Privacy Policy
Last updated: 5 July 2026
This policy explains what data CovaSky collects, why, and what we do with it — written in plain language, because a privacy policy you can't understand protects no one.
1. Who we are
CovaSky is operated by Saas Tech DOOEL, which acts as the data controller for any personal data processed through this website. You can reach us at contact@covasky.com.
2. What we collect
We collect only what we need to run and improve a search tool:
- Search queries — origin, destination, dates, trip type, and selected solution mode. This is the core input the tool needs to work.
- Basic analytics — aggregated, non-identifying usage data such as which pages are visited and which result modes people compare, so we can improve the product.
- Technical data — standard server logs (IP address, browser type, timestamps) kept briefly for security and debugging.
- localStorage data — we store your search preferences (last route, currency, mode) in your browser's localStorage. This stays on your device and is never transmitted to us.
- Email address — only if you choose to subscribe to our newsletter (see section 5b). We do not collect an email address otherwise.
2a. AI & Automated Processing
Route suggestions, stopover detection, midpoint calculations, and group meetup optimization are generated using automated AI algorithms. No human reviews individual search results. This automated processing does not produce legal effects or significantly affect you — it is informational route discovery only. GDPR Article 22's right to human review of automated decisions applies only to decisions with legal or similarly significant effects; travel inspiration search does not meet that threshold.
3. What we do not collect
We do not process payments, so we never see or store payment data — no card numbers, no billing addresses. We do not require accounts in the current version, so we hold no passwords or profiles. We do not collect passport or travel document details.
4. Cookies and localStorage
We use two types of browser storage:
Cookies: We set minimal functional cookies only — no tracking, no advertising, no cross-site data sharing.
localStorage: We store your search preferences locally (origin, destination, currency, mode). This data never leaves your device.
We do not use:
- Google Analytics or Google Tag Manager
- Meta Pixel or Facebook tracking
- Any advertising or retargeting cookies
- Any third-party tracking scripts
We use Cloudflare Web Analytics which is privacy-first — no cookies, no personal data, no cross-site tracking, GDPR-compliant by design. See: cloudflare.com/privacypolicy. You can clear all browser storage at any time via your browser settings. The site works without any stored preferences.
5. We do not sell your data
We do not sell, rent, or trade personal data to anyone. Our revenue comes from affiliate commissions when you book on partner sites — not from your data.
5a. Third Party Processors
We work with the following processors:
- Cloudflare (analytics, CDN, DDoS protection) — data: anonymized traffic data only; location: USA/EU (SCCs in place); policy: cloudflare.com/privacypolicy.
- Vercel (hosting) — data: standard server logs; location: USA/EU; policy: vercel.com/legal/privacy-policy.
- Supabase (database, if applicable) — data: anonymized search patterns only; policy: supabase.com/privacy.
All processors are bound by GDPR-compliant data processing agreements.
5b. Newsletter (if you subscribe)
Our newsletter sign-up is optional. If you enter your email address in the newsletter form and submit it, we collect that address to send you occasional product updates and travel ideas.
- Purpose: sending our newsletter and product updates.
- Legal basis: your consent (GDPR Article 6(1)(a)), given when you submit the form. You can withdraw it at any time.
- Processor: when the newsletter is enabled, addresses are stored with Resend (our email delivery provider) — resend.com privacy policy. Until the newsletter is switched on, no address is stored.
- Your control: unsubscribe at any time, or email contact@covasky.com to have your address deleted.
6. Partner sites and their cookies
When you click through to a partner website — an airline, booking platform, or ground transport provider — you leave CovaSky. Affiliate partners may set their own cookies at that point, typically to attribute the referral. From that moment, the partner's privacy policy applies, not ours. We encourage you to review it.
7. How long we keep data
Search queries and analytics are kept in aggregated form for product improvement. Server logs are rotated on a short cycle. Preferences stored in your browser stay on your device until you clear them — we don't control those.
7a. GDPR Legal Basis
For each processing activity our legal basis is:
- Analytics: Legitimate interest (improving service).
- Functional cookies/localStorage: Legitimate interest (providing requested functionality).
- Server logs: Legitimate interest (security).
- Newsletter (only if you subscribe): Consent (Article 6(1)(a)), withdrawable at any time.
8. Your rights
Depending on where you live, you may have the right to access, correct, or delete personal data we hold about you, and to object to or restrict certain processing. Because we hold very little identifiable data, most requests are simple to fulfil.
Your GDPR rights include:
- Right of access (Article 15).
- Right to rectification (Article 16).
- Right to erasure / "right to be forgotten" (Article 17).
- Right to restrict processing (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21).
- Right not to be subject to automated decisions with significant effects (Article 22).
To exercise any right email contact@covasky.com. We respond within 30 days. You also have the right to lodge a complaint with the Personal Data Protection Agency of North Macedonia (PDPA): website dzlp.mk, email info@dzlp.mk; or with your local EU data protection authority if you reside in an EU member state.
9. Security
We use standard technical measures — encrypted connections, access controls, and minimal data retention — to protect what little data we process. The best security practice we follow is simply not collecting data we don't need.
10. Changes to this policy
If we change how we handle data, we will update this page and revise the date at the top. Material changes will be flagged clearly on the site.
11. Contact
Questions, concerns, or data requests: email contact@covasky.com. Data controller: Saas Tech DOOEL.