Privacy Policy

• Your wins and documents are private to your account. Cookd is single-user — there’s no team sharing.
• We never sell your data, and we don’t use your content to train AI models.
• AI features send only your own captured text to our AI provider to generate a response — nothing more.
• You can export everything and delete your account at any time.

We keep this to what the product needs to work:

• Account data — your name, email, and a securely hashed password (or, if you sign in with Google, your Google account email and identifier).
• Your content — the wins, projects, review cycles, rubrics, notes, and documents you create.
• Billing data — if you subscribe, our payment processor handles your card details; we store only your subscription status, plan, renewal dates, and the card brand and last four digits. We never see or store full card numbers.
• Technical & usage data — basic logs, device and browser information, and (where analytics are enabled) anonymized or pseudonymous product-usage events to help us understand and improve the product.

• To provide the core product — storing and organizing your wins.
• To generate AI-assisted drafts, coaching, readiness analysis, and documents from your own content.
• To process subscriptions and send essential account email.
• To keep the service secure and reliable (rate limiting, abuse prevention, error monitoring).
• To understand usage and improve the product.

We don’t sell your personal data, and we don’t use your content to train any AI model.

When you use an AI feature (Quick Capture, Strengthen a win, Promotion prep, or brag-doc generation), the relevant text you’ve captured is sent to our AI provider, Google(via the Gemini API), to generate a response. Only the content needed for that request is sent, output is grounded only in your own data, and your content isn’t used to train models. AI is optional — where no provider is configured, Cookd uses a built-in deterministic fallback and no data leaves for AI processing.

We rely on a small set of trusted providers to run Cookd. Depending on configuration, these may include:

• Vercel — application hosting and traffic/performance analytics.
• Neon — managed PostgreSQL database where your content is stored.
• Google — Gemini API for AI features, and Google Sign-In if you choose it.
• Resend — transactional email (verification, password reset, reminders).
• Lemon Squeezy — payments and subscription management, as merchant of record.
• PostHog and Sentry — product analytics and error monitoring, where enabled.
• Upstash — rate limiting and caching, where enabled.

Each provider only receives the data needed for its function, and we choose providers with appropriate security practices.

Cookd uses a small number of essential cookies to keep you signed in and to secure forms — these are required for the product to work. Where product analytics are enabled, we capture pseudonymous usage events to understand how features are used and where they fall short. Our posture is deliberately conservative:

• No session-recording or screen-replay tools.
• Analytics are reverse-proxied through our own domain rather than loading third-party tracking scripts directly.
• We identify analytics events only by your account id and email, and we don’t use this data for advertising.

You can block non-essential cookies in your browser without breaking core functionality.

• Access & export — you can view your data in the app and export your wins and documents at any time.
• Correction — edit or update your content and account details whenever you like.
• Deletion — delete individual records, or delete your account to remove your data. Some records may be retained briefly where required for legal, security, or accounting reasons.
• Depending on where you live, you may have additional rights under laws like the GDPR or CCPA. Email us to exercise them.

We keep your data for as long as your account is active. When you delete your account, we delete or anonymize your personal data within a reasonable period, except where we’re required to retain certain records (for example, billing records for tax and accounting).

Passwords are stored hashed, traffic is encrypted in transit, sensitive actions are rate-limited, and access to your content is scoped to your account. No system is perfectly secure, but we take reasonable, layered measures to protect your data.

We’ll update this policy as the product evolves. When we do, we’ll change the “Updated” date above and, for material changes, give notice in-app or by email.

Questions, or want to exercise a privacy right? Email support@eastbase.studio. See also our Terms of Service.