Privacy Policy
CovenAI ("we", "us", "our") is committed to protecting your personal information. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
This service is intended for adults and businesses. It is not directed at children under the age of 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data to us, please contact us at hello@covenai.io and we will delete it promptly.
1. Who We Are
CovenAI is operated as a sole trader business based in England, United Kingdom. Contact: hello@covenai.io
2. Free Public Beta
CovenAI is currently in free public beta. The Agent Analytics platform, free scan, methodology rubric, monitoring dashboards, developer endpoints, and MCP server are all available at no cost during beta. Paid tiers are not active. When paid tiers activate, this policy will be updated to reflect the additional data we process for billing.
3. We Do Not Process Transactions
CovenAI does not currently process or facilitate transactions on behalf of users or autonomous AI agents. We have built infrastructure to support agent-initiated payments (using USDC on the Base network via the x402 protocol), but this capability is not active. We will only activate it if and when the regulatory environment provides sufficient clarity, and this policy will be updated before any activation.
4. Lawful Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Legitimate interests — for free scans and public tools, we process submitted URLs to generate your results. For waitlist and early-access sign-ups, we process your email to follow up on your expressed interest. These interests are balanced against your rights and do not override them.
- Consent — if you opt in to product updates or marketing communications, we will send them only with your explicit consent. You can withdraw consent at any time by emailing hello@covenai.io or using the unsubscribe link in any email.
- Contract performance — once paid tiers activate, processing your email and account identifiers will be necessary to deliver the services you have purchased.
- Legal obligation — we may retain certain records to comply with applicable tax and financial regulations.
5. Data We Collect
During the free public beta we may collect:
- Email address — when you join the waitlist, register a developer account, or contact support
- Website URL — the target site you submit for a scan or to monitor
- Scan results and history — scores, findings, and metadata generated by our analysis, retained against your account if you have one
- API usage metadata — if you use our developer endpoints or MCP server, we log request metadata (timestamp, endpoint, status, originating account or agent identifier) for rate limiting, abuse prevention, and product improvement
- Limited site analytics — see §7 below
When paid tiers activate, we will additionally process billing identifiers — internal references linking your account to payments for CovenAI services. If, in future, transaction features are activated (see §3), additional data including wallet addresses and on-chain transaction identifiers may be processed; this policy will be updated before any such activation.
We do not use cookies or marketing pixels. We do not sell, rent, or share your data with third parties for marketing purposes.
6. How We Use Your Data
- To generate and deliver scan, monitoring, and rubric results
- To operate the public scan, monitoring, developer, and MCP services
- To respond to support enquiries
- To maintain rate limits and protect against abuse
- To improve the methodology and product (using aggregated, non-identifying signals where possible)
- To comply with legal obligations
7. Analytics
We use Plausible Analytics, a cookieless, privacy-first analytics tool. Plausible does not use cookies, does not collect personal data, does not track users across sites, and does not share data with advertising networks. Aggregate metrics (page views, referrers, country at country level) help us understand which content is useful. We do not use Google Analytics or any cross-site tracking pixel.
8. Third-Party Processors
- Cloudflare — website delivery, application hosting (Workers), database (D1), and DDoS protection (Cloudflare Privacy Policy)
- LLM providers — large language model providers, including Anthropic and OpenAI, are used to generate parts of scan analysis. Submitted URLs and page content extracted during a scan are processed by these providers solely to produce your results and are not used by them to train their models, in line with the providers' enterprise data handling commitments (Anthropic, OpenAI).
- Resend — transactional email delivery (Resend Privacy Policy)
- Plausible Analytics — cookieless site analytics, EU-hosted (Plausible Privacy Policy)
If transaction features are activated in future (see §3), additional processors may be added to this list, including infrastructure for on-chain settlement. This policy will be updated before any such activation.
9. International Data Transfers
Some of our third-party processors are based in the United States. Specifically, Cloudflare, Anthropic, OpenAI, and Resend are US-based companies. Plausible is hosted in the European Union. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Cloudflare — relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) framework, with EU/UK data centres available for routing.
- Anthropic and OpenAI — data transfers are covered by Standard Contractual Clauses. URLs and page content submitted for analysis are processed only to generate your report and are not used to train AI models.
- Resend — data transfers are covered by Standard Contractual Clauses.
You can request further information about the specific safeguards in place by contacting us at hello@covenai.io.
10. Monitoring and Scheduled Scans
If you register a site with our monitoring product, CovenAI runs scheduled scans against that site using Coven-Citability-Bot, our web agent, and stores a history of scores over time so you can track progress and identify regressions. The current scheduled cadence is approximately once per week, alongside on-demand scans you trigger manually or via the API, which are processed immediately. Cadence may increase as the product evolves; we will update this policy if material changes are made. Scan history is tied to your account and is subject to the same retention and deletion rights as all other personal data we hold.
11. CovenAI's Own Agent and Third-Party Agent Activity
CovenAI operates Coven-Citability-Bot, our own web agent, which visits URLs you submit (via scan, monitoring, or API) to analyse them and produce your results. Coven-Citability-Bot's identity and published policy are available at /agent-policy.json on covenai.io. Operators of sites being scanned can reference this document to understand the bot's behaviour and permissible use cases.
CovenAI also publishes machine-readable surfaces (an MCP server, an agent-policy.json document, and public API endpoints) that allow third-party autonomous AI agents to discover and use the platform. When a third-party agent acts on your behalf:
- Requests are subject to the same processing terms as human-initiated requests.
- Where an agent is authenticated against your account or developer key, activity is logged against that account and you remain the data controller for any URLs or content the agent submits.
- Where an agent operates anonymously (for example via the public scan endpoint), only request metadata is retained for rate limiting and abuse prevention.
12. Automated Decision-Making
Our scan, monitoring, and ADL outputs are generated automatically using software and AI tools without human review. The system analyses your website and produces findings and recommendations against the CovenAI rubric. While these outputs do not produce legal or similarly significant effects on their own, they may influence business decisions you make.
You have the right to request that a member of our team reviews any AI-generated report and provides a human assessment. To exercise this right, contact hello@covenai.io with your account or scan reference and we will respond within a reasonable timeframe.
13. Data Retention
We retain your email and account details for as long as your account is active, plus up to 12 months for support and legal compliance. Scan history is retained for as long as your account is active. You can request earlier deletion at any time. Anonymous aggregate analytics derived from scans (which cannot be linked back to you) may be retained indefinitely to improve the methodology.
14. Your Rights (UK GDPR)
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to processing of your data
- Lodge a complaint with the ICO at ico.org.uk
To exercise any of these rights, email hello@covenai.io. We will respond within 30 days.
15. Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by UK GDPR. If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay, explaining what happened and what steps we are taking.
16. Security
All data is transmitted over HTTPS. Application infrastructure runs on Cloudflare Workers and D1, with secrets managed via Cloudflare's secret store. We do not store payment card data.
17. Changes to This Policy
We may update this policy from time to time. Material changes will be noted on this page with a revised date. Substantive changes affecting how we process your data will be notified by email where we have your address.