Privacy Policy
Last updated: April 2026
1. Who We Are
HAMR Ltd, trading as Covered, is the data controller responsible for your personal data.
- Registered name: HAMR Ltd
- Trading name: Covered
- Email: hello@covered.technology
- Website: www.covered.technology
References to "we", "us" or "our" in this policy mean HAMR Ltd. References to "you" mean any individual whose personal data we process, including venue operators, their staff, and end-user customers who interact with the platform.
2. Personal Data We Collect
2.1 Account Data
When you register for a Covered account we collect your name, email address, telephone number, business name, business address, and role within the organisation.
2.2 Booking and Reservation Data
Guest name, email, telephone number, party size, date and time of booking, seating preferences, and any special requests or dietary requirements provided by the guest.
2.3 Customer Profile Data
Guest visit history, preferences, tags assigned by venue staff, no-show records, VIP status, and notes entered by venue operators.
2.4 Floor Plan Data
Table layouts, seating capacity, section names, and zone configurations created by venue operators.
2.5 Pre-Order and Menu Data
Items selected, quantities, customisations, dietary flags, and associated pricing when guests place pre-orders through the platform.
2.6 Payment Data
Payments are processed by Stripe and Square. We do not store full card numbers. We receive and retain transaction identifiers, amounts, currency, payment status, and the last four digits of the card used.
2.7 Communications Data
Confirmation messages, reminders, and marketing communications sent via email (SendGrid) and WhatsApp (Meta / WhatsApp Business API), including delivery and read receipts.
2.8 Technical Data
IP address, browser type and version, device type, operating system, referring URL, pages viewed, timestamps, and anonymous usage analytics collected through standard web technologies.
3. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 of the UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Providing the Covered platform and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing bookings, pre-orders, and payments | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails and booking confirmations | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
| Platform security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Responding to data subject rights requests | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request a copy of our balancing assessments by contacting us.
4. Recipients and Sub-Processors
We share personal data only where necessary to operate the platform. Our current sub-processors are:
| Sub-Processor | Purpose | Country |
|---|---|---|
| Vercel Inc. | Application hosting and edge delivery | United States |
| Supabase Inc. | Database hosting and authentication | European Union |
| Stripe Inc. | Payment processing | United States / European Union |
| Square (Block Inc.) | Point-of-sale integration | United States |
| Meta Platforms (WhatsApp Business API) | Guest messaging and notifications | United States / European Union |
| Twilio (SendGrid) | Transactional and marketing email | United States |
We may also share data with professional advisers (accountants, lawyers) and with law enforcement or regulators when required by law.
5. International Transfers
Some of our sub-processors are based in the United States. Where personal data is transferred outside the United Kingdom, we rely on one or more of the following safeguards:
- The UK International Data Transfer Agreement (UK IDTA) issued by the ICO, incorporating the appropriate risk assessment.
- The EU-US Data Privacy Framework (EU-US DPF) for sub-processors that are certified under the framework.
- An adequacy decision by the UK Secretary of State, where applicable.
You may request a copy of the relevant transfer mechanism by contacting us at hello@covered.technology.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
- Account data: For the duration of your account plus 2 years after closure, to allow reactivation and to resolve any outstanding disputes.
- Booking and transaction records: 6 years from the date of the transaction to comply with HMRC record-keeping requirements and the Limitation Act 1980.
- Marketing consent records: Until you withdraw consent, after which we suppress your details to ensure we do not contact you again.
- Technical and analytics data: Aggregated and anonymised within 26 months.
- Support correspondence: 2 years from resolution of the enquiry.
7. Your Rights
Under the UK GDPR you have the following rights in relation to your personal data:
- Right of access -- request a copy of the personal data we hold about you.
- Right to rectification -- ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") -- ask us to delete your data where there is no compelling reason for continued processing.
- Right to restrict processing -- ask us to suspend the processing of your data in certain circumstances.
- Right to data portability -- receive your data in a structured, commonly used, machine-readable format.
- Right to object -- object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making -- not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to withdraw consent -- where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please email us at hello@covered.technology. We will respond within one calendar month of receiving your request. If we need to extend this period (by up to two further months), we will inform you within the first month and explain why.
8. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
9. Children's Data
Covered is a business-to-business platform designed for use by hospitality operators and their staff. Our services are not directed at individuals under the age of 16 and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete it.
10. Changes to This Policy
We may update this privacy policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the platform. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of Covered after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us:
- Email: hello@covered.technology
- Website: www.covered.technology