← BackCOBY

Privacy Policy

Last updated: April 1, 2026

This Privacy Policy explains how COBY ("we", "us", or "our") collects, uses, and protects personal data through the website https://joincoby.com and our AI-powered product intelligence platform.

1. Data We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Authentication credentials (hashed passwords or OAuth provider tokens)
  • Profile information provided via OAuth (such as display name)

1.2 Onboarding Data

When you enter your email on our landing page before creating an account, that email is temporarily held in your browser's sessionStorage during the onboarding flow. It is not stored on our servers until you complete account creation.

1.3 Integration Data (OAuth)

When you connect a third-party service, we collect and process data from that service on your behalf. Below is a breakdown by integration:

Gmail (via Google API Services):

  • Scope: gmail.readonly
  • Data collected: Email metadata (sender, recipient, subject, date) and email body content
  • Purpose: Surface user feedback, communication patterns, and strategic signals from your inbox.

Outlook (Microsoft Identity Platform):

  • Scope: Mail.Read, Mail.Send, User.Read
  • Data collected: Email metadata, email body content, and Microsoft profile information (name, email address)
  • Sending: When you explicitly approve an email draft in our interface, we send it on your behalf via Microsoft Graph. No emails are ever sent without your explicit review and confirmation.
  • Purpose: Same as Gmail — surface user signals from Microsoft-based inboxes

GitHub:

  • Scope: Read-only access to selected repositories (contents, issues, pull requests, commit history)
  • Data collected: Commit history, pull request activity, issue threads, repository metadata
  • Purpose: Analyze engineering velocity, development patterns, and team collaboration

Notion:

  • Scope: Read access to pages and databases you authorize
  • Data collected: Page content, database entries, metadata
  • Purpose: Analyze product documentation, knowledge base, and decision history

Slack:

  • Scope: Read access to channels, messages, and team structure
  • Data collected: Channel messages, user activity, workspace structure
  • Purpose: Surface team communication patterns and product discussions

PostHog:

  • Scope: Read access to analytics data
  • Data collected: Product usage events, funnels, user behavior data, session metadata
  • Purpose: Analyze product metrics and user engagement

Sentry:

  • Scope: Read access to issues, events, and performance data
  • Data collected: Error reports, stack traces, performance metrics, release information
  • Purpose: Analyze product reliability and error impact on users

Supabase:

  • Scope: Read access via Management API (project metadata and database metrics)
  • Data collected: Database health metrics, auth statistics, edge function logs, project configuration
  • Purpose: Analyze infrastructure health and backend performance

Vercel:

  • Scope: Read access to deployment and project data
  • Data collected: Deployment history, build logs, serverless function metrics, project settings
  • Purpose: Analyze deployment patterns and infrastructure reliability

Linear:

  • Scope: Read access to issues, projects, cycles, and team workflows
  • Data collected: Issues, project roadmaps, cycle data, team workflow metadata
  • Purpose: Analyze project management patterns, team velocity, and roadmap progress

Intercom:

  • Scope: Read access to conversations, tickets, and contacts
  • Data collected: Support conversation threads (truncated to 10,000 characters), ticket metadata, contact attributes (company, plan)
  • Purpose: Analyze customer support patterns and user feedback signals

HubSpot:

  • Scope: Read access to CRM data
  • Data collected: Deals, contacts, companies, pipelines, and activities
  • Purpose: Analyze sales pipeline and customer relationship data

Amplitude:

  • Scope: Read access to analytics data
  • Data collected: Event taxonomy, saved charts, cohorts, and user profiles
  • Purpose: Analyze product analytics and user behavior data

Modjo:

  • Scope: Read access via API key
  • Data collected: Call transcripts and metadata (truncated to 10,000 characters)
  • Purpose: Analyze sales call patterns and customer conversations

1.4 Uploaded Documents

When you upload documents, we collect:

  • File content: The text extracted from your file (PDF, DOCX, CSV, TXT, MD, XML formats)
  • File metadata: Filename, size, MIME type, and upload date
  • Limits: 25MB per file, maximum 50 files per account
  • Files are stored in Supabase Storage with row-level security — only you can access your files
  • Extracted text is used exclusively for AI analysis as described in Section 2

1.5 AI Analysis and Conversation Data

  • Results from Event analysis runs (AI-generated insights, recommendations, and agent findings)
  • Conversation history from "Ask Coby" chat sessions
  • Claude Session transcripts from interactive AI sessions
  • These are stored in our database and linked to your account

1.6 Knowledge Graph

As you use the Service, COBY builds a structured knowledge base about your product. This includes:

  • Entities: Product features, metrics, user segments, integrations, and other concepts extracted from your conversations and connected data
  • Relations: Connections between entities (e.g., which metrics measure which features)
  • Facts: Atomic claims about your product state, user behavior, strategic decisions, and market intel — each with a confidence score and temporal validity
  • Embeddings: Vector representations used for semantic search across your knowledge base
  • Knowledge is extracted from your conversations and integration data, consolidated daily, and used to provide more relevant future analysis
  • All knowledge graph data is scoped to your account via row-level security

1.7 Proactive Agents and Daily Briefs

  • Proactive Agents: You may configure AI agents that run on a daily schedule to monitor your connected tools. These agents maintain persistent goals, memory, and learnings across runs.
  • Agent findings: Investigation results, observations, and hypotheses generated by agents are stored in your account. Your feedback on findings (useful, not useful) is recorded on each finding.
  • Daily Briefs: You may configure daily summary reports. These are generated from your connected data and delivered via in-app notification, Slack (using your connected Slack integration), or email (sent from coby@mail.joincoby.com via our email provider Resend)

1.8 Exports and Sharing

  • Exports: You may export AI-generated content to third-party tools including Notion, Linear, Jira, Confluence, and Slack. Export history (destination, type, metadata) is stored in your account.
  • Conversation sharing: You may share conversations via a unique link. Shared conversations include a share token, optional recipient email, and an expiration date. Recipients can view the shared conversation without an account.

1.9 Web Search Queries

During AI analysis or chat, COBY may perform web searches on your behalf using third-party search APIs (Brave Search, Exa, Linkup). Your search queries are sent to these services and results are provided to the AI for analysis. Search queries and results are not permanently stored in our database.

1.10 Usage Data and Analytics

  • Service usage patterns (feature usage, session activity)
  • Error logs and diagnostic data necessary to maintain the Service
  • We use PostHog for product analytics in production. PostHog tracks events such as page views, feature usage, signup/login flows, and integration setup. PostHog uses localStorage and cookies for session persistence.
  • We track AI usage internally (token counts, model used, cost, duration) to manage service costs and quality. This data is not shared externally.
  • We do not use third-party advertising trackers or tracking pixels

1.11 Cookies and Local Storage

  • Authentication cookies: Managed by Supabase Auth via httpOnly cookies for secure session management
  • Analytics cookies: PostHog uses localStorage and cookies (in production only) to track session identity and feature flags
  • Functional cookies: Short-lived cookies for OAuth flow state (e.g., region selection, redirect targets) — these expire within 10 minutes
  • Session storage: Your email is temporarily held in browser sessionStorage during onboarding — it is cleared when you close the tab or sign out
  • We do not use advertising or third-party tracking cookies

2. How We Use Your Data

  • Event Analysis: We run multi-agent AI pipelines that fetch data from your connected integrations, process it using Anthropic Claude, and generate strategic insights. This is the core product feature.
  • "Ask Coby" Chat: Your connected integration data, uploaded documents, and knowledge graph are provided as context to an AI assistant. The assistant may query your connected tools in real-time during conversations via MCP protocol.
  • Claude Sessions: We execute interactive AI sessions that use your connected tools to answer questions and complete tasks on your behalf.
  • Document Analysis: Uploaded documents are included in AI analysis context when you run Event analysis or chat with Coby.
  • Knowledge Building: We extract entities, facts, and relations from your conversations and integration data to build a persistent knowledge graph. This knowledge is used to provide more relevant analysis across sessions and is consolidated daily.
  • Proactive Agents: If you enable proactive agents, they run on a daily schedule using your connected tools to investigate goals you define. Agent findings may be delivered to you via in-app notifications, Slack, or email.
  • Daily Briefs: If configured, we generate daily summary reports from your connected data and deliver them via your chosen channels (in-app, Slack, or email).
  • Exports: When you export AI-generated content to Notion, Linear, Jira, Confluence, or Slack, we send the generated content to those services using your connected integration tokens.
  • Web Search: During analysis or chat, we may send queries to third-party search APIs (Brave, Exa, Linkup) to supplement AI analysis with current web information.
  • Service Improvement: We may use anonymized, aggregated data to improve our analysis quality. We do not train AI models on your personal data.
  • Communications: We may send service-related emails from coby@mail.joincoby.com (via Resend) for agent findings, daily briefs, and service notices (security alerts, material policy changes). We do not send marketing emails without your consent.

3. Google API Services User Data Policy Compliance

COBY's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only request the minimum scopes necessary for our declared functionality (gmail.readonly for reading emails)
  • Gmail data is used exclusively for providing analysis features you explicitly request
  • We do not use Gmail data for serving advertisements
  • We do not allow humans to read your Gmail data except when necessary for security purposes, to comply with applicable law, or with your explicit consent
  • Gmail data is not transferred to third parties except to Anthropic's Claude API (our AI provider) for analysis purposes only, and to Supabase for secure storage of analysis results

4. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
  • OAuth tokens: Stored server-side only — never exposed to client-side code
  • Authentication: Industry-standard authentication via Supabase Auth
  • Access control: Row-level security ensures users can only access their own data and files
  • Infrastructure: Database, authentication, and file storage hosted on Supabase; frontend hosted on Vercel; backend API hosted on Railway
  • Document files: Stored in Supabase Storage with user-scoped access paths

5. Data Retention

  • Integration data: Fetched on-demand for analysis; raw third-party data is not permanently stored on our servers
  • OAuth tokens: Retained until you disconnect the integration
  • Analysis results: Retained indefinitely unless you request deletion
  • Conversation history: Retained until you delete the conversation or your account
  • Uploaded documents: Retained until you delete the file or your account
  • Knowledge graph: Entities, facts, and relations are retained indefinitely and updated through daily consolidation. Facts include temporal validity (valid_from/valid_until) and may be superseded. Deleted upon account deletion or upon request.
  • Agent data: Agent configurations, memory, goals, and findings are retained until you remove the agent or delete your account
  • Daily briefs: Generated briefs are retained until you delete your account
  • Export history: Records of exports are retained until account deletion
  • Shared conversations: Shared links expire on their set expiration date. Share records are deleted upon account deletion.
  • Web search queries: Not permanently stored
  • Account data: Retained until account deletion. Account deletion cascades to all associated data in our database. Storage bucket files (documents, attachments) are cleaned up separately.

6. Third-Party Data Sharing

We share data with the following service providers to operate the Service:

  • Anthropic (Claude API): AI analysis of your integration data, document content, knowledge graph, and conversations. Data sent includes message history, tool call results, system context, and file content. Subject to Anthropic's privacy policy.
  • Supabase: Database, authentication, and file storage infrastructure
  • Vercel: Frontend hosting and deployment infrastructure
  • Railway: Backend API hosting infrastructure
  • Resend: Email delivery service for agent findings, daily briefs, and service notifications (emails sent from coby@mail.joincoby.com)
  • PostHog: Product analytics and event tracking (production only)
  • Brave Search, Exa, Linkup (when configured): Web search queries during AI analysis — search terms and results are processed but not permanently stored

When you export content to third-party tools (Notion, Linear, Jira, Confluence, Slack), AI-generated content is sent to those services using your own connected integration credentials.

We do not sell your data to third parties. We do not share your data with advertisers.

7. Your Rights and Controls

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Revoke integration access: Disconnect any integration from your dashboard settings at any time — OAuth tokens are immediately revoked and we lose access to that service
  • Delete uploaded documents: Delete any file directly from your dashboard
  • Delete conversations: Delete chat history directly from your dashboard
  • Data portability: Request your data in a machine-readable format
  • Withdraw consent: Delete your account at any time to stop all processing

How to Revoke Integration Access

You can revoke access to any connected service from your dashboard settings. When you disconnect an integration:

  • OAuth tokens are immediately revoked or deleted from our systems
  • GitHub App installations are uninstalled; OAuth integrations have their access revoked
  • We no longer have the ability to fetch new data from that service
  • Previously generated analyses remain available in your account unless you request deletion

8. Legal Basis for Processing (GDPR)

The processing of your personal data is based on:

  • Consent (Article 6(1)(a)): For connecting integrations, uploading documents, and processing your data through AI analysis features
  • Contractual necessity (Article 6(1)(b)): To provide the analysis service you have requested
  • Legitimate interests (Article 6(1)(f)): To improve our service quality and ensure security

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where Anthropic, Supabase, Vercel, and Railway operate). We ensure adequate safeguards through:

  • EU-US Data Privacy Framework compliance (where applicable)
  • Standard Contractual Clauses with our service providers

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on our website. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the Service after changes constitutes your acceptance of the updated policy.

11. Contact

To ask questions, raise concerns, or exercise any of your rights, contact us at:

Email: founders@joincoby.com
Response time: We will respond within 30 days

HOMECONTACTABOUTTERMS AND CONDITIONSPRIVACY POLICY
COBY