Security whitepaper

How on-device privacy is implemented at Cove.

This document is for compliance teams, IT decision-makers, and skeptical users. We list every outbound network call Cove apps can make, how the model is verified, what data is retained where, and our posture on industry frameworks (HIPAA / GDPR / ISO 27001).

Version 1.0. Last updated: 2026-04-29

Executive summary

Cove apps process all user content (photos, voice, transcripts, health entries, translations) entirely on the user's Android device. No content data is ever uploaded to Cove servers, third-party AI providers, or analytics platforms. The only outbound network calls are: model download from Hugging Face, Google Play purchase verification, optional opt-in newsletter signup, and optional anonymous crash reports. There are no Cove-controlled servers handling user content.

Outbound network calls — exhaustive list

Every network call any Cove app can initiate, by purpose. We commit to this list: adding any new call type requires an app version bump and is documented in the changelog.

  • Model download from Hugging Face

    Purpose
    On first launch, download Gemma 4 E2B weights (~2.5 GB, Q4_0 quantized — same file for free and Pro)
    Endpoint
    huggingface.co/litert-community (LiteRT-LM mirror of Google's official Gemma release)
    Data
    None outbound. Inbound: model weights file.
    Frequency
    Once per device — the same Gemma 4 E2B file is reused across all four Cove apps
    User control
    Can be skipped by pre-placing the model file at /sdcard/GemmaApp/models/
  • Google Play purchase verification

    Purpose
    Verify Pro upgrade purchase via Google Play Billing Library
    Endpoint
    Google Play servers (handled by Play Billing Library, not Cove)
    Data
    Google account email + purchase token (handled by Google, never seen by Cove servers — we have none)
    Frequency
    On Pro upgrade attempt and on Pro entitlement re-check (silent, ~daily by Play services)
    User control
    Required to use Pro features. Free tier never triggers this call.
  • Newsletter signup (opt-in)

    Purpose
    Subscribe to the Cove email newsletter (covebase.app website only)
    Endpoint
    Self-hosted Listmonk instance (Cove infrastructure)
    Data
    Email address only
    Frequency
    Once per signup attempt
    User control
    Fully opt-in via website form. Apps do not collect email.
  • Anonymous crash reports (opt-in)

    Purpose
    Help diagnose app stability issues
    Endpoint
    Sentry self-hosted instance (Cove infrastructure)
    Data
    Stack trace, Android version, device model, app version. NO user content. PII scrubbed before send.
    Frequency
    On crash event (which we hope is rare)
    User control
    Off by default. Settings → Privacy → Crash reports to enable.

Model integrity verification

Before loading the Gemma 4 E2B model, Cove computes the file's SHA-256 hash and compares it with the expected hash embedded in the app for that model version. If the hashes do not match, the model is rejected and the user is prompted to re-download. This protects against (a) corrupted downloads, and (b) tampering with the model file by malicious actors who have file system access. We do not load unverified weights; this is a hard constraint.

Model hash registry

Model variant | Approx. size | Hash algorithm | Hash source
Gemma 4 E2B (Q4_0, default) | ~2.5 GB | SHA-256 | embedded + signed
Gemma 4 E4B (Q4_0, optional upgrade) | ~3.6 GB | SHA-256 | embedded + signed
Gemma 4 E2B (Q4_0, prior release, kept for rollback) | ~2.5 GB | SHA-256 | embedded + signed
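
The verify-before-load step described above, as an added example sketched in Python (not Cove's own code): the file is hashed while it is copied from shared storage into a private directory, so the bytes that were verified are the bytes later loaded, and a mismatch or an unknown variant fails closed. The variant id, the `.bin` file name, the registry contents and the sample bytes are constructed for illustration; real pinned hashes are not published on this page.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a weights file; not real model data.
SAMPLE_WEIGHTS = b"constructed sample weights\n" * 1000
VARIANT = "gemma-4-e2b-q4_0"  # hypothetical variant id
# Hypothetical pinned registry: variant id -> expected SHA-256 (hex).
REGISTRY = {VARIANT: hashlib.sha256(SAMPLE_WEIGHTS).hexdigest()}

class ModelRejected(Exception):
    """Raised when a model file must not be loaded."""

def import_verified(src_path, variant, private_dir, registry=REGISTRY, chunk=1 << 20):
    """Copy src_path into private_dir while hashing; keep the copy only on a match."""
    expected = registry.get(variant)
    if expected is None:  # fail closed: no pinned hash means no load
        raise ModelRejected(f"no pinned hash for variant {variant!r}")
    digest = hashlib.sha256()
    fd, tmp_path = tempfile.mkstemp(dir=private_dir, suffix=".partial")
    try:
        with os.fdopen(fd, "wb") as dst, open(src_path, "rb") as src:
            while block := src.read(chunk):  # stream: the real file is ~2.5 GB
                digest.update(block)
                dst.write(block)
        if not hmac.compare_digest(digest.hexdigest(), expected.lower()):
            raise ModelRejected("SHA-256 mismatch; re-download required")
        final_path = os.path.join(private_dir, variant + ".bin")
        os.replace(tmp_path, final_path)  # atomic publish of the verified copy
        return final_path
    except BaseException:
        if os.path.exists(tmp_path):  # never leave unverified bytes behind
            os.unlink(tmp_path)
        raise

def demo():
    """Accept an intact file, reject a one-byte modification, list what remains."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        good, bad = Path(shared, "model.bin"), Path(shared, "tampered.bin")
        good.write_bytes(SAMPLE_WEIGHTS)
        bad.write_bytes(SAMPLE_WEIGHTS[:-1] + b"X")
        accepted = os.path.isfile(import_verified(good, VARIANT, private))
        try:
            import_verified(bad, VARIANT, private)
            rejected = False
        except ModelRejected:
            rejected = True
        return accepted, rejected, sorted(os.listdir(private))
```
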

Data retention — what's stored where

All user content stays on the device. Below is the inventory.

  • Translation history

    Where
    Local SQLite database (Room) at /data/data/com.gemmaapp.travellens/databases/
    Retention
    Until user deletes (in-app History screen) or app is uninstalled
    Encryption
    Android's default file system encryption (full-device encryption on Android 6+)
  • Voice recordings + transcripts

    Where
    Audio files in app-private storage; transcripts in Room database
    Retention
    Until user deletes from in-app library or app is uninstalled
    Encryption
    Android's default file system encryption
  • Photo analyses + history

    Where
    Local SQLite database at /data/data/com.gemmaapp.photolens/databases/
    Retention
    Until user deletes or app is uninstalled. Original photos stored only if user explicitly saves.
    Encryption
    Android's default file system encryption
  • Health journal entries

    Where
    Local SQLite database at /data/data/com.gemmaapp.healthlens/databases/, AES-256 encrypted at rest with Android Keystore-derived key
    Retention
    Until user deletes or app is uninstalled. SOS-relevant entries are not synced anywhere.
    Encryption
    AES-256-GCM with key sealed in Android Keystore (additional encryption beyond device default — health data warrants the extra layer)

Compliance posture

We are a small independent studio and Cove is consumer software. We don't claim certifications we don't have. Below is our honest position on commonly asked frameworks.

  • HIPAA (US healthcare)

    Not a Business Associate. Cove Health is not a HIPAA-covered system. However, the on-device design means patient data dictated to Cove never leaves the device — whether your individual organization's policy permits this is between you and your compliance team.

  • GDPR (EU privacy)

    Data-minimal by design. We do not collect content data. The only personal data processed is: optional email (newsletter), optional crash reports (PII-scrubbed), and Google Play purchase records (handled by Google as a separate processor). Right to delete: uninstall the app + unsubscribe from newsletter (one-click).

  • ISO 27001

    Not certified. Small independent studios rarely have the budget for ISO certification — it's not the right fit for a $3.99 consumer app. The technical controls described in this document address most of the same threats ISO 27001 cares about.

  • SOC 2

    Not certified. Same reasoning as ISO 27001. We don't operate cloud services for user content, which removes most of the SOC 2 surface area.

Vulnerability disclosure

If you find a security issue, please email [email protected] (alias of [email protected], but using this address routes it as a security report). We commit to: acknowledging within 3 business days, investigating within 14 days, and crediting reporters in the changelog (if they wish to be named). We don't have a bug bounty program yet — too early-stage — but we're happy to send Cove Pro keys as thanks for valid reports.

Questions for compliance / legal teams

If your organization is evaluating Cove for staff use and needs a more detailed assessment (e.g., signed questionnaire, security policy review), email [email protected] with your specific requirements.