Privacy Policy

Last updated: April 6, 2026

At covari, we take your privacy seriously. This policy explains what information we collect, how we use it, and what rights you have over your data.

1. Information We Collect

We collect several categories of information depending on how you use covari ("the Platform"):

Account Information: When you create an account, we collect your name, email address, password (hashed, never stored in plain text), and the role you select (Creator, Brand, or Agency). You may also sign up using Google OAuth, in which case we receive your name, email, and profile photo from Google. Brands provide additional company information including company name, website, and logo. Agencies provide agency name and specify whether they represent creators or brands.

Profile Information: Creators build public profiles that may include a bio, portfolio links, categories, pricing, and a cover image. Brands maintain company profiles with descriptions, industry, and branding assets. This information is displayed publicly on the Platform to facilitate partnerships.

Social Media Data: When creators connect their Instagram, YouTube, or TikTok accounts through OAuth, we receive access to public analytics data from those platforms, including follower counts, engagement rates, audience demographics, and recent content performance. We store OAuth tokens securely to maintain this connection and periodically refresh analytics data. We do not post to your social media accounts.

Payment Information: Payment details (credit card numbers, bank account information) are collected and processed entirely by Stripe. We do not store payment card data on our servers. We do store transaction records including amounts, dates, fee breakdowns, Stripe transfer IDs, and metadata about the associated proposals or milestones for accounting and dispute resolution purposes. Creators connect a Stripe Connect account to receive payouts.

Communications: Messages exchanged between users through the Platform's messaging system are stored on our servers. This includes direct messages, proposal discussions, and file attachments shared within conversations.

2. Automatic Data Collection

When you use the Platform while logged in, we automatically collect activity data to improve our service, ensure security, and provide administrative oversight. This includes:

Activity Events: We track events such as page views, button clicks, feature usage, login/logout events, profile updates, proposal actions, and other interactions with the Platform. Each event records the page URL, event type, and timestamp.

Device Information: We collect your browser type and version, operating system, device type (desktop, mobile, or tablet), screen resolution, timezone, and preferred language. This data is derived from your browser's user agent string and JavaScript APIs.

IP Address Handling: We collect your IP address for security purposes (fraud prevention, rate limiting). Your raw IP address is immediately hashed using SHA-256 with a rotating salt before storage. We do not store raw IP addresses in our activity logs. The hashed value allows us to detect patterns (such as multiple accounts from the same source) without retaining your actual IP address.

Session Tracking: We group your activity events into sessions based on a 30-minute inactivity threshold. This helps us understand how users navigate the Platform and identify usability issues.

3. Anonymous Visitor Tracking

When you visit the Platform's public pages (such as the homepage, pricing page, or creator listings) without being logged in, we collect limited anonymous data to understand how visitors discover and interact with the Platform:

Visitor Identifier: We generate a random anonymous identifier stored in your browser's localStorage. This identifier is not linked to any personal information and cannot be used to identify you. It allows us to distinguish unique visitors from repeat page loads.

Visit Data: We record the pages you visit, the referring website or search engine that brought you to the Platform, and any UTM parameters (campaign source, medium, and campaign name) present in the URL. We also collect the same device information described above (browser, OS, device type, viewport size, timezone, language) and a hashed version of your IP address.

This anonymous data is used to measure the effectiveness of our marketing efforts, understand which channels drive signups, and optimize the visitor-to-signup conversion funnel.

4. How We Use Your Information

We use the information we collect for the following purposes:

Platform Operations: To create and manage your account, display your profile to other users, facilitate partnerships between creators and brands, and process payments and payouts.

Communications: To send transactional emails about your account activity, including account verification, proposal notifications, payment confirmations, milestone updates, dispute notifications, and platform announcements. Emails are sent through our email service provider (Resend).

Matching and Discovery: To help brands find relevant creators based on categories, audience data, pricing, and other profile attributes.

Analytics and Improvement: To understand how users interact with the Platform, identify bugs and usability issues, monitor conversion funnels, and improve features. Administrators review aggregated and individual activity data to maintain Platform quality.

Security and Fraud Prevention: To detect suspicious activity, prevent unauthorized access, enforce rate limits, and protect against fraud.

Dispute Resolution: To review messages, deliverables, proposal terms, and activity logs when resolving disputes between creators and brands.

We do not sell your personal information to third parties. We do not use your data for behavioral advertising.

5. Information Sharing

We share information only in the following circumstances:

With Other Users: Your public profile information (name, bio, portfolio, analytics data, pricing) is visible to other Platform users. Messages you send are visible to the recipients. When you enter a partnership, both parties can see relevant proposal details and deliverables.

With Service Providers: We use the following third-party services to operate the Platform:

• Supabase — database hosting, authentication, and file storage (hosted in the United States)
• Stripe — payment processing, escrow, and payouts
• Vercel — website hosting and deployment, basic web analytics
• Resend — transactional email delivery
• Upstash — rate limiting and caching (Redis)
• Anthropic — optional AI-powered features (only when you explicitly use AI features; your data is not used to train AI models)

These providers access only the data necessary to perform their services and are bound by their own privacy policies.

For Legal Reasons: We may disclose information when required by law, legal process, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.

6. Data Security

We implement security measures to protect your data, including:

• Encryption in transit via TLS for all connections
• Passwords hashed using industry-standard algorithms (never stored in plain text)
• IP addresses hashed with SHA-256 before storage in activity logs
• OAuth tokens for social media connections stored securely in our database
• Row-level security policies in our database to prevent unauthorized data access
• Role-based access controls for administrative functions
• Payment data handled entirely by Stripe (PCI-compliant) and never stored on our servers
• Rate limiting on authentication and API endpoints to prevent brute-force attacks

While no system is 100% secure, we take reasonable measures to protect your information and regularly review our security practices.

7. Cookies and Local Storage

We use cookies and browser local storage as follows:

Authentication Cookies: Supabase sets session cookies to keep you logged in. These are essential for the Platform to function and cannot be disabled while using the Platform.

Local Storage: We store a randomly generated anonymous visitor identifier in your browser's localStorage to track anonymous visits to public pages. We also store user interface preferences (such as sidebar state and theme settings) in localStorage. This data never leaves your browser except for the anonymous visitor identifier, which is sent with visitor tracking events.

We do not use third-party advertising cookies. We do not use tracking pixels or cross-site tracking technologies. Vercel may collect basic web analytics data (page views, referrers) through its hosting infrastructure.

8. Your Rights

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information in your profile or account
• Delete your account and associated personal data through your account settings
• Export your data in a portable format upon request
• Opt out of non-essential communications
• Restrict or object to certain processing of your data
• Clear the anonymous visitor identifier from your browser by clearing your localStorage

Upon account deletion, we remove your profile information, social media connections, and personal data. We may retain transaction records as described in our data retention section and certain data in database backups for a limited period.

To exercise any of these rights, contact us at privacy@covari.co.

9. Data Retention

We retain different types of data for different periods:

• Account and profile data: Retained while your account is active. Deleted upon account deletion, subject to backup retention.
• Transaction records: Retained for up to 7 years after the transaction date, as required for tax and legal compliance.
• Activity event logs: Retained for up to 2 years to support analytics and security investigations. Older data is deleted or anonymized.
• Anonymous visitor data: Retained for up to 1 year for conversion analytics purposes.
• Messages: Retained while both participants' accounts are active. If one party deletes their account, messages may be retained for the other party's records.
• Database backups: May contain deleted data for up to 90 days after deletion.

Aggregated, anonymized data that cannot be used to identify any individual may be retained indefinitely for analytics and reporting purposes.

10. International Data Transfers

The Platform is hosted in the United States via Supabase and Vercel. If you access the Platform from outside the United States, your data will be transferred to and processed in the US. Our third-party service providers may also process data in the United States or other jurisdictions. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

11. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a user under 18, we will delete that information and terminate the associated account promptly. If you believe a minor has created an account, please contact us at privacy@covari.co.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at privacy@covari.co or through our contact page.