Privacy Policy

Updated: December 19, 2025

This Privacy Policy explains how the Developer Portal ("Developer Portal" or the "Service") collects, uses, and protects information when you interact with the platform. It applies to users in the United States, India, and other countries where the Service is accessed, subject to applicable local laws.

Who operates this Service

The Service is operated for and on behalf of one or more entities referred to in this policy as "Covenant", which includes Covenant US and Covenant India (together with their affiliates, officers, directors, employees, and agents, "we", "us", or "our"). References to "you" or "your" mean the individual user of the Developer Portal, and where applicable, the organization you represent.

In most cases, Covenant acts as an independent data controller for personal data processed through the Developer Portal. This means we determine the purposes and means of processing your personal data when you interact directly with the Service.

In limited cases where we process personal data solely on the documented instructions of a customer (for example, where a customer uses the Service to input information about their own end users), we may act as that customer's data processor (or equivalent term under applicable law). In those cases, our processing is additionally governed by the applicable data processing agreement or similar contract with that customer.

Information we collect

The information we collect depends on how you use the Developer Portal. In general, we may collect the following categories of data:

  • Account information: Your name, email address, organization, role, and other basic profile data when you create or maintain an account.
  • Authentication and security data: Login timestamps, authentication factors (for example, TOTP enrollment metadata), session identifiers, and related security logs used to help secure your account.
  • Project and support information: Questionnaire responses, technical requirements, business context, attachments, support tickets, comments, and chat messages you submit through the platform.
  • Transactional data: High‑level information about quotes, orders, and payments processed via third‑party payment providers (for example, Stripe), such as amounts, currencies, and payment status. We do not store full payment card numbers on the Developer Portal.
  • Usage and device data: Technical logs and limited analytics such as IP address, browser type, device characteristics, operating system, referring URLs, pages viewed, timestamps, and other diagnostic information used to monitor reliability, performance, and security.
  • Communications: Content of messages you send to us via email or the contact form, as well as communications relating to your projects, quotes, and support requests.

In addition to information you provide directly and data generated by your use of the Service (such as logs), we may also receive limited personal data about you from:

  • Other Covenant entities involved in providing services to you or your organization;
  • Our customers or partners, if they register you as a user or provide your details as a project contact;
  • Third‑party providers such as authentication or payment services, which may confirm information like successful sign‑in or payment status.

We use this information only for the purposes described in this Privacy Policy and subject to any applicable contractual limitations.

How we use your information

We use the information we collect for the following purposes:

  • To operate, maintain, and improve the Developer Portal and related tools.
  • To create and manage your account, authenticate you, and help keep the Service secure.
  • To process project and support submissions, prepare quotes, manage orders, and track delivery status.
  • To provide support, respond to your questions, and communicate about your projects, tickets, quotes, and orders.
  • To monitor reliability, detect and investigate incidents or abuse, and protect the Service against fraud and security threats.
  • To comply with legal obligations, enforce our Terms of Service, and protect our rights or those of our users and partners.
  • To perform internal analytics and product improvement in a privacy‑respectful manner.

We do not use your personal data to make automated decisions that produce legal or similarly significant effects about you (for example, we do not use fully automated decision‑making to approve or deny access to the Service or to determine pricing). If we introduce such features in the future, we will update this Privacy Policy and, where required by law, provide you with additional information and choices.

Legal bases for processing

Where applicable law (such as the EU/EEA/UK General Data Protection Regulation, "GDPR") requires a legal basis for processing, we typically rely on one or more of the following:

  • Contract: Processing necessary to provide the Service under our agreement with you or your organization, including to manage projects, support, quotes, and orders.
  • Legitimate interests: Processing necessary for our legitimate business interests, such as securing the Service, improving features, and preventing abuse, provided those interests are not overridden by your rights and interests.
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, or lawful requests from public authorities.
  • Consent: In limited cases, where required by law (for example, certain types of optional communications or cookies), we may rely on your consent. You can withdraw consent at any time, without affecting prior processing based on consent.

How we share information

We do not sell your personal information. We may share information in the following situations:

  • Service providers: With carefully selected third‑party vendors that provide hosting, infrastructure, authentication, analytics, email delivery, logging, payment processing, and other operational services. These providers process data on our behalf under appropriate agreements.
  • Payment processors: With processors such as Stripe to handle deposits, balances, and other payments related to quotes and orders. These providers have their own privacy policies and terms.
  • Affiliated entities: Between Covenant US, Covenant India, and affiliated entities as needed to operate the Service, support you, and provide professional services.
  • Legal and safety: When we believe disclosure is necessary to comply with law, regulation, legal process, or valid governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of Covenant, our users, or others; or to detect, prevent, and address fraud, security, or technical issues.
  • Business transfers: In connection with a merger, acquisition, restructuring, or sale of assets, where permitted by law and subject to appropriate safeguards.

International data transfers

The Developer Portal may be operated from and store data in multiple locations, including the United States, India, and other countries where our infrastructure or service providers are located. As a result, your information may be transferred across borders and processed in jurisdictions that may not offer the same level of data protection as your home country.

Where required by applicable law, we take steps to help protect such transfers, for example by using appropriate contractual safeguards (such as standard contractual clauses), and by limiting access to personal data to personnel and service providers who need it for legitimate business purposes.

Regional information and rights

Users in the United States

Certain US state laws, such as the California Consumer Privacy Act ("CCPA") as amended, grant residents specific rights with respect to their personal information. Depending on your state, you may have rights such as:

  • The right to know what categories of personal information we collect, use, and disclose.
  • The right to access specific pieces of personal information we hold about you.
  • The right to request correction or deletion of certain personal information, subject to legal exceptions.
  • The right to be free from unlawful discrimination for exercising your rights.

We do not "sell" personal information, and we do not "share" personal information for cross‑context behavioral advertising as those terms are commonly defined under CCPA‑style laws.

If you are a resident of a US state with a comprehensive privacy law (for example, California, Colorado, Connecticut, Utah, or Virginia), you may have some or all of the following rights, subject to applicable exceptions:

  • To request access to or a copy of personal information we hold about you;
  • To request that we delete certain personal information;
  • To request correction of inaccurate personal information;
  • To receive information about the categories of personal information we collect, use, and disclose;
  • To opt out of certain types of processing where applicable (for example, targeted advertising or certain types of profiling); and
  • To appeal a decision where we decline to act on a request, where such a right is provided by law.

To submit a request, please contact us through the Contact page and clearly describe your request and the state in which you reside. We may need to verify your identity before responding and will respond within the time period required by applicable law.

We do not "sell" your personal information as that term is commonly defined under CCPA‑style laws. To exercise US state privacy rights or to make a request, please contact us through the Contact page and clearly describe your request and the state in which you reside. We may need to verify your identity before responding.

Users in the EU/EEA, UK, and other GDPR‑style jurisdictions

If the GDPR or similar laws apply to you, you may have the following rights, subject to conditions and limitations in the law:

  • Right of access to personal data we hold about you.
  • Right to rectification of inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") in certain circumstances.
  • Right to restriction of processing in certain circumstances.
  • Right to data portability, where technically feasible.
  • Right to object to certain types of processing, including direct marketing or processing based on legitimate interests.
  • Right to withdraw consent where processing is based on your consent.
  • Right to lodge a complaint with a supervisory authority in your country or region.

To exercise these rights, please contact us using the details on the Contact page. We will review and respond to your request in line with applicable law.

Users in India

For users located in India, personal data may be processed by Covenant India and affiliated entities in accordance with applicable Indian data protection and information technology laws. You may have rights to access and request correction or deletion of certain personal data, subject to legal requirements and retention obligations.

We process personal data of users in India in accordance with applicable Indian data protection and information technology laws, including any sector‑specific rules that may apply.

To exercise rights under Indian law or to raise privacy concerns, please contact us via the Contact page and indicate that your request concerns the Indian region so it can be routed appropriately. We will route your request to the appropriate contact (for example, a designated grievance officer where required by law) and respond within the time frame required by applicable law.

Security, DORA‑style resilience, and incident handling

We use reasonable technical and organizational measures designed to protect the Developer Portal and the information we process against unauthorized access, loss, misuse, or alteration. While no online service can guarantee absolute security, our goal is to design the platform with principles aligned to modern security expectations and, where relevant, regulatory frameworks such as the EU Digital Operational Resilience Act ("DORA").

Measures may include access controls, encryption in transit, environment segregation, logging, monitoring, and periodic review of infrastructure and dependencies. We also maintain procedures intended to help us detect, assess, and respond to suspected security incidents. Where required by law, we will notify you and/or relevant authorities of certain data breaches without undue delay.

Data retention

We retain personal information for as long as necessary to provide the Service, support your projects and support requests, fulfill contractual and legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary depending on the type of data and the context in which it was collected.

When information is no longer needed, we may delete it or anonymize it, subject to any legal, regulatory, or contractual requirements that require longer retention.

Cookies and similar technologies

The Developer Portal may use cookies or similar technologies (such as local storage) to support core functionality like session management, security, and user preferences. If additional analytics or third‑party tracking tools are enabled, we will use them in a way intended to respect applicable consent requirements (for example, showing a cookie or tracking banner in certain regions).

Today, the Developer Portal primarily uses cookies and similar technologies for:

  • Core functionality such as authentication, session management, and security; and
  • Remembering basic preferences such as theme or layout.

If we introduce additional categories of cookies or similar technologies (for example, analytics or marketing tags that are not strictly necessary), we will update this Policy and, where required by law, ask for your consent or provide opt‑out controls appropriate for your region.

Depending on your browser, you may be able to control or block certain cookies via your settings. Doing so may affect some features of the Service.

Children's privacy

The Developer Portal is intended for use by adults and business users, not children. We do not knowingly collect personal information from children under the age of 13 (or a higher age where required by local law). If you believe a child has provided us with personal information without appropriate consent, please contact us so that we can take appropriate steps to remove such information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Updated" date at the top of this page and may provide additional notice within the Service where appropriate. Your continued use of the Developer Portal after an update indicates that you have read and understood the updated policy.

Contact

If you have questions about this Privacy Policy, about how we handle personal information, or if you wish to exercise your privacy rights under laws such as GDPR, CCPA‑style legislation, Indian data protection rules, or similar frameworks, please contact us via the Contact page or by using the contact details provided there.

For the purposes of data protection laws where a "data controller" is recognized, the data controller is the relevant Covenant entity identified in your contract or account documentation. If you are unsure who your contracting entity is, you can contact us via the Contact page and we will direct your request appropriately.

If we are required under local law to appoint a representative or a specific contact (for example, a grievance officer in India or an EU representative), we will provide those details on request or in a region‑specific appendix to this Privacy Policy.

When you contact us to exercise your privacy rights, we may need to verify your identity before responding. We will respond within the timeframes required by applicable law and will let you know if we need additional information. Some rights may be subject to legal limitations or exceptions; if we are unable to fulfill a request in full, we will explain why where we are legally permitted to do so.

This Privacy Policy is provided for informational and contractual purposes only and does not constitute legal advice. You should consult your own legal counsel to understand how these concepts apply to your specific circumstances or regulatory obligations.