Cohara — Trusted-Family Pilot

Privacy Policy

Cohara is operated for an invitation-only trusted-family pilot. This Privacy Policy describes Cohara's current practices for that pilot.

1. Who we are

Cohara is operated by Cohara AI Inc. (“Cohara,” “we,” “us”), 1300 Grant Ave #204, Novato, CA 94945, United States. Contact: jr@cohara.ai.

2. What this Policy covers

This Policy describes what information Cohara collects during the trusted-family pilot, how Cohara uses it, who it is shared with, how long it is kept, and what rights parents have over it.

This Policy does not cover websites or services operated by third parties (Google, Twilio, Vercel, Supabase, Resend, Anthropic), whose own privacy policies apply when their services are used.

3. Children's information — parent-provided family context

Cohara does not offer accounts to children. Children do not log in, register, or interact with the Cohara product directly. Information about children is provided by a parent or legal guardian on the child's behalf as part of parent-controlled family context (e.g., the child's first name, grade level, schedule context, observations, school name) to enable Cohara's morning-brief, action-plan, and family-context features.

Cohara treats parent-provided child information with the same protections required of “personal information” under 16 CFR Part 312 (the Children's Online Privacy Protection Act / COPPA Rule):

4. Categories of information we collect

4.1 Parent identity + account information

4.2 Parent-provided family context (about children)

Cohara stores parent-provided child information in two related places: a children record for each child added to the workspace, and per-child attribution on items the parent records (calendar events, plans, tasks, artifacts). The categories captured:

We do not collect child contact information (no child email, no child phone, no child home address). We do not enable children to communicate with us. The child information we hold is exclusively what the parent has chosen to record in their own family-context workspace, plus AI-co-generated inferences from that recorded context.

4.3 Co-parent / caregiver / non-account adult information

The persons table stores parent-recorded contact details of non-account adults associated with the family:

4.4 Calendar integration (Google Calendar)

4.5 SMS messages — the Cohara morning brief (optional)

If the parent opts into SMS at onboarding, Cohara collects:

The full SMS program description (frequency, message and data rates, STOP/HELP keywords, opt-in screen rendering, sample messages) lives at SMS Consent & Messaging Practices and is summarized in §13 below.

4.6 Action plans + chat (AI-co-created content)

4.7 Operational + audit data

4.8 What we do NOT collect

5. How we use information

We use the information in §4 only for the following purposes:

  1. To provide the trusted-family-pilot product — onboarding, the family-context workspace, action plans, the morning brief, the co-parent invite flow, and the deletion request flow.
  2. To send the Cohara morning brief SMS to parents who have opted in (see §13).
  3. To respond to parent support requests.
  4. To improve the trusted-family pilot through controlled, internal review of pilot usage (no behavioral advertising; no profiling; no sale).
  5. To meet legal / regulatory / security obligations.

We do not use the information for behavioral advertising. We do not use the information to build advertising profiles. We do not sell the information.

6. Who we share information with

The trusted-family pilot uses the following third-party processors. Each processor sees only what is reasonably necessary for its operational role.

ProcessorRoleCategories of information shared
Anthropic (Claude model)AI processing for action-plan co-creation, in-app morning brief content, optional chatParent-provided family-context summaries (parent input).
VercelHosting, serverless runtime, deployment infrastructureHTTP request logs (URL + status + duration); no application body content unless explicitly logged.
SupabasePostgres database, authentication, secure storageAll application data, scoped to per-family row-level security (RLS); service-role admin access is operator-only.
TwilioSMS dispatch + inbound webhookPhone numbers, SMS body, delivery metadata (only for parents opted into the Cohara morning brief).
ResendEmail dispatch (invite emails, deletion alerts)Email addresses and email body content.
Google (Calendar OAuth)Calendar event read access (only calendars the parent grants)Operates on the parent's OAuth token; calendar data flows directly to Cohara, not via Google.

We do not share information with any party not listed above. We do not share information with advertisers. We do not share with data brokers.

Mobile phone numbers and SMS consent information are not shared with third parties or affiliates for marketing or promotional purposes. Twilio is the SMS-delivery vendor; phone numbers are not shared with any party outside that delivery-vendor relationship.

If a co-parent is invited by a primary parent, the co-parent's email is used by Cohara only to send the co-parent the invitation and (after the co-parent accepts) to enable the co-parent's access to the same family context, subject to the same Privacy Policy.

7. Parent rights — access, correction, deletion, consent withdrawal

The parent who created a family-context workspace has the following rights with respect to the information described in §4:

  1. Access. Request a description of categories of information Cohara has collected, and the specific content where reasonable.
  2. Correction. Request that we update inaccurate information.
  3. Deletion. Request that we delete the family-context workspace (including parent-provided child information).
  4. Consent withdrawal. Withdraw consent for SMS, calendar, AI processing, or the pilot itself at any time. Withdrawal of SMS consent stops further SMS dispatch; withdrawal of calendar consent stops further calendar reads; withdrawal of overall consent triggers the deletion path (3).
  5. Right to refuse further collection. Direct Cohara to stop further collection of child information from the parent's workspace while leaving prior data in place.
  6. Right to be told what categories of personal information have been collected from a child (16 CFR §312.6).

How to exercise. Email jr@cohara.ai from the email address on the family account. We will verify the requestor is a parent on the family account before disclosing or deleting information, in a manner reasonably designed not to be unduly burdensome (16 CFR §312.6).

Response time. We will acknowledge receipt within 5 business days and complete the request within a reasonable time appropriate to the request type (typical deletion: within 30 days; access: within 30 days).

8. Retention + deletion

Cohara maintains a written data-retention policy:

When information is no longer needed, Cohara deletes it using reasonable measures designed to protect against unauthorized access or use during deletion (16 CFR §312.10).

8.1 Partial-retention exception list

The following tables are retained even after a parent's account-deletion request, for compliance audit purposes:

9. Security

Cohara maintains a written information security program (WISP) with safeguards appropriate to data sensitivity and operator size/complexity. Components include: designated security coordinator (Justin Roberts), at-least-annual risk assessment, technical and organizational safeguards (HTTPS everywhere, per-family row-level security, service-role-key compartmentalization, audit logging, env-var-gated dispatch surfaces, signature verification on inbound Twilio webhooks), regular testing/monitoring, at-least-annual program evaluation.

No security program eliminates all risk. Parents should use a strong unique password for the email account they use with Cohara.

10. Children's privacy and COPPA

See §3 above. Cohara treats parent-provided information about children with the protections required of “personal information” under 16 CFR Part 312, the COPPA Rule.

11. AI processing

Action plans, in-app morning brief content, and (when active) chat are AI-co-created. The AI model is operated by Anthropic. AI outputs are draft suggestions for parent review — they are not professional advice and are not a substitute for parent judgment. See the AI / Vendor Disclosure for the full disclosure.

12. Pilot scope

13. SMS Program — the Cohara morning brief

Cohara operates an SMS program called the Cohara morning brief for parents who explicitly opt in during onboarding. The program disclosure below is summarized; see SMS Consent & Messaging Practices for the full opt-in flow, the rendered opt-in screen, sample messages, and the consent-record schema.

14. Changes to this Policy

We may revise this Privacy Policy. Any material revision will be communicated to parents on the family account, and re-acceptance may be required where the change materially affects parent-consent scope. Prior consent versions are retained in consent_records for audit.

15. Disputes

Disputes about this Policy or Cohara's privacy practices should first be raised by email to jr@cohara.ai.

16. Contact