Last updated: June 16, 2026
This Privacy Policy explains how COBY ("we", "us", or "our") handles personal data: both the data we process when we build and operate a product brain for a client, and the limited data we collect through our website https://joincoby.com.
COBY has not yet completed incorporation. It is currently operated by its founders. Once COBY is incorporated, this notice will be updated with our registered company name, registration number, and registered address. For any data-protection question or request, contact founders@joincoby.com.
COBY builds a private product brain for each client. Coby is a bespoke engagement, not a self-serve product, and there is no Coby dashboard.
We use OpenAI to compute embeddings (vectors for search) and Anthropic, through AWS Bedrock, for reasoning tasks. Your data is not used to train AI models, not by us and not by our model providers under the terms we use. Direct identifiers such as names and email addresses are excluded from the text sent to the embedding provider. On request, we can run open-source models hosted on EU GPUs so that no third-party model receives your data.
Engagement data is hosted in the EU (Supabase on AWS eu-west-3, Paris; processing on Railway in the EU). It is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access to production is restricted to a small number of authorized people with multi-factor authentication, on a least-privilege basis; no one browses your data in normal operation, and access is logged. Our infrastructure providers are independently certified (SOC 2, ISO 27001). Full detail is on our Security page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (on AWS) | Database, storage, knowledge graph | EU (Paris) |
| Railway (Google Cloud) | Backend processing | EU |
| Anthropic (via AWS Bedrock) | Reasoning | EU region |
| OpenAI | Embeddings | US (Standard Contractual Clauses) |
We give advance notice of any change to this list, as set out in the DPA.
Engagement data is stored in the EU. Where a sub-processor processes personal data outside the EEA (currently OpenAI, in the United States), the transfer is covered by Standard Contractual Clauses. On request, the embedding step can be moved to an EU self-hosted model so that no personal data leaves the EEA.
In the event of a personal data breach, we notify the affected client without undue delay and within 48 hours of becoming aware, and assist the client (as controller) with its obligations under GDPR Articles 33 and 34, including notification to the CNIL within 72 hours and to affected individuals where there is a high risk to their rights. See our Security page for our full incident response process.
For the website itself, where we act as controller, we collect:
Coby is a business product and is not directed at children. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we will delete it.
We may update this Privacy Policy from time to time. The "Last updated" date above always reflects the most recent revision. For engagement data, the terms of the client's DPA prevail over this policy in the event of any conflict.
Email: founders@joincoby.com
Response time: we will respond within 30 days.
A Data Processing Agreement and a security overview are available on request. founders@joincoby.com is our contact point for all data-protection requests. We have not appointed a Data Protection Officer, as we are not required to under GDPR Article 37.