Skip to main content

Privacy Policy

Last updated: January 2026

At Cove, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. For specific information about cookies and browser storage, please see our Cookie Policy.

Information We Collect

We collect information you provide directly to us when you create an account, make a booking, or contact us. This may include:

  • Personal identification information (name, email address, phone number)
  • Payment information (processed securely through Stripe — we do not store your full card details)
  • Booking preferences and history
  • Communications you send to us

We also automatically collect certain information when you use our services, including device information, IP address, browser type, and usage data.

Third-Party Services

We use the following third-party services to operate our platform:

Stripe (Payment Processing)

We use Stripe to process payments securely. When you make a payment, your card details are transmitted directly to Stripe and are not stored on our servers. Stripe is PCI-DSS Level 1 certified. View Stripe's Privacy Policy.

Umami (Analytics)

We use Umami for privacy-focused website analytics. Umami does not use cookies, does not collect personal data, and does not track users across websites. It collects only aggregated data:

  • Page views and navigation paths
  • Referrer URLs (how you found us)
  • Device type and browser
  • Approximate country (derived from IP, which is not stored)

This data cannot be used to identify individual visitors. View Umami's Privacy Policy.

Convex (Authentication & Data Storage)

We use Convex for user authentication and secure data storage. Your account information and booking data are stored on Convex's infrastructure. View Convex's Privacy Policy.

Resend (Email Service)

We use Resend to send transactional emails including booking confirmations, reminders, and review requests. When we send you emails, Resend processes your email address, name, and booking details (reference, dates, activity information). View Resend's Privacy Policy.

Google

We use Google services in the following ways:

  • Sign-in (optional): If you choose to sign in using Google, we receive your email address, name, and a unique identifier. We do not receive or store your Google account password.
  • Customer support email: When you email our support addresses (such as hello@covemalta.com or privacy@covemalta.com), Google processes your email address, name, email content, attachments, and email metadata (such as timestamps).

Google is certified under the EU-US Data Privacy Framework. View Google's Privacy Policy.

How We Use Your Information

We use the information we collect to:

  • Process and manage your bookings
  • Communicate with you about your reservations
  • Send you promotional communications (with your consent)
  • Improve our services and user experience
  • Comply with legal obligations
  • Detect and prevent fraud

Automated Communications

We send automated emails at scheduled times to enhance your experience:

  • Booking confirmations: Sent immediately upon successful deposit payment
  • Booking reminders: Sent the day before your scheduled activity
  • Review requests: Sent the day after your activity is completed
  • Operator notifications: Operators receive notification of new bookings for their activities

You can manage your email preferences by contacting us at hello@covemalta.com.

Fraud Prevention & Rate Limiting

To prevent abuse and protect our platform, we may derive a hashed version of your IP address for rate limiting purposes. This hash:

  • Cannot be reversed to reveal your actual IP address
  • Is used only to enforce limits on requests and prevent platform abuse
  • Is processed in real-time and not stored long-term
  • Uses SHA-256 hashing with a secure salt for privacy compliance

This processing is based on our legitimate interest in preventing platform abuse and protecting our users.

Server-Side Processing (Webhooks)

We receive notifications (webhooks) from our service providers to process your bookings efficiently:

  • Stripe webhooks: Notify us when payments are processed, allowing us to confirm your booking
  • Resend webhooks: Track email delivery status to ensure you receive important communications

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Contract Performance

Processing necessary to fulfill our contract with you, including processing bookings, managing your account, and communicating about your reservations.

Consent

Processing based on your explicit consent, such as sending marketing communications and promotional offers. You can withdraw consent at any time.

Legitimate Interest

Processing necessary for our legitimate business interests, including improving our services through analytics, detecting and preventing fraud, and ensuring platform security.

Legal Obligation

Processing required to comply with legal requirements, including maintaining tax records and responding to lawful requests from authorities.

Information Sharing

We share your information with water activity operators when you make a booking so they can provide their services to you. We may also share information with:

  • Service providers who assist us in operating our platform (Stripe, Convex, Umami)
  • Payment processors for secure transaction handling
  • Legal authorities when required by law or to protect our rights

We do not sell your personal information to third parties.

International Data Transfers

Some of our third-party service providers are based outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:

  • Convex (US-based): Data transfers are protected by Standard Contractual Clauses (SCCs)
  • Stripe (US-based with EU entities): Stripe has EU entities and uses SCCs for transfers outside the EEA
  • Resend (US-based): Data transfers are protected by Standard Contractual Clauses (SCCs)
  • Google (US-based): Google is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs)
  • Umami: Collects only non-personal, aggregated data that does not constitute personal data transfer

You can request more information about the safeguards we use by contacting us at privacy@covemalta.com.

Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption of data in transit and at rest, secure server infrastructure, and regular security assessments.

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We encourage you to use strong passwords and protect your account credentials.

Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), if you are in the European Economic Area, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restriction: Request limitation of processing
  • Right to Portability: Receive your data in a portable format
  • Right to Object: Object to certain processing activities

To exercise any of these rights, please contact us at privacy@covemalta.com. We will respond within 30 days.

Opt-Out Options

You have several options to control how your data is used:

Marketing Communications

You can unsubscribe from marketing emails by clicking the "unsubscribe" link at the bottom of any marketing email, or by contacting us at hello@covemalta.com.

Analytics

Our analytics (Umami) do not track individual users, so there is nothing personal to opt out of. If you wish to prevent any analytics data collection, you can use a browser extension that blocks JavaScript or analytics scripts.

Account Deletion

You can request deletion of your account and associated data by contacting us at privacy@covemalta.com. We will process your request within 30 days, subject to any legal retention requirements.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

  • Booking data: 3 years after booking completion (for dispute resolution and service improvement)
  • Account data: Until you request deletion, plus a 30-day grace period for recovery
  • Analytics data: Aggregated only — no personal data is retained
  • Payment and financial records: 7 years (Malta tax compliance requirements)
  • Marketing consent records: Duration of consent plus 3 years (to demonstrate compliance)
  • Support inquiries: 2 years after resolution

When data is no longer needed, we securely delete or anonymize it.

Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@covemalta.com.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. Your continued use of Cove after changes are posted constitutes acceptance of the modified policy.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Cove
Email: privacy@covemalta.com
Valletta, Malta

For general inquiries: hello@covemalta.com