Privacy Policy
Last updated: March 2026
1. Who we are
Covarah Ltd ("Covarah", "we", "us") is the data controller responsible for your personal data. We are a UK-based technology platform that facilitates construction project management, milestone-based payments, and dispute resolution. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What data we collect
We collect the following categories of personal data:
- Account data: name, email address, phone number, role (client/builder)
- Business data: company name, company number, VAT number, trading address, insurance details, accreditations
- Project data: property addresses, project descriptions, milestones, timelines, uploaded documents and photos
- Communication data: messages, comments, call records, and timestamps sent via the platform
- Financial data: contract values, milestone amounts, payment references (actual funds are held by our FCA-accredited escrow partner, not Covarah)
- Technical data: IP addresses, device information, browser type, collected during account activity and contract signing
- Identity verification data: processed by our escrow partner for AML/KYC compliance under their own data controller obligations
3. How we use your data
| Purpose | Legal Basis |
|---|---|
| Account registration and platform operation | Contract (Art. 6(1)(b)) |
| Project management and payment workflows | Contract (Art. 6(1)(b)) |
| Dispute resolution and mediation | Legitimate Interests (Art. 6(1)(f)) |
| Legal and regulatory compliance | Legal Obligation (Art. 6(1)(c)) |
| Fraud prevention and platform security | Legitimate Interests (Art. 6(1)(f)) |
| Platform improvement (anonymised analytics) | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
4. How long we keep your data
| Data | Retention |
|---|---|
| Account and identity data | Duration of account + 7 years |
| Project communications and records | Duration of project + 7 years |
| Contracts and signatures | 6 years from contract end (Limitation Act 1980) |
| Payment records | 7 years (HMRC requirement) |
| Dispute and mediation records | 7 years from resolution |
| KYC/AML verification | 5 years (Money Laundering Regulations 2017) |
5. Who we share data with
- FCA-accredited escrow partner — payment services, escrow, KYC/AML verification
- Clerk — Authentication provider (account sign-in)
- Resend — Transactional email delivery
- AWS — Cloud hosting and file storage (encrypted)
- Other project members — as necessary for project collaboration
All third-party processors are bound by data processing agreements under Article 28 UK GDPR. We do not sell your data to third parties.
6. Your rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Request erasure ("right to be forgotten") — subject to legal retention obligations
- Restrict processing
- Request data portability
- Object to processing based on legitimate interests
- Exercise your rights relating to automated decision-making
To exercise any of these rights, contact us at privacy@covarah.co.uk. We will respond within 30 days.
7. Communications as evidence
All communications conducted via the platform are logged and may be used as evidence in dispute resolution, adjudication, arbitration, or court proceedings. By using Covarah, you consent to this use. We do not warrant completeness or legal admissibility of platform records for any specific legal purpose.
8. Contact
Covarah Ltd
Email: privacy@covarah.co.uk
Website: www.covarah.co.uk
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.