← BackCOBY

Privacy Policy

Last updated: June 16, 2026

This Privacy Policy explains how COBY ("we", "us", or "our") handles personal data: both the data we process when we build and operate a product brain for a client, and the limited data we collect through our website https://joincoby.com.

COBY has not yet completed incorporation. It is currently operated by its founders. Once COBY is incorporated, this notice will be updated with our registered company name, registration number, and registered address. For any data-protection question or request, contact founders@joincoby.com.

1. Our two roles

  • Engagement data (we are a processor): When we build a brain for a client, we process the data that client makes available to us strictly on their documented instructions. The client is the data controller; COBY is the data processor. This processing is governed by a Data Processing Agreement (DPA) signed with each client.
  • Website data (we are a controller): For the limited personal data we collect through our website, for example when you contact us, COBY is the controller. See section 10.

2. How the brain works with your data

COBY builds a private product brain for each client. Coby is a bespoke engagement, not a self-serve product, and there is no Coby dashboard.

  • With the client's authorization, we connect to the tools or database they designate, either read-only access or scoped access tokens, and ingest the data agreed in the engagement.
  • That data is processed on our backend (Railway, EU) and structured into a knowledge graph stored in our database (Supabase, on AWS in eu-west-3, Paris). It stays in the EU.
  • The client queries the brain through a secure interface (the Model Context Protocol over HTTPS), from their own tools or AI assistants.
  • We connect only what the engagement and the DPA specify.

3. What data we process

  • Types of personal data: identifiers such as names, business email addresses, and account identifiers; product-usage data; customer-support interactions; communications and call notes; and product feedback, as drawn from the client's connected tools. We do not seek special-category data, and clients are asked not to send it.
  • Categories of data subjects: the client's customers and end users, and the client's personnel whose data appears in the connected tools.

4. How AI handles your data

We use OpenAI to compute embeddings (vectors for search) and Anthropic, through AWS Bedrock, for reasoning tasks. Your data is not used to train AI models, not by us and not by our model providers under the terms we use. Direct identifiers such as names and email addresses are excluded from the text sent to the embedding provider. On request, we can run open-source models hosted on EU GPUs so that no third-party model receives your data.

5. Hosting and security

Engagement data is hosted in the EU (Supabase on AWS eu-west-3, Paris; processing on Railway in the EU). It is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access to production is restricted to a small number of authorized people with multi-factor authentication, under least-privilege; no one browses your data in normal operation, and access is logged. Our infrastructure providers are independently certified (SOC 2, ISO 27001). Full detail is on our Security page.

6. Sub-processors

Sub-processorPurposeLocation
Supabase (on AWS)Database, storage, knowledge graphEU (Paris)
Railway (Google Cloud)Backend processingEU
Anthropic (via AWS Bedrock)ReasoningEU region
OpenAIEmbeddingsUS (Standard Contractual Clauses)

We give advance notice of any change to this list, as set out in the DPA.

7. International transfers

Engagement data is stored in the EU. Where a sub-processor processes personal data outside the EEA (currently OpenAI, in the United States), the transfer is covered by Standard Contractual Clauses. On request, the embedding step can be moved to an EU self-hosted model so that no personal data leaves the EEA.

8. Retention and deletion

  • Engagement data is retained for the duration of the engagement.
  • You can request deletion of any part of it, or all of it, at any time; we action deletion requests within 30 days, and usually sooner.
  • When an engagement ends, we delete the data in full by default, including data incorporated into the knowledge graph and held by sub-processors.
  • Specifics are set in each client's DPA.

9. Data breach notification

In the event of a personal data breach, we notify the affected client without undue delay and within 48 hours of becoming aware, and assist the client (as controller) with its obligations under GDPR Articles 33 and 34, including notification to the CNIL within 72 hours and to affected individuals where there is a high risk to their rights. See our Security page for our full incident response process.

10. Your rights

  • Engagement data: because the client is the controller, data subjects exercise their GDPR rights (access, rectification, erasure, restriction, objection, portability) with that client. We assist the client in responding, as set out in the DPA, and we do not respond to such requests directly except on the client's instructions.
  • Website data: contact founders@joincoby.com to access, correct, or delete the data we hold about you as controller.
  • Lodge a complaint: you have the right to lodge a complaint with the French data protection authority, the CNIL (www.cnil.fr), or your local EU supervisory authority.

11. Data we collect through the website

For the website itself, where we act as controller, we collect:

  • Contact data: if you email us or sign up for an event, we collect your email address and any details you provide, to respond to you. Legal basis: your consent or our legitimate interest in responding.
  • Analytics: we use PostHog to understand website usage (page views, basic events). PostHog uses cookies and local storage in production. Legal basis: legitimate interest.
  • We do not use advertising trackers, and we do not sell your data.

12. Children

Coby is a business product and is not directed at children. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date above always reflects the most recent revision. For engagement data, the terms of the client's DPA prevail over this policy in the event of any conflict.

14. Contact

Email: founders@joincoby.com
Response time: we will respond within 30 days.
A Data Processing Agreement and a security overview are available on request. founders@joincoby.com is our contact point for all data-protection requests. We have not appointed a Data Protection Officer, as we are not required to under GDPR Article 37.

HOMECONTACTABOUTTERMS AND CONDITIONSPRIVACY POLICYSECURITY
COBY