AI Data Processing

The short version. Conversation transcripts are sent to our AI sub-processor (currently Anthropic) only when you Ask Cohra, only the relevant snippet, and only in transit. Your data is not used to train Cohra’s or any third party’s foundation models.

Scope

This page describes:

• The AI sub-processors Cohra uses
• What personal data passes through AI components
• Training and retention commitments
• The role of each party under data-protection law
• Your choices and controls

It supplements, rather than replaces, the Privacy Policy and the Terms of Use.

How AI is used in Cohra

Cohra uses AI models in two places:

1. Ask Cohra — when you say or tap “Ask Cohra,” the recent transcript snippet is sent to our AI provider with a system prompt. The provider returns a response that is read aloud in your room.
2. Future features (clearly marked, opt-in) — any new AI features will be disclosed and require your explicit consent before any new categories of data are processed.

Audio is never sent to AI providers. We send text transcripts only — and only the relevant snippet, not your full session.

AI sub-processors

Provider	Purpose	Region	Data shared
Anthropic	LLM inference for Ask-Cohra prompts	US (with EU routing where available)	Recent transcript snippet, user prompt

We will update this list and notify users at least 30 days in advance before adding a new AI sub-processor that processes personal data.

What we send to AI providers

When you trigger “Ask Cohra,” we send:

• A short snippet of the recent transcript that gives the AI enough context to answer
• The explicit prompt or question
• A system prompt describing Cohra’s behavior and guardrails
• Anonymous request metadata (request ID, model name, latency)

We do not send:

• Audio recordings
• Full session transcripts
• Account identifiers, email addresses, or payment data
• Other participants’ data beyond what’s in the recent context window

What AI providers do with the data

Our agreement with Anthropic provides that:

• Customer Data is not used to train Anthropic’s models
• Inference inputs are not retained beyond what’s needed to provide the service
• Standard Contractual Clauses are in place for international data transfers
• Anthropic acts as a processor to Cohra, which acts as a processor to you (or as a controller depending on your relationship with Cohra)

For details, refer to Anthropic’s published Privacy Policy and Data Processing Addendum.

Training commitments

• We do not train any Cohra models on your conversations.
• We do not allow third-party AI providers to train their foundation models on your conversations.
• We do not train, fine-tune, or evaluate models on identifiable user content without explicit, opt-in consent.

If we ever introduce an opt-in research program (e.g., “help us improve Cohra”), it will be clearly labeled, separate from your normal usage, and revocable.

Retention

• AI inference inputs are not retained on Cohra’s infrastructure beyond the immediate request lifecycle.
• AI inference outputs (the response text) are delivered to participants in your room and not retained server-side.
• Anonymous metadata about request volume and latency may be retained for up to 30 days for service-quality monitoring.

Your role and our role under data-protection law

In most consumer scenarios:

• You are the data subject for your personal data and the controller of any third-party data you choose to share into a Cohra session
• Cohra is the data controller for account, billing, and operational data
• Cohra is the data processor for content you produce in sessions, acting on your documented instructions
• Anthropic is a sub-processor to Cohra

If you use Cohra in a B2B or organizational setting, the responsible organization may also be a controller. In that case, the organization can request a Data Processing Addendum (DPA) by emailing privacy@cohra.app.

Your controls

You can:

• Disable AI features in app settings
• Delete your account and data at any time (see Privacy Policy)
• Withdraw consent for any optional AI feature
• Request a copy of the data Cohra processes about you
• Request a DPA if you are a business customer

AI output reliability and human oversight

AI responses are content suggestions, not automated decisions about you. They can be inaccurate, biased, or out of date. Use them as a starting point, not as a final answer for medical, legal, financial, safety, or otherwise high-stakes situations.

We continuously refine our system prompts and safety guardrails. If you find a response that is harmful, biased, or seriously wrong, please report it via the in-app “Report” action so we can improve.

Compliance with the EU AI Act

Cohra is designed to operate as a limited-risk AI system under the EU AI Act. We:

• Inform users they are interacting with an AI (the AI participant is named “Cohra” and clearly identified)
• Provide transparency about model behavior and limitations
• Maintain technical documentation for the AI system in accordance with applicable obligations
• Continue to monitor regulatory developments and update our practices as required

Voice and biometric data

Cohra does not create voiceprints, perform speaker recognition based on voice biometrics, or send raw audio to any AI provider. On-device speech-to-text uses the device’s standard, non-identifying transcription. We do not treat voice as biometric data under GDPR Article 9 because we do not use it to uniquely identify individuals.

Security

The same technical and organizational measures described in our Privacy Policy apply to AI processing — encryption in transit, scoped access controls, audit logging, and regular security reviews.

Changes

If we materially change our AI processing practices, we will notify you at least 30 days before the change takes effect. Significant changes that introduce new categories of data or new sub-processors will require renewed consent where required by law.

Contact

For AI-related privacy questions, DPA requests, or to opt out of any optional AI processing:

• Email: privacy@cohra.app
• Subject line: “AI Data Processing — [your request]”
• Postal: [Legal Entity Name], [Registered Address]