1. Information We Collect

We collect information you provide directly:

Account information (email, name, authentication provider)
Startup profile data (company name, industry, sector, stage, funding details)
Chat conversations with AI agents
Uploaded documents (pitch decks, secure documents)
Cap table configurations and financial models
Lead and campaign data for outreach features
Usage data, preferences, and session history

2. How We Use Your Information

Your data is used to:

Provide personalized AI advisory responses via our LLM Council
Analyze pitch decks and generate investor-specific recommendations
Calculate cap table scenarios and dilution models
Power secure document RAG (Retrieval-Augmented Generation) for contextual AI responses
Discover and enrich leads for customer outreach campaigns
Monitor competitors and deliver real-time alerts
Improve our AI models and service quality
Communicate important updates and security notices

3. Data Security

We implement enterprise-grade security measures to protect your data:

All data encrypted in transit (TLS 1.3)
Database encryption at rest (PostgreSQL)
AES-256-GCM encryption for secure documents
Secure authentication via Supabase with JWT tokens
Token blacklisting for immediate session revocation
Rate limiting and DDoS protection
Comprehensive audit logging
Regular security audits and penetration testing
Circuit breaker patterns for service resilience

4. Document Processing

When you upload documents (pitch decks, secure documents):

Files are processed and text is extracted for AI analysis
Secure documents are encrypted with AES-256-GCM before storage
Original files for secure documents are deleted after processing (only encrypted chunks stored)
Document chunks are stored in isolated vector databases per user
Auto-expiry available for sensitive documents
You can delete your documents at any time

5. AI Processing

Our LLM Council architecture processes your queries through multiple AI providers:

Queries are sent to 2-3 AI models for cross-validation
Providers include Groq (Llama), Google AI (Gemini), and HuggingFace
Queries are anonymized where possible
We do not use your data to train third-party AI models
RAG context is retrieved from your documents and our curated knowledge bases

6. Data Sharing

We do not sell your personal data. We may share data with:

AI model providers (anonymized queries for response generation)
Infrastructure providers (Supabase, Vercel, Render, Upstash, Koyeb)
Email service providers (for outreach campaigns and notifications)
Law enforcement when legally required

7. Your Rights

You have the right to:

Access your personal data
Request data correction or deletion
Export your data (sessions, cap tables, documents)
Delete individual documents, sessions, or your entire account
Opt out of non-essential communications
Revoke API keys and webhook access

8. Data Retention

We retain your data for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law. Secure documents with auto-expiry are automatically deleted after their TTL expires.

9. Cookies & Local Storage

We use essential cookies and local storage for authentication, session management, and user preferences (theme, sidebar state). We do not use tracking cookies or third-party advertising cookies.

10. Self-Hosted Instances

If you self-host Co-Op, you are responsible for your own data handling and privacy compliance. This policy applies only to the hosted version at co-op.software.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy inquiries, contact us at privacy@co-op.software

Privacy Policy