This Privacy Policy explains what data Cothyra collects, why, and how it's used. We collect only what we need to run the Service and we don't sell anything to advertisers.
1. Account data
When you sign in, our auth provider (Casdoor / OIDC) shares your email, display name, and a unique ID with us. We store these so we know which content belongs to you.
2. Your content
- Books, chapters, notes, and edits you create are stored on our servers and in your browser's IndexedDB cache.
- Chat transcripts with the AI are stored per-session for your reference; you can delete them at any time.
- We don't read your content for any purpose other than making the Service work, and we don't share it with anyone outside the AI providers needed to fulfill your request.
3. AI processing
When you ask the AI a question, the relevant text (your prompt and the chapter content you're working on) is sent to a third-party model provider β currently Anthropic and/or OpenAI, depending on which model you've selected. These providers process the request, return a response, and (per their documented policies) do not use it for training their models when accessed through paid API tiers.
Their privacy and data-retention terms apply alongside ours:
- Anthropic: anthropic.com/legal/privacy
- OpenAI: openai.com/policies/privacy-policy
4. Payment data
We do not see, store, or process your card details. Payments are handled entirely by our merchant of record (Paddle.com), who collects what they need and shares only the result with us β your user ID and the credit amount to apply. Their privacy policy: paddle.com/legal/privacy.
5. Operational logs
- HTTP request logs (path, status code, timestamp) for debugging and security monitoring. Retained ~90 days.
- Per-AI-call billing records (timestamp, model, token counts, cost) for transparency and dispute resolution. Retained as long as your account exists.
- No third-party analytics or advertising trackers.
6. Cookies
We use one functional cookie to keep you signed in. No advertising cookies, no tracking cookies, no consent banner because we don't set any non-essential cookies.
7. Data retention
Your books and chats stay until you delete them or close your account. Billing records are retained for accounting purposes (typically 7 years where the law requires it). Server logs roll off after ~90 days.
8. Your rights
Depending on where you live (GDPR for EU/UK, CCPA for California, similar elsewhere) you may have the right to access, correct, delete, or export your data. To exercise any of these, email [email protected] and we'll respond within 30 days.
9. Security
Data is transmitted over HTTPS. Stored data is access-controlled to the operator. We're a small operation, so we don't run a SOC 2 program β but we do follow standard practice (no shared accounts, no plaintext credentials in logs, regular dependency updates).
10. Children
The Service isn't intended for users under 13. Don't sign up if you are.
11. Changes
We'll update the date at the top when we change this. Material changes will be announced via email.
12. Contact
Privacy questions: [email protected].