Legal

Privacy Policy

Last updated: March 2026 · COVR Ireland Ltd · Questions? [email protected]

This Privacy Policy explains how COVR Ireland Ltd ("COVR", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our website (covrcases.com), our automated phone case printing kiosks, or any other services we offer. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Irish data protection law.

1. Who We Are (Data Controller)

COVR Ireland Ltd is the data controller responsible for your personal data.

Company name: COVR Ireland Ltd
Registered in: Ireland
Email: [email protected]
Website: www.covrcases.com

As we are a small business, we do not have a dedicated Data Protection Officer (DPO). For all data protection matters, please contact us directly at [email protected].

2. What Personal Data We Collect

We collect different data depending on how you interact with us:

2.1 Website (covrcases.com)

Waitlist sign-ups: First name and email address, submitted voluntarily by you.
Analytics data: Via Google Analytics 4 — anonymised page views, session duration, device type, browser type, approximate geographic region (country/city level). IP addresses are anonymised before storage.
Cookies: See Section 9 for full details.

2.2 Kiosk Transactions

Photo/image: The image you upload to create your custom case. This is processed solely to print your case and is deleted immediately after printing is complete — we do not store your photos.
Payment data: Card payments are processed by SumUp (a PCI-DSS compliant third-party payment processor). COVR does not receive, store, or process your full card number, CVV, or payment credentials. We receive only a transaction confirmation reference.
Transaction records: Date, time, case model selected, transaction amount, and anonymised payment confirmation. No name or card details.

2.3 Direct Communications

If you email us or contact us directly: your name, email address, and the content of your message.

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Send launch announcement and exclusive pricing to waitlist members	Name, email	Consent
Print your custom phone case at the kiosk	Uploaded photo	Contract performance
Process your payment	Via SumUp (we don't hold card data)	Contract performance
Maintain transaction records for accounting & tax purposes	Anonymised transaction data	Legal obligation
Improve our website and kiosk experience	Anonymised analytics data	Legitimate interest (analytics only after consent)
Respond to your enquiries or complaints	Name, email, message	Legitimate interest / contract performance
Comply with Irish and EU law	As required by law	Legal obligation

We will never sell your personal data to third parties. We will never use your data for automated profiling or decision-making that produces legal effects.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

Consent (Art. 6(1)(a)): When you join our waitlist or accept analytics cookies. You can withdraw consent at any time (see Section 10).
Contract performance (Art. 6(1)(b)): When you purchase a case at the kiosk — processing your image and payment is necessary to fulfil your order.
Legal obligation (Art. 6(1)(c)): To comply with Irish tax law and financial record-keeping requirements.
Legitimate interest (Art. 6(1)(f)): For responding to direct enquiries and maintaining basic operational records, where this doesn't override your rights.

5. Kiosk Transactions — Special Notes

Your photo is never stored. The image you upload at the kiosk is used exclusively to print your case. Once printing is complete, the image is deleted from the machine. COVR does not retain, view, or transmit your photos to any third party.

The kiosk operates a self-service model — no COVR staff member views your photo during the transaction. The process is fully automated. Transaction logs record only the case model, price, and an anonymised payment reference for accounting purposes.

The kiosk does not use facial recognition, biometric scanning, or any form of identity verification.

We share data only where necessary and with appropriate safeguards in place:

Recipient	Purpose	Location	Safeguard
SumUp (payment processing)	Processing card payments	EU (Germany)	PCI-DSS compliant; GDPR Article 28 processor agreement
Brevo (email / waitlist)	Storing waitlist emails and sending launch announcements	EU (France)	GDPR compliant; Standard Contractual Clauses
Google Analytics 4 (website analytics)	Anonymised website usage analytics	USA	Only activated with your cookie consent; IP anonymisation enabled; Standard Contractual Clauses
GitHub Pages (website hosting)	Hosting covrcases.com	USA	Standard Contractual Clauses
Irish Revenue Commissioners	VAT and tax compliance	Ireland	Legal obligation under Irish law

We do not share your data with retail venue partners (e.g., shopping centres hosting our kiosk) beyond anonymised aggregate sales figures for revenue-share accounting purposes.

7. How Long We Keep Your Data

Data Type	Retention Period	Reason
Kiosk photos (uploaded images)	Deleted immediately after printing	Not required after fulfilment
Waitlist email & name	Until you unsubscribe, or 2 years from last activity	Consent-based; withdrawn on request
Transaction records (anonymised)	7 years	Irish Revenue / Companies Act requirement
Direct email correspondence	2 years from last contact	Legitimate interest for dispute resolution
Analytics data (Google Analytics)	13 months (GA4 default)	Website performance improvement

8. International Data Transfers

Some of our third-party service providers process data outside the European Economic Area (EEA), including in the United States (Google Analytics, GitHub). Where this occurs, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
IP anonymisation for Google Analytics (data sent to Google is anonymised before transfer)

9. Cookies & Tracking

Our website uses cookies. When you first visit covrcases.com, you will be shown a cookie consent banner. We only activate analytics cookies if you give your consent.

Cookie	Type	Purpose	Duration
`covr_cookie_consent`	Necessary	Records your cookie preference so we don't ask you every visit	1 year
`_ga`, `_ga_*`	Analytics (optional)	Google Analytics 4 — anonymised website usage statistics	Up to 13 months

You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site. Most browsers also allow you to block or delete cookies — see your browser's help documentation for instructions.

We do not use advertising cookies, tracking pixels from social media platforms, or any form of behavioural targeting cookies.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Right of access (Art. 15): You can request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You can ask us to correct inaccurate data.
Right to erasure (Art. 17): You can ask us to delete your data ("right to be forgotten"), subject to legal retention requirements.
Right to restrict processing (Art. 18): You can ask us to limit how we use your data in certain circumstances.
Right to data portability (Art. 20): Where we process data based on consent or contract, you can request your data in a machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent (waitlist, analytics cookies), you can withdraw consent at any time without affecting the lawfulness of prior processing. To unsubscribe from the waitlist, use the unsubscribe link in any email or contact us directly.
Right not to be subject to automated decision-making: We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:

HTTPS encryption for all data transmitted to/from covrcases.com
Secure, access-controlled systems for any stored data
Use of PCI-DSS compliant payment processing (SumUp) — we never handle raw card data
Immediate deletion of kiosk photos after printing
Regular review of third-party data processors and their security standards

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission (DPC) within 72 hours and affected individuals without undue delay, as required by GDPR Article 33–34.

12. Children's Privacy

Our website and kiosk services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of our services after changes constitutes acceptance of the updated policy.

14. Contact & Complaints

For any questions about this Privacy Policy or how we handle your data:

Email: [email protected]