Privacy Policy
Last updated: March 2026
This policy describes how Covren collects, uses, and protects your information.
1. Information we collect
We collect information you provide when you create an account (name, email, company name) and data generated through your use of the service (change events, drafts, approval history). We also collect standard server logs (IP address, browser type, timestamps).
2. How we use your information
We use your information to provide and improve the service, authenticate your identity, process your content through our pipeline, and communicate service updates. We do not sell your personal information.
3. Data retention
We retain your account data and content for the duration of your subscription. You can configure a custom retention period (90, 180, 365, or 730 days) in your console settings. When a retention period is set, change events, drafts, and usage data older than the configured period are permanently deleted. Claims, audit logs, and approval records are preserved for regulatory compliance.
You may request deletion of your account and all associated data at any time through the console settings or by contacting support. Account deletion requests include a 14-day grace period during which you can cancel the request. After the grace period, all data is permanently and irreversibly deleted. Server logs are retained for up to 90 days.
4. AI processing
Covren uses artificial intelligence (Anthropic's Claude API) to classify customer impact and generate documentation drafts from your product changes.
4.1 Data flow
When you connect a code repository or submit changes, Covren processes the following data through our AI provider:
- Commit messages and PR/merge request descriptions
- Structural summaries of code changes (file paths, function names, diff statistics)
- Repository metadata (branch names, tags, release labels)
The following data is never sent to the AI provider:
- Raw source code or full file contents
- Secrets, API keys, tokens, or passwords (automatically stripped before processing)
- Personal information such as email addresses, names, or IP addresses (automatically redacted)
4.2 How AI is used
AI processing performs two functions:
- Classification — determines customer impact, breaking change detection, and categorization of each change event
- Draft generation — creates human-readable documentation drafts (release notes, help content, API changelogs) from classified changes
All AI-generated content goes through a human review and approval step before it is published or distributed. Covren does not auto-publish AI-generated content without explicit human approval.
4.3 AI provider data handling
Our AI provider (Anthropic) does not use your data to train or improve their models. Data sent via the API is retained by Anthropic for up to 30 days solely for safety and abuse monitoring, then permanently deleted. Anthropic's data handling practices are governed by their privacy policy and our data processing agreement with them.
You can disable AI processing at any time in your console settings. When disabled, the service falls back to template-based generation.
4.4 Automated decision-making
Covren uses AI to classify changes and generate draft content, but no fully automated decisions are made about individuals. All generated content requires human review and approval. You have the right to request human review of any AI-generated classification or content.
5. Sub-processors
We use the following third-party sub-processors to provide the service. Each is bound by a data processing agreement.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | AI classification and draft generation | Code change metadata (redacted) | United States |
| Stripe | Payment processing | Billing name, email, payment method | United States |
| Railway | Infrastructure hosting (application, database, Redis) | All application data (encrypted at rest and in transit) | United States |
| SendGrid | Transactional email delivery | Email address, email content | United States |
We do not sell your personal information or share your content with third parties except as required to provide the service or comply with applicable law. For additional details, see our sub-processor list.
6. Security
We use industry-standard measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed using bcrypt. Access to production systems is restricted, logged, and reviewed. We conduct regular security reviews of our infrastructure and application code.
7. Your rights
Depending on your location and applicable law, you may have the following rights regarding your personal information.
7.1 Rights under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access (Article 15) — request a copy of the personal data we hold about you
- Right to rectification (Article 16) — request correction of inaccurate personal data
- Right to erasure (Article 17) — request deletion of your personal data ("right to be forgotten")
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format
- Right to object to automated processing (Article 22) — request human review of decisions made by automated means
- Right to information (Article 13) — be informed about how your data is collected and used (this policy fulfills this requirement)
Our legal basis for processing is contractual necessity (providing the service you subscribed to) and legitimate interest (improving the service). You can exercise any of these rights through your console settings or by contacting us at the address below.
7.2 Rights under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know (Section 1798.100) — request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete (Section 1798.105) — request deletion of your personal information
- Right to opt-out of sale (Section 1798.120) — we do not sell personal information, so this right is automatically satisfied
- Right to non-discrimination (Section 1798.125) — you will not receive different pricing or service quality for exercising your privacy rights
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.
7.3 How to exercise your rights
You can exercise most rights directly through your Covren console settings:
- Access and export — use the bulk data export feature in Settings > Data & Privacy
- Deletion — use the account deletion feature in Settings > Data & Privacy, or contact support
- Rectification — update your profile information in Settings > Team
We will respond to all privacy requests within 30 days. For complex requests, we may extend this by an additional 60 days with notice.
8. Data Processing Agreement
Enterprise customers may require a Data Processing Agreement (DPA). Our standard DPA is available at Covren DPA. The DPA covers GDPR Standard Contractual Clauses (Module 2: Controller to Processor) and details our obligations as a data processor.
9. Changes
We may update this policy. We will notify you of material changes via email or through the console at least 30 days before they take effect. Continued use after changes constitutes acceptance.
10. Contact
For questions about this policy or to exercise your privacy rights, you can:
- Use the privacy controls in your Covren console settings
- Contact support with your support ID from the console
- Email us at privacy@covren.com