Privacy Policy

Introduction

CoConsultant ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web platform and services (the "Service").

CoConsultant is operated by a German-based company. Our primary data infrastructure is hosted on servers located in the European Union, ensuring EU data residency for your stored information.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: support@coconsultant.app
Website: https://coconsultant.app
Address: Holunderallee 5, 14624 Dallgow-Döberitz, Germany

1. Information We Collect

We collect only the information necessary to provide and improve our Service. We do not sell your personal data, and we do not use tracking or advertising technologies.

1.1 Account Information

When you create an account, we collect:

• Email address (required for account creation and authentication)
• Password (encrypted and stored securely)
• User ID (automatically generated unique identifier)

Purpose: To create and manage your account, authenticate your identity, and provide access to the Service.

Legal Basis (GDPR): Contract fulfillment (necessary to provide the Service you requested)

1.2 User Input and AI Interactions

When you use our AI-powered features, we collect:

• Messages and prompts you send to our AI assistant
• Conversation history (to provide context for better responses)
• Project context (custom instructions, uploaded knowledge, and MCP server configurations you define for your projects)

Purpose: To generate AI responses and provide the core functionality of our Service.

Legal Basis (GDPR): Contract fulfillment (necessary to provide the AI services you requested)

Note: Your messages are processed through our self-hosted EU infrastructure and then sent to Anthropic's Claude API to generate responses. We do not send account identifiers, emails, or user IDs to Anthropic. We do not use your input for training AI models or any purpose other than generating your responses.

1.3 Purchase and Subscription Information

When you subscribe to our premium features, we collect:

• Purchase events (subscription purchases, renewals, cancellations)
• Subscription status (active, cancelled, expired)
• Subscription expiration dates
• Product identifiers and pricing information

Purpose: To manage your subscription, process payments, and provide access to premium features.

Legal Basis (GDPR): Contract fulfillment (necessary to process your subscription)

Third-Party Processor: Stripe (see Section 3 for details)

1.4 Usage and Diagnostic Data

We collect limited usage data to improve our Service:

• AI token usage (number of tokens used for AI requests, for rate limiting and billing)
• Anonymous website analytics (page views, referrers, browser type — collected via our self-hosted Umami analytics instance without cookies or personal identifiers)
• Error logs (to diagnose and fix technical issues)

Purpose: To monitor Service performance, enforce usage limits, improve features, and diagnose technical problems.

Legal Basis (GDPR): Legitimate interest (improving our Service and ensuring security)

Note: Our analytics solution (Umami) is self-hosted on our own EU infrastructure, does not use cookies, does not collect personal data, and is fully GDPR-compliant. No analytics data is shared with third parties.

1.5 Optional Profile Information

You may optionally provide:

• SAP experience level (beginner, intermediate, advanced, expert)
• SAP modules you work with
• Project names and descriptions

Purpose: To personalize your experience and provide more relevant AI responses.

Legal Basis (GDPR): Consent (you choose to provide this information)

1.6 Information We Do NOT Collect

We explicitly do NOT collect:

• ❌ Location data (GPS, IP-based location)
• ❌ Contacts or address book information
• ❌ Photos or camera images
• ❌ Microphone or audio recordings
• ❌ Calendar or reminder data
• ❌ Device identifiers for advertising
• ❌ Browsing history or search history from other apps or websites
• ❌ Biometric data

2. How We Use Your Information

We use the information we collect solely for the following purposes:

2.1 Service Provision

• To create and manage your account
• To authenticate your identity
• To provide AI-powered responses to your queries
• To route queries to domain-specific knowledge services (MCP servers) for enhanced accuracy
• To manage your subscriptions and premium features
• To store your projects, chat messages, and preferences

2.2 Service Improvement

• To analyze usage patterns (in aggregated, anonymized form)
• To diagnose and fix technical issues
• To improve AI response quality
• To optimize platform performance

2.3 Communication

• To send you important Service updates (e.g., subscription status changes)
• To respond to your support requests
• To send password reset emails (if requested)

2.4 Legal Compliance

• To comply with legal obligations
• To enforce our Terms of Service
• To protect our rights and prevent fraud

We do NOT use your information for:

• ❌ Advertising or marketing (except Service-related communications)
• ❌ Tracking you across other apps or websites
• ❌ Selling your data to third parties
• ❌ Training AI models on your personal data (your input is only used to generate your responses)

3. Third-Party Service Providers

We use the following third-party services to operate our Service. Each service processes your data according to their own privacy policies and our instructions:

3.1 Anthropic (Claude API)

Purpose: To generate AI-powered responses to user queries.

How it works: User messages and prompts are processed through our self-hosted EU infrastructure and then sent to Anthropic's Claude API to produce responses.

Data transmitted: Only the message content and project context required to generate the response.

We do not send account identifiers, emails, or user IDs to Anthropic.

Data protection: All data is transmitted over HTTPS and processed only to deliver responses. Anthropic does not use this data to train its models.

Location: United States

Privacy Policy: https://www.anthropic.com/privacy

Legal Basis (GDPR): Contract fulfillment (to provide the Service requested).

3.2 Domain-Specific Knowledge Services (MCP Servers)

Purpose: To enhance AI response accuracy by querying specialized SAP documentation and knowledge bases.

How it works: When you interact with the AI assistant, your queries may be routed to domain-specific Model Context Protocol (MCP) servers that provide specialized knowledge (e.g., SAP documentation, SAC scripting syntax). These services return relevant technical information that is used to formulate accurate AI responses.

Data transmitted: Only the technical query content necessary to retrieve relevant documentation. No personal identifiers are sent.

Servers operated by us:

• SAP Documentation Server (mcp.coconsultant.app) — hosted on our own EU infrastructure
• SAC Syntax Oracle (mcp.analygits.com) — hosted on our own EU infrastructure

Data protection: All communication is encrypted via HTTPS. These servers are self-hosted and do not share data with third parties.

Legal Basis (GDPR): Contract fulfillment (necessary to provide accurate AI responses).

3.3 Stripe

Purpose: Subscription and payment processing

Data Shared:

• User ID (linked to your account)
• Purchase events and subscription status
• Billing information (processed directly by Stripe; we do not store card details)

Location: United States (with global data processing)

Privacy Policy: https://stripe.com/privacy

Security: All payment transactions are processed securely by Stripe. We do not collect or store your full payment card details.

3.4 Umami Analytics

Purpose: Privacy-friendly website analytics

How it works: Umami is a self-hosted, open-source analytics platform that we run on our own EU infrastructure. It collects anonymous, aggregated usage data without cookies or personal identifiers.

Data collected: Page views, referrer URLs, browser type, device type, and country (derived from IP, which is not stored).

Data NOT collected: IP addresses, personal identifiers, cross-site tracking data.

Location: European Union (self-hosted)

Note: Because Umami does not use cookies or collect personal data, no cookie consent banner is required for this analytics solution under GDPR.

3.5 Data Processing Agreements

All third-party processors are contractually obligated to:

• Process your data only as instructed by us
• Implement appropriate security measures
• Not use your data for their own purposes
• Comply with applicable data protection laws

4. Data Storage and Security

4.1 Data Residency

Your account data, conversations, projects, and uploaded knowledge are stored on our self-hosted PostgreSQL database running on EU-based infrastructure (Germany). Only AI API calls are transmitted to Anthropic's servers in the United States, and these contain no personal identifiers.

4.2 Encryption

• In Transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
• At Rest: All stored data is encrypted using industry-standard encryption methods

4.3 Access Controls

• Access to your data is restricted to authorized personnel only
• We use authentication and authorization controls to prevent unauthorized access
• API keys and sensitive credentials are stored securely and never exposed in client-side code

4.4 Security Practices

• Regular security audits and vulnerability assessments
• Secure password storage (passwords are hashed and never stored in plain text)
• Rate limiting to prevent abuse
• Monitoring for suspicious activity

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5. Data Retention and Deletion

5.1 Retention Periods

We retain your information only for as long as necessary to provide our Service and fulfill the purposes described in this policy:

• Account Information: Retained while your account is active
• Chat Messages and Projects: Retained until you delete them or your account is deleted
• Usage Logs: Retained for up to 2 years for Service improvement and troubleshooting
• Purchase Records: Retained as required by law (typically 7 years for tax and accounting purposes under German commercial law)

5.2 Account Deletion

You can request deletion of your account and all associated data at any time by:

1. In the platform: Use the account deletion option in your account settings
2. Email: Send a deletion request to support@coconsultant.app

Upon receiving a valid deletion request, we will:

• Delete your account and profile information
• Delete all your chat messages and projects
• Delete your usage logs
• Delete your subscription records (where legally permitted)

Processing Time: Account deletion requests are processed within 30 days.

Note: Some information may be retained longer if required by law (e.g., purchase records for tax purposes) or if necessary to resolve disputes or enforce our agreements.

5.3 Automatic Deletion

• Inactive accounts may be automatically deleted after 3 years of inactivity
• Old usage logs are automatically deleted after 2 years

6. International Data Transfers

Your data is primarily stored on EU-based infrastructure (Germany). However, certain data is transmitted to service providers located outside the EU:

• Anthropic (Claude API): Message content is sent to the United States for AI response generation. No personal identifiers are included.
• Stripe: Payment data is processed by Stripe, which operates globally including in the United States.

Safeguards for International Transfers:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our processors
• Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission
• Data Minimization: We minimize the data transferred internationally, sending only what is strictly necessary
• Security Measures: All transfers are protected by the security measures described in Section 4

Your Rights: If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights regarding international transfers (see Section 8).

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Portability

• Right to Access: Request a copy of the personal information we hold about you
• Right to Data Portability: Receive your data in a structured, machine-readable format

How to Exercise: Contact us at support@coconsultant.app with the subject line "Data Access Request"

7.2 Correction and Updates

• Right to Rectification: Correct inaccurate or incomplete information

How to Exercise: Update your information directly in your account settings, or contact us for assistance

7.3 Deletion

• Right to Erasure ("Right to be Forgotten"): Request deletion of your account and personal information

How to Exercise: See Section 5.2 for account deletion instructions

7.4 Restriction and Objection

• Right to Restrict Processing: Request that we limit how we use your information
• Right to Object: Object to processing based on legitimate interests

How to Exercise: Contact us at support@coconsultant.app

7.5 Withdrawal of Consent

• Right to Withdraw Consent: Withdraw consent for optional data processing (e.g., optional profile information)

How to Exercise: Update your preferences in account settings or contact us

7.6 California Privacy Rights (CPRA)

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA):

• Right to Know: Know what personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell your data)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Correct: Request correction of inaccurate personal information

How to Exercise: Contact us at support@coconsultant.app with "California Privacy Request" in the subject line

Verification: We may require verification of your identity before processing certain requests.

7.7 Response Time

We will respond to your privacy rights requests within:

• 30 days for most requests
• 45 days for complex requests (we will notify you if an extension is needed)

8. Children's Privacy

Our Service is not intended for children under 16 years of age.

We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@coconsultant.app, and we will delete such information.

Age Requirement: By creating an account, you represent that you are at least 16 years old (in accordance with GDPR Article 8). If you are under 16, please do not use our Service.

9. Tracking and Advertising

We do NOT track you or use advertising technologies.

Specifically:

• ❌ No Tracking Cookies: We do not use tracking cookies or similar technologies to track you across websites
• ❌ No Advertising: We do not display advertisements or use advertising SDKs
• ❌ No Cross-Site Tracking: We do not link your activity across different websites or services
• ❌ No Data Sales: We do not sell your personal information to advertisers or data brokers

Do Not Track Signals: We honor "Do Not Track" browser signals and do not track users who have enabled this setting.

Analytics: Our self-hosted Umami analytics collects only anonymous, aggregated data without cookies or personal identifiers (see Section 3.4).

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Notification of Changes:

• Material Changes: We will notify you of material changes by:
  • Posting a prominent notice on our platform
  • Sending an email to your registered email address
  • Updating the "Last Updated" date at the top of this policy

Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

Review Policy: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Previous Versions: Previous versions of this Privacy Policy are available upon request.

11. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information under the following legal bases:

• Contract Fulfillment: Processing necessary to provide the Service you requested (account creation, AI responses, subscription management)
• Legitimate Interest: Processing necessary for our legitimate interests (Service improvement, security, fraud prevention)
• Consent: Processing based on your consent (optional profile information)
• Legal Obligation: Processing necessary to comply with legal obligations (tax records, law enforcement requests)

You have the right to object to processing based on legitimate interests. Contact us to exercise this right.

12. Data Protection Officer (GDPR)

If you are located in the EEA, UK, or Switzerland, you can contact our Data Protection Officer (DPO) at:

Email: support@coconsultant.app
Subject Line: "GDPR Inquiry"

13. Supervisory Authority (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights.

Our Supervisory Authority:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
https://www.lda.brandenburg.de

Find Your Authority:

• EU: https://edpb.europa.eu/about-edpb/board/members_en
• UK: https://ico.org.uk
• Switzerland: https://www.edoeb.admin.ch

14. California Shine the Light Law

California residents may request information about how we share certain categories of personal information with third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@coconsultant.app
Website: https://coconsultant.app
Address: Holunderallee 5, 14624 Dallgow-Döberitz, Germany

Response Time: We aim to respond to all inquiries within 5 business days.

16. Consent

By using our Service, you consent to the collection and use of information in accordance with this Privacy Policy.

Withdrawal of Consent: You may withdraw your consent at any time by deleting your account or contacting us. However, withdrawal of consent may affect your ability to use certain features of the Service.