Skip to main content
← Home

Privacy Policy

Last updated: May 1, 2026

1. Who we are

Covol is a web application that connects high-school students with local volunteer opportunities. It is operated by an individual developer for the Congressional App Challenge.

2. What we collect

  • Account information: email address, first name, last initial, date of birth (optional), parent/guardian email if you are under 18.
  • Activity: which opportunities you sign up for, check-in status, verified service hours.
  • Messages: text you post in opportunity threads. These are visible to the organisation running that opportunity and to platform administrators.
  • Location (check-in only): when you tap “I’m here” or scan a QR check-in code, your browser sends your GPS coordinates to our server for a single geofence check. We store only a boolean (within/outside the geofence). Your raw coordinates are never saved.
  • Location (during the event, only when the organiser enables it): if an organiser turns on the optional 10-minute location check, the app pings your location every 10 minutes while the event tab is foregrounded and only during the event window. Same rule applies — only a boolean (inside/outside the geofence) is recorded; raw coordinates are never saved. You will see a clear consent prompt at registration time and can refuse, in which case you cannot register for that specific opportunity.

3. What we do NOT collect

  • Profile photos or avatars (student accounts use initials only).
  • Precise location at any time other than a voluntary check-in press.
  • Payment information of any kind.

4. How we use your data

  • To operate the service: match signups, verify attendance, generate service-hour transcripts.
  • To send transactional emails: signup confirmations, reminders, and attendance results via Resend.
  • To protect minors: messages are scanned for contact information (phone numbers, email addresses, external URLs) and flagged for admin review. No automated profanity scanning that stores flagged content is used.
  • To monitor application health: anonymised error events and performance traces are sent to Sentry. Message content is not included in Sentry events.

5. Public surfaces

Your first name and last initial appear on opportunity threads visible to other signed-up participants. Your full name appears only on your own transcript PDF and on organisation rosters (visible only to the org admin and platform admin).

6. Children’s Privacy (COPPA)

Covol is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. Account creation is rejected at registration if the date of birth indicates the user is under 13. If you become aware that a user under 13 has provided us with personal information, please contact us at privacy@covol.app and we will delete the account and any associated data.

If you indicate you are under 18 (but at least 13), we ask for a parent or guardian email address and send that address a one-time notification when your account is created. We do not contact the parent or guardian for any other purpose.

7. Data sharing

We do not sell your data. We share data only with:

  • Supabase (database and authentication hosting, US-based).
  • Resend (transactional email delivery).
  • Sentry (error monitoring; no PII or message content).
  • Vercel (application hosting).

Business transfers. If Covol is acquired, merged, or its assets are transferred, your personal data may be transferred to the acquiring party. We will require any acquirer to honor this Privacy Policy or to notify you of material changes before the transfer takes effect.

8. Legal disclosures

Covol may disclose your personal data when we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, valid subpoena, court order, or governmental request; (b) protect the rights, property, or safety of Covol, our users, or the public; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) defend against legal claims. Where permitted by law, we will notify the affected user before complying with a request.

9. Security

We use reasonable safeguards — encrypted transport (HTTPS/TLS), at-rest encryption for the Supabase database, and access controls — to protect your personal data. No method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Third-party links

Covol may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of those sites. We encourage you to review the privacy policy of every site you visit.

11. Data retention

Account data is retained while your account is active. Verified attendance records and transcript data are retained indefinitely so that verifier URLs remain valid. You may request deletion of your account by emailing us at the address below.

12. Your rights

You may request access to, correction of, or deletion of your personal data at any time. Contact us at privacy@covol.app.

13. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the following rights regarding your personal information:

  • Right to know. Request a copy of the personal information we have collected about you in the past 12 months.
  • Right to delete. Request that we delete personal information we have collected from you, subject to limited exceptions (e.g., information we must retain to verify attendance records or to comply with legal obligations).
  • Right to correct. Request correction of inaccurate personal information.
  • Right to opt out. Opt out of any “sale” or “sharing” of your personal information for cross-context behavioural advertising.
  • Right to non-discrimination. We will not deny services, charge different prices, or provide a different level of quality because you exercised any of these rights.

We do not sell or share your personal information as those terms are defined under the CCPA / CPRA. We do not engage in cross-context behavioural advertising. We do not knowingly sell or share the personal information of consumers under 16.

To exercise any of the rights above, email privacy@covol.app with the subject line “California Privacy Request”. We will verify your identity using the email address associated with your account and respond within 45 days. You may also designate an authorised agent to make a request on your behalf.

14. Do Not Track (CalOPPA)

Some browsers send a “Do Not Track” (DNT) signal. There is no industry consensus on how DNT signals should be interpreted. Covol does not currently respond to DNT signals because we do not engage in cross-site tracking or third-party advertising.

15. Geographic scope

Covol is offered only to users in the United States. We do not target users in the European Union, the United Kingdom, or other jurisdictions outside the United States. If you access the Service from outside the United States, you do so on your own initiative.

16. Changes to this policy

We will update this page if our practices change. Continued use of the service after an update constitutes acceptance of the revised policy.