Coop

01

What we collect

Account information you provide when signing up — name, email address, company name, and role.
VA application data — work history, skills, availability, and the minimum acceptable rate you enter.
Usage data — pages visited, features used, agent runs triggered, and time tracked through the platform.
Communications — messages, task notes, and standup entries submitted through Coop.
Payment information — processed exclusively by Stripe. Coop does not store raw card numbers.

02

To operate the platform — matching, time tracking, invoicing, leave management, and agent execution.
To communicate with you — onboarding emails, invoice summaries, match notifications, and support replies.
To improve Coop — aggregate usage analytics that never identify individual users.
To comply with law — we retain records as required by applicable financial and employment regulations.

03

Sub-processors listed on our Security page — infrastructure (AWS), payments (Stripe), identity (WorkOS), AI inference (Anthropic, OpenAI, Google), error tracking (Sentry), and communications (Resend).
Your VA and your workspace members — task content, timesheets, and communications are visible to authorized members of your workspace.
We do not sell your data. We do not share it with advertisers. We do not use it to train external AI models.

04

Active account data is retained for the duration of your subscription plus 90 days after cancellation.
Invoices and financial records are retained for 7 years to comply with tax regulations.
VA application data is retained for 12 months if not accepted, then deleted.
You may request deletion of your personal data at any time by emailing support@mycoop.ai.

05

Access — you can request a copy of all personal data we hold about you.
Correction — you can update your information at any time from your account settings.
Deletion — you can request permanent deletion of your account and associated data.
Portability — you can request an export of your data in machine-readable format.
If you are in the EEA or UK, you have additional rights under GDPR, including the right to object to processing and to lodge a complaint with your local supervisory authority.

06

We use strictly necessary cookies to keep you logged in and prevent cross-site request forgery.
We use analytics cookies (PostHog) in aggregate, anonymized form only — no cross-site tracking.
We do not use advertising cookies.
You can opt out of analytics cookies from your account settings at any time.

07

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Integration tokens are encrypted before storage.
Access controls follow the principle of least privilege — VA access is role-scoped and audited.
We conduct annual third-party penetration tests and maintain a SOC 2 Type I report.
See our Security page for full details.

08