Privacy Policy

Last Updated: February 20, 2026

Cora ("we," "us," or "our") operates the website at corahelps.net and the Cora AI secretary service (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website or use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy.


1. Information We Collect

1.1 Information You Provide

  • Account information. When you sign up using Google OAuth, we receive your name, email address, and profile picture from Google.
  • Google Workspace data. When you connect your Google account, Cora accesses your Gmail, Google Calendar, Google Docs, Google Sheets, and Google Drive on your behalf to perform actions you request. We access only the data necessary to fulfill your specific instructions.
  • WhatsApp messages. When you interact with Cora via WhatsApp, we receive the text messages, voice notes, and photos you send to Cora. We process this content solely to understand your instructions and execute the requested actions.
  • Payment information. If you subscribe to a paid plan, your billing details (credit card number, billing address) are collected and processed directly by Stripe. We receive only limited information from Stripe, including the last four digits of your card, card brand, expiration date, and transaction status. We never store full credit card numbers.
  • Support communications. If you contact us for support, we collect the content of your messages and your email address.

1.2 Information Collected Automatically

  • Log data. IP address, browser type and version, operating system, referring and exit pages, date and time stamps, and clickstream data.
  • Device information. Device type, unique device identifiers, screen resolution, and hardware model.
  • Usage data. Pages visited, features used, actions performed, time spent on pages, and interaction patterns within the Service.
  • Location data. Approximate geographic location derived from your IP address. We do not collect precise GPS location data.

1.3 Information from Third Parties

  • Google OAuth. Authentication data when you sign in with Google.
  • Stripe. Transaction status and limited payment information as described above.

2. How We Process Your Data — Trusted Execution Environments

Cora processes your data inside Trusted Execution Environments (TEEs) — hardware-secured enclaves where data is encrypted in use, not just at rest and in transit. This means:

  • Your Google Workspace data (emails, calendar events, documents, spreadsheets) is processed inside TEEs where even our own engineering team cannot access the plaintext.
  • Your WhatsApp messages, voice notes, and photos are decrypted and processed exclusively within the TEE boundary.
  • AI model inference for understanding your instructions happens inside TEEs.
  • Action execution (sending emails, updating spreadsheets, creating documents) is performed from within TEEs using your authenticated Google credentials.

TEE processing is a core architectural decision, not an optional feature. It applies to all plans, including the Free tier.


3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service. Create and manage your account, connect to your Google Workspace and WhatsApp, process your instructions, execute actions on your behalf, and deliver results back to you.
  • Process payments. Manage subscriptions, process billing through Stripe, and handle invoicing.
  • Improve the Service. Analyze anonymized and aggregated usage patterns to identify bugs, improve reliability, and develop new features. We do not use your private messages or Google Workspace data for training AI models.
  • Personalize your experience. Learn your preferences, writing style, contacts, and workflows to provide better assistance over time (Starter plan and above). This personalization data is scoped to your account and processed within TEEs.
  • Communicate with you. Send transactional emails (billing confirmations, subscription updates), service notifications (maintenance, security alerts, feature updates), and — with your consent — promotional communications. You can opt out of promotional emails at any time.
  • Ensure security and prevent abuse. Detect and investigate unauthorized access, fraud, abuse, or violations of our Terms of Service.
  • Comply with legal obligations. Respond to lawful requests from government authorities and enforce our legal rights.

4. What We Do NOT Do With Your Data

  • We do not sell your personal information. Not to advertisers, data brokers, or any other third party.
  • We do not use your private data to train AI models. Your WhatsApp messages, Google Workspace content, and action history are never used to train, fine-tune, or improve public AI models.
  • We do not read your data in plaintext. TEE architecture ensures that your data is processed in hardware-secured enclaves inaccessible to our team.
  • We do not share your content with other users. Your data is strictly scoped to your account.

5. Third-Party Services

We rely on the following third-party services to operate Cora. Each service processes data according to its own privacy policy:

Service | Purpose | Data Shared
--- | --- | ---
Google (OAuth + Workspace APIs) | Authentication and Workspace access | Name, email, profile picture; Workspace data accessed on your behalf within TEEs
Meta / WhatsApp (Business API) | Messaging channel | Messages, voice notes, and photos you send to Cora
Stripe | Payment processing | Billing and payment details
Cloud infrastructure provider | Hosting and TEE infrastructure | Encrypted data processed within TEEs
AI model providers | Language understanding and generation | Instruction content processed within TEEs; no persistent storage by AI providers

We do not share your data with advertising networks, analytics companies that profile individuals, or any other third parties beyond what is described above.


6. Cookies and Tracking Technologies

6.1 Cookies We Use

  • Essential cookies. Required for authentication, session management, and security. These cannot be disabled without breaking the Service.
  • Preference cookies. Remember your settings such as language and display preferences.

6.2 Cookies We Do NOT Use

  • We do not use advertising or remarketing cookies.
  • We do not use third-party tracking pixels.

6.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service. For more information, consult your browser's help documentation.

6.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals due to the lack of a uniform industry standard. However, we do not engage in cross-site tracking regardless of this setting.


7. Data Retention

Data Type | Retention Period
--- | ---
Account data (name, email, profile picture) | Retained while your account is active. Deleted within 30 days of account deletion.
Google Workspace data | Accessed in real time to execute actions. Not persistently stored by Cora outside of TEE processing. Personalization data (Starter+) retained while your account is active.
WhatsApp messages | Processed in real time within TEEs. Message content is not stored after action execution, except for conversation context used for personalization (Starter+), which is retained while your account is active.
Payment records | Retained for up to 7 years as required for tax, accounting, and legal compliance.
Log data | Retained for up to 12 months for security and analytics, then aggregated or deleted.
Support communications | Retained as long as necessary to resolve your inquiry and improve support quality.

When you delete your account, we delete or anonymize your data within 30 days, except where retention is required by law.


8. Data Security

We implement multiple layers of security to protect your data:

  • TEE processing. Your data is encrypted in use inside hardware-secured enclaves.
  • Encryption in transit. All communications use TLS/SSL encryption.
  • Encryption at rest. Stored data is encrypted using industry-standard algorithms.
  • Access controls. Strict role-based access controls and the principle of least privilege. TEE architecture means our own team cannot access your plaintext data.
  • Regular security assessments. We conduct periodic security audits and vulnerability assessments.
  • Incident response. We maintain an incident response plan and will notify affected users of data breaches as required by applicable law.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.


9. Your Rights

9.1 All Users

Depending on your jurisdiction, you may have the following rights:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate or incomplete data.
  • Deletion. Request deletion of your personal data ("right to be forgotten").
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Portability. Request your data in a structured, machine-readable format.
  • Objection. Object to processing of your data based on our legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw that consent at any time.

9.2 European Economic Area and United Kingdom (GDPR)

If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation:

  • Legal bases for processing. We process your data based on: (a) performance of our contract with you (providing the Service), (b) our legitimate interests (improving and securing the Service), (c) your consent (promotional communications), and (d) compliance with legal obligations.
  • Data Protection Authority. You have the right to lodge a complaint with your local data protection authority.
  • International transfers. When your data is transferred outside the EEA/UK, we use Standard Contractual Clauses approved by the European Commission to ensure adequate protection.

9.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know. What personal information we collect, use, share, or sell.
  • Right to delete. Request deletion of your personal information.
  • Right to opt-out. Opt out of the sale or sharing of your personal information. We do not sell or share your personal information as defined under the CCPA.
  • Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights.

9.4 How to Exercise Your Rights

Contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.


10. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. When we transfer data from the EEA/UK, we use Standard Contractual Clauses. By using the Service, you consent to the transfer of your information as described in this section.


11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a minor, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at [email protected].


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify you by email or through a prominent notice on the Service before the changes take effect.

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.


13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: