Privacy Policy
Last updated 24 May 2026
This policy explains what Coco ("the app", "we") collects, how we use it, and the choices you have. Coco is a wellness app built to keep your information as private as possible. Most of your data stays on your device, and only syncs to our cloud after you choose to sign in.
Local-first. Your mood logs, journals, check-ins and chat history are stored on your device using local storage (AsyncStorage). After you sign in, the app makes a best-effort sync of this content to our backend (Google Firebase / Firestore) so it can be backed up and used across devices. If you never sign in, that content is not uploaded.
Information we collect
| Data | Why |
|---|---|
| Name | Account and personalization (optional, depending on sign-in method). |
| Email address | Account creation and management, developer communication. |
| Firebase user ID | To identify your account and sync your data. |
| Gender (optional) | Optional profile field; you can leave it blank. |
| Mood logs, journals, daily check-ins | Core app functionality — these are your own content. |
| AI listener chat text | To generate a response from the AI. See "AI listener chat" below. |
| Analytics (event names & durations) | To understand which features are used and improve the app. No content of your journals or chats is included. |
| Device identifier | Basic app functionality and abuse prevention. |
Coco does not collect your precise location, contacts, photos, browsing history, or payment information. We do not sell your data, and we do not use it for advertising.
AI listener chat
When you use the AI listener, the text of the message you send is transmitted to our LLM provider, Groq (running a Llama model), via a Vercel Edge function, to generate a reply. Groq is the only third party that receives your chat content, and it is used solely to produce the response (app functionality). We do not send your name, email, or account identifiers with the message. Please avoid sharing information you would not want processed by a third-party AI service. The AI listener is not a therapist and does not provide medical advice.
How we use your information
- To provide and operate the app's features (chat, mood, journal, check-ins, exercises, directories).
- To create and manage your account and sync your content across devices after sign-in.
- To understand aggregate, non-identifying usage so we can improve Coco.
- To respond to your support and account requests.
Sensitive / health-related data
Coco is a mental-wellness app, so some of the content you create — your mood logs, journal entries, and daily check-ins — may reveal information about your mental or emotional health. This kind of information is treated as "special category data" under Article 9 of the GDPR and as "sensitive personal information" under California's CPRA and comparable laws.
- We process this data only to provide the app's features to you (showing your history, trends, reflections, and reminders) — never to infer characteristics about you for any other purpose.
- Where this data syncs to our servers, it is processed on the basis of your explicit consent, which you give by choosing to sign in and sync.
- We never sell or share this data and never use it for advertising or cross-context behavioral advertising.
- By default it stays on your device and is only uploaded after you sign in (see "Local-first" above).
- You can withdraw your consent at any time and delete this data — locally in the app, or in full from our servers via the Delete account page.
Sign-in methods
You can use Coco anonymously, or create an account with email & password, Google, or Apple. Authentication is handled by Google Firebase Authentication.
Sharing
We share data only with service providers ("processors") that help us run the app, and only as needed to provide it: Google Firebase (authentication, database/sync) and Groq (AI chat responses — chat text only). These providers act on our instructions. We do not share your data with advertisers, data brokers, or any party for their own marketing.
We do not sell or share your personal information. Coco does not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We have not sold or shared personal information in the preceding 12 months. The only third party that receives the content of your messages is Groq, which processes your AI-listener chat text on our behalf solely to generate a reply — this is a disclosure to a service provider for app functionality, not a sale.
Data retention
How long we keep your information depends on where it lives:
- On your device: Mood logs, journals, check-ins and chat history are stored locally and remain on your device until you delete them in the app or uninstall Coco.
- Synced to our servers (after sign-in): Content synced to Firebase/Firestore and account details (name, email, user ID, optional gender) are retained while your account is active, and afterward only as needed to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements.
- AI chat text: Sent to Groq only to generate the immediate reply and not retained by us to build a profile of you.
- Analytics: Event names and durations are kept in aggregate, non-identifying form to improve the app.
"Erase all my data" clears your device only. The in-app "Erase all my data" action deletes the copy of your data stored locally on your device. It does not delete data that has already synced to our servers. Full, server-side deletion of your synced data and account is request-based: email us or follow the steps on the Delete account page, and we will delete your account and synced data, subject to any retention we are legally required to keep.
Security
Data is encrypted in transit. We restrict access to stored data to what is needed to operate the service. No method of storage or transmission is 100% secure, but we take reasonable measures to protect your information.
Children
Coco is not directed to children under 13 (or the minimum age in your region) and we do not knowingly collect their data.
Your rights
Depending on your location, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these rights, email us (see Contact) or use the Delete account page. We will not discriminate against you for exercising your privacy rights. We may need to verify your identity before acting on a request.
California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know / access the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties to whom it is disclosed.
- Delete the personal information we hold about you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of your personal information — though, as stated above, we do not sell or share your personal information, so there is nothing to opt out of.
- Limit the use of sensitive personal information — we use any sensitive information (such as the content of your journals or chats) only to provide the app's features to you, not for inferring characteristics or for advertising.
- Non-discrimination for exercising these rights.
You may make a request yourself or through an authorized agent. To submit a California request, email us (see Contact).
EU/UK rights (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access your personal data and obtain a copy.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten").
- Restrict or object to certain processing.
- Data portability — receive your data in a portable, machine-readable format.
- Withdraw consent at any time, where processing is based on consent, without affecting prior processing.
- Lodge a complaint with your local data-protection authority.
We process personal data on the legal bases of performing our contract with you (providing the app), your consent (where applicable, such as optional profile fields), and our legitimate interests in operating, securing, and improving the service. To exercise any GDPR right, email us (see Contact).
Other U.S. state privacy rights
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive consumer-privacy law, you have rights similar to those described above — including the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of certain processing. You can exercise these rights through the same contact below, and you may appeal a decision we make about your request.
To be clear about practices these laws single out: Coco does not sell or "share" your personal data, does not engage in targeted (cross-context behavioral) advertising, and does not use it for profiling that produces legal or similarly significant effects. Any sensitive data (such as the content of your mood logs, journals, or check-ins) is used only to provide the app's features to you, and never beyond that.
International data transfers
Coco is operated from, and your data may be processed in, the United States and other countries where we or our service providers operate. Our processors — Google Firebase / Google Cloud (authentication, database, and sync) and Groq (AI chat responses) — may process data in these locations. Privacy laws in these countries may differ from those where you live.
Where we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards recognized under applicable law, such as the European Commission's Standard Contractual Clauses (SCCs) (and the UK Addendum), to ensure your data continues to receive an adequate level of protection.
Not a medical or emergency service
Coco is not a medical, therapy, or emergency service. If you are in crisis or may be in danger, contact your local emergency services or a crisis helpline immediately.
Changes
We may update this policy. Material changes will be reflected here with a new "last updated" date.
Contact
Questions about this policy or your data, or want to exercise a privacy right? Email rodriguescarson@gmail.com (developer contact). You can also reach us by mail:
Mailing address
Coco
[PHYSICAL MAILING ADDRESS — placeholder; replace before relying on this policy]
Email: rodriguescarson@gmail.com
See also our Terms of Service.