enough that there isn’t a long history sitting on a server waiting to be breached, requested, or repurposed later.

4. No third party uses your child’s data for their own purposes

No advertising partners, analytics vendors, data brokers, affiliates, or contractors get a feed of your child’s conversations. No human reviewer at any company reads transcripts for quality control.

Two AI setups are part of how Cova actually runs. On the cloud-enabled tiers, replies and summaries are generated by ministral-3-14b-instruct, served through the AWS Bedrock API · the data path goes to AWS, not to Mistral the company. On the On Device tier, an optimised, compressed version of Ministral runs locally on your child’s computer via Byteshape’s on-device runtime, and nothing is transmitted. Both arrangements operate under data processing agreements that prohibit training on, retaining, or otherwise reusing your child’s data · content is received only to return a response.

5. We don’t sell data

Cova doesn’t sell, rent, or license the data generated by your child’s use of the product. There’s no secondary revenue stream built on conversation content, metadata, or behavioural patterns.

The subscription is the business.

How the five fit together

These promises aren’t independent · they reinforce each other. No ads means no incentive to harvest behavioural data. No training use means no reason to keep conversations longer than the product needs them. A 14-day window means there isn’t much data to misuse even if someone wanted to. No third-party access means what little exists stays in one place. No data sale means there’s no financial reason to weaken any of the above.

Any one of these can be promised by a company that quietly works around it through a different door. Together, they describe an architecture and a business model pointing the same way.

The line at which we’d stop

Commitments like these only mean something if there’s a clear point at which the company would stop the product rather than break them. It’s worth naming what that looks like now, before the question is convenient to dodge later.

There are five situations that would trigger winding Cova down rather than continuing in a weakened form:

If Cova turns out to be causing harm to children at a rate we can’t fix.
If regulatory pressure forces a break in the privacy architecture and we can’t find a path that preserves it.
If independent reviewers or child-safety experts lose confidence in the safety posture and we can’t restore it.
If the underlying model and compression technology can’t keep pace with what the safety policy requires.
If we can’t afford the safety infrastructure at the scale we’re operating at.

In any of those cases, the intent is a structured shutdown · telling parents and children what’s happening, helping them transition off the product · rather than letting the experience quietly degrade while the business runs on.

Cova isn’t built on technology nobody else can build. What’s different is a willingness to make some commercial choices other companies in this space haven’t: publishing the safety policy in full, accepting the revenue limits of a strict subscription model, and treating shutdown as a real option if the commitments behind the product can’t be kept.

Common questions

Is anyone at Cova actually reading my child's conversations?

No one at Cova sits down and reads through your child’s chats. The processing that produces dashboard summaries, category labels, and flagged moments is automated · software, not a person.

The only times a human sees content are: (1) when you, as the parent, choose to open a flagged exchange in the dashboard within the 14-day window, or (2) the narrow case where a serious safety event is reviewed under our safeguarding pathway. Outside of those two situations, conversations aren’t read by employees, contractors, reviewers, or anyone else.

If the dashboard surfaces patterns, doesn't that mean Cova sees the content?

Yes · to generate the summaries, category signals, and flagged moments you see in the dashboard, Cova’s systems do process the conversation content. That processing is what makes the pattern recognition possible. The content used to produce those signals is the same content that’s deleted after 14 days; it isn’t retained beyond that, used to train AI, or shared with any third party.

What the dashboard shows you, by default, is the summarised signal rather than full transcripts. If something is worth a closer look, you can open the exchange behind a flag while it’s still within the 14-day window. After that, the conversation content is gone and only the aggregate insight remains.

What actually happens after 14 days?

Conversation data is deleted. Not archived, not moved to cold storage, not held “just in case.” The dashboard summaries and aggregate signals from within that window remain as insight; the underlying conversation content does not. One practical effect: there isn’t a long history of past conversations sitting on a server that could be breached or requested later, because that history doesn’t exist.

Can I keep everything on the device instead?

Yes. Cova’s On Device tier runs an optimised, compressed version of the Ministral model locally on your child’s computer through Byteshape’s on-device runtime · chat content and history stay on the device, and nothing related to conversations is transmitted to Cova’s servers at all.

The trade-off is that the parent dashboard’s insights, weekly summaries, and safety-alert features aren’t available in this tier, because they depend on cloud processing. Parents can switch between tiers at any time from the dashboard.

Can any third-party service providers see my child's conversations?

Cova doesn’t share conversation content with advertising partners, analytics vendors, data brokers, affiliates, or contractors. No human reviewer at any company reads transcripts for quality control.

On the cloud tiers, ministral-3-14b-instruct is served through the AWS Bedrock API to generate replies and summaries · the data path goes to AWS, not to Mistral the company. Both arrangements operate under data processing agreements that prohibit training on, retaining, or reusing your child’s data. AWS also provides encrypted storage (AES-256) and key management; Stripe processes billing and never sees conversation content.

What if Cova is acquired or changes ownership?

An acquirer would have the ability to change a future privacy policy, just as any company that buys another can. What we can commit to today is the architecture and the public position. If the day ever comes where those commitments can’t be kept, the intent is to tell parents directly and wind the product down rather than weaken things quietly in the background.

What about subpoenas or law-enforcement requests?

Cova complies with valid legal process where required. In practice, there isn’t very much to hand over: no long-term transcript archive exists, retention is bounded at 14 days, and no third party holds a secondary copy. For the narrow cases where notification to a parent could create safety risk for the child, the routing follows a separate safeguarding pathway and varies by jurisdiction.

How can I verify any of this?

Some of it you can check directly: the full privacy policy is published, the on-device mode is a setting you can switch on and watch behave, and the absence of advertising is something you can see in the product itself. The parts that are harder to verify from outside rest on the commitments above. If something here seems unclear or doesn’t match what you find, write to us at help@covakids.ai and we’ll respond.

If you don't run ads or sell data, how does Cova make money?

Parents pay a subscription. That’s the entire business model · there’s no secondary revenue stream built on conversation content, behavioural patterns, or anything else derived from your child’s use of the product.

The short version of Cova’s privacy approach.

No advertising. No training on your child’s conversations. 14-day retention, then deletion. No third-party access. No data sale. The full privacy policy has the long version; this is the readable one.

Read our full privacy policy