Privacy

Privacy Policy

Plain English. The same data principles we promise on the rest of the site, written in the formal version Stripe and regulators expect.

Effective date: 23 May 2026 · Last updated: 23 May 2026

1. Who we are

Covered is operated by Orchestra Labs ("we", "us", "our"). For the purposes of UAE data-protection law and this policy, Orchestra Labs is the data controller for personal data processed through www.getcovered.ae (the "Service").

Contact for any privacy question: hello@getcovered.ae.

2. What we collect

We collect three categories of data, and only these:

  • Account data — your email address and, if you sign in via magic link, an associated authentication identifier issued by our auth provider.
  • Policy data — the health insurance policy documents you upload (PDFs, images, or pasted text), plus the structured fields we extract from them (insurer name, plan, dates, coverage limits, exclusions). We also keep page-level text extracts and vector embeddings to power the citations feature.
  • Usage data — the questions you ask, the answers we return, feedback you give (thumbs up/down), and metadata like timestamps, IP address (for abuse prevention), and basic device/browser information.

If you pay for a Pro unlock (AED 49), our payment processor (Stripe) handles your card details directly — we never see or store them. We retain only a record of the transaction (amount, date, policy unlocked).

3. Why we collect it

  • To deliver the Service (read your policy, return cited answers, track your usage cap).
  • To send you the magic-link sign-in and renewal-reminder emails you've requested.
  • To prevent abuse (rate limits keyed by IP).
  • To improve the Service in aggregate — for example, identifying which question categories users find confusing. This is always anonymised.

4. What we share with

We share the minimum required to run the Service. Each provider is bound by a contract that prohibits using your data for any other purpose:

  • Anthropic (AI provider) — processes your policy text and questions to generate answers. Operated under a zero-data-retention agreement: Anthropic does not store your data and does not use it to train models.
  • OpenAI — generates the vector embeddings used for citation lookup. Embeddings only; never the full policy text. OpenAI does not retain API request data for training under their enterprise terms.
  • Supabase (infrastructure) — hosts our database and authentication. Your data is stored encrypted at rest in their Mumbai region.
  • Resend (email) — delivers magic links and renewal reminders.
  • Stripe (payments) — processes Pro unlock payments. Subject to Stripe's privacy policy.
  • Vercel (hosting) — serves the website. Aggregate request logs only.

We do not sell your data. We do not share it with brokers, insurers, advertisers, or any other third party for marketing. We do not allow your policy or questions to be used to train any AI model.

5. How long we keep it

We keep your data for as long as your account is active, plus a short retention window for legitimate operational purposes:

  • Account, policy, and Q&A data: until you delete it, or until 12 months after your last sign-in (whichever comes first).
  • Payment records: 7 years, as required by UAE accounting law.
  • Aggregated anonymised analytics: indefinitely (no longer linked to you personally).

6. Your rights — and how to use them

You have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate.
  • Delete your account and all associated data. One-click deletion is available in your account page. The deletion is immediate and irreversible.
  • Export your data in a machine-readable format. Email us and we'll send you a JSON file of everything we hold about you within 30 days.
  • Object to processing for legitimate-interest purposes (e.g., analytics).
  • Withdraw consent to marketing emails (although we don't send marketing emails — only transactional ones you've opted into, like renewal reminders).

To exercise any of these rights, email hello@getcovered.ae. We aim to respond within 7 working days.

7. Security

Your policy documents are encrypted at rest in storage. Database access is gated by row-level security — your data is only accessible by your own authenticated session and our service-level admin accounts (used for support and incident response only). Transport is TLS 1.2 or higher.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you by email within 72 hours of becoming aware of it.

8. International data transfers

Some of our service providers process data outside the UAE: Anthropic, OpenAI, Stripe, Resend, and Vercel operate from the United States and the European Union. Supabase hosts our database in Mumbai, India. By using Covered you consent to these transfers. Each provider is contracted under terms that require equivalent protection of your data.

9. Cookies

We use a single essential session cookie to keep you signed in. We do not use third-party tracking cookies. We do not use cookies for advertising. We do not share cookie data with anyone.

10. Children and sensitive data

Covered is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has used the Service, email us and we will delete their data.

Health insurance documents may include sensitive data (medical history, dependants' details). By uploading, you acknowledge and consent to this processing for the purpose of receiving an explanation of your policy. You can delete this data at any time as described above.

11. Automated decision-making

Covered uses AI to read your policy and generate plain-English answers. This processing is informational, not decisional: we never make a binding decision about your insurance, your claims, or your eligibility. The answers we produce are explanations of what your own policy document says — always verify with your insurer before acting.

12. Changes to this policy

We may update this policy occasionally. If we make a material change (e.g., a new category of data, a new service provider), we'll notify you by email at least 14 days before the change takes effect. The current version of this policy lives at this URL — the "Last updated" date at the top tells you when it was last revised.

13. How to complain

If you're unhappy with how we handle your data, email hello@getcovered.ae first — we'll try to fix it quickly. If we can't resolve the issue, you can lodge a complaint with the UAE Data Office or the relevant data-protection authority in your jurisdiction.

See also: Terms of Service · How we make money