Privacy Policy

1. Information We Collect

2. How We Use Your Information

We use the data we collect to:

• Provide, personalize, and maintain the Service.
• Generate and deliver AI-powered results based on your inputs — including chat responses, transcriptions, rewritten notes, and images.
• Process payments and manage subscriptions and credits.
• Synchronize your data across your devices.
• Send you updates, security alerts, and support responses.
• Track usage patterns, troubleshoot issues, and guard against fraud or misuse.
• Build new features and improve existing ones, using aggregated or de-identified data wherever possible.
• Meet legal obligations and enforce our Terms of Service.

3. Technology Partners and Third-Party AI Services

COET acts as the data controller and relies on the third-party processors listed below to operate the Service. Each processor acts solely as a data processor on our behalf under a signed Data Processing Agreement (DPA), providing protections equal to those stated in this Policy. None of these processors use your content to train foundation models or for model improvement. AI processing occurs only after you grant explicit in-app consent for each AI feature on the dedicated consent screen (also available in Settings → Privacy & AI Consent). You may withdraw consent at any time.

• Firebase (Google Cloud): Provider: Google LLC. Data sent: account identifiers (email, Apple Sign-In ID), authentication tokens, your notes, transcripts, generated images, chat history, app settings, and device diagnostics. Purpose: authentication, encrypted data and file storage, cloud functions, hosting, and crash reporting. Google Cloud processes data under the Google Cloud Data Processing Addendum and does not use Customer Data to train its foundation models. Data is encrypted at rest and in transit.
• Groq: Provider: Groq, Inc. Data sent: the text of your note, chat message, or rewrite request — without your name, email, or account identifier. Purpose: generating chat replies, rewriting notes, and producing titles and summaries. Retention: prompts and outputs are processed in-memory to produce a response and are not retained beyond the request under Groq's enterprise terms. Groq does not use customer content to train its models. Covered by a signed DPA.
• AssemblyAI: Provider: AssemblyAI, Inc. Data sent: the audio recording of the voice note you choose to transcribe. No account identifiers, metadata, or other content is included. Purpose: speech-to-text transcription. Retention: audio and transcripts are deleted from AssemblyAI's servers immediately after the transcription request completes. AssemblyAI does not use customer audio to train its models. Covered by a signed DPA.
• Replicate: Provider: Replicate, Inc. Data sent: your text prompt, selected aspect ratio, chosen model, and any reference image you attach. No account identifiers are included. Purpose: AI image generation and editing. Replicate hosts and runs Google Gemini 2.5 Flash Image (also known as "Nano Banana") as the underlying image model on our behalf; Google acts as a sub-processor. Retention: inputs and outputs are automatically deleted from Replicate within one hour. Neither Replicate nor Google uses customer content to train their models. Covered by a signed DPA.
• RevenueCat: Provider: RevenueCat, Inc. Data sent: an anonymous RevenueCat user identifier and App Store receipt data. No notes, chats, audio, images, or AI content is shared. Purpose: verifying purchases and managing subscriptions and credit balances. RevenueCat does not use customer data for advertising or model training. Covered by a signed DPA.

4. Sharing Your Information

We do not sell your personal data. We only share information with:

• Service providers and third-party AI processors that help us run COET (listed in Section 3). These partners may only access data to perform services on our behalf under signed Data Processing Agreements, are contractually prohibited from using your content to train AI models or for any purpose other than providing the service to us, and are required to provide the same or equal protection of user data as stated in this Privacy Policy.
• Legal authorities when we believe disclosure is needed to comply with the law, defend our rights, prevent fraud or misuse, or respond to a lawful request.
• Business transfers — in the event of a merger, acquisition, or asset sale, we will inform you before personal data is transferred and becomes subject to a different privacy policy.

5. Data Retention

We keep personal data for as long as it is needed to provide the Service, fulfill legal obligations, resolve disputes, and enforce agreements. When you delete content — notes, recordings, images, or chat messages — it is permanently removed from our servers. Deleting your account (available in the app settings) erases all associated data. Server logs are retained for 14 days before automatic deletion. When data is no longer required, we delete or anonymize it.

6. Data Security

We employ technical, organizational, and administrative safeguards to protect personal information from unauthorized access, loss, misuse, or alteration. These include:

• Encryption at rest and in transit.
• Authenticated access — your data is reachable only through your account.
• Strict access controls across all infrastructure.
• Periodic security reviews.

No online service can guarantee absolute security. Please use strong passwords, keep your software up to date, and let us know right away if you suspect your account has been compromised.