Privacy Policy
Effective: May 12, 2026
1. About This Policy
This Privacy Policy explains how CoTrackPro, LLC. (“CoTrackPro,” “we,” “us”) collects, uses, stores, transfers, and discloses information when you use cotrackpro.com or any related service we operate (the “Service”). It is incorporated into our Terms of Service by reference.
Not legal advice. CoTrackPro is a documentation, communication, and organizational platform. Nothing on the Service — including AI-generated content, templates, checklists, or this Policy itself — constitutes legal, medical, or psychological advice. For matters in those domains, consult a licensed professional in your jurisdiction.
2. Who We Are
CoTrackPro is operated by CoTrackPro, LLC., a limited liability company organized under the laws of the State of Missouri, U.S.A.
For privacy questions, data-subject requests, or to reach our privacy contact, email admin@cotrackpro.com with the subject line indicating the nature of your request (for example, “Data Access Request” or “Data Deletion Request”).
3. What We Collect
We collect five categories of information:
- Account & identity. Email, name, and (optionally) your role — collected when you sign up via our authentication provider (Clerk). We do not collect or store passwords; sign-in is via Clerk's magic-link or password flows, governed by Clerk's own security controls.
- Payment & billing. Subscription tier, plan key, billing cadence, Stripe customer ID, Stripe subscription ID, and trial/renewal dates. We never receive or store your full card number, CVC, or bank details — those are handled entirely by Stripe under PCI-DSS Level 1.
- Your Content. Incident logs, communication drafts, vault documents you upload, safety-plan entries, complaints, provider notes, and any other content you create inside the Service. This is yours; you retain all rights to it under the Terms.
- AI inputs & outputs. The text you submit to AI features (summaries, role recommendations, message rewriting, semantic library search) and the generated responses. AI requests are routed to the providers listed in our Subprocessors page; see §6 below for what happens to those requests.
- Operational telemetry. Server logs (timestamps, request paths, HTTP status, anonymized error context), webhook delivery records, email send/bounce/complaint events, and aggregate funnel metrics. We do not include personally identifiable case content in operational logs.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We do not use Your Content to train AI models — neither ours nor those of the AI providers we use (see §6).
4. How We Use Your Data
We use the categories above only for the purposes that produced them:
- Provide the Service: store and retrieve Your Content, deliver AI features, enforce subscription access, send transactional email (receipts, access changes, security alerts).
- Process payments: route checkout to Stripe, reconcile webhook events, manage trials and renewals.
- Improve reliability: diagnose bugs, monitor error rates, and detect security events. Operational telemetry is the only data used here, and never Your Content.
- Communicate with you: we send transactional email (always), and, only if you have not opted out, onboarding tips, weekly resources, and product updates. Every non-transactional email contains a one-click unsubscribe link with an HMAC-signed token compliant with RFC 8058 and the CAN-SPAM Act.
- Comply with law: respond to lawful subpoenas, court orders, and binding regulatory requests as described in our Terms §15.
5. Lawful Basis for Processing (GDPR)
If you are in the EEA, UK, or another jurisdiction following the GDPR model, we rely on the following lawful bases:
- Contract (Art. 6(1)(b)) — to provide the Service you purchased and to bill for it.
- Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and reliability telemetry. You can object via the contact methods in §13.
- Consent (Art. 6(1)(a)) — for non-transactional email and any optional integrations. You can withdraw consent at any time from your email preferences page or by unsubscribing.
- Legal obligation (Art. 6(1)(c)) — to comply with valid legal process.
6. AI Processing & Responsible Governance
Several Service features are powered by third-party AI models. Each request is transmitted to the provider over TLS, the model generates a response, and the response is returned to the Service. Key commitments:
- No model training on your data. Our AI providers contractually commit to not retaining or training on data sent through their commercial APIs. We do not opt into any training programs.
- Zero retention where the provider supports it. Anthropic and OpenAI API requests run under their zero-retention modes. AWS Bedrock processes embedding requests transiently — no logging of input content beyond AWS's standard request metadata.
- Providers we currently use: Anthropic Claude (summaries, role recommendations, agent features), AWS Bedrock with Amazon Titan v2 (semantic library search embeddings), and OpenAI (optional, on a per-environment basis). The current list is maintained on our Subprocessors page.
- AI output is probabilistic. AI-generated content can be inaccurate, incomplete, or biased. You are solely responsible for reviewing AI output before relying on it, sending it to another party, or filing it in a legal proceeding. See Terms §8.
- Sensitive third-party information. Do not submit information about non-consenting third parties (for example, a co-parent's medical, financial, or location data you are not legally authorized to process). The Service is intended for documenting your own experience and the public-record facts of your situation.
- Human oversight. AI does not autonomously take account or billing actions on your behalf. AI features generate text; you decide what to do with it.
7. Subprocessors & Service Providers
We rely on a small set of vetted infrastructure and AI vendors to operate the Service. The complete, current list lives on our dedicated Subprocessors page, which we keep updated independently of this Policy so changes are easy to track.
High-level summary: authentication (Clerk, SOC 2), payments (Stripe, PCI-DSS L1), primary data storage and AI infrastructure (Amazon Web Services in the us-east-1 region — DynamoDB, S3, SES, Bedrock, SNS, SSM), hosting (Vercel, SOC 2), AI inference (Anthropic, OpenAI), optional marketing-email sync (Mailchimp, only if you opt in), and product analytics (Google Analytics 4 and Vercel Speed Insights, in aggregate form).
8. Data Location & International Transfers
Primary data — your account record, content, subscription state, audit log, and PHI tables — is stored on Amazon Web Services in the us-east-1 region (Northern Virginia, U.S.A.).
If you access the Service from outside the United States, your data will be transferred to and processed in the United States. For users in the EEA, UK, or Switzerland, transfers are made in reliance on the relevant Standard Contractual Clauses where required by applicable law. Our infrastructure vendors (AWS, Clerk, Stripe, Vercel) maintain their own EU representatives, SCC frameworks, and data-processing addenda; we operate on top of those programs.
If you require a Data Processing Addendum or specific transfer documentation, contact us at admin@cotrackpro.com.
9. How We Protect Your Data
Security is a continuous program, not a checkbox. Concrete measures we have in place today:
- Encryption in transit: all client and server traffic uses TLS 1.2 or higher.
- Encryption at rest: DynamoDB tables and S3 buckets are encrypted with AWS-managed keys; mental-health and provider tables (“PHI tables”) are encrypted with a dedicated customer-managed key (CMK).
- Tenant isolation: every record is keyed by a tenant identifier (TENANT#) and authorization is enforced in middleware before any data access.
- Webhook signature verification: incoming webhooks from Stripe, Clerk, and AWS SNS (used for SES bounce/complaint events) are cryptographically verified before any side effect runs. SNS sender certificates are pinned to *.amazonaws.com, and we maintain a topic-ARN allowlist to prevent cross-account forgery.
- Idempotency: webhook handlers use DynamoDB conditional writes to dedupe duplicate deliveries, so retries cannot produce double-billing or duplicate emails.
- Email reputation: SES bounces and complaints automatically suppress further sends to that address until you contact us — protecting your inbox and our sender reputation.
- Audit trail: administrative actions on user accounts are written to an immutable audit log (actor, action, target, timestamp, contextual details).
- Least-privilege secrets: credentials are stored in AWS Systems Manager Parameter Store and injected at deploy time via signed CI workflows; they are not committed to source.
- Defense-in-depth email preferences: non-transactional email functions independently re-check user opt-out state at send time, so a missed caller-side check cannot bypass user preferences.
No system is unbreakable. If you discover a vulnerability, please report it responsibly to admin@cotrackpro.com with the subject line “Security Disclosure” — we will acknowledge within three business days.
10. Mental-Health and Sensitive Content
The Mental module collects safety-plan entries, mood/symptom tracking, complaints about providers, and notes about counseling, therapy, or treatment relationships. We treat this category with extra care:
- It is stored in dedicated DynamoDB tables (“PHI tables”) separate from general account data.
- The PHI tables are encrypted with a dedicated customer-managed key (alias alias/cotrackpro-phi-{env}) so encryption and access can be revoked independently of the rest of the system.
- All access goes through a single chokepoint module that future field-level encryption and access logging will be added to in one place.
CoTrackPro is not a HIPAA-covered entity. We are not a health plan, healthcare provider, or healthcare clearinghouse. We do not currently sign Business Associate Agreements (BAAs). If you are a covered entity considering using the Service for protected health information governed by HIPAA, contact us first to discuss whether the Service is appropriate for your use case.
11. Retention & Deletion
Default retention by data category:
- Account & content: retained while your account is active and for up to 30 days after deletion, then permanently removed from active systems.
- Backups: residual copies may persist in AWS backups for up to 90 days after deletion for disaster-recovery purposes, then are overwritten on rotation.
- Payment records: we retain transaction history for as long as required by tax, accounting, and anti-fraud obligations (typically 7 years in the United States), in line with Stripe's retention.
- Operational logs: 30 to 90 days at the Vercel platform level; we do not extend this.
- Audit log: retained indefinitely for administrative actions on user accounts (this is the security audit trail required to investigate incidents).
- Email bounce/complaint records: retained for as long as the affected email address remains active in our system, so we do not re-send to a recipient who has bounced or complained.
You can delete your account at any time by visiting your billing/settings page or by calling our deletion endpoint, which (a) cancels any active Stripe subscription, (b) removes your DynamoDB record, (c) marks you unsubscribed in any connected marketing systems, and (d) deletes your Clerk user. This is irreversible. We may retain residual data beyond deletion only where legally required (subpoena, court order, statutory retention) and will give you notice where permitted.
12. Your Rights
Depending on your jurisdiction, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion / erasure — request that we delete your data (GDPR Art. 17, CCPA “right to delete”). Implemented end-to-end via our deletion endpoint.
- Portability — receive your data in a structured, commonly used format. You can export Your Content from inside the Service; for a comprehensive export including subscription metadata, email us.
- Opt-out of sale or sharing — applies under CCPA/CPRA. We do not sell or share your personal data for cross-context behavioral advertising; there is nothing to opt out of, but the right itself is honored by our practices.
- Unsubscribe — every non-transactional email contains a one-click unsubscribe link compliant with CAN-SPAM and the GDPR “easy withdrawal of consent” requirement.
- Withdraw consent — for any processing based on consent (GDPR Art. 7(3)).
- Complain to a regulator — EEA, UK, and Swiss residents have the right to lodge a complaint with their local supervisory authority.
Rights by U.S. state. Several states have enacted comprehensive privacy laws that grant residents specific rights. We honor these rights regardless of where you live, but if you are a resident of one of the listed states, the law cited gives them statutory weight:
- California (CCPA / CPRA) — access, deletion, correction, portability, opt-out of “sale” or “sharing” for cross-context behavioral advertising, and limit-use of sensitive personal information. We do not sell or share your data; we do not engage in cross-context behavioral advertising.
- Virginia (VCDPA) — access, correction, deletion, portability, opt-out of targeted advertising / sale / profiling.
- Colorado (CPA) — access, correction, deletion, portability, opt-out of targeted advertising / sale / profiling, with a Universal Opt-Out Mechanism honored.
- Connecticut (CTDPA) — access, correction, deletion, portability, opt-out of targeted advertising / sale / profiling.
- Utah (UCPA) — access, deletion, portability, opt-out of targeted advertising / sale.
- Other states with comprehensive privacy laws (Texas, Oregon, Montana, Tennessee, Iowa, Indiana, New Jersey, Delaware, New Hampshire, etc.) — substantially similar rights to the above. We honor them on the same terms.
California “Shine the Light” (Cal. Civ. Code §1798.83). California residents may request a list of categories of personal information we disclosed to third parties for their direct marketing purposes during the prior year. Our answer is: none. We do not share personal information with third parties for their own marketing.
Do Not Track. We do not respond to browser “Do Not Track” (DNT) signals because there is no industry-standard interpretation. Our default behavior — no advertising cookies, no cross-site tracking, no sale of personal data — already aligns with the goals DNT was designed to express.
To exercise any right, email admin@cotrackpro.com from the address on your account. We will respond within 45 days (extendable by up to an additional 45 days for complex requests, with notice). We may need to verify your identity before fulfilling requests that involve access or deletion of substantive data. You may designate an authorized agent to make requests on your behalf; we will require written authorization plus our standard identity verification.
13. Cookies & Tracking
We keep cookies and tracking minimal:
- Authentication session — set by Clerk; required for the Service to work.
- Speed Insights — Vercel Speed Insights collects anonymized page-performance telemetry. No personal identifiers.
- Google Analytics 4 (server-side) — we record aggregate funnel events (page views, trial starts, subscriptions). We do not run GA4's advertising features, and we do not link GA4 client IDs to Your Content.
- No advertising cookies, no cross-site trackers.
14. Children
The Service is intended for adults. You must be at least 18 years old to create an account. We do not knowingly collect personal data from children under 13 (U.S. COPPA) or under 16 (EEA GDPR). If you believe a child has provided us personal data, contact us and we will delete it.
15. Service Updates, Reliability, and Breakage
Software changes over time. We make a continuing commitment to:
- Promptly investigate and fix tools, content, or pages that are inaccurate, misleading, or broken.
- Acknowledge any user-reported bug at admin@cotrackpro.com within three business days.
- Be transparent about material AI feature changes — when we add, remove, or substantially change an AI provider or model, we will update /subprocessors and, where the change affects privacy, this Policy.
- Maintain the security measures listed in §9 and improve them as the threat landscape changes.
16. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify active subscribers by email and update the “Effective” date below. Non-material changes (clarifications, typo fixes, link updates) may be made without notice. Continued use of the Service after a change constitutes acceptance of the updated Policy.
17. Contact
Questions about this Policy, your data, or a request to exercise your rights?
- Email: admin@cotrackpro.com
- Web: cotrackpro.com/contact
- Postal mail: CoTrackPro, LLC. — see /contact for the current mailing address.
This Policy is provided by CoTrackPro, LLC. See also our Terms of Service and Subprocessors page.