Cohort Privacy Policy
Created: March 19, 2026
Last Updated: March 21, 2026
1) Introduction
Cohort is a private collaborative archive for groups. This Privacy Policy explains what information we collect, how we use it, when we share it, and what choices you have.
If you have questions, contact us at admin@cohort-app.org.
2) Information We Collect
We collect information you provide directly, including:
- Account information such as email, password (through Supabase Auth), display name, username, and profile icon selection.
- Waitlist and invite information such as email, intended use, invite status, and invite-related timestamps.
- Group and collaboration content, including group names/descriptions, links/posts, comments, reactions, votes, and reports.
- Notification records related to account and group activity.
We also process technical and operational data, including:
- Authentication/session cookie data required to keep users signed in.
- Local browser storage for recent searches and feed display preferences.
- Usage analytics data (for example page views and navigation activity) through Vercel Analytics.
- Security and abuse-prevention records, such as rate-limit counters and security audit events.
- Server error logs with reference IDs and operational metadata.
When a user submits a link, Cohort may fetch metadata from that URL (for example title, description, source/domain, and preview image) to support post previews.
3) How We Use Information
We use information to:
- Create and secure accounts.
- Enforce invite and waitlist onboarding controls.
- Operate private groups, roles, and permissions.
- Display and manage posts, comments, reactions, and notifications.
- Support moderation and abuse prevention.
- Deliver transactional emails, such as invites and onboarding emails.
- Troubleshoot reliability and security issues.
4) How We Share Information
We share information with service providers that support Cohort operations:
- Supabase (authentication, database, and related platform services)
- Vercel (hosting/runtime and analytics)
- Brevo (transactional email delivery)
- Cloudflare (DNS/domain services)
We may also disclose information where required by law, or where necessary to protect the security and integrity of Cohort.
Cohort includes a "Send to AI" export feature that lets users copy group content into a prompt. Cohort does not currently send group content directly to external AI providers through a server-side AI integration. If users paste copied content into an external AI tool, that sharing is user-directed and governed by that third party's terms.
5) Group Content & Visibility
Cohort is designed around private groups. Group content is intended to be visible to group members according to role-based permissions.
Group owners and editors can manage members and invites according to in-app role controls. Admin users may access data for operational, moderation, and security purposes.
6) Third-Party Services
Cohort relies on third-party infrastructure providers listed above. Those providers may process technical metadata needed to deliver their services (for example delivery logs, request metadata, and infrastructure logs) under their own policies.
7) Data Retention
Cohort currently does not enforce fixed deletion timelines for all data categories.
Information may be retained while accounts are active and as needed for operations, security, moderation, and legal compliance. Waitlist records are currently retained unless manually removed. Security and operational records may also be retained.
Infrastructure backups are managed outside the application layer and may persist for a period after changes in live data.
8) Your Choices & Account Controls
Users can:
- Update profile information in the app.
- Manage group membership/invites according to role permissions.
- Mark notifications as read.
- Request a password reset.
If a user deletes their account, data handling follows current database relationships and constraints. Account deletion may require first transferring or removing ownership responsibilities (for example, owned groups) before deletion is permitted.
9) Security
Cohort uses technical and organizational safeguards, including authentication controls, row-level access controls, rate limiting, and operational audit logging.
No method of transmission or storage is perfectly secure.
10) Children's Privacy
Cohort is intended for users 16 years of age or older. During account creation, users must confirm that they are at least 16 years old.
If you believe someone under 16 has provided personal information, contact admin@cohort-app.org.
11) Changes to This Policy
We may update this Privacy Policy as Cohort evolves. When we make material changes, we will update this policy with an updated effective date or other appropriate notice.
12) Contact
For privacy questions or requests, contact: admin@cohort-app.org