This policy explains how Cope Pilot handles your data across two surfaces:
The web landing site at copepilot.com (including the web-based burnout self-assessment)
The Cope Pilot mobile app (Android, currently distributed via Google Play closed testing)
We follow a privacy-first design: most of your health data never leaves your device. The sections below describe exactly what we do collect, why, where it goes, and how to delete it.
1. Who runs Cope Pilot
Cope Pilot is in an early-access closed-beta phase. During this phase, the mobile app's subscription service is operated by the founder, Alex Tikhomirov (Berlin, Germany), as an individual. A formal company entity (Cope Pilot UG haftungsbeschränkt) is in formation; once active, the subscription service and this privacy policy will be updated to reflect the company as the controller.
Survey answers — your responses to the burnout self-assessment. Processed on our server to generate your report and stored for research and product improvement.
Feedback — any messages you voluntarily submit through the feedback widget, along with your optional contact email.
Waitlist email — if you sign up for the waitlist, we store your email address with your consent to receive updates.
Usage analytics (consent-gated) — if you accept analytics cookies, anonymized behavioral data: page views, time spent on questions, navigation patterns. Never linked to your identity.
Technical request data — IP addresses are hashed (one-way SHA-256) for abuse prevention; never stored in plain text.
2.2 Mobile app (Android)
On-device only — never sent to our servers:
Daily check-ins (energy, stress, mood, recovery indicators you log)
Assessment answers and personalized burnout reports
Recommendation history (which boosters you've tried)
App settings and preferences
This data is stored in encrypted local storage (Android MMKV + SQLite) on your device. It is not transmitted to our servers, not synced to any cloud, and not accessible to anyone but you. Uninstalling the app permanently deletes all on-device data.
Sent to our servers (consent-gated, where applicable):
Anonymous usage telemetry (opt-in via in-app consent toggle): screen views, button taps, feature usage, performance metrics. Identified only by a random installation UUID generated on the device — never tied to your name, email, IP address, or device fingerprint.
Sensitive-tier telemetry (separate, opt-in consent): qualitative content you choose to share (e.g. free-text feedback within check-ins). Identified by a separate UUID that rotates every 30 days, with no derivation from the analytics UUID, so the two cannot be correlated.
Crash reports (default on, opt-out in Privacy Hub): error name, message, sanitized stack trace (filesystem paths redacted), app version, OS version, anonymous install UUID. No health values, no check-in content.
Chat-checkin LLM input (only if you use the chat-style check-in flow): the free text you type (capped at 1000 characters) plus a hashed anonymous install UUID is sent to Google AI Studio's Gemini API to suggest matching check-in tiles. Your check-in tile selections themselves stay on-device; only the free text you type goes to Google, and only for the duration of that single API call (Google's paid-tier opt-out means your input is not used for model training). See §3 for the data-residency disclosure.
Subscription processing data (only if you subscribe — see §2.3 below).
2.3 Mobile app — subscriptions (only if you subscribe)
If you choose to subscribe to Cope Pilot's Early Bird Membership (€5/month), our payment processor Stripe will receive and process:
Your payment method details (card number, expiry, CVC — entered into Stripe's secure PaymentSheet, never seen by our app or backend)
Your billing email (for Stripe's automatic receipts)
The amount and currency (€5 EUR / month)
Your IP address (collected by Stripe for fraud prevention)
Your country (derived from payment method)
Our own backend stores only the minimum needed to manage your subscription: your random installation UUID, your Stripe customer ID, your subscription ID, status (active / cancelled / past_due), and current period end date. We never see or store your card details.
3. Third-party services we use (sub-processors)
The following third parties process some of your data on our behalf, each under a written Data Processing Agreement (DPA):
Stripe Payments Europe Ltd. (Ireland) — payment processing for subscriptions (mobile-app only). Stripe Privacy Policy. Stripe is GDPR-compliant and certified under the EU-U.S. Data Privacy Framework for any data that crosses to the United States.
Render Services Inc. (US-incorporated, EU region) — hosts the web landing site at copepilot.com from Render's Frankfurt region. EU-region compute; SCCs Module 2 covers the controller-to-processor relationship. Render DPA.
Hetzner Online GmbH (registered office Germany; data hosted in Helsinki, Finland — EU) — hosts the mobile-app backend API and telemetry storage (ClickHouse). EU-only infrastructure; no Art. 44 transfer analysis required. Hetzner Privacy Policy.
Google LLC — Google AI Studio (Gemini API) — provides the LLM for the optional chat-checkin tile-recognition feature: when you type how you feel in the chat-style check-in flow, your input (capped at 1000 characters) is sent to Google's gemini-2.5-flash-lite model to suggest matching check-in tiles. We use the paid tier (input not used for model training). Google AI Studio routes API requests through Google's global infrastructure; specific data-residency region is not guaranteed at the API layer. The controller-to-processor transfer is covered by Google Cloud's standard contractual clauses (SCCs Module 2). Google Cloud DPA.
Google LLC — Google Play — Android app distribution and update delivery. Google's terms apply to app installs. We do not embed Google Analytics, Firebase Analytics, AdMob, or any other Google tracking SDK in the app. Google Privacy Policy.
We do not use third-party analytics services on the landing site (no Google Analytics, no Facebook Pixel, no tracking beacons). We do not sell, rent, or trade your data with anyone. We do not share your data with advertisers.
We notify you 30 days before adding or changing a sub-processor — via in-app notification (mobile app) or the consent banner (landing site).
4. Where data is stored and how long
On your device (mobile app health data): stored until you uninstall the app, clear app data, or use the in-app delete-everything action. We have no copy.
Landing-site assessments + analytics: retained on our server in an encrypted SQLite database for up to 2 years for research and product improvement, then deleted.
Waitlist emails: retained until you unsubscribe or request deletion.
Feedback: retained indefinitely for product improvement, unless deletion is requested.
Mobile-app telemetry (anonymous): stored on our Hetzner-hosted ClickHouse with these maximum lifetimes — 24 months for analytics events, 90 days for sensitive-tier content, 90 days for crash reports.
Mobile-app subscription records: retained for as long as your subscription is active, plus the minimum period required by German tax and accounting law (typically 10 years for financial records).
Stripe-side payment records: retained per Stripe's own policy and legal obligations. See Stripe's privacy policy linked above.
5. Cookies (landing site only)
The mobile app does not use cookies. The landing site uses two categories:
Strictly necessary cookie (cp_consent): records your choice on the consent banner so we don't ask again on every page load. Its value is either essential or analytics. 1-year expiry. Set only when you click a button on the banner.
Analytics cookie (cp_user): a random UUID that lets us link page views within a single browser into one anonymous session. Only set if you choose Accept analytics on the consent banner. 1-year expiry. Never linked to your identity, IP address, or any other site.
Cookie preferences
You can change your choice at any time. The button below clears both cookies and reopens the consent banner so you can decide again.
6. Your rights (GDPR)
Under the General Data Protection Regulation (EU) 2016/679, you have the right to:
Access: request a copy of all data we hold about you.
Rectification: request correction of inaccurate data.
Erasure ("right to be forgotten"): request deletion of all your data.
Portability: request your data in a machine-readable format.
Object: object to processing of your data for any purpose.
Withdraw consent: for any processing based on consent (analytics, sensitive-tier telemetry, waitlist subscription), at any time.
Complaint: file a complaint with your local data-protection authority (in Germany: BfDI, or the Berlin data-protection commissioner for Berlin residents).
How to exercise these rights
In the mobile app: open Profile → Privacy hub. You'll find toggles for telemetry consent, a one-tap "delete all my data" action (which cancels any active subscription, detaches saved payment methods, and removes all server-side records for your install), and links to this policy.
To cancel a subscription: open Profile → Subscription → Cancel subscription. Cancellation takes effect at the end of your current billing period; you keep access until then.
For everything else (landing-site data, support requests, formal GDPR exercises): email support@copepilot.com. We'll respond within 30 days as required by GDPR.
7. Children's privacy
Cope Pilot is intended for adults aged 18 and over. We do not knowingly collect data from children. The mobile app shows an 18+ confirmation gate during onboarding; the web assessment is similarly intended for adult use. If you believe a child has provided us data, contact us and we will delete it promptly.
8. Refunds and cancellation rights
Subscribers can cancel their subscription at any time via the in-app Profile → Subscription → Cancel subscription button. Cancellation takes effect at the end of the current billing period; no further charges occur, and you retain access until that period ends.
For refund requests within the first 14 days of a subscription, contact support@copepilot.com and we will process a refund via Stripe within 24 hours of receiving your request.
9. Security
All web traffic uses HTTPS (TLS 1.2+) with HSTS.
Mobile-app health data stays on your device in encrypted local storage; nothing is uploaded to our servers.
Payment data is handled exclusively by Stripe via their PaymentSheet — our backend never sees your card details.
Server-side data: landing-site assessments + feedback + waitlist in an encrypted SQLite database on Render (Frankfurt, EU); mobile-app backend + telemetry in encrypted ClickHouse / Redis on Hetzner (Helsinki, Finland — EU).
Webhook callbacks from Stripe are signature-verified on every request.
Operational secrets (API keys, signing secrets) are stored in restricted server filesystems, never in source code or transmitted by chat.
10. Legal basis for processing
We process your data under the following GDPR legal bases:
Consent (Art. 6 §1 lit. a) — for analytics telemetry, sensitive-tier telemetry, waitlist subscriptions, and analytics cookies. You can withdraw consent at any time.
Contract performance (Art. 6 §1 lit. b) — for subscription management (processing payment, providing the paid service, sending receipts).
Legal obligation (Art. 6 §1 lit. c) — for retention of subscription records under German tax and accounting law.
Legitimate interest (Art. 6 §1 lit. f) — for abuse prevention (e.g. IP hashing for rate limiting), security, and product improvement using anonymized data.
11. Changes to this policy
We will update this policy when our data practices change. Material changes (e.g. new sub-processors, new data categories, changes in retention) will be announced via in-app notification at the next app launch, and by email if you have an active subscription. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions, GDPR rights exercises, or any concerns about how we handle your data: