Privacy Policy

The short version. Voice streams travel peer-to-peer between participants. Speech recognition runs on your device. We do not store voice recordings or transcripts on our servers. We do not sell your personal data. We do not train AI models on your conversations.

Who we are

Cohra is operated by [Legal Entity Name], registered at [Registered Address]. We are the data controller for the personal information we handle through the Cohra app and website.

For privacy questions, requests, or to exercise your rights, contact us at privacy@cohra.app.

Information we collect

Information you provide

When you sign up, set up your profile, or contact us, you may provide:

• A display name
• An email address (for account recovery and important notices)
• Subscription / payment information (handled by Apple via the App Store)
• Support messages and feedback

Information collected automatically

When you use Cohra, we may receive:

• Device model, OS version, and app version (for compatibility and crash diagnostics)
• IP address (used briefly to establish peer-to-peer connections, then discarded)
• Approximate region (derived from IP for routing purposes)
• Anonymous usage events (e.g., “session created”) if you opt in to analytics

Voice and conversation data

This is the most sensitive category, so we want to be very specific:

• Audio is not uploaded to Cohra servers. Voice streams travel peer-to-peer between participants over WebRTC.
• Speech recognition runs on your device. Transcripts are generated locally and shared only between participants in the room.
• When you “Ask Cohra,” the relevant transcript snippet is sent to our AI provider (Anthropic) to generate a response. The snippet is processed in transit and not retained by Cohra after the response is delivered.
• We do not retain your audio or full transcripts on our infrastructure.

How we use your information

We use the information we collect to:

• Provide and maintain the Cohra service
• Authenticate you and protect your account
• Process subscription payments (via Apple)
• Respond to support requests
• Detect, prevent, and respond to abuse and security incidents
• Comply with legal obligations
• Improve the product (only with your explicit, opt-in consent)

Legal basis for processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

• Performance of a contract for providing the service you signed up for
• Legitimate interest for security, abuse prevention, and basic product analytics
• Consent for opt-in analytics and any optional features
• Legal obligation for tax, accounting, and regulatory compliance

You can withdraw consent at any time by contacting privacy@cohra.app.

AI and machine learning

Cohra uses third-party AI models (currently Anthropic Claude) to generate responses when you Ask Cohra. We have a separate AI Data Processing page that goes into more depth, but in summary:

• Your conversations are not used to train Cohra’s or third-party foundation models.
• AI outputs are probabilistic and may be wrong. Don’t rely on Cohra alone for medical, legal, financial, or safety-critical decisions.
• You can disable AI features at any time in app settings.

How we share your information

We share information only in these specific situations:

• With other participants in your room — display names, transcripts of what you said, and ephemeral connection metadata
• With service providers acting on our behalf, including:
  • Anthropic (AI inference for Ask-Cohra responses)
  • Apple (account, payment, push notifications)
  • Cloud infrastructure providers (signaling, error reporting)
• For legal reasons, when required by law, court order, or to protect rights, safety, and property
• In a business transfer, if Cohra is acquired or merged, we’ll notify you and honor this policy

We do not sell your personal information.

International data transfers

Cohra operates globally. Your information may be processed outside the country where you live, including in the United States. Where required, we use Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent safeguards under UK GDPR and Swiss law.

Data retention

We keep personal information only as long as we need to:

• Account data — for the life of your account, plus 30 days after deletion to handle disputes
• Voice and conversation content — not retained on our servers (see above)
• Transactional records — retained as required by tax and accounting laws (typically 7 years)
• Support correspondence — retained for up to 2 years to provide context if you contact us again

How we protect your data

• Transport encryption (TLS 1.3) for all network traffic
• End-to-end encryption for peer-to-peer voice streams
• At-rest encryption for stored data
• Strict access controls and audit logging for engineering access
• Regular security reviews and dependency scanning

No system is 100% secure, so we strongly encourage you to keep your account credentials private and use a unique, strong password.

Your privacy rights

Rights under GDPR

If you live in the EU, EEA, UK, or Switzerland, you have the right to:

• Access the personal data we hold about you
• Rectification — correct any inaccurate data
• Erasure (“right to be forgotten”) — delete your data
• Restriction of processing in certain situations
• Portability — receive your data in a machine-readable format
• Objection to processing based on legitimate interest
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

We respond to requests within 30 days as required by GDPR.

Rights under CCPA / CPRA (California residents)

If you live in California, you have the right to:

• Know what personal information we collect, use, and share
• Delete the personal information we have about you
• Correct inaccurate personal information
• Opt out of sale or sharing of your personal information (we don’t sell or share it for advertising)
• Limit the use of sensitive personal information
• Non-discrimination — we won’t penalize you for exercising your rights

We respond to verifiable consumer requests within 45 days as required by CCPA.

Rights under other US state privacy laws

Residents of Virginia, Colorado, Connecticut, Texas, Utah, Oregon, and other states with comprehensive privacy laws have substantially similar rights to access, delete, correct, and opt out as those described above. Email us at privacy@cohra.app to exercise these rights.

How to exercise your rights

Email privacy@cohra.app with the request and any details that help us identify your account. We may need to verify your identity before acting on certain requests.

Children’s privacy

Cohra is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided personal information to us, please contact privacy@cohra.app and we will delete it.

Cookies and tracking technologies

The Cohra website uses a small number of strictly necessary cookies and, with your consent, anonymous analytics cookies. The Cohra mobile app does not use advertising identifiers and does not include third-party trackers. See our Cookie Policy for details.

Automated decision-making and profiling

Cohra does not use your personal data to make automated decisions that produce legal or similarly significant effects. AI-generated responses to “Ask Cohra” prompts are content suggestions, not automated decisions about you.

Changes to this policy

We may update this policy from time to time. If the changes are significant, we will notify you in the app and by email (if we have one for you) before the changes take effect. Continued use of Cohra after the changes take effect means you accept the updated policy.

Contact us

For privacy questions or to exercise your rights:

• Email: privacy@cohra.app
• Postal: [Legal Entity Name], [Registered Address]
• Supervisory authority (EU): you have the right to lodge a complaint with your local data protection authority. A list is available at edpb.europa.eu.