Privacy & Trust

Your child’s curiosity deserves a safe space. Here’s exactly how we protect it · no jargon, no surprises.

Effective May 20, 2026 · A product of Personify, Inc. · Questions? help@covakids.ai

Our commitments

What Cova will always do · and never do

🚫

No ads, ever

Your child’s data is never sold or used to target them with advertising.

🧠

Not used to train AI

Conversations with Cova are never used to train external AI models.

🔒

No data brokers

We never share family data with data brokers or marketing companies.

👨‍👩‍👧

Parent always in control

You choose the privacy tier and can review, correct, or delete data at any time.

We built Cova for our own kids. We made the privacy choices we’d want for them · and documented every one of them here.

Scope & agreement

Who we are and what this policy covers

Cova is a product of Personify, Inc., a Delaware corporation (“Personify,” “we,” “us,” or “our”). This Privacy & Trust policy (“policy”) explains how we collect, use, share, and protect information when you use the Cova app, the Cova website at covakids.ai, and any related Personify services (together, the “Cova service”).

Throughout this policy, “you” means the parent or legal guardian who creates and manages the account. Cova is operated by you on behalf of your child · the parent account is always the legal point of data control.

By using Cova, you agree to this policy. If you do not agree, please do not use the service or provide personal information to us.

Privacy tiers

You choose how much sharing happens

Cova works at three levels of capability. The lower the tier, the less data leaves the device. Every tier is fully functional · higher tiers simply unlock deeper personalisation.

Tier 1

On Device

Maximum privacy

✓ All AI runs locally on the device
✓ No conversation data leaves the device
✓ Only account & subscription data transmitted
✓ No cloud storage of conversations
✓ Basic Parent Dashboard

Tier 2

AI Insight

Balanced

✓ Conversations stored encrypted in cloud (14 days)
✓ Patterns analysed · no raw text sent to AI
✓ Richer Parent Dashboard & weekly insights
✓ Conversation history stays on the device · not synced across devices
✓ No personally identifiable data in AI calls

Tier 3

Advanced AI Assistance

Most personalised

✓ Age, interests & context shared with AI
✓ Highly personalised responses
✓ Full dashboard including conversation summaries
✓ Still never used for AI model training

Tier comparison at a glance

Feature	Tier 1	Tier 2	Tier 3
Conversations stay on device only	✓	✗	✗
Conversations stored encrypted in cloud	✗	✓	✓
Raw conversation text sent to AI	✗	✗	✓
Child context (age, interests) shared with AI	✗	✗	✓
Parent Dashboard	Basic	Enhanced	Full
Weekly parent insights	✗	✓	✓
Cross-device conversation sync	✗	✗	✓
Used to train external AI models	Never	Never	Never

Data inventory

What we collect and where it lives

Information you provide directly

We collect personal information from you in the following situations:

Creating an account · your name and email address.
Purchasing a subscription · billing details (name, billing address, and payment card information) processed securely via Stripe. Cova does not store your card number directly.
Contacting support · any information you include in a support request or message to us.
Setting up a child profile · your child’s nickname, month and year of birth, and chosen persona.

The table below is the complete picture · no surprises. “On device” means the data never leaves your child’s device. “Cloud” means it is stored encrypted on our servers. “Sent to AI” means it may be included in a call to an AI model.

Data	On Device	Cloud	Sent to AI	Notes
Conversation text	T1, T2, T3	T2, T3	T3 only	14-day cloud retention, then permanently deleted
Conversation summaries	✗	T2, T3	T2, T3	Generated from conversation history (Tiers 2 & 3). Retained for 14 days.
Child month and year of birth	All	T2, T3	T3 only	Helps tailor language and content level
Parent account info (name, email)	✗	All	✗	Required to operate the account
Subscription / billing	✗	All	✗	Processed by Stripe; Cova stores only subscription status
Device identifiers	All	✗	✗	Used to link app instance to account; never shared
Biometric identifiers	✗	✗	✗	We do not collect biometric data of any kind

Information collected automatically on our website

When you visit covakids.ai or interact with our marketing pages, we (or our service providers) may automatically collect:

Device and browser information · IP address, browser type, operating system, and similar technical identifiers used to deliver and secure the site.
Cookies and similar technologies · small files stored by your browser that help the site function, remember your preferences, and let us understand which pages are useful. You can control cookies through your browser settings.

The Cova app itself does not use third-party advertising trackers, social media pixels, or cross-site tracking technologies.

What “personal information” does not include

For clarity, personal information under this policy does not include:

Publicly available information from government records.
De-identified or aggregated information that cannot reasonably be linked back to you or your child.
Information governed by sector-specific laws that fall outside the scope of this policy.

Data use

How we use your information

Deliver and personalise the Cova experience · answer your child’s questions in age-appropriate ways, at the personalisation level you’ve chosen.
Provide parent insights · generate weekly summaries and safety alerts (Tiers 2 and 3).
Manage your account and subscription · process payments, send receipts, and handle support requests.
Keep the service safe · detect misuse, respond to safety events, and comply with legal obligations.
Send transactional communications · account confirmations, security alerts, and policy update notices. We do not send marketing without your opt-in.
Improve and secure the service · monitor trends and usage in aggregate, debug issues, and protect against fraud or unauthorised access.
Meet legal and professional obligations · share information with our attorneys, accountants, and other professional advisors when needed to obtain advice, and respond to lawful requests such as subpoenas, court orders, or tax reporting requirements.

We never use your family’s data to profile users for advertising, to sell to third parties, or to train external AI models.

We will use your information only for the purposes described above. If we ever need to use it for a materially different purpose, we will tell you and explain the legal basis before doing so. We may, however, process your information without separate notice where required or permitted by law · for example, in response to a valid subpoena or court order.

Access

Who can see your family’s data

Cova engineers

A small, named set of engineers can access cloud data for debugging and support. Access is logged, audited, and requires multi-factor authentication. No one browses data out of curiosity · access must be tied to a specific ticket.

Vendors we use

Vendor	Role	What they receive
AWS Bedrock	Cloud AI inference (ministral-3-14b-instruct)	Conversation context for summary and alert generation (Tier 2); also for reply generation (Tier 3). Data is processed by AWS only · Mistral SA, the developer of the Ministral model, does not receive or process content. AWS does not retain or train on this data.
Byteshape	On-device AI runtime (optimised version of Ministral)	Runs an optimised, compressed version of the Ministral model entirely on your child’s device. No data is transmitted to Byteshape or to any other party. Byteshape’s role is the runtime that lets the model fit on consumer hardware.
Stripe	Payment processing	Parent billing details. Cova stores only your subscription status, never card numbers.
Transactional email provider	Account emails	Parent email address and the content of the specific transactional message.
AWS (infrastructure)	Cloud hosting & storage	Encrypted cloud conversation data (Tiers 2 and 3). Stored in AES-256 encrypted buckets.

We have data processing agreements with every vendor. No vendor may use your family’s data for their own purposes.

We do not share with

Advertisers or ad networks
Data brokers
Social media platforms
Any third party for marketing purposes

Other situations where we may share

For completeness, there are a few additional, narrowly defined situations where your information may be disclosed:

Affiliates and subsidiaries · if Personify has affiliates or subsidiaries now or in the future, we may share information with them for the purposes described in this policy. They are bound by the same protections.
Professional advisors · our attorneys, accountants, and similar advisors may receive information when needed to provide professional advice to Personify.
Legal process and safety · we may disclose information to comply with a lawful subpoena, court order, or government request, or where we believe it is necessary to protect the safety of a child, you, us, or others. See the Safety & legal section for how we handle safety events.
Business transfer · if Personify is acquired, merges with another company, or sells substantially all of its assets, your information may transfer to the new entity. Any new owner will be bound by this policy or by a policy at least as protective. We will notify you by email and in-app before such a transfer takes effect.
Aggregated or de-identified data · we may share statistics or insights that cannot be linked back to your family (for example, “X% of families use Tier 2”). This is not personal information.
With your consent · in any other situation, only with your explicit permission.

Data retention

How long we keep your data

days · cloud conversation data

∞

on device · until you delete the app

days after account deletion request

Cloud conversation data (Tiers 2 & 3): retained for 14 days, then permanently deleted.
On-device data (all tiers): stays on the device until you delete the app or manually clear data.
Account data (parent name, email, subscription): retained while your account is active. Deleted within 30 days of an account deletion request, except where legally required.

Parent Dashboard

What you can see at each tier

Tier 1 · profile and settings management only. No conversation data reaches our cloud, so there are no summaries, alerts, or activity insights.

Tiers 2 & 3 · the same dashboard content in both tiers. What differs is who generates your child’s replies, not what you see as a parent. Content is organised in weekly blocks (Sun–Sat); the dashboard shows the current and previous week. A summary email goes out when each week closes.

Feature	Tier 1	Tier 2	Tier 3
Profile & safety settings	✓	✓	✓
Safety alerts (with triggering snippet, categorised by severity)	✗	✓	✓
Usage overview · active days, session length, questions asked	✗	✓	✓
Daily activity chart	✗	✓	✓
AI Chat Styles · persona usage breakdown	✗	✓	✓
Topics explored & activities breakdown	✗	✓	✓
Example questions · representative snippets, including alert triggers	✗	✓	✓
Weekly summary email	✗	✓	✓

Device loss & new devices

What happens when devices change

If a device is lost or replaced

Tier 1: On-device data is gone with the device. This is by design · no cloud backup means maximum privacy, even in loss scenarios. Your account and subscription are safe.
Tier 2: Conversation history stays on the original device and is not recoverable if the device is lost. Your account, child profile, safety settings, and any cloud-side alerts and summaries are restored when you sign in on a new device.
Tier 3: Because replies are generated and stored in our cloud, recent conversation history (within the 14-day window) is accessible when you sign in on a new device. On-device data beyond that window is not recoverable.

Setting up a new device

Sign in with your parent account credentials on the new device.
Your tier setting, child profile, and safety settings restore automatically. For Tier 3, recent conversation history within the 14-day cloud window also restores.
Contact help@covakids.ai if you need help recovering an account.

Tier settings

Switching between tiers

You can change your tier at any time from the Parent Dashboard. Your account and subscription are unaffected.

Moving to On Device: Existing cloud data is not deleted · it ages out on its normal 14-day schedule. Existing summaries and alerts stay visible until their window closes. From the moment of switch, replies come from the on-device AI and your child’s chat history starts fresh on the device.

Moving to a cloud-enabled tier: Previous on-device conversations are not uploaded. Chat history, summaries, and safety alerts begin from the switch date. New messages are subject to 14-day cloud retention going forward.

In both directions, your child’s chat view starts from the switch · history from the previous source is not carried over.

Your rights

What you can ask us to do

👁️

See

Request a copy of the data we hold about your family.

✏️

Correct

Ask us to fix inaccurate information in your account.

🗑️

Delete

Request deletion of your data or your child’s data at any time.

💬

Ask

Ask any question about how your data is handled.

To exercise any of these rights, email help@covakids.ai. We’ll respond within 2 business days.

How we verify a request

To protect your family’s information, we need to confirm that a request is coming from you. When you email us, we’ll ask for enough information to reasonably verify your identity · typically by matching details to your account. Parents may make requests on behalf of their minor child. We’ll only use the information you provide for verification to handle the request itself.

When we may decline a deletion request

We will honour deletion requests in nearly all cases. We may retain certain information where it is necessary to complete an active transaction, detect or prevent fraud or security incidents, comply with a legal obligation, or fulfil another lawful purpose compatible with the context in which you provided it. If we cannot delete something, we will tell you which information we are keeping and why.

Updating your own information

You are the best source for what is accurate. You can update your name, email, child profile details, and tier setting at any time from the Parent Dashboard. If you spot something wrong that you can’t fix yourself, email help@covakids.ai.

Security

How we protect your data

Encryption in transit: All data moving between the app and our servers uses TLS 1.2 or higher.
Encryption at rest: Cloud data is stored with AES-256 encryption on AWS infrastructure.
Key management: Encryption keys are managed via AWS Key Management Service (KMS) with automatic rotation.
Access control: Only a named set of engineers can access cloud data, with mandatory multi-factor authentication and full audit logging.
Minimum access principle: Engineers can only access the data needed for a specific task · no broad browsing.
Security reviews: We conduct regular security assessments and promptly remediate findings.

No system is perfectly secure. If you believe your account has been compromised, email help@covakids.ai immediately.

Safety & legal

Safety and legal process

Cova monitors conversations for content that may indicate a child is in danger. If our systems detect a safety concern · such as references to self-harm, abuse, or imminent risk · we will:

Alert the parent through the Parent Dashboard.
Provide in-app guidance toward appropriate resources.
In cases of imminent risk, contact emergency services or report to authorities as required by law.

We may also disclose data in response to a lawful court order, subpoena, or government request. When permitted by law, we will notify you before complying. We will not voluntarily cooperate with requests that go beyond what the law requires.

Children’s Privacy

Children’s privacy

Cova is designed for families. The parent account is always the legal point of data control · not the child.

Cova is designed with child privacy at its core and is operated in accordance with applicable children’s privacy laws. We operate as follows:

We do not collect personal information directly from children. All personal information about a child is provided by their parent or legal guardian through the parent-managed account.
All child data is collected from and managed through the parent account.
As a parent, you may at any time review the information we hold about your child, request corrections, or request deletion.
You may stop further collection or use of your child’s data by closing the account or switching to Tier 1 at any time.
If you believe a child under 13 has provided personal information without parental consent, contact us at help@covakids.ai and we will delete it promptly.

Additional legal

A few more things worth knowing

Biometric data

Cova does not collect, store, use, or transmit biometric identifiers or biometric information of any kind · including retina scans, fingerprints, voiceprints, or facial geometry. This applies to all tiers and all features.

Third-party links

Cova may occasionally link to external websites or resources. This policy does not govern those sites, and we are not responsible for their privacy practices. Always check the privacy policy of any third-party site you visit.

Do Not Track

Cova is not currently configured to respond to browser or device “Do Not Track” signals. Your privacy tier setting is the primary way you control data sharing within Cova.

Marketing opt-out

We send very few marketing communications, and only with your opt-in. To opt out of any marketing emails, email help@covakids.ai with the subject line “Unsubscribe,” or use the unsubscribe link in any marketing message. Transactional messages (receipts, security alerts, policy notices) cannot be unsubscribed from while your account is active.

How this document changes

We will give at least 30 days’ notice before any material change to this policy · by email to the address on your account and by posting an in-app notice. Non-material changes (typos, clarifications that don’t affect your rights) may be made without notice. Continued use of Cova after a change takes effect constitutes your acceptance of the updated policy. The version in effect at the time of your use governs your data.

Questions about your privacy?

We’re a real team of people, not a legal boilerplate machine. Reach out · we’ll reply.

help@covakids.ai