← BackCOBY

Privacy Policy

Last updated: February 28, 2026

This Privacy Policy explains how COBY ("we", "us", or "our") collects, uses, and protects personal data through the website https://joincoby.com and our AI-powered product intelligence platform.

1. Data We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Authentication credentials (hashed passwords or OAuth provider tokens)
  • Profile information provided via OAuth (such as display name)

1.2 Onboarding Data

When you enter your email on our landing page before creating an account, that email is temporarily held in your browser's sessionStorage during the onboarding flow. It is not stored on our servers until you complete account creation.

1.3 Integration Data (OAuth)

When you connect a third-party service, we collect and process data from that service on your behalf. Below is a breakdown by integration:

Gmail (via Google API Services):

  • Scope: gmail.readonly, gmail.send
  • Data collected: Email metadata (sender, recipient, subject, date) and email body content
  • Sending: When you explicitly approve an email draft in our interface, we send it on your behalf via the Gmail API. No emails are ever sent without your explicit review and confirmation.
  • Purpose: Surface user feedback, communication patterns, and strategic signals from your inbox. The gmail.send scope is used exclusively to send emails you have explicitly reviewed and approved in our interface.

Outlook (Microsoft Identity Platform):

  • Scope: Mail.Read, Mail.Send, User.Read
  • Data collected: Email metadata, email body content, and Microsoft profile information (name, email address)
  • Sending: When you explicitly approve an email draft in our interface, we send it on your behalf via Microsoft Graph. No emails are ever sent without your explicit review and confirmation.
  • Purpose: Same as Gmail — surface user signals from Microsoft-based inboxes

GitHub:

  • Scope: Read-only access to selected repositories (contents, issues, pull requests, commit history)
  • Data collected: Commit history, pull request activity, issue threads, repository metadata
  • Purpose: Analyze engineering velocity, development patterns, and team collaboration

Notion:

  • Scope: Read access to pages and databases you authorize
  • Data collected: Page content, database entries, metadata
  • Purpose: Analyze product documentation, knowledge base, and decision history

Slack:

  • Scope: Read access to channels, messages, and team structure
  • Data collected: Channel messages, user activity, workspace structure
  • Purpose: Surface team communication patterns and product discussions

PostHog:

  • Scope: Read access to analytics data
  • Data collected: Product usage events, funnels, user behavior data, session metadata
  • Purpose: Analyze product metrics and user engagement

Sentry:

  • Scope: Read access to issues, events, and performance data
  • Data collected: Error reports, stack traces, performance metrics, release information
  • Purpose: Analyze product reliability and error impact on users

Supabase:

  • Scope: Read access via Management API (project metadata and database metrics)
  • Data collected: Database health metrics, auth statistics, edge function logs, project configuration
  • Purpose: Analyze infrastructure health and backend performance

Vercel:

  • Scope: Read access to deployment and project data
  • Data collected: Deployment history, build logs, serverless function metrics, project settings
  • Purpose: Analyze deployment patterns and infrastructure reliability

1.4 Uploaded Documents

When you upload documents, we collect:

  • File content: The text extracted from your file (PDF, DOCX, CSV, TXT, MD, XML formats)
  • File metadata: Filename, size, MIME type, and upload date
  • Limits: 25MB per file, maximum 50 files per account
  • Files are stored in Supabase Storage with row-level security — only you can access your files
  • Extracted text is used exclusively for AI analysis as described in Section 2

1.5 AI Analysis and Conversation Data

  • Results from Event analysis runs (AI-generated insights, recommendations, and agent findings)
  • Conversation history from "Ask Coby" chat sessions
  • Claude Session transcripts from interactive AI sessions
  • These are stored in our database and linked to your account

1.6 Usage Data

  • Service usage patterns (feature usage, session activity)
  • Error logs and diagnostic data necessary to maintain the Service
  • We do not use third-party advertising trackers or tracking pixels

2. How We Use Your Data

  • Event Analysis: We run multi-agent AI pipelines that fetch data from your connected integrations, process it using Anthropic Claude, and generate strategic insights. This is the core product feature.
  • "Ask Coby" Chat: Your connected integration data and uploaded documents are provided as context to an AI assistant. The assistant may query your connected tools in real-time during conversations via MCP protocol.
  • Claude Sessions: We execute interactive AI sessions that use your connected tools to answer questions and complete tasks on your behalf.
  • Document Analysis: Uploaded documents are included in AI analysis context when you run Event analysis or chat with Coby.
  • Service Improvement: We may use anonymized, aggregated data to improve our analysis quality. We do not train AI models on your personal data.
  • Communications: We may send service-related notices (security alerts, material policy changes). We do not send marketing emails without your consent.

3. Google API Services User Data Policy Compliance

COBY's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only request the minimum scopes necessary for our declared functionality (gmail.readonly for reading emails, gmail.send for sending emails you approve)
  • Gmail data is used exclusively for providing analysis features you explicitly request
  • We do not use Gmail data for serving advertisements
  • We do not allow humans to read your Gmail data except when necessary for security purposes, to comply with applicable law, or with your explicit consent
  • Gmail data is not transferred to third parties except to Anthropic's Claude API (our AI provider) for analysis purposes only, and to Supabase for secure storage of analysis results

4. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
  • OAuth tokens: Stored server-side only — never exposed to client-side code
  • Authentication: Industry-standard authentication via Supabase Auth
  • Access control: Row-level security ensures users can only access their own data and files
  • Infrastructure: Database, authentication, and file storage hosted on Supabase; frontend hosted on Vercel; backend API hosted on Railway
  • Document files: Stored in Supabase Storage with user-scoped access paths

5. Data Retention

  • Integration data: Fetched on-demand for analysis; raw third-party data is not permanently stored on our servers
  • OAuth tokens: Retained until you disconnect the integration
  • Analysis results: Retained indefinitely unless you request deletion
  • Conversation history: Retained until you delete the conversation or your account
  • Uploaded documents: Retained until you delete the file or your account
  • Account data: Retained until account deletion

6. Third-Party Data Sharing

We share data with the following service providers to operate the Service:

  • Anthropic (Claude API): AI analysis of your integration data, document content, and conversations (subject to Anthropic's privacy policy)
  • Supabase: Database, authentication, and file storage infrastructure
  • Vercel: Frontend hosting and deployment infrastructure
  • Railway: Backend API hosting infrastructure

We do not sell your data to third parties. We do not share your data with advertisers.

7. Your Rights and Controls

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Revoke integration access: Disconnect any integration from your dashboard settings at any time — OAuth tokens are immediately revoked and we lose access to that service
  • Delete uploaded documents: Delete any file directly from your dashboard
  • Delete conversations: Delete chat history directly from your dashboard
  • Data portability: Request your data in a machine-readable format
  • Withdraw consent: Delete your account at any time to stop all processing

How to Revoke Integration Access

You can revoke access to any connected service from your dashboard settings. When you disconnect an integration:

  • OAuth tokens are immediately revoked or deleted from our systems
  • GitHub App installations are uninstalled; OAuth integrations have their access revoked
  • We no longer have the ability to fetch new data from that service
  • Previously generated analyses remain available in your account unless you request deletion

8. Legal Basis for Processing (GDPR)

The processing of your personal data is based on:

  • Consent (Article 6(1)(a)): For connecting integrations, uploading documents, and processing your data through AI analysis features
  • Contractual necessity (Article 6(1)(b)): To provide the analysis service you have requested
  • Legitimate interests (Article 6(1)(f)): To improve our service quality and ensure security

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where Anthropic, Supabase, Vercel, and Railway operate). We ensure adequate safeguards through:

  • EU-US Data Privacy Framework compliance (where applicable)
  • Standard Contractual Clauses with our service providers

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on our website. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the Service after changes constitutes your acceptance of the updated policy.

11. Contact

To ask questions, raise concerns, or exercise any of your rights, contact us at:

Email: founders@joincoby.com
Response time: We will respond within 30 days

HOMECONTACTABOUTTERMS AND CONDITIONSPRIVACY POLICY
COBY