Legal

Privacy Policy

Effective date: January 1, 2026  ·  Niche Nudge LLC  ·  Delaware, USA

Terms of ServicePrivacy PolicyCookie PolicyAcceptable Use

Plain language summary: We collect only what we need to operate the Service. We do not sell your data. We do not train AI on your meetings. You can request deletion at any time. Meeting consent is your responsibility.

Contents

  1. Controller Identity & Contact
  2. Data We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Data
  5. Subprocessors & Third Parties
  6. Meeting Audio & Transcripts
  7. Connected Data Sources
  8. Data Retention
  9. International Data Transfers
  10. Security
  11. Your Rights
  12. US State Privacy Rights (CCPA/CPRA)
  13. Children’s Privacy
  14. Security Breach Notification
  15. Do Not Sell or Share
  16. Changes to This Policy
  17. Contact & DPA Requests

1. Controller Identity & Contact

CoAgentor is operated by Niche Nudge LLC, a Delaware limited liability company. For purposes of applicable data protection law (including GDPR where applicable), Niche Nudge LLC is the data controller for personal data processed through the Service. Our data protection contact is: support@coagentor.com — subject line “Privacy Request.”

2. Data We Collect

2.1 Account & Identity Data

Name, email address, company name, job title (optional), and payment information (billing address, card type, last four digits — full card data is handled by our payment processor and not stored by us).

2.2 Agent Configuration Data

Agent names, roles, behavioral directives, knowledge base files you upload, connected data source credentials/tokens, and Agent interaction history.

2.3 Meeting Data

Real-time audio streams processed during active Agent sessions. Where transcript logging is enabled, text transcripts of meetings where an Agent participated. We do not store raw audio after real-time processing.

2.4 Usage & Technical Data

Meeting hour consumption, Agent invocation logs, feature usage events, session logs, error reports, IP addresses, browser/OS type, and device identifiers for security and analytics purposes.

2.5 Communications

The content of emails, contact form submissions, and support tickets you send to us.

2.6 Cookies & Similar Technologies

As described in our Cookie Policy.

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill billing obligations.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement through aggregated analytics, and communicating about service changes.
  • Legal obligation (Art. 6(1)(c)): Retention of financial records; compliance with court orders, law enforcement requests, and regulatory requirements.
  • Consent (Art. 6(1)(a)): Optional analytics cookies (see Cookie Policy); any AI training (which we do not currently do without explicit opt-in).

4. How We Use Data

We use collected data to:

  • Provide and operate the Service, including Agent real-time processing
  • Manage accounts, subscriptions, and billing
  • Respond to support requests and communications
  • Monitor for security incidents, fraud, and AUP violations
  • Send transactional emails (account notifications, billing receipts, service changes)
  • Improving Service reliability and performance through aggregated, anonymized analytics
  • Measuring advertising conversion effectiveness (sign-ups and subscriptions attributed to Google Ads campaigns) using anonymized conversion events

We do not use your data for: behavioral advertising; selling to data brokers; training AI models (without explicit separate consent); or profiling for automated individual decision-making that produces legal or similarly significant effects (GDPR Art. 22).

5. Subprocessors & Third Parties

We share data with the following categories of subprocessors, each bound by data processing agreements and required to implement appropriate security measures:

  • Amazon Web Services (AWS): Cloud hosting, storage, and compute infrastructure. Data hosted in US-East-1 (N. Virginia). AWS is certified under SOC 2, ISO 27001, and participates in the EU-US Data Privacy Framework.
  • ElevenLabs: AI voice synthesis. We transmit Agent response text to ElevenLabs’ API to generate audio output. ElevenLabs’ privacy policy governs their data handling.
  • Payment Processor: Billing and payment processing. We do not store full payment card data. PCI-DSS compliant.
  • Transactional Email (AWS SES): Delivery of account and contact form emails.
  • Third-Party Integration Platforms: When you authorize connections to Google Drive, Notion, Airtable, HubSpot, Slack, Confluence, Zapier, or Make, data flows between those platforms and your Agents per your configuration. Each platform’s own terms and privacy policy applies.
  • Google (Analytics & Ads): We use Google Analytics 4 (GA4) via Google Tag Manager (GTM) to collect anonymized usage analytics, and Google Ads for conversion measurement. Anonymized event data (page views, sign-ups, subscription conversions) is transmitted to Google. IP addresses are anonymized before storage. Google LLC is certified under the EU-US Data Privacy Framework. Analytics and advertising cookies are only activated with your consent. See Google’s Privacy Policy.

We do not sell personal data to, or share it with, advertisers, data brokers, or marketing networks. We maintain an up-to-date subprocessor list available upon request at support@coagentor.com.

6. Meeting Audio & Transcripts

Real-time processing: Meeting audio is processed as a live stream to enable Agent comprehension. Audio data is not persistently stored after processing completes for each utterance.

Transcripts: If transcript logging is enabled on your plan, a text transcript of each Agent-participated session is retained for up to 90 days and accessible in your dashboard. You may delete transcripts at any time. Transcript data may include statements made by all meeting participants.

Your consent obligations: You are solely responsible for ensuring all meeting participants have legally sufficient knowledge of and consent to the Agent’s audio processing. See Section 7 of the Terms of Service for applicable legal obligations. We are not responsible for consent failures.

Voice and biometric data: We do not create biometric identifiers or voice prints of individuals from meeting audio. Audio is processed transiently for language understanding only. However, applicable law in your jurisdiction (e.g., Illinois BIPA) may classify voice data differently. Consult local counsel.

7. Connected Data Sources

When an Agent queries a connected source (Google Drive, Notion, Airtable, HubSpot, Slack, Confluence, CSV, webhooks), the query response is used in-session to formulate the Agent’s reply. We do not persistently store the content of those query responses outside of transcript logs (if enabled). Access tokens for connected integrations are stored in encrypted form and are scoped to the minimum permissions you authorize.

Connect only data sources you are legally authorized to access. Connecting sources without authorization may violate the Computer Fraud and Abuse Act (CFAA), GDPR, or other laws, and constitutes a material breach of these Terms.

When you connect Google Calendar, CoAgentor requests read-only access to your calendar events and your Google account email address. We use this data solely to display your upcoming Google Meet events within the CoAgentor dashboard and to allow you to assign AI agents to those events. We do not use Google Calendar data for advertising or any purpose unrelated to operating the Service.

Your Google OAuth refresh token is shared with Recall.ai, our meeting infrastructure partner, solely to enable their service to detect upcoming Google Meet events on your calendar and schedule bots to join them on your behalf. Recall.ai does not use your token for any other purpose. All other Google Calendar data is fetched on demand and not persistently stored beyond your active session.

Our use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements. You may disconnect your Google Calendar at any time from the Account settings page, which immediately revokes our access and removes your stored tokens.

8. Data Retention

  • Account data: Retained during account lifetime; deleted within 30 days of account closure.
  • Agent configurations: Retained until deleted by you or account closure.
  • Meeting transcripts: 90 days or until manually deleted, whichever is sooner.
  • Usage and access logs: 12 months for security and operational purposes.
  • Financial records: 7 years as required by US tax law.
  • Support correspondence: 3 years from resolution.
  • Legal hold: Data subject to litigation holds is retained until the hold is lifted regardless of standard retention periods.

9. International Data Transfers

The Service is operated in the United States. If you are in the EEA, UK, or other jurisdictions with data transfer restrictions, your personal data is transferred to the US for processing. We rely on the following safeguards:

  • AWS participates in the EU-US Data Privacy Framework (DPF).
  • Where required, we enter Standard Contractual Clauses (SCCs) with EEA/UK customers. Contact us to request an executed SCC or Data Processing Agreement (DPA).

10. Security

We implement technical and organizational measures including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access controls; multi-factor authentication for internal systems; automated vulnerability scanning; and periodic security reviews. Access tokens for third-party integrations are encrypted at rest and never logged in plaintext.

No security system is infallible. If you discover a security vulnerability, please disclose it responsibly to support@coagentor.com before public disclosure. We will acknowledge receipt within 48 hours.

11. Your Rights (EEA/UK/Global)

Subject to applicable law, you have the following rights regarding your personal data. To exercise any right, email support@coagentor.com with “Privacy Request” in the subject line. We respond within 30 days (extendable to 60 days for complex requests):

  • Access (Art. 15 GDPR): Receive a copy of personal data we hold about you.
  • Rectification (Art. 16): Correct inaccurate data.
  • Erasure / Right to be forgotten (Art. 17): Delete your data, subject to legal retention requirements.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Restriction (Art. 18): Restrict processing in certain circumstances.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent for consent-based processing at any time without affecting prior processing.
  • Lodge a complaint: Lodge a complaint with your supervisory authority (e.g., ICO in UK, your national DPA in the EU).

12. US State Privacy Rights (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Know: Request disclosure of the categories and specific pieces of personal information collected, disclosed, or sold in the past 12 months.
  • Delete: Request deletion of your personal information, subject to exceptions.
  • Correct: Request correction of inaccurate personal information.
  • Opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you may notify us at support@coagentor.com.
  • Limit sensitive data use: Request limitation of use of sensitive personal information to necessary service purposes.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other state privacy law rights are honored to the extent required. Contact us to exercise any state privacy right.

13. Children’s Privacy

The Service is not directed to children under 13 (US / COPPA) or under 16 (EEA / GDPR). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact us immediately and we will delete it within 72 hours of verification.

14. Security Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay and in any event within 72 hours of becoming aware, to the extent required by GDPR Article 33/34 or applicable US state breach notification laws (including California, New York, and other states). Notification will be by email to the address on your account.

15. Do Not Sell or Share My Personal Information

We do not sell personal information as defined by the CCPA, nor do we share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months. You may confirm this opt-out status by contacting support@coagentor.com.

16. Changes to This Policy

We may update this Privacy Policy. For material changes, we will notify you by email at least 30 days before the change takes effect for existing accounts, and update the effective date above. For non-material changes, we update the policy and date without individual notification. Continued use after the effective date constitutes acceptance.

17. Contact & DPA Requests

Niche Nudge LLC — Data Controller
Email: support@coagentor.com (subject: “Privacy Request”)
Delaware, USA

To request a Data Processing Agreement (DPA) or Standard Contractual Clauses (SCCs), email us with “DPA Request” in the subject line. We will respond within 5 business days.