COVERFLEX PRIVACY POLICY

Updated: 19 October 2020

Date Purpose Owner
15/02/2023 Creation of policy Privacy Team
07/03/2024 Review of the policy Privacy Team
18/11/2024 Clarification on controller v processor roles Privacy Team
23/07/2025 Review of the policy DPO

1. Scope

This Privacy Policy ("Policy") sets the terms for data processing carried out in the Coverflex application (hereinafter, "Application"), owned by Coverflex.

Consulting this Policy does not exempt from the knowledge of the Coverflex Website Privacy Policy, for a broader and more transparent view of the personal data processing carried out by Coverflex.

The Coverflex Application is a mobile application through which Coverflex clients can interact, or alternatively, they can also access a reserved area through the Website - coverflex.com.

The Application's functionalities include a unique platform to manage benefits (such as child care vouchers, savings and retirement, health and wellness, education expenses, gym and fitness, among others), meal allowance, insurances (such as health insurance and work accident insurance) and discounts. Additionally, the User, through the contract established between Coverflex and the Client (the User's employer), has access to the available balance of their benefits, as well as the record of activities pursued by each of them (wallet, meal, benefits, budgets, and insurance), so that the User can decide how and where to spend. The Application also provides access to centralized reports and processes, such as access to the history and invoices of benefits expenses, approval of expenses or reimbursement requests. The User can also manage their insurance policy, as well as add members of their household.

The Application also includes a reserved area for the User, where they can control and update their personal information, as well as information regarding their household. A Chat (Coverflex Bot) is also available for contact with Coverflex, through which Users can place their doubts/questions.

2. Data Controller and Processor

The Application is operated by the Coverflex Group, which comprises the following entities responsible for data processing in their respective jurisdictions:

  • Universal Cover S.A., headquartered at EN 101, Avenida Barros e Soares, No. 423, 4715-214 Braga, Portugal;
  • Evinrude Due SRL, headquartered at Via Giosuè Carducci 8, 20123 Milano, Italy;
  • Coverflex España, SL, headquartered at Avenida De General Perón 29, Planta 16, 28020 Madrid, Spain.

Each of these entities acts as a data controller for users in its respective jurisdiction, in accordance with this Privacy Policy.

Coverflex acts both as a Data Controller and as a Data Processor, depending on the nature and purpose of the processing activity.

  • As a Data Controller, Coverflex is responsible for the operation of the Application and for its direct relationship with users. This includes, for example, personalising the user experience, maintaining and improving the Application’s features, and providing user support. In these contexts, Coverflex determines the purposes and means of the processing and provides this Privacy Policy directly to users, in line with Articles 13 and 14 of the GDPR.
  • As a Data Processor, Coverflex processes certain personal data on behalf of its Clients—who act as Data Controllers—for specific activities such as supporting payroll reporting or managing fringe benefit values, in accordance with the Clients’ instructions.

In both cases, a Data Processing Agreement (DPA) is in place to ensure compliance with applicable national and European data protection laws.

3. Personal Data Collected

Personal data is collected for registration as a User in the Coverflex Application, through the subscription of the Coverflex Product. For this purpose, the following categories of personal data are processed:

  • Identification data, such as name, username, tax identification number, citizen card number;
  • Contact data, such as email address, full address, and phone number;
  • Demographic data, such as gender, date of birth, nationality, and place of birth;
  • Profile data for analytics purposes, such as interests and other identifiers;
  • Professional data, such as company name and professional position;
  • Banking data, such as IBAN;
  • Tax data, such as marital status, number of dependents, and salary;
  • Household data, in particular, name, tax identification number, date of birth, and gender. In the context of the Coverflex Child service, these data may refer to a minor data subject of the household exclusively for the creation and management of vouchers of this category;
  • Authentication/credential data, such as email and password;
  • Product consumption/use data, in particular the transactions of the benefits made, information about the insurance policies and people of the household insured, invoices that demonstrate expenses covered by the benefits given by the Clients (companies) for reimbursement purposes;
  • Health data, such as identification of the consultation/exam, specialty, medical act for billing purposes and presentation of expense for reimbursement;
  • Navigation and usage data, such as IP address, logs, information about the configuration of the Users' devices, cookies, and similar tracking technologies. The collection and use of Cookies are regulated in our Cookie Policy.

Considering that some of these data may consist of information that may reveal health data (i.e., that can be inferred), Coverflex commits to processing them only for billing purposes and management of expenses/reimbursements.

4. On whatbasis and for what purposes are my personal data processed?

Purpose Description Legal Basis
User Management and Registration in the Coverflex Application Provision of Coverflex Products; Management of User account creation, access to reserved area for account data change and modification, access to functionalities as a registered User, password recovery, control over the use of services by the User; Management and processing of payments for products purchased by the User; Management of reimbursements. As Coverflex acts as a processor of the Client, the subscription to the Coverflex Application is subject to the direct commercial relationship with the Client (the User's employer and data controller for the purposes of benefits management), so the basis of legitimacy is defined by the Client
Direct Marketing Sending of commercial communications from Coverflex Legitimate interest
Compliance with legal obligations In the context of transactions made, for billing purposes Legal obligation
Customer support and assistance Management of customer support service, to respond to questions/doubts submitted by Users (Coverflex Bot or other means provided for this purpose) As Coverflex acts as a processor of the Client, the subscription to the Coverflex Application is subject to the direct commercial relationship with the Client (the User's employer and data controller for the purposes of benefits management), so the basis of legitimacy is defined by the Client
Website management and Tracking of visits Development of publication and contents adapted to the requests and types of Users with a view to improving search capabilities and functionalities of websites and obtaining aggregated or statistical information regarding the typical User profile Consent and Legitimate Interest (applicable in specific cases)
Measurement of ads and Personalization of Advertising Use of personal data to select and display specific Coverflex ads to Users, as well as to enhance their effectiveness and relevance Consent

5. For how long will my personal data be processed?

We only retain your personal data for the period strictly necessary to fulfill the purposes identified above, within legal limits. Once the defined retention period has ended, Coverflex commits to delete, destroy, or anonymize your personal data. Note that data necessary for billing will be kept for a period of 10 years.

You may request additional information regarding the retention periods of your personal data, through communication to the email address [email protected].

6. Who are the recipients of my personal data?

Your data may be communicated to third parties when the transmission is carried out within the scope of complying with a legal obligation, a decision by the National Data Protection Commission or another relevant control entity, or a judicial order; or even when the communication is carried out to protect the vital interests of the Users or any other legitimate purpose provided by law.

Additionally, it is important to mention that Coverflex may resort to third-party entities (subcontractors), contracted by it, to process the User's data on behalf of Coverflex, and in accordance with the instructions given by it, in strict compliance with the law and this Privacy Policy. Coverflex commits to only hiring subcontractors that provide sufficient guarantees to implement appropriate technical and organizational measures, in such a manner as to ensure the protection of the User's rights.

For the purpose of sharing personal data, these, whenever applicable and under the terms mentioned above, may be communicated to partners, other group companies, transport companies, marketing campaign agencies, sales services, customer support and assistance, among others.

For consideration:

Recipient Purpose Location Role
PECUNIA CARDS E.D.E., S.L.U. (or “Pecunpay”) Electronic Money Institution (“EMI”); Provision of all and any payment and/or electronic money products and services available in the Coverflex Application, including the issuance of debit cards. Only applicable to Portuguese clients. Spain Controller
Monavate UAB Electronic Money Institution (“EMI”); Provision of all and any payment and/or electronic money products and services available in the Coverflex Application, including the issuance of debit cards. Only applicable to Spanish and Italian clients. Lithuania Controller
Insurance companies; Insurance brokers Health insurance solutions Depending on where the client’s based Controller
Educational institutions For the use of the Child Voucher Depending on where the client’s based Controller
Apple The Coverflex Application provides access to the Apple product catalog. Personal data will only be provided if you intend to purchase a product. Ireland Controller
Other commercial partners For the purposes of discounts/reimbursements when acquired through the Coverflex Application. Depending on where the client’s based Controller
Public entities, such as the Tax Authority For tax and billing purposes. Depending on where the client’s based Controller
Amazon Web Services EMEA SARL Cloud hosting services Luxembourg (data centers in Paris) Processor
Google Cloud EMEA Limited Cloud hosting services Dublin (data centers in Frankfurt) Processor
Zendesk, Inc. Cloud customer service platform. Personal data will exclusively be hosted in data centers in the EEA - Frankfurt -, in line with the Regional-Data-Hosting-Policy. - Processor
Hubspot Sales; Email marketing sending; Customer Support and Management (CRM). Ireland Processor
Adecco Prestação de Serviços, Lda. Invoices validation Portugal Processor

7. Are there international data transfers?

As a rule, Coverflex does not transfer data outside of the European Economic Area (“EEA”). However, any information that may need to be shared with a third country outside the EEA, that is, necessary to ensure the full fulfillment of the purposes mentioned in this Privacy Policy, for example, in the context of using certain computer system support service providers, Coverflex commits to carry out such transfer in total respect for the applicable legal provisions, namely regarding the determination of such country's adequacy in terms of data protection or through the provision of adequate guarantees.

8. What are my data protection rights and how can I exercise them?

Under applicable legislation, you may request, at any time, the following data protection rights:

  • Right of Access: the right to obtain confirmation as to whether or not personal data concerning the User are being processed and, if so, the right to access their personal data and certain information.
  • Right to Rectification: the right to rectify inaccurate personal data concerning the User or to have incomplete personal data completed.
  • Right to Erasure: the right to obtain the erasure of your personal data without undue delay provided that there are no valid grounds for its retention, such as cases where they must be retained to comply with a legal obligation or because a judicial process is underway.
  • Right to Restriction of Processing: the right to request the restriction of processing of your personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes, as established in Article 18 of the GDPR.
  • Right to Data Portability: the right to receive the personal data concerning you, which you have provided, in a structured, commonly used and machine-readable format and/or the right to have those data transmitted to another controller.
  • Right to Object: the right for the User to object at any time to the processing of data concerning them, provided there are no legitimate reasons for such processing that override the interests, rights, and freedoms of the User, or for the establishment, exercise, or defense of legal claims. The User may also withdraw their consent, in treatments dependent on obtaining consent, without such withdrawal invalidating the processing of data while the consent was in force.

Furthermore, you may file a complaint with the National Data Protection Commission or another competent data protection authority (https://edpb.europa.eu/about-edpb/board/members_en).

You may exercise your rights at any time. To do so, simply send a communication to the following email address: [email protected].

Additionally, for the purposes of verifying the identity of the User as the holder of the personal data, the communication should contain, whenever possible, the following elements: name, email address, and the right you wish to exercise.

Note that, if an authorized representative exercises any right on your behalf, proof of such authorization will be required.

Coverflex will respond through the means by which you exercised your right within a maximum period of one month from the receipt of the request, except in cases of special complexity, where this period may be extended up to two months with duly justified reasoning.

9. How are my personal data protected?

Coverflex employs the best means at its disposal to protect Users' personal data against unauthorized access, disclosure, alteration, or unauthorized destruction of data. To ensure the security of the User's data and maximum confidentiality, Coverflex treats the information in absolute confidentiality, in accordance with internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with the legally stipulated terms and conditions. Depending on the nature, scope, context, and purposes of data processing, as well as the risks arising from processing for the rights and freedoms of the User, Coverflex commits to applying, both at the time of defining the means of processing and at the time of the processing itself, the necessary and appropriate technical and organizational measures to protect the User's data and comply with legal requirements.

10. Final Provisions

Cookies

Coverflex collects and uses cookies on its Website. If you wish to manage the cookies collected and stored, you can do so through the following link. For more information, please consult our Cookie Policy.

Minors

Our Website, Products, and/or services are all directed to individuals who are 13 years of age or older. However, in the Coverflex Child services, data of minors from a User's household may be processed exclusively for the creation and management of vouchers of this category, as it results from the fulfillment of contractual terms established with the Client.

Law and Jurisdiction

The Privacy Policy, as well as the processing of personal data by Coverflex, are governed by the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 (“GDPR”) and by the applicable legislation and regulations in the country where the contract between the parties is performed.

To resolve all questions and disputes that may arise, inherent to this Privacy Policy, the exclusive jurisdiction of the court of the district of Coverflex's headquarters is competent, without prejudice to the applicable mandatory legal norms.

Changes to the Privacy Policy

Coverflex may change this Privacy Policy at any time. These changes will be duly advertised through the pages of the Website and, should they imply a substantial change regarding how data will be processed, Coverflex will notify such changes, through the contact details that have been provided.

Questions

If you have any questions related to the processing of your personal data and the exercise of the rights conferred on you by applicable legislation and, in particular, referred to in this Policy, contact us through the email address [email protected].