Privacy Policy
Last updated: 2 June 2026
This Privacy Policy explains how Coverboard (“Coverboard”, “we”, “us”) collects, uses and protects personal data when you use our team-leave management service (the “Service”) and our website.
Coverboard is a UK company hosted in the United Kingdom. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Controller and processor roles
For data about your customers’ employees that an organisation stores in the Service (leave records, sickness notes, earnings history, etc.), the Customer is the data controller and Coverboard is the data processor. We process this data on the Customer’s documented instructions, as set out in our Terms of Service.
For data we collect directly from individuals interacting with our website or signing up for an account (your name, email, billing details), Coverboard is the controller.
2. What we collect
The personal data we process includes:
- Account data: name, work email, hashed password, organisation name, role, country of work.
- Billing data: company name, plan, billing country, tax IDs (e.g. VAT numbers, with verification status returned by HMRC or VIES), payment-card details (held by Stripe — we never see the full card number), and invoice history.
- Employee leave data: leave types, dates, statuses, approval history, statutory pay calculations, optional sickness notes, optional evidence flags.
- Right-to-work and employment data: verification flag and metadata (no document images stored).
- Communications: emails you send to our support address, in-app feedback.
- Technical data: IP address, user agent, authentication session cookie, anonymised audit-log entries.
3. Lawful bases for processing
- Contract (UK GDPR Art. 6(1)(b)) — to provide the Service to you under your subscription.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, send service-related emails and improve the product. We have weighed our interests against your rights and consider this proportionate.
- Legal obligation (Art. 6(1)(c)) — to retain financial records and respond to lawful requests.
- Consent (Art. 6(1)(a)) — where we explicitly ask for it (for example, before sending non-essential marketing emails).
For sickness notes and other special-category data submitted by Customer employees, the lawful basis is the employer’s obligation under employment law and social-security law (Art. 9(2)(b)).
4. How we use it
- To operate, maintain and improve the Service.
- To send transactional emails (welcome, leave-request notifications, billing receipts, trial reminders).
- To detect and prevent fraud, abuse and security incidents.
- To comply with HMRC, financial, employment and data-protection obligations.
- To send the optional weekly digest to admins and managers (you can opt out from your profile settings or via the one-click unsubscribe link in each digest email).
- On the Pro plan, to record who in the Customer organisation viewed which employee, sickness record, or audit log. This is a transparency feature for the Customer; we do not access these logs except to operate the Service.
5. Sub-processors
We use a small set of trusted sub-processors to provide the Service. We have a data-processing agreement in place with each.
- Vercel Inc. — application hosting and serverless execution (UK and EU regions).
- Supabase Inc. — managed PostgreSQL hosting for the application database.
- Stripe Payments Europe Ltd. — subscription billing, payment processing, invoice generation.
- Resend — transactional email delivery.
- Sentry (Functional Software, Inc.) — application error tracking. Receives error payloads tagged with user and organisation identifiers when something goes wrong.
- Upstash, Inc. — Redis-backed rate-limiting counters keyed by IP address (and, for signup, email) to protect authentication endpoints from abuse.
- PostHog Inc. — product analytics. Only used if you click “Accept all” on our cookie banner; never used otherwise. Receives anonymised feature-usage events.
- Slack Technologies Inc. — only when a Customer chooses to connect Slack for leave notifications.
- Atlassian Jira (Atlassian Pty Ltd) — only when a Customer chooses to connect Jira.
We will give reasonable advance notice (typically in-app and via email to admins) before adding or replacing a sub-processor.
6. Data residency
Customer Data is stored in the United Kingdom (London, AWS eu-west-2 region, via our database provider Supabase). Application servers run on Vercel’s serverless infrastructure, primarily within UK and EU regions, with a global edge cache used only for static assets (no personal data).
Some sub-processors (notably Stripe, Slack and Atlassian) may process data outside the UK. Where they do, we rely on UK International Data Transfer Agreements or equivalent safeguards to ensure your data receives an essentially equivalent level of protection.
7. Retention
- Active organisations: Customer Data is retained for as long as your account is active, whether on the Free plan or a paid subscription.
- Cancelled or expired organisations: data enters a 30-day grace period during which an admin can reactivate. After 30 days, the organisation’s team members, leave requests, audit logs and integrations are permanently deleted and the organisation record is anonymised to a stub.
- Anonymisation under data-retention policy: Admins can run a retention sweep that anonymises personal notes and sickness notes on leave records older than the configured cutoff (default 6 years after the leave end date — the standard UK recommendation). Statutory shell fields (dates, leave type, SSP/SMP figures) are preserved so historical pay records remain reportable.
- Billing records: retained for the period required by UK tax law (currently 6 years).
- Audit logs: retained for the life of the organisation; purged on full deletion.
8. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have it corrected if it is inaccurate;
- have it erased (subject to our right to retain it for legal or legitimate reasons);
- restrict or object to certain processing;
- receive a copy of your data in a structured, commonly used, machine-readable format;
- withdraw consent at any time where processing is based on consent.
For employees of a Customer organisation, the route to exercise these rights is via your employer (the data controller). Coverboard provides admins with a one-click Subject Access Request export from each employee’s profile, producing a machine-readable file (JSON for the per-employee SAR; CSV or Excel for report-level exports) containing every record we hold about that employee.
For data we hold about you as a Customer (account holder), email our data-protection contact at dpo@coverboard.io and we will respond within one month, as required by UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
9. Security
We use industry-standard measures to protect personal data, including encrypted storage, role-based access controls, an append-only audit log of writes and (on the Pro plan) read-side audit, secure password hashing (bcrypt) with a strength check at signup, email verification before first sign-in, and rate limiting on authentication endpoints. No system is perfectly secure; you are responsible for keeping your own credentials confidential and reporting suspected incidents to us promptly.
10. Cookies
next-auth.session-tokenandnext-auth.csrf-token— set by NextAuth to keep you signed in and protect form submissions. Session-scoped.cb_cookie_consent_v1— records your cookie-banner choice (granted or rejected) so we don’t ask repeatedly. First-party, 365 days.
Analytics cookies (optional, off by default) — only set if you click “Accept all” on the cookie banner:
ph_*— set by PostHog to count distinct visitors, measure feature usage and pageviews. We do not use PostHog for advertising. First-party (served via our/ingestreverse-proxy), up to 365 days.
We do not use advertising cookies. You can change your choice at any time by clearing the cb_cookie_consent_v1 cookie in your browser, which will re-show the banner on your next visit. Clearing cookies will also log you out of the Service.
11. Children
The Service is not intended for individuals under 16 years old. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material we will give reasonable advance notice. The latest version is always available at this URL with the “Last updated” date at the top.
13. Contact
Questions about how we handle your data, or any data-subject request (access, correction, deletion, portability)? Email our data-protection contact at dpo@coverboard.io. For general or billing questions, use support@coverboard.io.