Privacy Policy

Last Updated: January 27, 2025
Effective Date: January 27, 2025

Introduction

CoConsultant ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: support@coconsultant.app
Website: https://coconsultant.app
Address: Holunderallee 5, 14624 Dallgow-Döberitz

1. Information We Collect

We collect only the information necessary to provide and improve our Service. We do not sell your personal data, and we do not use tracking or advertising technologies.

1.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation and authentication)
  • Password (encrypted and stored securely)
  • User ID (automatically generated unique identifier)

Purpose: To create and manage your account, authenticate your identity, and provide access to the Service.

Legal Basis (GDPR): Contract fulfillment (necessary to provide the Service you requested)

1.2 User Input and AI Interactions

When you use our AI-powered features, we collect:

  • Messages and prompts you send to our AI assistant
  • Conversation history (to provide context for better responses)
  • Project context (information about your SAP projects to improve AI responses)

Purpose: To generate AI responses and provide the core functionality of our Service.

Legal Basis (GDPR): Contract fulfillment (necessary to provide the AI services you requested)

Note: Your messages are routed through our secure servers (Supabase) and then sent to Anthropic's Claude API to generate responses. We do not send account identifiers, emails, or user IDs to Anthropic. We do not use your input for training AI models or any purpose other than generating your responses. OpenAI is only used for internal admin tools and does not receive your user data.

1.3 Purchase and Subscription Information

When you make in-app purchases or subscribe to our premium features, we collect:

  • Purchase events (subscription purchases, renewals, cancellations)
  • Subscription status (active, cancelled, expired)
  • Subscription expiration dates
  • Product identifiers and pricing information

Purpose: To manage your subscription, process payments, and provide access to premium features.

Legal Basis (GDPR): Contract fulfillment (necessary to process your subscription)

Third-Party Processor: RevenueCat (see Section 3 for details)

1.4 Usage and Diagnostic Data

We collect limited usage data to improve our Service:

  • AI token usage (number of tokens used for AI requests, for rate limiting and billing)
  • Subscription interaction events (when you view the paywall or complete a purchase, for product improvement)
  • Error logs (to diagnose and fix technical issues)

Purpose: To monitor Service performance, enforce usage limits, improve features, and diagnose technical problems.

Legal Basis (GDPR): Legitimate interest (improving our Service and ensuring security)

Note: This data is aggregated and anonymized where possible. We do not use this data for advertising or tracking purposes.

1.5 Optional Profile Information

You may optionally provide:

  • SAP experience level (beginner, intermediate, advanced, expert)
  • SAP modules you work with
  • Project names and descriptions

Purpose: To personalize your experience and provide more relevant AI responses.

Legal Basis (GDPR): Consent (you choose to provide this information)

1.6 Information We Do NOT Collect

We explicitly do NOT collect:

  • ❌ Location data (GPS, IP-based location)
  • ❌ Contacts or address book information
  • ❌ Photos or camera images
  • ❌ Microphone or audio recordings
  • ❌ Calendar or reminder data
  • ❌ Device identifiers for advertising
  • ❌ Browsing history or search history from other apps
  • ❌ Biometric data

2. How We Use Your Information

We use the information we collect solely for the following purposes:

2.1 Service Provision

  • To create and manage your account
  • To authenticate your identity
  • To provide AI-powered responses to your queries
  • To manage your subscriptions and premium features
  • To store your projects, chat messages, and preferences

2.2 Service Improvement

  • To analyze usage patterns (in aggregated, anonymized form)
  • To diagnose and fix technical issues
  • To improve AI response quality
  • To optimize app performance

2.3 Communication

  • To send you important Service updates (e.g., subscription status changes)
  • To respond to your support requests
  • To send password reset emails (if requested)

2.4 Legal Compliance

  • To comply with legal obligations
  • To enforce our Terms of Service
  • To protect our rights and prevent fraud

We do NOT use your information for:

  • ❌ Advertising or marketing (except Service-related communications)
  • ❌ Tracking you across other apps or websites
  • ❌ Selling your data to third parties
  • ❌ Training AI models on your personal data (your input is only used to generate your responses)

3. Third-Party Service Providers

We use the following third-party services to operate our Service. Each service processes your data according to their own privacy policies and our instructions:

3.1 Supabase

Purpose: Authentication, user database, and data storage

Data Shared:

  • Account information (email, user ID)
  • Profile data
  • Chat messages and projects
  • Usage logs

Location: United States (with data centers in multiple regions)

Privacy Policy: https://supabase.com/privacy

Security: All data is encrypted in transit (HTTPS) and at rest. Supabase is SOC 2 Type II certified.

3.2 RevenueCat

Purpose: In-app purchase and subscription management

Data Shared:

  • User ID (linked to your account)
  • Purchase events and subscription status

Location: United States

Privacy Policy: https://www.revenuecat.com/privacy

Security: All transactions are processed securely through Apple App Store and Google Play Store.

3.3 Anthropic (Claude API)

Purpose: To generate AI-powered responses to user queries within the app.

How it works: User messages and prompts are routed through our secure servers (Supabase) and then sent to Anthropic's Claude API to produce responses.

Data transmitted: Only the message content required to generate the response.

We do not send account identifiers, emails, or user IDs.

Data protection: All data is transmitted over HTTPS and processed only to deliver responses. Anthropic does not use this data to train its models.

Location: United States

Privacy Policy: https://www.anthropic.com/privacy

Legal Basis (GDPR): Contract fulfillment (to provide the Service requested).

3.4 OpenAI (ChatGPT)

Purpose: Internal admin tools only (not used for user data processing)

Data Shared: None (OpenAI is only used for internal administrative functions, not for processing your personal data)

Location: United States

Privacy Policy: https://openai.com/policies/privacy-policy

Note: Your user data is NOT sent to OpenAI. OpenAI is only used for internal tooling and administrative purposes.

3.5 Data Processing Agreements

All third-party processors are contractually obligated to:

  • Process your data only as instructed by us
  • Implement appropriate security measures
  • Not use your data for their own purposes
  • Comply with applicable data protection laws

4. Data Security

We implement industry-standard security measures to protect your information:

4.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
  • At Rest: All stored data is encrypted using industry-standard encryption methods

4.2 Access Controls

  • Access to your data is restricted to authorized personnel only
  • We use authentication and authorization controls to prevent unauthorized access
  • API keys and sensitive credentials are stored securely and never exposed in client-side code

4.3 Security Practices

  • Regular security audits and vulnerability assessments
  • Secure password storage (passwords are hashed and never stored in plain text)
  • Rate limiting to prevent abuse
  • Monitoring for suspicious activity

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5. Data Retention and Deletion

5.1 Retention Periods

We retain your information only for as long as necessary to provide our Service and fulfill the purposes described in this policy:

  • Account Information: Retained while your account is active
  • Chat Messages and Projects: Retained until you delete them or your account is deleted
  • Usage Logs: Retained for up to 2 years for Service improvement and troubleshooting
  • Purchase Records: Retained as required by law (typically 7 years for tax and accounting purposes)

5.2 Account Deletion

You can request deletion of your account and all associated data at any time by:

  1. In-App: Contact us through the app's settings or support feature
  2. Email: Send a deletion request to privacy@coconsultant.app

Upon receiving a valid deletion request, we will:

  • Delete your account and profile information
  • Delete all your chat messages and projects
  • Delete your usage logs and analytics events
  • Delete your subscription records (where legally permitted)

Processing Time: Account deletion requests are processed within 30 days.

Note: Some information may be retained longer if required by law (e.g., purchase records for tax purposes) or if necessary to resolve disputes or enforce our agreements.

5.3 Automatic Deletion

  • Inactive accounts may be automatically deleted after 3 years of inactivity
  • Old analytics events are automatically deleted after 2 years

6. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our third-party service providers operate.

Safeguards for International Transfers:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our processors
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission
  • Security Measures: All transfers are protected by the security measures described in Section 4

Your Rights: If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights regarding international transfers (see Section 8).

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Portability

  • Right to Access: Request a copy of the personal information we hold about you
  • Right to Data Portability: Receive your data in a structured, machine-readable format

How to Exercise: Contact us at privacy@coconsultant.app with the subject line "Data Access Request"

7.2 Correction and Updates

  • Right to Rectification: Correct inaccurate or incomplete information

How to Exercise: Update your information directly in the app settings, or contact us for assistance

7.3 Deletion

  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and personal information

How to Exercise: See Section 5.2 for account deletion instructions

7.4 Restriction and Objection

  • Right to Restrict Processing: Request that we limit how we use your information
  • Right to Object: Object to processing based on legitimate interests

How to Exercise: Contact us at privacy@coconsultant.app

7.5 Withdrawal of Consent

  • Right to Withdraw Consent: Withdraw consent for optional data processing (e.g., optional profile information)

How to Exercise: Update your preferences in app settings or contact us

7.6 California Privacy Rights (CPRA)

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA):

  • Right to Know: Know what personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of the sale of personal information (we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: Request correction of inaccurate personal information

How to Exercise: Contact us at privacy@coconsultant.app with "California Privacy Request" in the subject line

Verification: We may require verification of your identity before processing certain requests.

7.7 Response Time

We will respond to your privacy rights requests within:

  • 30 days for most requests
  • 45 days for complex requests (we will notify you if an extension is needed)

8. Children's Privacy

Our Service is not intended for children under 13 years of age.

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@coconsultant.app, and we will delete such information.

Age Verification: By creating an account, you represent that you are at least 13 years old. If you are under 13, please do not use our Service.

COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA) and do not collect information from children under 13.

9. Tracking and Advertising

We do NOT track you or use advertising technologies.

Specifically:

  • No Tracking: We do not use tracking technologies, cookies, or similar technologies to track you across apps or websites
  • No Advertising: We do not display advertisements or use advertising SDKs
  • No Cross-App Tracking: We do not link your activity across different apps or websites
  • No Data Sales: We do not sell your personal information to advertisers or data brokers

Apple App Tracking Transparency: Our app does not request permission to track you because we do not engage in tracking activities.

Do Not Track Signals: We honor "Do Not Track" signals and do not track users who have enabled this setting.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Notification of Changes:

  • Material Changes: We will notify you of material changes by:
    • Posting a prominent notice in the app
    • Sending an email to your registered email address
    • Updating the "Last Updated" date at the top of this policy

Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

Review Policy: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Previous Versions: Previous versions of this Privacy Policy are available upon request.

11. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information under the following legal bases:

  • Contract Fulfillment: Processing necessary to provide the Service you requested (account creation, AI responses, subscription management)
  • Legitimate Interest: Processing necessary for our legitimate interests (Service improvement, security, fraud prevention)
  • Consent: Processing based on your consent (optional profile information)
  • Legal Obligation: Processing necessary to comply with legal obligations (tax records, law enforcement requests)

You have the right to object to processing based on legitimate interests. Contact us to exercise this right.

12. Data Protection Officer (GDPR)

If you are located in the EEA, UK, or Switzerland, you can contact our Data Protection Officer (DPO) at:

Email: dpo@coconsultant.app
Subject Line: "GDPR Inquiry"

13. Supervisory Authority (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights.

Find Your Authority:

14. California Shine the Light Law

California residents may request information about how we share certain categories of personal information with third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@coconsultant.app
Website: https://coconsultant.app
Address: Holunderallee 5, 14624 Dallgow-Döberitz

Response Time: We aim to respond to all inquiries within 5 business days.

16. Consent

By using our Service, you consent to the collection and use of information in accordance with this Privacy Policy.

Withdrawal of Consent: You may withdraw your consent at any time by deleting your account or contacting us. However, withdrawal of consent may affect your ability to use certain features of the Service.

Quick Reference: What We Collect and Why

Data Type | Purpose | Shared With | Retention
Email & Password | Account creation & authentication | Supabase | Until account deletion
AI Messages | Generate AI responses | Anthropic | Until account deletion
Purchase Data | Manage subscriptions | RevenueCat | 7 years (legal requirement)
Usage Logs | Improve Service & enforce limits | Supabase | 2 years
Analytics Events | Product improvement | Supabase | 2 years
Optional Profile Info | Personalize experience | Supabase | Until account deletion

We do NOT:

  • Track you across apps
  • Show advertisements
  • Sell your data
  • Collect location, contacts, photos, or camera data

This Privacy Policy is effective as of January 27, 2025, and applies to all users of the CoConsultant Service.