Cofora AI

1. Introduction

Cofora, Inc. (“Cofora,” “we,” “us,” or “our”) operates the Cofora AI platform, an AI-powered contract analysis tool available at cofora.ai (the “Service”). We take your privacy seriously.

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Service. It also describes your rights and choices regarding your personal information.

By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

This Privacy Policy is incorporated into and subject to our Terms of Service.

2. Information We Collect

2.1 Information You Provide to Us

Account information: Your full name and email address when you create an account
Uploaded documents: PDF files of contracts and legal documents you submit for analysis
Profile information: Company name, company stage, industry, number of founders, and funding status (optional)
Additional context: Any background information you provide to improve AI analysis accuracy
Communications: Messages you send to us via email or support channels

2.2 Automatically Collected Information

When you use the Service, we automatically collect certain information:

Usage data: Pages visited, features used, analysis requests, time spent, and actions taken within the Service
Device information: Browser type and version, operating system, device type, and screen resolution
Network information: IP address, approximate geographic location (city/country level), and internet service provider
Log files: Server logs recording your interactions with the Service, including timestamps and error reports
Cookies and similar technologies: As described in Section 9

2.3 Information from Third Parties

Authentication providers: If you sign in using a third-party authentication provider (such as Google), we receive basic profile information (name and email) from that provider
Payment processors: If you subscribe to a paid plan, our payment processor handles billing information. We do not store full credit card numbers

Note on Uploaded Documents

When you upload a contract for analysis, the text content of that document is transmitted to our AI processing provider (Anthropic) for analysis. Do not upload documents containing sensitive personal information (such as social security numbers, bank account details, or personal health information) beyond what is necessary for your analysis.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Providing the Service

Processing and analyzing your uploaded contracts
Creating and managing your account
Generating and delivering analysis reports
Storing your contracts and analysis history
Enabling document sharing features

3.2 Communications

Sending analysis completion notifications
Sending account-related emails (confirmation, password reset, security alerts)
Responding to your support requests
Sending service updates and policy change notifications
Sending promotional or marketing emails (with your consent; unsubscribable at any time)

3.3 Improving the Service

Analyzing usage patterns to improve features and user experience
Diagnosing and fixing technical issues
Developing new features and capabilities

3.4 AI Model Improvement

We may use anonymized and de-identified data derived from usage of the Service to improve our AI models and analysis quality. This means:

We may analyze patterns in how the AI performs on different types of contracts (without identifying you or your specific documents)
We do NOT use your specific, identifiable contracts to train third-party public AI models
We do NOT share your personal information or documents for this purpose

3.5 Safety, Security & Legal

Detecting, preventing, and investigating fraud and abuse
Ensuring the security of the Service
Enforcing our Terms of Service
Complying with applicable laws and regulations
Establishing, exercising, or defending legal claims

4. How We Share Your Information

4.1 Service Providers

We share your information with third-party service providers who help us operate the Service. These providers process your data only on our behalf and are contractually obligated to protect it:

Provider	Data Shared	Purpose
Supabase	Account data, contracts, analysis results	Database & authentication
Anthropic (Claude)	Contract text content	AI analysis processing
Resend	Email address, email content	Transactional emails
Vercel	Request logs, IP addresses	Website hosting

4.2 Legal Requirements

We may disclose your information if we believe it is necessary to:

Comply with a court order, subpoena, or other legal process
Respond to a lawful request from law enforcement agencies
Protect the rights, property, or safety of Cofora, our users, or the public
Detect, prevent, or address fraud, security, or technical issues
Enforce our Terms of Service

4.3 Business Transfers

If Cofora is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you explicitly direct us to do so or give us your consent.

We Do Not:

Sell your personal data to third parties
Share your contracts with other users (except via your explicit share links)
Use your data for advertising or ad targeting
Share your personal information with data brokers
Monetize your personal data in any way

5. Data Retention

We retain different types of data for different periods:

Data Type	Retention Period
Account information	Until account deletion
Uploaded contracts & files	Until you delete them, or account deletion
Analysis results	Until you delete them, or account deletion
Usage logs	Up to 90 days
Security logs	Up to 1 year
Email communication records	Up to 3 years

When you delete your account, we will delete your personal data within 30 days, except where we are required or permitted to retain it for longer by law (such as for fraud prevention, financial records, or legal compliance). Backup copies may persist for up to an additional 90 days before being permanently deleted.

You can delete individual contracts and analyses at any time through your account. Deletion of files from our storage is processed immediately.

6. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal information:

Right to Access

Request a copy of the personal information we hold about you.

Right to Correction

Request that we correct inaccurate or incomplete personal information.

Right to Deletion

Request that we delete your personal information (subject to certain exceptions for legal compliance).

Right to Portability

Request your personal data in a structured, machine-readable format.

Right to Opt Out of Marketing

Unsubscribe from marketing emails at any time via the unsubscribe link or by contacting us.

Right to Withdraw Consent

Where processing is based on consent, withdraw consent at any time (without affecting prior processing).

Right to Restrict Processing

Request that we limit how we use your personal information in certain circumstances.

Right to Object

Object to processing of your personal information based on legitimate interests.

To exercise any of these rights:

Email us at john@cofora.ai. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before fulfilling your request. Some requests may be subject to limitations under applicable law.

7. International Data Transfers

Cofora is based in the United States. Your personal information may be transferred to, stored in, and processed in the United States and other countries, which may have different data protection laws than your country of residence.

By using the Service, you acknowledge and consent to the transfer of your personal information to the United States and to other countries as described in this policy.

We take reasonable steps to ensure that your personal information is protected in accordance with this Privacy Policy regardless of where it is processed. For transfers from the European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses where required by law.

8. Data Security

We implement commercially reasonable technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, and destruction, including:

Encryption in transit (HTTPS/TLS) for all data transmission
Encryption at rest for stored data (via Supabase)
Access controls and authentication requirements
Limited employee and contractor access to personal data
Regular review of our data collection and storage practices

Security Limitation

No method of electronic transmission or storage is 100% secure. While we implement reasonable safeguards, we cannot guarantee absolute security. You use the Service at your own risk.

Data Breach Notification. In the event of a data breach that affects your personal information, we will notify you as required by applicable law, including by email to the address on your account.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service. Here is what we use:

Essential Cookies

Required for the Service to function. These include authentication cookies that keep you logged in and security cookies that prevent fraud. You cannot disable essential cookies.

Analytics Cookies

Help us understand how users interact with the Service so we can improve it. These are optional and can be disabled through your browser settings.

Preference Cookies

Remember your settings and preferences (such as language or display settings). Optional.

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service, including your ability to stay logged in.

10. Third-Party Links

The Service may contain links to third-party websites, resources, or services. These links are provided for your convenience only. We do not control and are not responsible for the content, privacy practices, or terms of any third-party sites.

Clicking on a third-party link is at your own risk. We encourage you to review the privacy policy of every website you visit.

11. Children’s Privacy

The Service is not directed to or intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors under 18.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at john@cofora.ai. If we learn that we have collected personal information from a minor under 18 without verification of parental consent, we will delete that information as quickly as possible.

12. California Residents — CCPA Notice

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

Right to Know: The categories of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it
Right to Delete: Request deletion of your personal information (subject to certain exceptions)
Right to Correct: Request correction of inaccurate personal information
Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising
Right to Limit Sensitive Information Use: We do not use sensitive personal information for purposes beyond those permitted by the CPRA
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your California rights, email john@cofora.ai with “California Privacy Request” in the subject line.

13. European Residents — GDPR Notice

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent local law may apply to your personal data.

Legal Basis for Processing. We process your personal data under the following legal bases:

Legal Basis	Examples
Contract performance	Providing the Service you signed up for, processing your contract analysis requests
Legitimate interests	Improving our AI models, ensuring security, detecting fraud, communicating service updates
Consent	Sending marketing emails, optional features requiring data processing beyond core service delivery
Legal obligations	Complying with applicable laws, responding to lawful government requests

You have the right to lodge a complaint with a supervisory authority in your EEA member state if you believe we have violated applicable data protection law.

For GDPR inquiries, contact our privacy team at john@cofora.ai.

14. Do Not Track

Some browsers include a “Do Not Track” (DNT) feature that signals to websites that you do not want to be tracked. The Service does not currently respond to DNT signals because there is no industry-wide standard for how to interpret them. We will update this section if our approach changes.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. When we do, we will update the “Last Updated” date at the top of this page. For material changes — meaning changes that significantly affect your rights or how we handle your information — we will notify you by:

Sending an email notification to the address on your account
Displaying a prominent notice on the Service

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

16. Contact Us

For privacy questions, data rights requests, or to report a concern, please contact us:

Cofora, Inc.

Privacy inquiries: john@cofora.ai

Legal inquiries: john@cofora.ai

General support: john@cofora.ai

Indiana, United States

We will acknowledge all privacy requests within 5 business days and respond fully within 30 days (or sooner as required by applicable law).