Coppica

Privacy Policy

Last updated: April 10, 2026

This Privacy Policy describes how Coppica ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered marketing pipeline platform ("Service").

We are committed to protecting your privacy and handling your data transparently. This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

1. Data We Collect

1.1 Account Information

When you create an account, we collect your email address, display name, company name, and the plan you select. We also store authentication credentials securely through our authentication provider.

1.2 Intake Form Content

When you or your clients submit intake forms, we collect business information including product/service descriptions, ideal customer profiles, competitor information, brand voice preferences, and any other information entered into intake forms.

1.3 Bot Outputs

We store all AI-generated outputs (strategy documents, marketing copy, chat histories) created through the Service. These are stored to provide you with access to your generated materials.

1.4 Billing Data

Payment information (credit card numbers, billing addresses) is collected and processed by our payment processor, Stripe. We do not store full credit card numbers on our servers. We receive and store billing metadata such as plan type, subscription status, and transaction history.

1.5 Usage Logs

We collect usage data including pages visited, features used, bot runs initiated, API request metadata, IP addresses, browser type, and device information. This data is used for security, performance monitoring, and service improvement.

1.6 Uploaded Files

If you upload reference materials, documents, or other files to the Service, we store those files to provide context to the AI pipeline.

1.7 Electronic Signature Data

When you use the electronic signature features of the Service, we collect and store data related to each signing event, including: signer name, email address, IP address at the time of signing, browser and device information, timestamp of each signing action, cryptographic document hashes (SHA-256), consent records for electronic signing, and document viewing/access events. This data forms the audit trail required for legal defensibility under the ESIGN Act and UETA. Signed document references and audit trail records are retained for a minimum of seven (7) years.

1.8 Third-Party Advertising Platform Data

When you connect a third-party advertising account (such as Meta Ads or Google Analytics) to the Service, we collect and store:

  • Your advertising account identifier and account name
  • Campaign performance data including impressions, clicks, spend, and conversion actions
  • Ad creative identifiers used to link platform data to content generated through the Service
  • Sync status and timestamps related to data retrieval

OAuth tokens for connected advertising accounts are managed by our integration provider (Composio Inc.) and are not stored directly in our database. We store only a reference identifier to the authorized connection.

We do not use data from your connected advertising accounts to train AI models. Advertising platform data is used solely to provide conversion tracking, performance analytics, and to improve the relevance of AI-generated marketing content for your specific business.

You may disconnect your advertising account at any time through the Service settings. Upon disconnection, we delete the stored account configuration and reference identifier. Historical conversion data previously synced remains in your account unless you request its deletion. If the advertising platform sends a data deletion or deauthorization callback, we automatically remove all associated connection data and account configuration from our systems.

1.9 First-Party Conversion Pixel

If you install our JavaScript tracking pixel on your website(s), the pixel collects data from visitors to those websites ("End Users") to provide you with conversion tracking and attribution analytics. In this capacity, you are the data controller for End User data and Coppica acts as a sub-processor.

Data collected by the pixel:

  • UTM parameters from the page URL (specifically utm_content)
  • Conversion events you explicitly track via the coppica('track', ...) API (event type, value, reference ID)
  • A first-party cookie (_ck_utm, 7-day expiry, Secure, SameSite=Lax) that stores the UTM content parameter to attribute conversions across page views
  • Timestamp of each tracked event

The pixel does not collect IP addresses, fingerprints, browsing history, or any data beyond the UTM parameter and explicitly tracked conversion events.

Privacy controls:

  • Global Privacy Control (GPC): The pixel automatically respects the GPC signal (navigator.globalPrivacyControl). When GPC is enabled, the pixel deletes any existing tracking cookie and does not send any data.
  • Programmatic consent: You can integrate the pixel with your cookie consent banner by calling coppica('consent', false) to disable tracking or coppica('consent', true) to re-enable it.

It is your responsibility to disclose the use of the Coppica pixel in your own privacy policy and to obtain any required consent from End Users under applicable law (including GDPR and CCPA). We provide the GPC compliance and consent API to support your compliance obligations.

2. How We Use Your Data

We use your data for the following purposes:

  • To provide the Service: Processing your intake form data through our AI pipeline, generating outputs, and storing your results.
  • To manage your account: Authentication, billing, subscription management, and customer support.
  • To improve the Service: Analyzing aggregate, non-personally-identifying usage patterns to improve performance, features, and user experience. We do not use your individual content (intake forms, bot outputs, or chat histories) to train AI models.
  • For security: Detecting and preventing fraud, abuse, and security incidents.
  • For communications: Sending transactional emails (account confirmations, billing receipts, service updates). We will only send marketing communications with your explicit consent.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contractual necessity: Processing required to deliver the Service you have subscribed to (intake data processing, output generation, account management).
  • Legitimate interests: Security monitoring, fraud prevention, service improvement using aggregate analytics, enforcing our Terms of Service, and providing ad performance analytics for users who connect third-party advertising accounts.
  • Consent: Marketing communications and any non-essential cookies. You may withdraw consent at any time.
  • Legal obligation: Where we are required by law to retain or disclose data (e.g., tax records, legal requests).

4. Third-Party Service Providers (Sub-Processors)

We share your data with the following sub-processors to deliver the Service. Each sub-processor is bound by contractual data protection obligations:

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic PBC | AI content generation (Claude API) | Intake form content, user prompts | United States |
| Supabase Inc. | Database and authentication | All platform data | United States (AWS) |
| Vercel Inc. | Hosting and edge infrastructure | Request/response data, logs | United States and global edge |
| Stripe Inc. | Payment processing | Billing data, payment information | United States |
| Composio Inc. | OAuth connection management for third-party integrations | Encrypted OAuth tokens, connection identifiers | United States |
| Loops Inc. | Marketing email delivery | Email address, name, contact properties, engagement events | United States |
| E-Signature Service Provider | Electronic document signing and audit trail | Signer names, emails, IP addresses, document contents, signing events | United States |

Important note on AI processing: Anthropic processes inputs and generates outputs but does not retain or train on your data under our commercial API agreement. You can review Anthropic's data processing commitments at anthropic.com/privacy.

5. Data Retention

  • Account data: Retained for the duration of your subscription plus 90 days after cancellation.
  • Bot outputs and intake forms: Retained for the duration of your subscription. Deleted 90 days after account cancellation.
  • Usage logs: Retained for 12 months, then automatically deleted.
  • Billing records: Retained as required by applicable tax and financial reporting laws (typically 7 years).
  • Third-party integration data: Advertising account configurations and connection references are deleted immediately upon disconnection or upon receiving a deletion/deauthorization callback from the platform. Previously synced conversion data is retained per the bot outputs schedule above unless you request earlier deletion.
  • Electronic signature records: Audit trail data, signed document references, and certificates of completion are retained for a minimum of 7 years from the date of execution, regardless of account status. This retention period ensures legal defensibility and compliance with business record retention requirements.

You may request earlier deletion of your data at any time by contacting support@coppica.com.

6. Your Rights

6.1 GDPR Rights (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate personal data.
  • Deletion: request deletion of your personal data (right to erasure).
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Restriction: request restriction of processing while a dispute is resolved.

To exercise any of these rights, contact support@coppica.com. We will respond within 30 days (or the timeframe required by applicable law).

You also have the right to lodge a complaint with your local data protection supervisory authority.

6.2 CCPA/CPRA Rights (California)

If you are a California resident, you have the right to:

  • Know: request disclosure of the categories and specific pieces of personal information we collect, use, and disclose.
  • Delete: request deletion of your personal information.
  • Opt-out of sale: Coppica does not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact support@coppica.com.

7. Cookies and Tracking

We use the following types of cookies:

  • Essential cookies: Session cookies required for authentication, security, and core functionality. These cannot be disabled.
  • Preference cookies: Local storage entries for theme preference and UI state (e.g., sidebar collapsed state). These are stored locally and are not transmitted to our servers.
  • Analytics cookies: If analytics are enabled, we may use cookies to collect aggregate usage data. Where required by applicable law (including GDPR), analytics cookies will only be set with your consent.

We do not use third-party advertising cookies. We do not participate in ad networks or retargeting programs.

8. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest (via our infrastructure providers)
  • Role-based access controls
  • Regular security reviews of our infrastructure and codebase
  • Service-role key separation between client-side and server-side operations

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. International Data Transfers

Your data is primarily processed in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States where our service providers are located.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure adequate protection of your personal data.

11. Data Processing for Agency Customers

When agency users process their end clients' data through the Service, the agency acts as the data controller and Coppica acts as a data processor. In this capacity:

  • We process end-client data only according to the agency's instructions and for the purpose of providing the Service.
  • Agency and Enterprise customers may request a Data Processing Agreement (DPA) by contacting support@coppica.com.
  • Our DPA incorporates Standard Contractual Clauses for international transfers and lists all sub-processors with their data processing commitments.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR. If the breach is likely to result in a high risk to you, we will also notify you without undue delay.

For US residents, we will comply with applicable state breach notification laws, including California's requirement to notify affected individuals within 30 calendar days.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.

14. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at:

Email: support@coppica.com

For GDPR inquiries, you may also contact our designated data protection point of contact at the same email address.