Privacy Policy
Effective date: March 26, 2026 · Last updated: March 26, 2026
1. Introduction
This Privacy Policy describes how First Strategy, LLC ("Company," "we," "us"), a Colorado limited liability company, collects, uses, stores, and protects your personal information when you use the CoBuilder application and related services ("Service").
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. This Privacy Policy is incorporated into and subject to our Terms of Service.
For purposes of the EU General Data Protection Regulation ("GDPR"), First Strategy, LLC is the data controller. For purposes of the California Consumer Privacy Act ("CCPA"), we are the business that collects your personal information.
2. Information We Collect
2.1 Account Information. When you create an account, we collect your name, email address, and authentication credentials. Authentication is handled by BetterAuth, a self-hosted open-source authentication library — your credentials and session data are stored directly in CoBuilder's own PostgreSQL database and are not sent to any third-party auth service. If you sign in via a social provider (Google, Apple, or Microsoft), we receive the profile information you authorize.
2.2 Conversation Content. We collect the prompts you submit to the Service ("Inputs") and the AI-generated responses returned to you ("Outputs"). This content is stored to provide the Service, display your conversation history, and enable workspace features.
2.3 Workspace Files. Files you create, upload, or generate through the Service are stored in our cloud infrastructure. Workspace data is isolated per organization.
2.4 Payment Information. When you subscribe to a paid plan, payment details (card number, billing address) are collected and processed directly by Stripe, Inc. We do not receive or store your full payment card number. We receive from Stripe: card brand, last four digits, expiration date, billing address, and transaction history.
2.5 Device and Usage Data. We automatically collect technical information including: IP address, browser or application type, operating system, device identifiers, pages visited, features used, timestamps, and referring URLs. The desktop and mobile applications may collect crash reports and performance data through Sentry.
2.6 Waitlist and Marketing Data. If you join our waitlist or subscribe to marketing communications, we collect your name and email address. This information is stored in our CRM system (Zoho CRM).
3. How We Use Your Information
We use your information for the following purposes. For users in the European Economic Area, we have identified the lawful basis under GDPR Article 6(1) for each processing activity.
- Provide the Service: process your Inputs through AI models, store your workspace content, and deliver Outputs.
Lawful basis: performance of contract (Art. 6(1)(b)). - Authentication and security: verify your identity, maintain session state, and protect against unauthorized access.
Lawful basis: performance of contract (Art. 6(1)(b)) and legitimate interest in securing the Service (Art. 6(1)(f)). - Billing: process subscription payments and usage-based charges.
Lawful basis: performance of contract (Art. 6(1)(b)). - Communication: send transactional notifications (task completions, usage warnings, account updates) and respond to support requests.
Lawful basis: performance of contract (Art. 6(1)(b)). - Safety and abuse prevention: monitor for violations of our Terms of Service and protect the integrity of the Service.
Lawful basis: legitimate interest in protecting the Service and its users (Art. 6(1)(f)). - Improvement: analyze usage patterns in aggregate to improve the Service. We do not use your conversation content for this purpose.
Lawful basis: legitimate interest in improving the Service (Art. 6(1)(f)). - Legal compliance: fulfill legal obligations, respond to lawful requests, and protect our rights.
Lawful basis: compliance with a legal obligation (Art. 6(1)(c)).
4. Third-Party Processors
We share your personal information with the following third-party service providers ("processors") who process data on our behalf. Each processor operates under a data processing agreement and/or terms of service that govern how they handle your data.
| Processor | Purpose | Data shared |
|---|---|---|
| Anthropic | Primary AI provider | Conversation content (Inputs and Outputs) |
| OpenAI | Secondary AI provider, embeddings | Conversation content, text for embedding |
| Stripe | Payment processing | Payment method, billing address, transaction history |
| Google Cloud Platform | Compute, storage, and secret management | All request data in transit, workspace files, encrypted credentials |
| Neon | Database hosting (PostgreSQL) | All persistent user data (profile, conversations, files) |
| Upstash | Caching and task queues | Transient session state, rate-limit counters, task payloads |
| Cloudflare | DNS, CDN, and edge proxy | IP addresses, request metadata |
| Vercel | Website hosting | IP addresses, waitlist form submissions |
| Resend | Transactional email delivery | Email addresses, notification content |
| Sentry | Client-side error reporting (desktop/mobile app) | Device information, crash traces, user identifier |
| Zoho CRM | Customer relationship management | Name, email (from waitlist and marketing) |
5. AI-Specific Disclosures
5.1 How Your Content Is Processed. When you use AI features, your Inputs are sent to third-party AI providers (Anthropic and OpenAI) via their APIs. These providers process your Inputs and return Outputs, which we deliver to you and store in your workspace.
5.2 No Training on Your Data. Under our API agreements with our AI providers, your data is not used to train their models. Anthropic's commercial terms state: "Anthropic may not train models on Customer Content from Services." OpenAI's business terms state: "We will not use Customer Content to develop or improve the Services." We have not opted in to any data-sharing programs with either provider.
5.3 Provider Data Retention. Our AI providers may temporarily retain Inputs and Outputs for abuse monitoring and safety purposes in accordance with their own data policies. OpenAI retains API data for up to 30 days for abuse monitoring. Anthropic processes data under its commercial Data Processing Addendum. We do not control these provider retention periods; for details, refer to each provider's privacy policy.
6. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. The specific retention periods are:
| Data type | Retention period | Deletion mechanism |
|---|---|---|
| Conversations and workspace files | Retained until you request deletion | On request (see Section 7) |
| Account data | Until account deletion, plus 30 days | Account deletion triggers cascade |
| Billing records | As required by law (typically 7 years) | Not user-deletable |
| Crash reports (Sentry) | 90 days | Automatic expiry |
| Server logs | 30 days | Automatic expiry (Cloud Run) |
| Waitlist and CRM data | Until unsubscribe or deletion request | On request |
Automated data cleanup tooling is planned. Until it is available, deletion requests are processed manually within 30 days.
7. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
7.1 GDPR Rights (European Economic Area). If you are located in the EEA, you have the right to: access your personal data; rectify inaccurate data; request erasure of your data (Article 17 — "right to be forgotten"); restrict processing; data portability; and object to processing. We will respond to erasure requests within 30 days.
7.2 CCPA Rights (California). If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; and opt out of the sale of your personal information. We do not sell your personal information.
7.3 Data Export. You may request a copy of your personal data in a portable, machine-readable format. A self-service data export feature is planned for a future release. Until then, export requests are fulfilled manually upon request.
7.4 Exercising Your Rights. To exercise any of these rights, contact us at legal@cobuilder.me. We will verify your identity before processing your request and respond within 30 days (or such shorter period as required by applicable law). We will not discriminate against you for exercising your rights.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
- Encryption at rest: sensitive credentials are encrypted with AES-256-GCM before storage
- Encryption in transit: all data is transmitted over TLS. API traffic passes through Cloudflare's edge network.
- Access isolation: workspace data is isolated per organization using PostgreSQL row-level security
- Authentication: self-hosted via BetterAuth, an MIT-licensed open-source library. All authentication and session data is stored in CoBuilder's own PostgreSQL database — no credentials are transmitted to a third-party auth service. Supports multi-factor authentication and social login via OAuth/OIDC
- PII scrubbing: crash reports are processed through a filter that removes email addresses, names, and IP addresses before transmission to Sentry
No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
9. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at legal@cobuilder.me.
10. International Data Transfers
Your personal information is processed and stored in the United States (primarily in the us-central1 region via Google Cloud Platform, Neon, and Upstash). If you are located outside the United States, your information will be transferred to and processed in the United States.
For users in the European Economic Area, we rely on Standard Contractual Clauses (SCCs) and processor-specific data protection mechanisms to ensure adequate safeguards for international data transfers. Our AI providers and infrastructure processors maintain their own data transfer compliance frameworks.
11. Cookies and Tracking
11.1 Essential Cookies. We use cookies that are strictly necessary for the operation of the Service. These include session cookies set by our self-hosted authentication system (BetterAuth) to maintain your login state. These cookies are first-party cookies served from CoBuilder's own domain — no cookies are set by an external authentication provider. These cookies are functional and cannot be disabled without breaking the Service.
11.2 No Advertising Cookies. We do not use advertising or behavioral tracking cookies. We do not participate in ad networks or sell data to advertisers.
11.3 Analytics. Our marketing website may collect anonymous, aggregate analytics data (page views, referral sources) through our hosting provider (Vercel). This data does not identify individual users.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes by email or through the Service. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy, to exercise your data rights, or to raise a privacy concern, contact us at:
First Strategy, LLC
legal@cobuilder.me
If you are not satisfied with our response to a privacy concern, you may have the right to lodge a complaint with your local data protection authority.