1. Who We Are and How to Contact Us
Controller: CoTeam Inc., team@coteam.ai
For privacy questions, email team@coteam.ai with subject line "Privacy Inquiry".
If you are located in the EEA or UK, CoTeam acts as a data controller for account and billing data, and as a data processor for Customer Content (your knowledge base and query data) processed on your behalf.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data Collected | Purpose |
|---|---|---|
| Account information | Email address, full name, password (hashed) | Account creation, authentication, billing notifications |
| Workspace information | Workspace name, URL slug, company name | Workspace setup, dashboard routing, billing records |
| Knowledge base content | Document text extracted from uploaded PDFs, Word files, Excel files, and text files | Generating answers, embeddings, questionnaire filling, scaffold generation |
| Slack interactions | Text of /ask queries, questionnaire files, /brief company names, /scaffold requests | Delivering AI-generated responses; stored for corrections flywheel and audit log |
| Billing information | PayPal payer ID, subscription ID, seat count | Processing payments. We do not store card numbers — payment data is handled entirely by PayPal |
| Communications | Emails sent to team@coteam.ai | Responding to support requests |
2.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Usage data | Commands run, confidence tiers, SE actions, timestamps | Product analytics, corrections flywheel, billing seat count |
| Log data | IP address, browser type, pages visited, API request metadata | Security monitoring, debugging, rate limiting |
| Billing events | Subscription created/cancelled, payment succeeded/failed, trial started/activated | Billing audit trail, trial nurture communications |
2.3 Information from Third Parties
- /brief command: When you run /brief [company], CoTeam uses Anthropic's web search tool to retrieve publicly available information about the prospect company. This is public information about third parties, not personal data you provide.
- PayPal: When you subscribe, PayPal shares a payer ID and subscription ID. We do not receive full payment card details.
- Slack: When you install CoTeam, we receive your Slack workspace ID, user IDs of members who interact with the bot, and their email addresses (used to match Slack users to CoTeam workspace members).
3. How We Use Your Information
We use your information to:
- Authenticate users and enforce workspace data isolation
- Process /ask queries, /questionnaire files, /brief requests, and /scaffold requests
- Store and index knowledge base content and return AI-generated responses
- Maintain the corrections flywheel (storing SE edits to improve future answers)
- Process PayPal subscription lifecycle (activation, renewal, cancellation)
- Send trial nurture and billing communications via Slack DM and email
- Monitor for security anomalies and enforce rate limits
- Comply with applicable legal obligations
Trial communications: During the 7-day trial, workspace owners receive: a welcome Slack DM (day 0), a setup or activation nudge (day 2), a conversion nudge with usage summary (day 5), a final warning (day 6), and an expiry email if no subscription is started. You can opt out of non-essential communications by emailing team@coteam.ai.
4. Legal Bases for Processing (GDPR)
If you are located in the EEA or UK, we process your personal data under the following legal bases:
| Basis | Data | Rationale |
|---|---|---|
| Contract performance | Account data, workspace data, usage data | Processing necessary to deliver the CoTeam service you contracted for |
| Legitimate interests | Log data, billing events, trial nurture communications | Operating and improving the platform, fraud prevention, communicating about your trial |
| Legal obligation | Billing records, audit logs | Compliance with financial, tax, and data protection law |
| Consent | Marketing emails (where separately obtained) | Only where we have obtained your explicit consent — withdrawable at any time |
5. How We Share Information
5.1 AI Sub-processors
CoTeam sends content from your knowledge base and queries to the following AI service providers solely to generate responses on your behalf:
| Sub-processor | Data Sent | Data Handling |
|---|---|---|
| Anthropic (Claude API) | Query text and relevant knowledge base chunks (for /ask, /questionnaire, /brief, /scaffold). Web search queries for /brief contain no customer data. | Anthropic's Data Processing Agreement. Customer inputs are not used to train Anthropic models by default under API terms. |
| OpenAI (Embeddings API) | Text chunks extracted from your ingested documents | OpenAI's Data Processing Agreement. Embeddings API inputs are not used to train OpenAI models. |
5.2 Infrastructure Sub-processors
- Supabase: Database, authentication, and file storage
- Vercel: Hosts the CoTeam web dashboard
- Railway: Hosts the CoTeam backend API and Slack bot
- PayPal: Payment processing and subscription management
- Resend: Transactional email delivery for billing and trial notifications
5.3 What We Do Not Do
- We do not sell your personal data or your knowledge base content to third parties
- We do not share your data with advertisers
- We do not use your knowledge base content to train AI models
- We do not share data between separate CoTeam customers — workspace isolation is enforced at the database layer
6. Data Retention
| Data | Retention |
|---|---|
| Knowledge base content | Retained until you delete the source document or delete your workspace |
| Interaction history (/ask queries) | Retained for the life of your workspace; deletable on workspace deletion |
| Prospect briefs and scaffolds | Retained for the life of your workspace; deletable on workspace deletion |
| Questionnaire files (raw uploads) | Deleted 30 days after processing. Filled outputs retained until workspace deletion. |
| Billing events | Retained for 7 years for financial audit compliance |
| User account data | Retained until account deletion. Requests processed within 30 days. |
| Log data | Retained for 90 days |
You can delete your workspace and all associated data from Settings → Danger Zone. Account deletion requests can be submitted to team@coteam.ai.
7. Your Rights
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Restriction | Request that we restrict processing of your data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
| Lodge a complaint | File a complaint with your local data protection authority (EEA/UK residents) |
To exercise any of these rights, email team@coteam.ai with subject "Privacy Request". We will respond within 30 days.
8. California Privacy Rights (CCPA / CPRA)
California residents have the right to know what personal information we collect, use, and disclose; the right to delete personal information; the right to opt out of the sale of personal information (note: CoTeam does not sell personal information); and the right to non-discrimination for exercising CCPA rights.
To submit a CCPA request, email team@coteam.ai.
9. Cookies and Tracking
- Authentication cookies: Session tokens issued by Supabase Auth. Strictly necessary — cannot be opted out of while using the dashboard.
- Preference cookies: Remembering UI preferences. Functional only, not used for tracking.
CoTeam does not use advertising cookies, third-party tracking scripts, or analytics platforms that send your data to advertising networks. CoTeam products are ad-free and contain no advertiser tracking.
10. Security
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest (via Supabase managed infrastructure)
- Row Level Security (RLS) enforced at the database layer for workspace isolation
- API key hashing — plaintext keys are never stored after creation
- Webhook signature verification for all PayPal billing events
To report a security vulnerability, email team@coteam.ai with subject "Security Disclosure".
11. International Data Transfers
CoTeam operates primarily in the United States. If you access CoTeam from the EEA or UK, your data may be transferred to and processed in the United States. For such transfers, CoTeam relies on Standard Contractual Clauses (SCCs) and the sub-processor agreements with Supabase, Anthropic, OpenAI, and other providers listed in Section 5.
12. Children's Privacy
CoTeam is a B2B platform intended for use by businesses and their employees. We do not knowingly collect personal information from anyone under the age of 18.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to workspace owners and by prominent notice in the dashboard at least 14 days before the change takes effect.
14. Contact
CoTeam Inc. · team@coteam.ai · app.coteam.ai
For privacy requests or data protection questions, email team@coteam.ai with the relevant subject line. We aim to respond within 5 business days.