Privacy Policy

Last Updated: October 15, 2024

1. Age Requirements

Cohorty is intended for users aged 13 and above. We do not knowingly collect personal information from children under 13 years old.

Minimum Age: You must be at least 13 years old to use Cohorty
Parental Consent: Users under 18 require parental or guardian consent
Child Privacy: If we discover a user under 13, we will immediately delete their account and data
Parent Requests: Parents can request deletion of their child's data by contacting info@cohorty.app

2. Information We Collect

Cohorty collects the following types of information to provide and improve our services:

Account Information: Username, email address, and other details provided during registration.
Usage Data: Progress status, achievement records, and activity related to challenges.
Community Activity: Posts, comments, likes, and other interactions within the service.
Technical Information: IP address, device type, browser information, and related technical data.

What We Do NOT Collect

Payment card details (handled securely by Stripe)
Precise location data or GPS coordinates
Biometric data
Social Security numbers or government IDs

3. How We Use Information (Legal Basis - GDPR Article 6)

We process your personal data based on the following legal grounds:

Contract Performance: To provide the services you requested (account creation, challenge tracking, progress storage)
Consent: For analytics and optional features (you can withdraw consent anytime in Settings)
Legitimate Interest: Service improvement, fraud prevention, security
Legal Obligation: Compliance with applicable laws and regulations

Specific Uses

Provide, operate, and improve the Service
Offer customer support and respond to inquiries
Enable community features and communication among users
Prevent misuse, ensure security, and enforce our Terms of Service
Create statistical reports and research insights (anonymized)

4. Cookies & Tracking Technologies

We use cookies and similar technologies to provide and improve our Service. You can manage your cookie preferences in Settings.

Types of Cookies

Essential Cookies: Required for authentication, security, and core functionality (cannot be disabled)
Analytics Cookies: Google Analytics, Hotjar - Help us understand how users interact with Cohorty (can be disabled)
Preference Cookies: Remember your settings like theme and timezone

Third-Party Analytics

Google Analytics: Usage analytics with anonymized IP addresses
Hotjar: User experience insights (anonymized, no PII collected)

You can disable non-essential cookies without affecting core functionality. Visit Settings → Cookie Settings to manage your preferences.

5. Information Sharing & Third Parties

We do NOT sell your personal data. We only share information in these specific cases:

With your consent: When you explicitly agree to share information
Legal requirements: When required by law, regulation, or legal process
Service providers: Trusted partners who help us operate (see below)
Safety: To protect the safety, rights, or property of users or the public

Our Service Providers (All GDPR-Compliant)

Supabase: Database and authentication (US/EU regions available)
Vercel: Hosting and CDN (global Edge Network)
Stripe: Payment processing (when premium features launch)
Google Analytics: Usage analytics (anonymized)
Hotjar: User experience insights (anonymized)

All service providers use Standard Contractual Clauses (SCCs) for international data transfers and comply with GDPR requirements.

6. Data Storage & Security

Where Your Data is Stored

Database: Supabase (US East or EU Central - configurable)
Hosting: Vercel Edge Network (globally distributed)
Backups: Encrypted, retained for 30 days, then permanently deleted

Security Measures

Password hashing with industry-standard algorithms (bcrypt)
Row-level security (RLS) on all database tables
Encrypted connections (HTTPS/TLS) for all data transmission
Encrypted data at rest
Regular security audits and updates

Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

We will notify affected users within 72 hours
We will notify relevant authorities as required by law (GDPR Article 33)
We will provide details about the breach and steps to protect yourself

7. Data Retention and Deletion

We retain personal information only for as long as necessary to fulfill the purposes described above.

Challenge Data Retention

Completed challenges and their associated data (progress records, participant information) are permanently retained to:

Preserve your achievement history and personal growth records
Enable you to reference past challenges and their outcomes
Maintain community engagement and shared experiences

While completed challenges are archived and hidden from public search, they remain accessible to participants and creators. This data is not deleted even when you delete your account, as it represents shared community experiences.

Record Editing and Deletion

Challenge records can be edited or deleted within 48 hours of creation to allow for corrections of accidental inputs. After this grace period, records are retained permanently to maintain data integrity and community transparency. This policy ensures that:

Users can correct mistakes made during initial recording
Long-term data integrity is maintained for community features
Historical accuracy is preserved for completed challenges

Account Deletion

When you delete your account, associated personal information will be securely deleted or anonymized, except where retention is required by law or for the purposes described above.

8. Your Rights (GDPR & Privacy Laws)

Under GDPR and applicable privacy laws, you have the following rights:

Your Data Rights

Right to Access (Article 15): Download your data anytime from Profile → Download My Data (CSV)
Right to Rectification (Article 16): Edit your profile and settings anytime
Right to Erasure (Article 17): Delete your account and data from Profile → Delete Account
Right to Data Portability (Article 20): Export your data in machine-readable format (CSV)
Right to Object (Article 21): Object to certain data processing (contact us)
Right to Restrict Processing (Article 18): Temporarily suspend data processing
Right to Withdraw Consent: Withdraw analytics consent anytime in Cookie Settings

How to Exercise Your Rights

Self-Service: Most rights can be exercised directly in Profile Settings
Email Request: Contact info@cohorty.app for specific requests
Response Time: We respond within 30 days (GDPR requirement)
No Fee: Exercising your rights is free

9. Guest Accounts

Guest accounts have special privacy considerations:

Guest accounts use anonymized identifiers (no email or personal data initially)
Limited to 3 active challenges
Data automatically deleted after 30 days of inactivity
Convert to full account to keep data permanently and access all features
Guest accounts cannot export data or access GDPR rights (convert to full account first)

10. International Data Transfers

Your data may be processed in regions outside your country:

We use Standard Contractual Clauses (SCCs) approved by the European Commission
EU users can request data storage in EU region
All international transfers comply with GDPR Chapter V requirements

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in practices, services, or legal requirements
Material changes will be announced with 30 days notice
Significant updates will be emailed to registered users
Continued use after changes indicates acceptance
Previous versions available upon request

12. Contact Us & Data Protection

For privacy questions, data requests, or to exercise your rights:

📧 Privacy Inquiries: info@cohorty.app
📋 Data Requests: info@cohorty.app
💬 Contact Form: Contact Page

Response Time: We respond to all privacy requests within 30 days as required by GDPR.

Complaints: If you're in the EU and not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.