Privacy Policy

This Privacy Policy describes how Coral (“we,” “us,” or “our”) collects, uses, and protects your information when you use the Coral mobile application and related services (collectively, the “Service”). Coral is operated by [Entity Name], located in the United States.

We take your privacy seriously. Coral is built with a privacy-first architecture — each user gets their own dedicated server, and we don’t sell your data or use it to train AI models.

1. Information We Collect

1.1 Account Information

When you create a Coral account, we collect:

• Email address (required for all authentication methods)
• Display name (provided via Sign in with Apple on first sign-in, or set by you)

We do not collect: phone numbers, physical addresses, profile photos, government IDs, or biometric data (Face ID is processed entirely on your device by Apple and never sent to Coral).

1.2 Conversation Data

When you use Coral, we store:

• Your messages and Coral’s responses
• Session metadata (timestamps, AI model used, conversation title)
• Tool call records (what actions Coral took on your behalf, inputs and outputs)
• Files you upload to conversations (stored in encrypted cloud storage, retained for 30 days, max 20MB per file)

1.3 Connected Service Data (Integrations)

When you connect third-party services (Gmail, Google Calendar, Google Drive, GitHub, Linear, Slack, Notion), Coral accesses data from those services on your behalf. This includes:

Important: Coral does NOT cache or persistently store data from your connected services. All integration data is fetched live from each service when needed and is not retained in Coral’s database. OAuth tokens (credentials for accessing your accounts) are stored exclusively by Nango, our OAuth management provider, and are never stored in Coral’s own database.

1.4 Proactive Monitoring (Heartbeat)

If you have integrations connected, Coral periodically checks your connected services (approximately every 30 minutes) to surface timely, relevant information — like upcoming meetings, urgent emails, or blocked tasks. This monitoring is:

• Read-only (Coral never takes action during monitoring)
• Configurable (you can customize what Coral monitors)
• Disablable (you can turn off proactive monitoring entirely)

Monitoring findings are stored as brief summaries (up to 500 characters) in your activity feed. Findings that warrant your attention are delivered as push notifications.

1.5 Usage and Billing Data

We track your usage of the Service for billing purposes:

• API token consumption per conversation (input/output token counts)
• AI model used per request
• Cost calculations and credit balance
• Stripe customer ID (a reference identifier only — we never see or store your payment card details)

1.6 Device Information

We collect minimal device information:

• Device type (for push notification delivery)
• APNs device token (Apple’s push notification identifier)

We do NOT collect: device advertising identifiers (IDFA), precise location, contacts, health data, browsing history, or any cross-app tracking data. Coral contains zero analytics SDKs or tracking tools.

1.7 Automatically Collected Information

Our website (getcoral.xyz) does not use cookies, analytics scripts, or tracking pixels. We do not collect any information from website visitors.

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Coral Service
• Process your conversations through AI to generate responses and take actions
• Deliver proactive notifications based on your connected services
• Calculate and manage your usage credits and billing
• Communicate with you about your account and the Service
• Ensure the security and integrity of the Service
• Comply with legal obligations

We do NOT use your information to:

• Train AI models (see Section 3)
• Serve advertisements
• Sell or license your data to third parties
• Build profiles for advertising or marketing purposes
• Track you across other apps or websites

3. AI Processing and Third-Party AI

Coral uses Anthropic’s Claude AI models to process your conversations. When you send a message, the following is transmitted to Anthropic’s API:

• Your message text
• Conversation history for that session
• A system prompt that includes your display name, timezone, connected integrations list, and relevant memory context
• Results from any tool calls (e.g., email content fetched on your behalf, calendar events)
• Any files or images you attach to the conversation

Anthropic does not train its AI models on data sent through its commercial API. Under Anthropic’s commercial terms of service, API inputs and outputs are not used for model training. We do not use your conversations, files, or integration data to train any AI model.

Anthropic processes this data in the United States. For more information on Anthropic’s data practices, see Anthropic’s Privacy Policy.

4. How We Share Your Information

We share your information only with the following service providers, solely to operate the Service:

We do not sell, rent, or share your personal information with advertisers, data brokers, or any other third parties for their own purposes.

5. Your Dedicated Server

Unlike most cloud services, Coral provisions a dedicated server for each user. This means:

• Your conversations, files, memory, and workspace data are physically isolated from other users
• No other user’s data exists on your server
• Your server runs its own instance of the Coral gateway software
• When you delete your account, your server is permanently destroyed along with all data on it

Server data includes your workspace files (AI memory, conversation summaries, user-created files, projects), uploaded files (retained for 30 days), AI session data (retained for 30 days), and application logs (automatically rotated, approximately 250MB maximum).

6. Data Retention

7. Account Deletion

You can delete your account at any time from the Settings screen in the Coral app. When you delete your account, we permanently:

• Destroy your dedicated Hetzner server and all data on it (workspace files, logs, AI sessions)
• Delete all your data from our database (conversations, messages, profile, usage history, activity feed, integrations, heartbeat configuration)
• Revoke all OAuth tokens for your connected services through Nango
• Remove your Cloudflare tunnel and DNS records

This deletion is immediate and irreversible. We do not retain any personal data after account deletion.

8. Data Security

We protect your data through:

• Per-user server isolation (your data never touches another user’s environment)
• Encrypted connections (TLS 1.2+ / WSS) between your device and your server via Cloudflare Tunnel
• Row-Level Security in our database (enforces user-level access controls at the database layer)
• JWT-based authentication with short-lived access tokens (15 minutes) and automatic refresh
• Production log sanitization (message content, API keys, and tokens are stripped from logs)
• No analytics SDKs or third-party tracking code in our mobile app

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: You can view your conversations, usage data, and account information within the app.
• Deletion: You can delete individual conversations or your entire account at any time.
• Correction: You can update your display name and profile information in the app.
• Integration Control: You can connect or disconnect any third-party service at any time, immediately revoking Coral’s access.
• Monitoring Control: You can disable proactive heartbeat monitoring at any time.

To exercise any rights not available through the app’s interface, contact us at privacy@getcoral.xyz.

9.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to Know: You may request details about the personal information we collect, use, and disclose.
• Right to Delete: You may request deletion of your personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• No Sale of Personal Information: We do not sell your personal information, and have not done so in the preceding 12 months.
• No Sharing for Cross-Context Behavioral Advertising: We do not share your personal information for cross-context behavioral advertising.

To make a CCPA request, contact us at privacy@getcoral.xyz.

10. Children’s Privacy

Coral is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you believe a minor has created a Coral account, please contact us immediately and we will delete the account.

11. Push Notifications

Coral sends push notifications for proactive findings (heartbeat alerts, reminders, scheduled reports). Notification content includes brief summaries of findings from your connected services (e.g., “You have an upcoming meeting in 30 minutes”). This content is visible on your device’s lock screen and notification center.

You can manage notification permissions through your device’s Settings. You can also disable proactive monitoring within the Coral app to stop heartbeat-triggered notifications.

12. International Data Transfers

Your data is processed and stored in the United States (Supabase, Anthropic, Nango, Stripe, Apple) and Germany (Hetzner server infrastructure). By using Coral, you consent to the transfer of your information to these countries.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we may also notify you through the app. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

Email: privacy@getcoral.xyz
Website: getcoral.xyz/support