Copa mascotCopa

Privacy Policy

Last updated: March 1, 2026 (Document version: 2026-03-01). Copa is operated from Chandler, Arizona, United States by Jakd LLC ("Copa," "we," "us," "our"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our mobile applications, website, and related services (collectively, the "Service"). Contact: support@copa-ai.app.

1. Scope

This Privacy Policy applies to all users of Copa, including parent and caregiver accounts. It covers information you provide directly, information generated through your use of the Service (including baby-care logs), and information collected automatically. It applies to both free and paid subscription tiers.

By using Copa, you acknowledge that you have read this Privacy Policy. If you do not agree with our practices, do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: email address, display name, password (or third-party authentication credentials via Google or Apple sign-in), profile photo or avatar, caregiver role (e.g., mom, dad, grandparent), parenting experience level, and total children count.
  • Baby profiles: baby's name, birth date, gender (optional), and timezone.
  • Care activity logs: feeding details (type, amount, side, duration), sleep records (start/end times, quality), diaper changes (type, notes), mood entries, tummy time, and other activity data you choose to log, along with timestamps.
  • Health and growth data: weight, length, head circumference, temperature, medicine tracking, measurement source (home or pediatrician), and related notes.
  • Milestone data: milestone achievements, dates, photos, and notes.
  • Photos and images: images you upload for AI vision analysis (diaper assessment, skin checks), avatar generation ("Little Toons"), or milestone documentation.
  • Copa AI chat messages: text messages and attachments you send in Copa AI conversations.
  • Household data: household invite codes, member roles, and permission settings.
  • Preferences: notification settings, unit preferences (metric/imperial), theme selection, and app display preferences.
  • Support communications: messages, attachments, and contact information you provide when contacting support.

2.2 Information Collected Automatically

  • Device and technical data: device type, operating system, app version, device timezone, and unique device identifiers used for push notifications.
  • Usage data: feature interaction patterns, timestamps, session durations, and app performance diagnostics.
  • Push notification tokens: device tokens registered with Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) for delivering notifications.
  • Advertising data (free tier only): if you use the free tier, our advertising partner (Google AdMob) may collect device advertising identifiers and limited usage data for the purpose of serving relevant ads. See Section 6 for more details.

2.3 Information from Third Parties

  • Authentication providers: if you sign in using Google or Apple, we receive your name and email address (and, where applicable, a profile photo) as authorized by you during the sign-in process.
  • App Store billing data: our subscription management provider (RevenueCat) receives transaction confirmations from the Apple App Store or Google Play Store. We receive subscription status, plan tier, and entitlement information but do not receive or store your payment card details.

3. How We Use Information

We use the information we collect for the following purposes:

  • Provide the Service: create and manage your account, enable household collaboration, sync care logs in real time, deliver push notifications, and display insights and analytics.
  • Operate AI Features: process your messages and images through third-party AI providers to generate Copa AI chat responses, vision analysis results, proactive insights, educational content, and AI-generated avatars (only when you have explicitly consented to AI Features).
  • Process subscriptions: manage plan entitlements, enable paid features, and coordinate billing status with App Stores via RevenueCat.
  • Improve the Service: analyze usage patterns to fix bugs, improve features, and develop new functionality.
  • Security and integrity: detect and prevent fraud, abuse, and unauthorized access; enforce our Terms of Service.
  • Communications: send service-related notices, respond to support requests, and deliver push notification reminders you have configured.
  • Legal compliance: satisfy legal obligations, respond to lawful requests, and protect our legal rights.
  • Advertising (free tier): display third-party advertisements to free-tier users through Google AdMob.

4. AI Features and Health-Related Data

  • Explicit consent required: We require separate, explicit in-app consent before activating any AI Feature that processes your messages or photos. You may withdraw consent at any time in app settings; previously processed data is subject to the retention practices described in Section 8.
  • Third-party AI processing: When you use AI Features, relevant inputs (text messages, images, baby care context) may be transmitted to third-party AI service providers, which currently may include Google (Gemini), OpenAI, or Anthropic, acting as our data processors under contractual obligations to protect your data.
  • No AI training on your data: We do not use your personal data or User Content to train general-purpose AI models. Data sent to AI providers is processed solely to generate outputs you request.
  • Vision analysis images: Photos submitted for AI vision analysis are stored in a private, access-controlled storage bucket. Access is limited to time-expiring signed URLs.
  • Not medical advice: Copa AI outputs, including vision analysis (diaper assessment, skin checks), are informational only. They are not medical diagnoses or treatment recommendations. Always consult a licensed healthcare provider for medical concerns.

5. How We Share Information

  • Within your household: All care activity logs, baby profiles, growth data, milestones, and Copa AI chat history are shared with authorized members of your household. You control who is in your household by sending and managing invitations.
  • Service providers: We share information with third-party service providers that help us operate Copa, including:
    • Supabase: database hosting, authentication, real-time data sync, file storage, and server-side functions.
    • AI providers (Google, OpenAI, Anthropic): processing of AI Feature inputs and outputs, only when you have consented to AI Features.
    • RevenueCat: subscription management and entitlement tracking.
    • Expo / Apple / Google: push notification delivery.
    • Google AdMob: advertisement delivery for free-tier users.
    These providers are contractually obligated to use your data only to provide services to us and to maintain appropriate security measures.
  • Legal and safety: We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, regulation, or legal process; respond to a lawful request from a government authority; protect the rights, safety, or property of Copa, our users, or the public; or detect, prevent, or address fraud, security, or technical issues.
  • Corporate transactions: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of the transaction, subject to applicable law and continued protection under this Privacy Policy or a comparable policy.

We do not sell your personal information for monetary consideration. See Section 11 for information about "sharing" under California law.

6. Advertising and Tracking

  • Free tier advertisements: If you use the free tier, Copa displays native advertisements through Google AdMob. AdMob may collect device advertising identifiers (IDFA on iOS, GAID on Android) and limited interaction data to serve and measure advertisements.
  • No ads for subscribers: Paid subscription plans do not include advertisements and AdMob is not active for those users.
  • Opting out: You can limit ad tracking through your device settings (iOS: Settings > Privacy & Security > Tracking; Android: Settings > Google > Ads). You may also upgrade to a paid plan to eliminate advertisements entirely.
  • Analytics: We use aggregated, de-identified usage data to improve Copa. We do not use third-party behavioral analytics SDKs that track individual users across other apps or websites.

7. Security

  • We implement administrative, technical, and organizational safeguards to protect personal information, including:
    • Encryption of authentication tokens using platform-native secure storage (Expo Secure Store).
    • HTTPS/TLS encryption for all data in transit.
    • Row-Level Security (RLS) policies that enforce household-level data isolation in our database.
    • Time-expiring signed URLs for access to stored images.
    • Server-side processing of sensitive operations (AI calls, billing webhooks) via secure edge functions.
  • No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention

  • Active accounts: We retain your personal information for as long as your account is active and as needed to provide the Service.
  • After account deletion: When you delete your account, we delete or de-identify your personal data within thirty (30) days, except where retention is required for legal, security, fraud prevention, accounting, or dispute-resolution obligations (typically up to three years, or as required by law).
  • AI data: Vision analysis images and AI chat history associated with your account are deleted upon account deletion, subject to backup retention windows.
  • Consent records: Records of legal consent (Terms, Privacy Policy, AI consent) may be retained beyond account deletion to document compliance history.
  • Aggregated data: We may retain aggregated, de-identified data that cannot reasonably be used to identify you for analytical and improvement purposes.

9. Breach Notification

If a qualifying security incident occurs involving your personal information, we will provide the required notices under applicable law. This includes compliance with:

  • FTC Health Breach Notification Rule: If Copa is determined to be a vendor of personal health records under FTC rules, we will notify affected individuals, the FTC, and (where applicable) the media in accordance with the Health Breach Notification Rule (16 CFR Part 318), including notice within sixty (60) days of discovering a qualifying breach and delivery via email supplemented by in-app notification.
  • Arizona breach notification law: A.R.S. § 18-552, requiring notice to affected Arizona residents without unreasonable delay.
  • Other state laws: We will comply with breach notification requirements in all U.S. states where affected users reside, including California (Cal. Civ. Code § 1798.82) and other applicable state statutes.

10. Children's Privacy

  • Copa is designed for adult parents and caregivers. Only individuals aged 18 or older (or the age of majority in their jurisdiction) may create Copa accounts.
  • We do not knowingly allow children under 13 to create accounts or directly provide personal information to us. If we learn that a child under 13 has created an account, we will promptly delete it.
  • Data about children: Caregiver users input information about the babies and children in their care (names, birth dates, care activities, growth data, photos). This data is provided by and under the control of the adult caregiver, not collected directly from children. We treat all data about minors with heightened care and limit its use to providing the Service.
  • We do not use data about children for advertising purposes. AdMob does not receive baby profile data or care activity logs.
  • If you believe a child under 13 has provided personal information to Copa without appropriate parental involvement, please contact us at support@copa-ai.app and we will investigate and take appropriate action.

11. Your Privacy Rights

11.1 All Users

Regardless of where you live, you may:

  • Access and update your profile information from within the app.
  • Delete your account in-app via Settings or by contacting support.
  • Withdraw consent for AI Features at any time through app settings.
  • Manage push notification preferences (including disabling specific notification categories) through app settings.
  • Request a copy of your data by contacting support@copa-ai.app.

11.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions (legal obligations, security, completing transactions).
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell personal information for monetary consideration. The free tier's use of Google AdMob may constitute "sharing" of personal information (as defined under the CCPA) for cross-context behavioral advertising purposes. You may opt out of this sharing by adjusting your device advertising settings or upgrading to a paid plan. We honor Global Privacy Control (GPC) signals as opt-out requests.
  • Right to limit use of sensitive personal information: We collect certain information that may qualify as "sensitive personal information" under the CCPA, including precise geolocation data (if enabled) and health-related information. We use sensitive personal information only to provide the Service and do not use it for purposes that would require offering a right to limit.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact support@copa-ai.app. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

11.3 Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing. To exercise your rights, contact support@copa-ai.app. If we decline a request, you may appeal by responding to our decision with the subject line "Privacy Rights Appeal."

12. HIPAA Status

Copa is a consumer parenting and wellness application. Jakd LLC is not a HIPAA covered entity or business associate. Unless we explicitly execute a separate written Business Associate Agreement, HIPAA does not apply to data stored in Copa. If you are a healthcare provider or health plan considering Copa for use in a clinical context, please contact us to discuss requirements.

13. International Data Transfers

Copa is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using Copa, you consent to such transfers. We take steps to ensure that your data receives adequate protection through contractual safeguards with our service providers.

14. Do Not Track / Global Privacy Control

Copa honors Global Privacy Control (GPC) signals as valid opt-out requests under applicable state privacy laws. With respect to other "Do Not Track" browser signals, there is no universally accepted standard for how to respond to such signals, and Copa does not currently respond to generic DNT headers beyond GPC.

15. Data Portability

You may request a copy of your personal data in a structured, commonly used, and machine-readable format by contacting support@copa-ai.app. We will respond to data portability requests within the timeframes required by applicable law (typically 45 days, with a possible extension of an additional 45 days for complex requests).

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or the Service. We will post the revised version with a new "Last updated" date. For material changes, we will provide at least fifteen (15) days' advance notice via in-app notification or email before the changes take effect. If you continue to use Copa after the updated Privacy Policy takes effect, you acknowledge the revised practices. If you disagree with any changes, you should stop using the Service and may request account deletion.

17. Contact Us

Privacy questions, data requests, or complaints: support@copa-ai.app
Jakd LLC
Chandler, Arizona, United States

If you have a complaint that we have not resolved to your satisfaction, you may also contact the relevant state attorney general or data protection authority.