Privacy Policy
Plain language summary: We collect only what we need to operate the Service. We do not sell your data. We do not train AI on your meetings. You can request deletion at any time. Meeting consent is your responsibility.
Contents
- Controller Identity & Contact
- Data We Collect
- Legal Basis for Processing (GDPR)
- How We Use Data
- Subprocessors & Third Parties
- Meeting Audio & Agent Voice Responses
- Connected Data Sources
- Data Retention
- International Data Transfers
- Security
- Your Rights
- US State Privacy Rights (CCPA/CPRA)
- Children’s Privacy
- Security Breach Notification
- Do Not Sell or Share
- Changes to This Policy
- Contact & DPA Requests
1. Controller Identity & Contact
CoAgentor is operated by Niche Nudge LLC, a Delaware limited liability company. For purposes of applicable data protection law (including GDPR where applicable), Niche Nudge LLC is the data controller for personal data processed through the Service. Our data protection contact is: support@coagentor.com — subject line “Privacy Request.”
2. Data We Collect
2.1 Account & Identity Data
Name, email address, company name, job title (optional), and payment information (billing address, card type, last four digits — full card data is handled by our payment processor and not stored by us).
2.2 Agent Configuration Data
Agent names, roles, behavioral directives, knowledge base files you upload, connected data source credentials and tokens (encrypted at rest), and Agent interaction history.
2.3 Meeting Data
Participant audio: Real-time audio streams from meeting participants are processed as a live stream solely to enable Agent comprehension. Participant audio is never persistently stored after real-time processing completes for each utterance.
Agent voice responses: AI-generated audio responses produced by Agents during meetings are distinct from participant audio. These Agent-generated audio clips may be stored and are accessible to you through your meeting event log in the dashboard. This is AI-synthesized audio output only — it does not contain recordings of human participants’ voices. You may delete stored Agent responses at any time from the dashboard.
Transcripts: Where transcript logging is enabled on your plan, a text transcript of each Agent-participated session is retained for up to 90 days and accessible in your dashboard. You may delete transcripts at any time. Transcript data may include statements made by all meeting participants.
2.4 Usage & Technical Data
Meeting hour consumption, Agent invocation logs, feature usage events, session logs, error reports, IP addresses, browser/OS type, and device identifiers for security and analytics purposes.
2.5 Communications
The content of emails, contact form submissions, and support tickets you send to us.
2.6 Cookies & Similar Technologies
As described in our Cookie Policy.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill billing obligations.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement through aggregated analytics, and communicating about service changes.
- Legal obligation (Art. 6(1)(c)): Retention of financial records; compliance with court orders, law enforcement requests, and regulatory requirements.
- Consent (Art. 6(1)(a)): Optional analytics cookies (see Cookie Policy); any AI training (which we do not currently do without explicit opt-in).
4. How We Use Data
We use collected data to:
- Provide and operate the Service, including Agent real-time processing
- Manage accounts, subscriptions, and billing
- Respond to support requests and communications
- Monitor for security incidents, fraud, and AUP violations
- Send transactional emails (account notifications, billing receipts, service changes)
- Improve Service reliability and performance through aggregated, anonymized analytics
- Measure advertising conversion effectiveness (sign-ups and subscriptions attributed to ad campaigns) using anonymized conversion events
We do not use your data for: behavioral advertising; selling to data brokers; training AI models (without explicit separate consent); or profiling for automated individual decision-making that produces legal or similarly significant effects (GDPR Art. 22).
5. Subprocessors & Third Parties
We share data with the following categories of subprocessors, each bound by data processing agreements and required to implement appropriate security measures. A complete, named subprocessor list is available upon request at support@coagentor.com.
- Cloud Infrastructure & Hosting: We use cloud infrastructure providers (including Amazon Web Services) to host, store, and process Service data. Primary data is hosted in the United States. AWS is certified under SOC 2 and ISO 27001 and participates in the EU-US Data Privacy Framework.
- Meeting Bot & Real-Time Audio Infrastructure: We use a third-party meeting infrastructure provider to enable automated Agent participation across Google Meet, Zoom, and Microsoft Teams. This provider operates meeting bots and processes live audio streams on our behalf in order to generate transcripts for Agent evaluation. This provider does not use your meeting data for any purpose other than providing this service to us. Your calendar OAuth tokens (where applicable) are shared with this provider solely to enable detection of upcoming meeting events for auto-join functionality.
- AI Language Model Provider: Agent reasoning, transcript evaluation, and response generation are powered by third-party AI language model APIs (such as those provided by Anthropic, OpenAI, Google, or Mistral). We transmit only the minimum necessary transcript context to generate Agent responses. We do not transmit personally identifiable account data to AI language model providers.
- AI Voice Synthesis Provider: Agent speech output is generated by a third-party AI voice synthesis service (such as ElevenLabs, Amazon Polly, Microsoft Azure Cognitive Services, or Google Cloud TTS). We transmit Agent response text to this service to produce audio output. We do not transmit meeting participant audio or personal account data to voice synthesis providers.
- Payment Processor: Billing and payment processing is handled by a PCI-DSS compliant third-party payment processor (such as Stripe, Braintree, or Adyen). We do not store full payment card data. Your card data is transmitted directly to the payment processor and never passes through our servers.
- Transactional Email: Account notification, billing receipt, and service communication emails are delivered via a third-party transactional email provider (such as SendGrid, Mailgun, Postmark, or AWS SES). We transmit your email address and message content to this provider solely for delivery purposes.
- Error Monitoring & Observability: We use application error monitoring services (such as Sentry, Datadog, or Rollbar) to detect and diagnose technical issues. Error reports may contain anonymized request data but are configured to exclude personal data and meeting content.
- Analytics & Advertising (Google): We use Google Analytics 4 (GA4) via Google Tag Manager (GTM) to collect anonymized usage analytics, and Google Ads for conversion measurement. Anonymized event data (page views, sign-ups, subscription conversions) is transmitted to Google. IP addresses are anonymized before storage. Google LLC is certified under the EU-US Data Privacy Framework. Analytics and advertising cookies are only activated with your consent. See Google’s Privacy Policy.
- Third-Party Integration Platforms: When you authorize connections to productivity, CRM, or data platforms (such as Google Drive, Notion, Airtable, HubSpot, Slack, Confluence, or similar), data flows between those platforms and your Agents per your configuration. Each platform’s own terms and privacy policy applies to data processed on their infrastructure.
We do not sell personal data to, or share it with, advertisers, data brokers, or marketing networks. A full named subprocessor list with DPA details is available on request at support@coagentor.com.
6. Meeting Audio & Agent Voice Responses
Participant audio — never stored: Audio streams from human meeting participants are processed transiently as a live stream to enable Agent comprehension. Participant audio is not retained after real-time processing completes. We have no persistent copy of participant speech.
Agent voice responses — may be stored: AI-generated audio clips produced when an Agent speaks during a meeting are a distinct category of data. These clips may be stored and made accessible to you through your meeting event log in the dashboard. This storage contains only AI-synthesized speech output — it does not contain recordings of human voices. You may delete individual Agent response audio at any time from the dashboard.
Transcripts: If transcript logging is enabled on your plan, a text transcript of each Agent-participated session is retained for up to 90 days and accessible in your dashboard. You may delete transcripts at any time.
Your consent obligations: You are solely responsible for ensuring all meeting participants have legally sufficient knowledge of and consent to the Agent’s audio processing. See Section 7 of the Terms of Service for applicable legal obligations. We are not responsible for consent failures.
Voice and biometric data: We do not create biometric identifiers or voice prints of individuals from meeting audio. Audio is processed transiently for language understanding only. However, applicable law in your jurisdiction (e.g., Illinois BIPA) may classify voice data differently. Consult local counsel.
7. Connected Data Sources
When an Agent queries a connected source (such as Google Drive, Notion, Airtable, HubSpot, Slack, Confluence, or uploaded CSV and document files), the query response is used in-session to formulate the Agent’s reply. We do not persistently store the content of those query responses outside of transcript logs (if enabled). Access tokens for connected integrations are stored in encrypted form and are scoped to the minimum permissions you authorize.
Connect only data sources you are legally authorized to access. Connecting sources without authorization may violate the Computer Fraud and Abuse Act (CFAA), GDPR, or other laws, and constitutes a material breach of the Terms of Service.
Not all data connectors described on our website may be currently active — some are planned for future availability. Where a connector is not yet live, no data flows to or from that platform. Our legal pages describe the full scope of planned data processing to ensure transparency about our roadmap.
Google Calendar integration: When you connect Google Calendar, CoAgentor requests read-only access to your calendar events and your Google account email address. We use this data solely to display your upcoming Google Meet events within the dashboard and to allow you to assign AI agents to those events. We do not use Google Calendar data for advertising or any purpose unrelated to operating the Service.
Your Google OAuth refresh token is shared with our meeting infrastructure provider solely to enable that service to detect upcoming calendar events and schedule meeting bots on your behalf. Our meeting infrastructure provider does not use your token for any other purpose. All other Google Calendar data is fetched on demand and not persistently stored beyond your active session.
Our use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements. You may disconnect your Google Calendar at any time from the Account settings page, which immediately revokes our access and removes your stored tokens.
Microsoft Calendar (Outlook) integration: When you connect your Microsoft account for calendar access, CoAgentor requests read-only access to your Outlook calendar events and your Microsoft account email address. We use this data solely to display upcoming meetings within the dashboard and to enable Agent auto-join. Your Microsoft OAuth refresh token is shared with our meeting infrastructure provider solely for bot scheduling. You may disconnect Outlook Calendar at any time from the Account settings page.
Google Drive integration: When you connect Google Drive, CoAgentor uses the drive.file OAuth scope. This is the narrowest scope Google offers for Drive integrations and grants CoAgentor access only to the specific files you explicitly hand us through Google’s file picker. CoAgentor cannot list, browse, search, or read any other file in your Drive.
We use this access solely to download files you select via the picker when building agent contexts. CoAgentor never creates, modifies, or deletes files in your Drive. Your Google OAuth refresh token is stored encrypted at rest and is used only to (a) download the specific files you have picked and (b) maintain push notification watches on those same files so that CoAgentor can automatically re-index them when you edit them in Drive. Watch state (channel identifiers and expiry timestamps) is stored alongside your encrypted tokens in our database.
We do not transmit Drive file content to any third party other than our AI language model provider (solely to generate agent responses) and our cloud storage provider (solely to store indexed content). You may disconnect Google Drive at any time from the Integrations page, which immediately revokes our access, removes your stored tokens and watch state, and deletes all files and embeddings sourced from that account.
Our use of Google Drive data complies with the Google API Services User Data Policy, including the Limited Use requirements.
8. Data Retention
- Account data: Retained during account lifetime; deleted within 30 days of account closure.
- Agent configurations: Retained until deleted by you or account closure.
- Agent voice response audio: Retained until deleted by you, or 90 days, or account closure — whichever is sooner.
- Meeting transcripts: 90 days or until manually deleted, whichever is sooner.
- Usage and access logs: 12 months for security and operational purposes.
- Financial records: 7 years as required by US tax law.
- Support correspondence: 3 years from resolution.
- Legal hold: Data subject to litigation holds is retained until the hold is lifted regardless of standard retention periods.
9. International Data Transfers
The Service is operated in the United States. If you are in the EEA, UK, or other jurisdictions with data transfer restrictions, your personal data is transferred to the US for processing. We rely on the following safeguards:
- Our primary cloud infrastructure provider participates in the EU-US Data Privacy Framework (DPF).
- Where required, we enter Standard Contractual Clauses (SCCs) with EEA/UK customers. Contact us to request an executed SCC or Data Processing Agreement (DPA).
- We require our subprocessors who receive EEA/UK personal data to maintain equivalent transfer safeguards.
10. Security
We implement technical and organizational measures including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access controls; multi-factor authentication for internal systems; automated vulnerability scanning; and periodic security reviews. Access tokens for third-party integrations are encrypted at rest and never logged in plaintext.
No security system is infallible. If you discover a security vulnerability, please disclose it responsibly to support@coagentor.com before public disclosure. We will acknowledge receipt within 48 hours.
11. Your Rights (EEA/UK/Global)
Subject to applicable law, you have the following rights regarding your personal data. To exercise any right, email support@coagentor.com with “Privacy Request” in the subject line. We respond within 30 days (extendable to 60 days for complex requests):
- Access (Art. 15 GDPR): Receive a copy of personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure / Right to be forgotten (Art. 17): Delete your data, subject to legal retention requirements.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Restriction (Art. 18): Restrict processing in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for consent-based processing at any time without affecting prior processing.
- Lodge a complaint: Lodge a complaint with your supervisory authority (e.g., ICO in UK, your national DPA in the EU).
12. US State Privacy Rights (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Know: Request disclosure of the categories and specific pieces of personal information collected, disclosed, or sold in the past 12 months.
- Delete: Request deletion of your personal information, subject to exceptions.
- Correct: Request correction of inaccurate personal information.
- Opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you may notify us at support@coagentor.com.
- Limit sensitive data use: Request limitation of use of sensitive personal information to necessary service purposes.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other state privacy law rights are honored to the extent required. Contact us to exercise any state privacy right.
13. Children’s Privacy
The Service is not directed to children under 13 (US / COPPA) or under 16 (EEA / GDPR). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact us immediately and we will delete it within 72 hours of verification.
14. Security Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware, to the extent required by GDPR Article 33/34 or applicable US state breach notification laws (including California, New York, and other states). Notification will be by email to the address on your account.
15. Do Not Sell or Share My Personal Information
We do not sell personal information as defined by the CCPA, nor do we share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months. You may confirm this opt-out status by contacting support@coagentor.com.
16. Changes to This Policy
We may update this Privacy Policy. For material changes, we will notify you by email at least 30 days before the change takes effect for existing accounts, and update the effective date above. For non-material changes, we update the policy and date without individual notification. Continued use after the effective date constitutes acceptance.
17. Contact & DPA Requests
Niche Nudge LLC — Data Controller
Email: support@coagentor.com (subject: “Privacy Request”)
Delaware, USA
To request a Data Processing Agreement (DPA), Standard Contractual Clauses (SCCs), or our full named subprocessor list, email us with “DPA Request” in the subject line. We will respond within 5 business days.