Privacy Policy

The data controller is Kopern, operated from France. For any data protection inquiries, contact us at: privacy@kopern.app

We collect the following categories of personal data:

• •Account data: email address, display name, authentication provider (Google, GitHub, email)
• •API keys: your LLM provider keys (Anthropic, OpenAI, Google, Mistral), stored encrypted in Firestore
• •Usage data: token consumption, costs, request counts, per-agent breakdowns (for billing purposes)
• •Session data: conversation logs, tool call history, timestamps (when functional consent is given)
• •GitHub data: OAuth access token, connected repository names (if you enable GitHub integration)
• •Payment data: processed by Stripe — we store only your Stripe customer ID, not card details

• •Contract performance: account management, billing, service delivery (Art. 6(1)(b) GDPR)
• •Consent: functional analytics, detailed session tracking (Art. 6(1)(a) GDPR)
• •Legitimate interest: security, fraud prevention, error monitoring (Art. 6(1)(f) GDPR)
• •Legal obligation: invoicing, tax records (Art. 6(1)(c) GDPR)

Kopern uses minimal cookies:

• •NEXT_LOCALE — NEXT_LOCALE: stores your language preference (essential, 1 year)
• •Firebase Auth — Firebase Auth: session tokens for authentication (essential, session-based)
• •kopern_consent — kopern_consent: your cookie preferences (essential, 1 year)

We do not use any third-party analytics, advertising cookies, or tracking pixels.

Account data is retained for the duration of your account. Usage data is retained for 24 months for billing purposes. Session data is retained for 12 months. You may request deletion at any time.

• •Google Firebase (Firestore, Authentication): EU data center, data storage and auth
• •Stripe: PCI-DSS compliant payment processing
• •Vercel: application hosting (edge functions, EU region available)
• •LLM Providers (Anthropic, OpenAI, Google, Mistral): your prompts are sent to these providers using YOUR API keys — Kopern does not store prompt content on its servers

You have the right to:

• •Access: download all your personal data (Settings → Data & Privacy → Export)
• •Rectification: update your data in Settings at any time
• •Erasure: delete your account and all associated data (Settings → Data & Privacy → Delete Account)
• •Portability: export your data in JSON format
• •Restriction: limit processing by disabling functional tracking
• •Objection: contact us to object to any processing
• •Lodge a complaint with the CNIL (cnil.fr) if you believe your rights are not respected

Your data may be processed in the US (Firebase, Vercel, LLM providers). These transfers are covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

We implement encryption at rest (Firestore), encrypted API key storage, HMAC signature verification for webhooks, CORS whitelisting for widgets, sandboxed code execution for custom tools, and role-based access control.

We will notify you of material changes via email or in-app notification. Continued use after notification constitutes acceptance.

For any privacy-related questions or to exercise your rights: privacy@kopern.app