Privacy Policy
Last Updated: 17 June 2026 · Version 1.0
1. Introduction and Who We Are
Welcome to Covely. Covely Technologies Ltd ('Covely', 'we', 'us', or 'our') is a company registered in England and Wales. We operate the Covely platform — a guided digital grief support application and associated website — which provides bereaved adults and children with structured, evidence-based tools to support emotional wellbeing, memory preservation, and grief adaptation following bereavement.
We are the Data Controller in respect of the personal data we collect and process through the Covely platform, website, and associated services. This Privacy Policy applies to all personal data we collect from:
- Users of the Covely mobile application and web platform
- Visitors to our website at www.covelysupport.co.uk
- Funeral directors, funeral homes, and other professional partners who register with or enquire about Covely
- Children and young people under the age of 18 who access Covely through a parent, guardian, or authorised funeral director partner
- Individuals who join our waiting list or submit enquiries
This Privacy Policy should be read alongside our Terms and Conditions of Use and our Cookie Policy, which are published separately on our website.
1.1 Our Commitment
We recognise that our users are often in a vulnerable and emotionally sensitive position. We are committed to:
- Collecting only the personal data we genuinely need
- Being transparent about how we use your data
- Applying the highest standards of security to protect sensitive information
- Never selling your personal data to third parties
- Treating children's personal data with particular care and implementing age-appropriate protections
- Complying fully with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, and other relevant international data protection laws
1.2 Special Category and Sensitive Data
The Covely platform, by its nature, may involve the collection and processing of information that is classified as 'special category data' under UK GDPR. This includes data relating to health and physical wellbeing, mental health and emotional state, and religious or philosophical beliefs (which may arise in the context of grief, bereavement practices, and memorial content). We also process data relating to children, which carries heightened legal obligations.
2. What Personal Data We Collect
2.1 Data You Provide Directly
Account Registration Data — When you create a Covely account, we collect your full name, email address, password (stored in encrypted form), date of birth, country of residence, account type, and subscription tier.
Payment and Billing Data — Where you subscribe to a paid tier, payment card details are processed securely by our third party payment provider and are not stored directly by Covely. We retain billing records for a minimum of 7 years in accordance with our legal and accounting obligations.
Profile and Personalisation Data — Once registered, you may provide additional information including the name of the person you have lost, your relationship to the deceased, the date of passing, photographs, videos, audio recordings, written journal entries, drawings, and memorial preferences. All such content is stored securely and is accessible only to you unless you choose to share it.
Communication Data — When you contact us directly, we collect your name, contact details, the content of your message, any attachments, and the date and time of your communication.
Waiting List and Partner Enquiry Data — If you join our waiting list or submit a partnership enquiry, we collect your name, job title, business name and address, business email and telephone number, website address, and any additional information you provide.
2.2 Data Generated Through Your Use of the Platform
Interaction and Usage Data — We automatically collect information about which tools and features you access, time spent within the application, actions taken, and progress through the 7-Week Grief Pathway. This data is used to improve the platform and personalise your experience. It is not used to profile you for advertising purposes.
Technical and Device Data — We collect device type, operating system, browser type, app version, IP address, device identifiers, crash reports, and session frequency.
Location Data — We may collect your approximate location (based on IP address) to comply with legal requirements and provide region-appropriate content. We do not collect precise GPS location data unless you explicitly consent.
2.3 AI-Generated Conversation Data
The Covely platform includes a guided AI conversation feature ('Let's Talk'). When you use this feature, conversation content is processed to generate responses and may be stored to allow you to revisit previous sessions. Aggregated, anonymised conversation data may be used to improve the AI model's performance.
2.4 Children's Data
Covely includes tools specifically designed for bereaved children and young people. We are committed to protecting children's privacy and complying with the UK Children's Code and Data Protection Act 2018:
- Children under the age of 13 may only use Covely with verified parental or guardian consent
- Children aged 13 to 17 may use Covely with parental or guardian awareness, where required by applicable law
- We do not collect more data from children than is strictly necessary for the provision of the service
- We do not subject children to profiling, behavioural advertising, or nudge techniques
- Parental or guardian access to a child's account data may be requested at any time
2.5 Data We Receive From Third Parties
We may receive personal data from funeral director partners who set up family accounts, friends or family members who contribute to a memorial tribute page, technology service providers such as authentication and single sign-on providers, and analytics and crash reporting services.
3. Legal Basis for Processing Your Personal Data
3.1 Performance of a Contract
Where you have entered into an agreement with us — for example by creating an account or joining our waiting list — we process certain personal data because it is necessary to perform our obligations under that contract. This includes creating and managing your account, providing access to Covely tools, managing your waiting list registration, and administering funeral director partnership arrangements.
3.2 Legitimate Interests
We process certain personal data on the basis of our legitimate interests, including improving and developing the Covely platform, monitoring for fraud and security threats, managing enquiries and complaints, and understanding how our website is used. You have the right to object to processing based on legitimate interests — see Section 8.
3.3 Consent
Where we rely on your consent, we will ask for it clearly and separately. You may withdraw consent at any time. We rely on consent for: sending marketing communications; processing special category data relating to emotional health through journaling and AI conversation features; placing non-essential cookies; and collecting precise location data for optional features.
3.4 Legal Obligation
We may process your personal data where required by law, including responding to lawful requests from regulatory authorities, courts, or law enforcement, and meeting our obligations under financial, tax, and accounting legislation.
3.5 Vital Interests
In exceptional circumstances, we may process personal data where it is necessary to protect the vital interests of a user or another person — for example, where a user's interactions suggest they may be at risk of serious harm.
3.6 Processing Children's Data
For children under the age of 13, we rely on verified parental or guardian consent as our primary lawful basis. For children aged 13 to 17, we rely on consent or contract performance and legitimate interests where the child is capable of providing their own consent under UK law. We apply a precautionary approach in all cases.
3.7 Special Category Data
For special category data we rely on: explicit consent where you have clearly agreed to the processing; substantial public interest where processing is necessary for the provision of health or social care support services; and vital interests where necessary to protect the data subject or another person.
4. How We Use Your Personal Data
We use your personal data only for the purposes described in this Policy:
| Purpose | Lawful Basis |
|---|---|
| Providing and managing your account and access to the platform | Contract performance |
| Delivering the Covely grief support tools and features | Contract performance |
| Processing AI conversation content to generate responses | Contract performance / Consent |
| Sending service-related notifications and updates | Contract performance / Legitimate interests |
| Responding to your enquiries and support requests | Legitimate interests / Contract performance |
| Managing waiting list registrations | Contract performance / Legitimate interests |
| Managing funeral director partner relationships | Contract performance |
| Sending marketing communications (where consented) | Consent |
| Improving and developing the Covely platform | Legitimate interests |
| Monitoring security and preventing fraud or abuse | Legitimate interests / Legal obligation |
| Complying with legal and regulatory obligations | Legal obligation |
| Protecting the vital interests of users at risk | Vital interests |
| Conducting anonymised research to improve grief support outcomes | Legitimate interests / Consent |
4.1 Marketing Communications
If you have consented to receive marketing communications, we may contact you by email or push notification regarding Covely product updates, launch announcements, partnership opportunities, bereavement awareness content, and events. You may withdraw consent at any time by clicking the unsubscribe link in any email or by updating your preferences in the Covely application settings. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.
Marketing vs Transactional Emails
We draw a clear distinction between two categories of email communication:
- Marketing emails — updates, launch announcements, new features, partnership opportunities, newsletters, and any other promotional content. These require your explicit opt-in consent and will only be sent if you have actively ticked the marketing communications checkbox at the point of registration. You may withdraw this consent at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in your account settings.
- Transactional emails — account-related communications such as password resets, account notifications, billing receipts, subscription confirmations, and security alerts. These are sent as a necessary part of providing the service and do not require separate marketing consent. You will continue to receive transactional emails even if you unsubscribe from marketing communications.
When you unsubscribe from marketing emails, we will cease sending marketing communications immediately. We will never re-add you to our marketing list without your active consent, and we will never send you an email asking whether you would like to re-subscribe. Your unsubscribe preference will be recorded and honoured permanently unless you choose to opt back in yourself through your account settings or a new sign-up form.
At the point of registration, marketing email consent is collected via a separate, optional, unticked checkbox. Agreeing to our Terms and Conditions and Privacy Policy does not constitute consent to receive marketing emails. These are collected separately and independently.
4.2 Anonymised Research and Service Improvement
We may use anonymised and aggregated data — from which all identifying information has been removed — for research into grief support outcomes and improvement of the Covely platform. This data cannot be used to identify you as an individual.
5. How We Share Your Personal Data
We do not sell your personal data to third parties under any circumstances. We may share your personal data with the following categories of recipient, strictly as described below.
5.1 Service Providers and Data Processors
We engage trusted third party service providers including cloud hosting and infrastructure providers, email delivery providers, push notification providers, analytics providers, crash reporting providers, AI and natural language processing providers, payment processing providers, and customer support software providers. All service providers are subject to appropriate contractual obligations including data processing agreements that comply with UK GDPR requirements.
5.2 Funeral Director Partners
Where a funeral director partner has set up a family account or tribute page on your behalf, that partner may have access to certain account information — such as the family name, tribute page content, and donation information — to the extent necessary to manage the service. Funeral director partners are prohibited from using family data for any purpose other than the provision of the Covely aftercare service.
Where you access Covely through a funeral director partner's embedded iFrame implementation, the FD Partner will be able to see that a family account has been activated and its general status, and will have access to tribute page content and donation information as necessary. The FD Partner will not have access to your personal journal entries, AI conversation content, or other private emotional content.
5.3 Family and Invited Contributors
If you choose to share a memorial tribute page link with friends or family members, those individuals will be able to view the tribute page and, where you permit it, contribute memories, photographs, and messages. You retain control over what is shared and with whom, and can revoke access at any time through your account settings.
5.4 Legal and Regulatory Disclosure
We may disclose your personal data to courts, regulatory authorities, or law enforcement agencies where we are legally required to do so, or where necessary to comply with a legal obligation, protect our rights, prevent wrongdoing, protect personal safety, or protect against legal liability.
5.5 Business Transfers
In the event that Covely Technologies Ltd is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you prior to any such transfer and will ensure that the receiving party is bound by privacy obligations at least as protective as those in this Policy. You will have the right to request deletion of your data prior to any such transfer.
6. International Transfers of Personal Data
Covely operates on an international basis and your personal data may be transferred to, stored in, or processed in countries outside the United Kingdom and the European Economic Area. Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, including International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, and transfers to countries deemed to provide an adequate level of protection. You may request further information about specific safeguards by contacting us using the details in Section 11.
7. How Long We Keep Your Personal Data
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and registration data | Duration of account plus 2 years following closure | Contract performance / Legal obligation |
| Memory Garden content, journal entries, photographs | Duration of account. Permanently deleted upon account deletion unless export requested. | User control / Contract |
| AI conversation content | 90 days from session unless user saves to account | Contract / Consent |
| Technical and usage data | 13 months from collection | Legitimate interests |
| Marketing consent and preferences | Until consent is withdrawn plus 1 year | Consent / Legal obligation |
| Waiting list data | Until launch or until you withdraw, plus 6 months | Consent / Legitimate interests |
| Partner enquiry and contract data | Duration of partnership plus 7 years | Legal obligation / Contract |
| Legal correspondence and complaints | 7 years from resolution | Legal obligation |
| Children's account data | Deleted upon request by parent/guardian or on account closure | Legal obligation / Consent |
| Dormant account data | Account deactivated after 12 months of inactivity. Data retained for further 90 days then permanently deleted. | Legitimate interests / Legal obligation |
| Payment and billing records | 7 years from transaction date | Legal obligation |
| iFrame access and partner attribution data | Duration of FD Partner subscription plus 2 years | Contract / Legitimate interests |
When personal data is no longer required, we will securely delete or irreversibly anonymise it.
8. Your Rights Under Data Protection Law
8.1 Right of Access
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month and will not charge a fee unless your request is manifestly unfounded or excessive.
8.2 Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.
8.3 Right to Erasure ('Right to be Forgotten')
You have the right to request that we delete your personal data where it is no longer necessary, you withdraw consent, you object to processing with no overriding legitimate grounds, the data has been unlawfully processed, or erasure is required by a legal obligation. This right is not absolute and may be subject to exemptions.
8.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data.
8.5 Right to Data Portability
Where we process your personal data on the basis of consent or contract performance by automated means, you have the right to receive a copy of your personal data in a structured, machine-readable format, and to request that we transmit this data to another data controller where technically feasible.
8.6 Right to Object
You have the right to object to processing where we rely on legitimate interests or where we process your data for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
8.7 Rights in Relation to Automated Decision-Making
Covely does not currently use fully automated decision-making that produces legal effects. Our AI conversation feature is a supportive tool and does not make determinations about your eligibility for services or other significant outcomes.
8.8 Right to Withdraw Consent
Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
8.9 Rights of Children and Their Parents or Guardians
Where personal data has been collected in relation to a child, a parent or legal guardian may exercise data subject rights on behalf of that child. Parents or guardians may request access to, correction of, or deletion of a child's personal data at any time by contacting us.
8.10 How to Exercise Your Rights
To exercise any of the rights described above, please contact our Data Protection team using the contact details in Section 11. We may need to verify your identity before processing your request. We will respond within one calendar month of receipt of a valid request.
8.11 Right to Complain
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — www.ico.org.uk — telephone: 0303 123 1113. We would welcome the opportunity to resolve any concerns directly before you approach a supervisory authority.
9. How We Protect Your Personal Data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage.
9.1 Technical Measures
- Encryption of data in transit using TLS (Transport Layer Security) protocols
- Encryption of data at rest for sensitive personal data including account credentials and emotional content
- Secure password hashing — we never store plain-text passwords
- Multi-factor authentication options for account access
- Regular security testing and vulnerability assessments
- Access controls ensuring that only authorised personnel can access personal data
- Automated monitoring for unusual access patterns or potential security incidents
9.2 Organisational Measures
- Staff training on data protection and information security
- Data protection impact assessments (DPIAs) for high-risk processing activities
- Contractual obligations on all service providers and data processors
- An internal data breach response procedure
- Regular review of our security practices and this Privacy Policy
9.3 Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where the breach is likely to result in a high risk to your rights and freedoms, will notify you directly without undue delay.
10. Cookies and Similar Technologies
Our website and application use cookies and similar tracking technologies to improve functionality, understand visitor behaviour, and deliver a personalised experience.
Strictly Necessary Cookies — Essential for core functionality such as account login, session management, and security. These cannot be disabled without affecting the functionality of the service.
Performance and Analytics Cookies — Allow us to understand how visitors use our website and application. Information collected is aggregated and anonymous.
Functional Cookies — Allow our website and application to remember choices you have made, such as language preferences and personalisation settings.
Marketing and Tracking Cookies — May be used to deliver relevant information about Covely and to measure the effectiveness of our marketing campaigns. These require your consent before being placed on your device.
When you first visit our website, you will be presented with a cookie consent banner. You can update your preferences at any time through the cookie settings link in our website footer.
11. How to Contact Us
| Company | Covely Technologies Ltd |
| Postal Address | 18 Lakewall, Westonzoyland, Bridgwater, Somerset, TA7 0LP |
| info@covelysupport.co.uk | |
| Website | www.covelysupport.co.uk |
| Data Protection Contact | info@covelysupport.co.uk |
| Response Time | We aim to respond to all data protection enquiries within 5 working days |
11.1 Data Protection Officer
As a UK-based company, we are not currently required to appoint a Data Protection Officer. However, all data protection enquiries are handled promptly and can be directed to info@covelysupport.co.uk.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Where we make material changes, we will notify you in advance by sending a notification to your registered email address, displaying a prominent notice within the Covely application, and publishing an updated version of this Policy on our website with a revised 'Last Updated' date.
Your continued use of the Covely platform following notification of material changes will constitute your acceptance of those changes. If you do not agree to the updated Policy, you may delete your account at any time.