Privacy & Cookie Policy

Last Updated: May 20, 2026

1 Privacy

We respect your privacy and are committed to protecting it. We have adopted policies, procedures and controls designed to collect, process and safeguard your personal data, information and documentation (“Personal Information”) in compliance with applicable privacy laws and regulations.

We are required to provide individuals with a privacy notice containing information about how and why their Personal Information is processed. The purpose of the privacy policy is to enable you to make an informed decision about how your Personal Information will be used in your dealings with us or someone else acquiring, using and/or processing your Personal Information.

A privacy policy must be:

concise, transparent, intelligible, and easily accessible
written in clear and plain language; and
free of charge

This Privacy & Cookie Policy (“Policy”) explains what Personal Information we collect when you use our websites (covercy.com and covercypay.com), platforms, and services, why we collect it, and how we use it.

We process Personal Information in compliance with the EU General Data Protection Regulation (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Israeli Protection of Privacy Law 5741-1981 (as amended); and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”) and any other applicable US state or federal privacy laws.

In different jurisdictions, there may be slight differences in terminology, content and application of privacy rules, Accordingly, we have adopted a high watermark approach for all users of our websites, platforms, and services.

This Notice is part of, and should be read in conjunction with, our Terms and Conditions (as amended). By accessing or using our websites, platforms, and services, you acknowledge and consent to the practices described in this Policy.

We may update this Policy from time to time. If we make material changes, we will notify you by email or prominently online. We ask that you revisit this Policy regularly.

2 Who We Are

The Covercy Group provides investment management and money transfer services on an international basis.

If you are a user located or registered with us in the United Kingdom or anywhere else in the world excluding Israel and the United States, references to “Covercy,” “we,” “us,” and “our” are references to Covercy Europe Ltd, a company registered in England (company number 09447723) whose registered address is 5 Elstree Gate, Elstree Way, Borehamwood, Hertfordshire, WD6 1JD United Kingdom. Covercy Europe Ltd is registered by the UK Financial Conduct Authority (“FCA”) as an Authorised Payment Institution. Covercy Europe Ltd acts as the data controller for the purposes of the UK GDPR and EU GDPR, where applicable.

If you are a user located or registered with us in Israel, references to “Covercy” “we,” “us,” and “our” are references to Covercy Technological Trading Ltd, a company registered in Israel (company number 515200657) whose registered address is 7 Dereh Begin St, Ramat-Gan 5268102, Israel. Covercy Technological Trading Ltd is licensed by the Capital Market, Insurance and Savings Authority. Covercy Technological Trading Ltd acts as the data controller for the purposes of the Israeli Protection of Privacy Law, 5741-1981.

If you are a user or registered located in the United States, references to “Covercy” “we,” “us,” and “our” are references to Covercy Inc., a company registered in the State of Delaware (company number 372002522) whose registered office is at 256 Chapman Road, Newark, New Castle, Delaware 19702, USA. Covercy Inc. acts as the data controller for the purposes of United States privacy laws.

The parent company of the group is Covercy Ltd, a company registered in Israel (company number 515194942) whose registered office is at 7 Dereh Begin St, Ramat-Gan 5268102, Israel.

Covercy group entities may share infrastructure, compliance functions, and operational support. Where one group undertaking processes Personal Information on behalf of another, such processing is carried out under appropriate inter-company arrangements and in accordance with applicable data protection and privacy laws.

In certain circumstances, relevant Covercy group entities may also process Personal Information on behalf of business customers, in which case they act as a data processor, service provider, or similar role, depending on the nature of the services provided and the applicable law. In such cases, the processing is carried out under appropriate contractual arrangements and in accordance with applicable data protection laws.

3 Basis of Processing

Data controllers are required to establish the lawful basis(es) for processing your Personal Information. The following bases have been established:

consent
contract
legal obligation
legitimate interests

4 Collection and Use

4.1 Collection

At our heart we are an information technology business who use technology to process transactions in a transparent and compliant way. We anticipate sourcing your Personal Information from:

online registrations you have accessed via our website or social media content
email, face-to-face or telephone meetings
due diligence materials you provide to us as part of the onboarding process such as copies of your passport, utility bills and documentation used to support and verify the data and information you provide to us
third party website analytics or “cookies” used to help improve usability and customer experience
third party due diligence reference agencies and referees
financial institutions used during the transactional flow of our services on your behalf; and
personal/business introductions from referrers and/or our associates and partners

You are responsible for ensuring the accuracy and completeness of any Personal Information you provide.

If you provide Personal Information for another person, you are responsible for ensuring you have their informed consent to provide their Personal Information to us and that you have directed that person to the contents of this Policy.

4.2 What

What we collect from you includes, but is not limited to, the following data, information and documentation:

Account Registration: name, date of birth, nationality, email address, phone number, job title, company name, mailing address, and account credentials required to set up and maintain your account
Financial and Transaction Details: bank account details, payment information, wire transfer details, investment and distribution data, and transaction histories
Identity Verification Materials: Government-issued identification, tax identification numbers (TIN/SSN/EIN), proof of address, and other know-your-customer (“KYC”) data, information and documentation as required by applicable law
Usage Information: IP address, browser type, operating system, device identifiers, language preferences, pages visited, features used, clickstream data, session duration, referring URLs, and approximate geographic location derived from IP address
Communications: records and copies of correspondence between you and us, including support tickets, emails, chat transcripts, and telephone conversations. We may record communications to resolve queries, monitor service quality, and ensure regulatory compliance
Investment Data: fund information, investor relationships, capital commitments, distribution preferences, and performance data

4.3 What not

Biometric Data: we do not collect biometric data. Where third-party KYC providers use biometric comparisons, that processing occurs under their own privacy policies
No Sensitive Data: our business does not require or ask for or need “sensitive” or “special” categories of Personal Information such as about your health, political opinion, race or sex life
Third Parties: except as set forth in this Policy, we will not disclose Personal Information to any third party. We may share personal information with our affiliated group companies for processing, storage, administrative, and operational purpose. Such sharing is carried out on the basis of our legitimate interests or contractual necessity, solely for the purposes described in this Privacy Policy and in accordance with applicable data protection and privacy laws.

5 Use of Personal Information

5.1 Purposes of Use

Your Personal Information will be used for the following purposes:

Providing our services, processing payments, and managing your account.
Implementing anti-money laundering and counter-terrorism financing measures as required by law.
Communicating with you regarding the services, including service notifications and customer support.
Regulatory compliance, reporting to authorities, sanctions screening, and maintaining legally required records.
Analysing usage patterns to improve our services, develop new features, and optimise user experience.
Monitoring use for the prevention of fraud and misconduct.
Retention and storage of the Information in accordance with applicable data protection laws.
Sending marketing communications to users who have provided consent (you may opt out at any time).
Establishing, exercising, or defending legal claims.
We process your Personal Information on the following lawful bases:
Performance of a contract – to provide you with our Services and related customer support.
Compliance with legal obligations – including anti-money laundering, counter-terrorist financing, regulatory reporting (including FCA obligations), fraud prevention and record-keeping requirements.
Legitimate interests – to improve our website, platforms and services, prevent fraud and misuse, protect our legal rights, and monitor service. We ensure such interests do not override your rights.
Consent – where required, including for direct marketing communications and certain analytics or cookies.

5.2 AI and Automated Processing

Our services include AI-assisted features that users may choose to use, such as data extraction, document processing, transaction classification, and related analytics. When you use these features, we process Personal Information contained in the content you submit, and related account, transaction, and financial information where necessary to provide the requested functionality, on the basis of performance of a contract.

Where we use third-party AI providers, they process Personal Information on our behalf subject to appropriate contractual, technical, organisational, and security safeguards. They do not use your Personal Information to train their general models. They may retain submitted content for a limited period only as necessary to provide the service, maintain security, prevent abuse, and support troubleshooting, after which it is deleted or de-identified in accordance with applicable arrangements.

We do not use solely automated processing to make decisions that produce legal effects or similarly significant effects on individuals. You may request human intervention or contest any AI-influenced decision by contacting support@covercy.com.

6 Disclosure of Information to Third Parties

We will not disclose your Personal Information to third parties except as required to provide our services or as required by law. We may share information with:

Other entities within the Covercy Group, under intra-group data-sharing agreements.
Banking and financial services providers who facilitate payments and transactions on our behalf. Their own privacy policies also apply (see paragraph 13).
Service providers: cloud hosting, payment processors, KYC/AML providers, analytics tools, AI providers, customer support platforms, CRM Platform, and professional advisors — all bound by equivalent information and data processing arrangements.
Regulatory authorities, law enforcement, courts, and tax authorities where required or permitted by law, including the FCA (UK), Capital Market Authority (Israel), FinCEN/SEC (US), IRS, HMRC, and the Israel Tax Authority.
Any Covercy entity successor or acquirer in the event of a merger, acquisition, or sale of assets, with prior notice to you.

We will not sell your Personal Information. We do not disclose Personal Information to advertisers. We may however transfer anonymised statistical information regarding website activity.

7 Direct Marketing

We may use your Personal Information to contact you with marketing communications only if you have given explicit consent. You may opt out at any time by clicking the “unsubscribe” link in any marketing email or by emailing support@covercy.com.

If you opt out, we will only delete the information or data required for direct marketing; the rest of your Personal Information necessary to provide the services will continue to be stored and processed.

Information pertaining to individuals under 18 years of age will not be used for direct marketing.

8 Cookies and Tracking Technologies

We use cookies — small text files placed on your device — and similar technologies (pixel tags, web beacons, local storage) to track your activity, record preferences, and deliver a better experience.

Type	Purpose	Duration
Strictly Necessary	Authentication, session management, security. Cannot be disabled.	Session – 12 months
Functional	Preferences, language, display settings.	Up to 12 months
Analytics	Usage statistics via Google Analytics and similar tools.	Up to 26 months
Marketing	Ad relevance and campaign tracking. May be set by third parties.	Up to 13 months

You can manage cookie preferences via the consent banner on our websites, the cookie settings link in the footer, or your browser settings. You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout.

We honour Global Privacy Control (GPC) signals as required by the CCPA/CPRA. We do not currently respond to Do Not Track (DNT) signals as there is no uniform standard for their interpretation.

We use third-party tools to support security and analytics, including Google reCAPTCHA, PostHog, Mixpanel, HubSpot, and Lucky Orange. These tools help us protect our websites from fraud and automated abuse, and to understand how users interact with our services. They may process technical information such as IP address, device and browser characteristics, and user interaction data (such as clicks and navigation patterns) for these purposes.

9 Your Rights

9.1 GDPR (EEA/UK Residents)

If you are in the EEA or UK, you have the right to:

Access your personal data and obtain a copy (Art. 15).
Rectify inaccurate or incomplete data (Art. 16).
Request erasure where there is no lawful basis for continued processing (Art. 17).
Restrict processing in certain circumstances (Art. 18).
Receive your data in a portable, machine-readable format (Art. 20).
Object to processing based on legitimate interests or for direct marketing (Art. 21).
Withdraw consent at any time, without affecting prior processing (Art. 7(3)).
Not be subject to solely automated decisions with legal or significant effects (Art. 22).

We respond within 30 days (extendable by 60 days for complex requests). You may also lodge a complaint with your local supervisory authority.

9.2 CCPA/CPRA (California Residents)

Know the categories and specific pieces of personal information collected, sources, purposes, and third-party recipients (§1798.100).
Delete your personal information, subject to legal exceptions (§1798.105).
Correct inaccurate personal information (§1798.106).
Opt out of the sale or sharing of personal information (§1798.120) — we do not currently sell or share.
Limit the use of sensitive personal information (§1798.121).
Non-discrimination for exercising your rights (§1798.125).

We verify your identity before processing requests and respond within 45 days (extendable by 45 days). You may designate an authorized agent with signed written permission. We do not offer financial incentive programs tied to personal data.

Additional disclosures for California residents — including the categories of personal information we collect and our business purposes — are set out in Appendix A.

9.3 Israeli Privacy Protection Law

Access personal data held about you in our databases.
Request correction of personal data that is inaccurate, incomplete, unclear, or outdated.
Request deletion where applicable under Israeli law, including in certain direct marketing contexts.
Object to direct marketing and request removal from direct marketing lists.
Request that your data not be transferred from a direct marketing database to third parties for marketing purposes, where applicable.

We verify your identity before processing requests and respond within 45 days (extendable by 60 days for complex requests).

9.4 How to Exercise Your Rights

You may review your information through your account page or contact us at support@covercy.com. If requested, we will update or restrict your information, provided you provide such further evidence we may reasonably require. Please note that requesting deletion of your Personal Information may mean we are unable to continue providing our services to you.

We are required by law to retain certain records for a minimum of five years after our relationship ends (or longer, where applicable legislation requires).

10 Security

The security of your Personal Information is important to us. We have implemented appropriate technical and organisational measures to protect it. You can learn more about these measures on our Trust Centre: https://trust.covercy.com/.

In the event of a data breach likely to affect your rights, we will notify the relevant authority within 72 hours (GDPR Art. 33) and inform affected individuals as required. If you believe your account has been compromised, contact support@covercy.com immediately.

The security of your account also depends on you keeping your password confidential and not sharing it with anyone. It is your responsibility to control access to your device and account and to alert us if you believe security has been compromised.

11 Transfers of Information Outside Your Jurisdiction

We may transfer your personal information to, access it from, or process it in countries other than the country where you are located, including within our group companies in Israel, the United Kingdom, and the United States.

Where these transfers involve personal information subject to the GDPR, UK GDPR, or other applicable laws governing cross-border transfers, we rely on lawful transfer mechanisms as required by applicable law. Depending on the circumstances, these may include:

an adequacy decision or adequacy regulations, where the destination country has been recognised as providing an adequate level of protection;
the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Agreement / UK Addendum;
the EU-U.S. Data Privacy Framework, where applicable.

Where required, we also apply supplementary technical, contractual, and organisational safeguards designed to protect personal information transferred across borders.

Because privacy laws in some countries may not provide the same level of protection as those in your home jurisdiction, we take steps to ensure that transferred personal information remains protected in accordance with applicable data protection laws.

12 Data Retention

We retain personal data for at least 7 years, unless otherwise explicitly mentioned in this Privacy and Cookie Policy. When data is no longer needed, it is securely deleted or irreversibly anonymised.

13 Links to Other Sites and Third-Party Services

Our websites and platforms may contain links to other websites not operated by us. We are not responsible for the privacy practices of those sites and recommend you review their privacy policies before providing Personal Information.

Certain Covercy services are provided in partnership with third party financial institutions. Where applicable, their privacy policies also govern the capture and use of your Personal Information in connection with those services.

14 Children’s Privacy

Our services are not directed at individuals under 18. We do not knowingly collect information or data from or for children. If you believe a child has provided us with Personal Information, contact support@covercy.com.

15 Legal Disclaimer

We are not responsible for events beyond our direct control. While we implement extensive security measures, no method of transmission or storage is 100% secure, and we cannot guarantee error-free performance regarding the privacy of your Personal Information.

This Notice is governed by the laws applicable to the relevant Covercy entity: Israeli law for Covercy Ltd and Covercy Technological Trading Ltd, English the law for Covercy Europe Ltd, and the US federal and State of Delaware law for Covercy Inc. Nothing in this Policy limits your rights under mandatory privacy protection or consumer protection laws in your jurisdiction.

16 Contacts

16.1 Our contacts

For any questions regarding this Policy or our services, please contact us:

Covercy Europe Ltd

5 Elstree Gate, Elstree Way, Borehamwood, Hertfordshire, WD6 1JD, England

Phone: +44-203-8567-888

Email: support@covercy.com

Covercy Inc.

256 Chapman Road, Newark, New Castle, Delaware 19702, United States

Email: support@covercy.com

Covercy Technological Trading Ltd

7 Dereh Begin St, Ramat-Gan 5268102, Israel

Phone: +972-3-720-8883

Email: support@covercy.com

Covercy Ltd

7 Dereh Begin St, Ramat-Gan 5268102, Israel

Email: support@covercy.com

16.2 Supervisory Authorities

If you are not satisfied with our response, you may lodge a complaint with:

EEA: Your local Data Protection Authority (edpb.europa.eu)
UK: Information Commissioner’s Office (ico.org.uk) | +44 303 123 1113
California: California Privacy Protection Agency (cppa.ca.gov)
Israel: Privacy Protection Authority (gov.il)

Appendix A — California Residents

Categories of Personal Information

In the preceding 12 months, we collected the following categories of personal information as defined in Cal. Civ. Code §1798.140(v):

Category	Examples	Business Purpose
A. Identifiers	Name, email, phone, IP address	Service delivery; compliance
B. Personal Information (§1798.80(e))	Address, SSN/TIN, bank account, financial data	Payment processing; KYC/AML
D. Commercial Information	Transaction history, investment records, fund commitments	Fund administration; reporting
F. Internet / Electronic Activity	Browsing history, clickstream, platform interactions	Analytics; security
G. Geolocation	Approximate location from IP	Fraud prevention
H. Professional Information	Job title, company, role	Account setup
K. Inferences	Usage patterns, preferences	Service improvement

We do not sell personal information and do not share it for cross-context behavioural advertising.

We may collect sensitive personal information (government identifiers and financial account data) solely for KYC/AML verification, regulatory compliance, and payment processing. We do not use it beyond the purposes permitted by the CPRA (§1798.121). You have the right to limit its use — see paragraph 9.