Skip to content
Legal

Privacy Policy

Last updated: June 20, 2026.

This Privacy Policy explains what information Hutytech ICT Resources Limited (“Coveton”, “we”, “us”) collects when you use our communication platform and related websites, how we use it, the legal bases for processing it, and the rights you have. The short version: your conversations are end-to-end encrypted, the keys live on your devices, and we cannot read them.

1. Our zero-knowledge commitment

Coveton is built on a zero-knowledge architecture. Message content, voice notes and files are encrypted on your device before they ever reach our infrastructure. The encryption keys are generated and stored on your authorized devices and are never transmitted to us in a form we can use. We store only ciphertext, and we do not possess the keys required to decrypt it.

This is a technical guarantee, not just a policy promise. We cannot read, scan, index, sell or hand over the plaintext of your conversations, because at no point do we have access to it. Where we are legally compelled to produce data, we can only provide the limited account and metadata described below and the ciphertext we hold, which is useless without your keys.

2. Categories of data we process

To operate the service, we process a deliberately limited set of data:

  • Account and identity data: name, email address, organization name, role and authentication credentials, used to create and secure your account and administer your organization.
  • Device and session metadata: device identifiers, public keys for your devices, login history, IP address at the time of connection, approximate location derived from IP, browser or app version and session tokens, used for security, device authorization and revocation.
  • Encrypted content: messages, files and voice notes, stored solely as ciphertext that we cannot decrypt.
  • Operational and audit logs: rate-limit, error, delivery and administrative audit records that capture actions and system events (never message content) for security, reliability and compliance.
  • Billing data: plan, subscription status and invoices. Card and payment-instrument data is collected and stored by our payment processors; we never store full card numbers.
  • Support communications: the content of messages you send to our support or sales teams.

3. What we never do

  • We never sell or rent your personal data to anyone.
  • We never serve advertising or run behavioral or cross-site tracking.
  • We never read message content. It is technically impossible for us to do so.
  • We never build profiles of you for advertising or engagement optimization.
  • We never use your content to train machine-learning models.

4. How and why we use information

We use the limited data above only to:

  • Authenticate you and secure your account and devices.
  • Operate, maintain, troubleshoot and improve the service.
  • Route and deliver encrypted content between authorized devices.
  • Provide customer support and respond to your requests.
  • Process payments and manage subscriptions.
  • Detect, prevent and investigate abuse, fraud and security incidents.
  • Comply with legal obligations and enforce our terms.

We do not use your data for advertising of any kind.

5. Legal bases for processing (GDPR Article 6)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

  • Performance of a contract: to provide the service you or your organization have signed up for.
  • Legitimate interests: to secure the platform, prevent abuse and improve reliability, balanced against your rights.
  • Legal obligation: to comply with applicable laws, tax requirements and lawful requests.
  • Consent: where required, for example optional communications, which you may withdraw at any time.

6. Our role: controller and processor

When you use Coveton as an individual or sign up directly, we act as a data controller for your account and metadata. When your organization provides Coveton to you, that organization is the controller of the content and member data within its workspace, and Coveton acts as a data processor on its behalf, processing data only on documented instructions. Our Data Processing Agreement governs that relationship. See our DPA overview.

7. International data transfers

We and our sub-processors may process data in countries other than your own. Where we transfer personal data out of the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms, together with supplementary technical measures such as encryption in transit and at rest.

8. Data retention

We retain data only as long as needed for the purpose it was collected:

  • Encrypted content: retained according to your organization’s configured retention policy, including ephemeral rooms that expire automatically.
  • Account data: retained while your account is active and deleted within a reasonable period after closure.
  • Security and audit logs: retained for a limited period (typically up to 12 months) for security and compliance, then deleted or anonymized.
  • Billing records: retained as required by tax and accounting law.

9. Your rights

Depending on your jurisdiction, you may have the right to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent. You also have the right to lodge a complaint with a supervisory authority. Because content is encrypted with keys only you control, some data is only ever accessible to you and not to us. To exercise any right, email privacy@coveton.com. If your data is controlled by your organization, we will direct your request to them.

10. Children’s privacy

Coveton is intended for use by organizations and the adults working within them. The service is not directed to children under 16, and we do not knowingly collect personal data from them. Where a school or similar institution uses Coveton, it is responsible for obtaining any consents required for student accounts. If you believe a child has provided us data without authorization, contact us and we will delete it.

11. Security

We protect data with end-to-end encryption of content, encryption in transit (TLS) and at rest, strict access controls and least-privilege access for staff, device authorization and revocation, comprehensive audit logging, and regular security review. No system is perfectly secure, but our zero-knowledge design means even a breach of our infrastructure does not expose the plaintext of your conversations.

12. Sub-processors

We rely on a small set of vetted infrastructure providers for hosting, encrypted object storage, payments, email delivery and error monitoring. They process data strictly under contract and never receive your decryption keys. See our current list at Sub-processors.

13. Cookies

We use only strictly necessary cookies and local storage for authentication and saving your theme preference. We do not use advertising or third-party tracking cookies. See our Cookie Policy.

14. Changes to this policy

We may update this policy as the service and the law evolve. We will post the updated version here with a new effective date, and we will give reasonable advance notice of material changes.

15. Contact

Questions about privacy or this policy? Email privacy@coveton.com or our general team at hello@coveton.com.