Cocision Privacy Policy
Effective date: 2026-06-17
What Cocision Does
Cocision helps you pause before opening websites or apps you chose to protect. On Chrome, Cocision is a browser extension for selected websites. On iOS, Cocision is a native app in development for selected apps using Apple's Screen Time frameworks. When you try to open a protected target, Cocision can route you to an AI checkpoint. You can explain why you want access, receive a Decision Card, and accept a boundary before Cocision applies the selected plan.
Current Launch Mode
The current public launch posture is Free Plan first. Free Plan users sign in with a Cocision account and use Cocision-hosted AI checkpoint and speech-to-text routes within weekly usage limits. Pro may be visible as a locked or unavailable plan, and public paid checkout may remain closed until Cocision explicitly enables it.
Subscription mode is the default/current public launch mode. In Subscription mode, the extension sends the minimum required speech-to-text audio or structured checkpoint context to Cocision's backend. Cocision then calls Cocision-owned OpenAI and DeepSeek provider accounts. Cocision-owned provider keys stay server-side.
BYOK mode is not required for the current Free Plan launch. If BYOK is enabled for your account, the extension stores your provider keys locally and encrypted, and sends provider requests directly to your selected providers using your keys. BYOK is an explicit mode, not an automatic fallback after Subscription mode errors.
Waitlist Email
If you join the Cocision beta waitlist on the website, Cocision stores the email address you submit so we can send one early-access notification when beta access opens.
The waitlist form does not collect extension local state, AI Check conversations, provider keys, raw microphone audio, transcripts, blocked target history, or Decision Card feedback.
Cocision may use a short-lived IP hash for waitlist rate limiting. The IP hash is stored separately from the waitlist signup row and is used for abuse prevention, not lead enrichment.
Website And App Accounts And Sessions
Cocision uses Supabase Auth for website sign-in, app sign-in, Dashboard, pricing, Free Plan usage, account access state, and billing flows.
Account data may include:
- email address.
- Supabase user id.
- OAuth provider metadata, such as Google avatar URL when Google provides it, or Apple email/name fields when Apple provides them.
- website session cookies needed to keep the user signed in on the website.
- native iOS session records stored in the iOS Keychain when signed in.
- account-linked entitlement records used to resolve Free, Pro, BYOK, Developer, or No Plan state.
- account access state derived from entitlement rows, manual overrides, Free Plan policy, and billing state.
Website account sessions are separate from the Chrome extension's local auth/session storage and the iOS app's native session storage. The extension Manage action opens the website Dashboard but does not put access tokens, refresh tokens, OAuth codes, account ids, or email addresses in that URL.
When you sign in inside the Chrome extension, the extension stores an encrypted Supabase auth session locally on that device. That session may include access and refresh tokens, expiration time, user id, email address, and avatar URL when the provider supplies one. Cocision uses that session to refresh account state and authenticate entitlement, usage, or hosted AI requests.
When you sign in inside the iOS app, the app stores the Supabase session locally in the iOS Keychain. Google Sign-In and Sign in with Apple use native provider flows. Cocision treats the Supabase user id and provider identity as the account anchor. Cocision does not automatically merge Apple and Google accounts by matching email, including Apple Private Relay email addresses.
Google Sign-In And Google User Data
Cocision offers Google Sign-In as an optional way to create or access a Cocision account. Google Sign-In is handled through Supabase Auth.
Google user data Cocision may receive or interact with includes your Google account email address, Google profile image or avatar URL, and OAuth profile metadata or account identifiers that Google provides to Supabase Auth for sign-in.
Cocision uses this Google user data only to authenticate your Cocision account, display your signed-in account identity, maintain website or extension sessions, verify entitlement and Free Plan usage state, provide Dashboard and account features, and authenticate account-linked hosted AI or speech-to-text requests.
Cocision stores Google Sign-In account data in Supabase Auth and Cocision account or access records. The website may store session cookies needed to keep you signed in. The Chrome extension stores an encrypted Supabase auth session locally on your device when you sign in inside the extension.
Cocision may share this data with Supabase for authentication and account services, and with Cocision backend routes for account verification, entitlement, usage, and hosted service access. If paid checkout is enabled, Cocision may send the account email and necessary checkout metadata to Lemon Squeezy to create checkout or billing portal sessions.
Cocision does not sell Google user data and does not transfer Google user data for advertising, retargeting, ad measurement, credit decisions, lending, or surveillance. Cocision does not use Google user data to train Cocision-owned models.
Cocision does not request access to Gmail, Google Drive, Google Calendar, Google Contacts, Google Photos, YouTube content, or other Google account content APIs. Cocision application code does not use Google OAuth access tokens or refresh tokens to call Google APIs beyond the sign-in flow.
Free Plan Usage, Quota, And Bonus
Cocision stores account usage state so it can enforce Free Plan limits, show weekly usage, apply global launch bonus quota, apply per-user bonus quota, debug quota issues, and prevent duplicate counting inside one active session.
Usage and policy records may include:
- Free Plan quota policy id.
- base active AI checkpoint limit and base voice-first flow limit.
- global bonus and per-user bonus limits.
- effective active AI checkpoint limit and effective voice-first flow limit.
- weekly reset window and reset time.
- weekly active AI checkpoint count.
- weekly voice-first flow count.
- client session id.
- platform, such as Chrome extension, iOS, or web.
- target kind, such as domain, URL, or app.
- target id when needed for account usage bookkeeping.
- target fingerprint used for quota/debugging without storing full browsing history.
- plan and hosted-access snapshots used when the usage event was committed.
- provider attempt counters for checkpoint and speech-to-text requests.
An active AI checkpoint is counted at the account/session level. A voice-first flow is counted once for a voice-enabled active session, not once per individual voice message inside the same session.
Checkpoint Product Analytics
Cocision stores account-linked checkpoint product analytics so Cocision can monitor whether the AI Check flow is working, debug quota and provider issues, and understand where users abandon or accept Decision Cards.
Checkpoint analytics records may include:
- Supabase user id.
- client session id.
- platform, such as Chrome extension, iOS, or web.
- target kind and target fingerprint used for safe bookkeeping without storing full browsing history.
- UTC day and server/client event timestamps.
- session started, resumed, active, voice-first, completed, abandoned, quota-blocked, or errored state.
- total user turns and assistant turns.
- generated, rendered, accepted, continued, expired, or closed Decision Card event counts.
- accepted Decision Card time, decision id, decision kind, and accepted user turn index.
- request id, event idempotency key, latency, sanitized failure code, and bounded safe metadata.
Checkpoint analytics does not include transcript text, checkpoint conversation text, model output, feedback note text, raw microphone audio, raw speech-to-text responses, raw provider responses, full URLs, exact URL paths, query strings, hash fragments, provider API keys, authorization headers, access tokens, refresh tokens, or email addresses in analytics metadata.
Detailed checkpoint sessions and events are retained for 12 weeks. Daily aggregate checkpoint metrics are retained for 18 months.
Billing And Lemon Squeezy
Cocision uses Lemon Squeezy for paid checkout, subscription billing, billing portal, invoices, payment method updates, cancellation, and renewal flows when paid checkout is enabled.
When a user chooses a paid checkout, Cocision may send Lemon Squeezy:
- email address.
- selected plan.
- a Cocision account identifier or checkout metadata that lets Cocision connect the paid purchase back to the user's account.
- Cocision return URL.
Cocision stores the minimum Lemon Squeezy references needed for entitlement, support, and billing state, such as:
- Lemon customer id.
- Lemon subscription id.
- Lemon order id.
- Lemon variant id.
- billing interval.
- billing status.
- relevant billing period or Lemon resource timestamps.
Cocision does not store full payment card numbers. Payment method handling, invoices, cancellation, renewal, and Lemon-supported subscription management are handled by Lemon Squeezy.
StoreKit And App Store Subscriptions
The iOS app uses Apple StoreKit and the App Store for iOS in-app subscriptions when iOS paid access is enabled. Apple handles App Store payment method collection, purchase sheets, refunds, cancellations, subscription management, and App Store subscription status surfaces.
Before an iOS purchase or restore, Cocision requires a signed-in Cocision account. The iOS app asks Cocision's backend for a server-issued opaque app account token for StoreKit. Cocision stores only a hash of that token for account binding and support. Cocision does not include raw app account tokens in hosted AI, speech-to-text, feedback, diagnostics, or public artifacts.
Cocision may store normalized App Store subscription and notification ledger records needed for entitlement, support, idempotency, fraud prevention, refund/revocation handling, tax, legal, and accounting obligations. These records may include:
- App Store environment, such as Xcode, Sandbox, or Production.
- App Store product id and subscription interval.
- original transaction id and transaction id.
- web order line item id when Apple provides it.
- purchase, expiration, grace, refund, revocation, or signed-at timestamps.
- billing retry or grace state.
- normalized App Store transaction family status.
- notification UUID or notification fingerprint.
- signed payload hash and signed transaction hash.
- processing status and sanitized processing error code.
Cocision does not retain raw signed App Store Server Notification payloads long term. The current server design stores normalized ledger fields and hashes instead of raw signed payload bodies.
App Store Pro and Lemon Squeezy Pro resolve to the same account-level Cocision Pro state, but each provider keeps its own payment and management path. If an App Store restore appears to belong to a different Cocision account, Cocision fails closed and requires the original account or support-mediated review.
Data Stored Locally
Cocision stores product data locally in browser extension storage, IndexedDB, iOS app storage, iOS App Group storage, and the iOS Keychain, depending on the surface.
The Chrome extension stores local data including:
- blocked target records, such as the domain or exact URL target label you configured.
- temporary access, cooldown, and local enforcement state.
- target/day negotiation threads.
- user messages and speech-to-text transcripts in those local threads.
- assistant messages, Decision Cards, and model outputs used by the checkpoint.
- settings, including selected AI mode, Chat provider/model, and OpenAI speech-to-text model.
- encrypted BYOK provider API keys only if BYOK is enabled and you save provider keys.
- encrypted extension auth session records when signed in, including Supabase tokens and account profile fields needed for account access.
- local feedback outbox items while they are waiting to be sent.
- local feedback receipt records after successful submission.
- local review and evaluation artifacts used by the extension's internal review tools.
Cocision Settings currently provides Export JSON and Delete All controls for local extension data on that device.
The iOS app stores local data needed for app protection and runtime state, including:
- protected app display names, icons, category labels, strictness settings, and local opaque target fingerprints.
- Apple FamilyControls selection data and Screen Time tokens in local app or App Group storage.
- current runtime boundary state, such as blocked, checkpoint active, access active, pause active, denied, revoked, stale, or ended.
- local Cocision decision history for protected apps.
- Shield, DeviceActivity, notification, Live Activity, and Dynamic Island presentation state where the OS supports those surfaces.
- local iOS auth/session state in the Keychain.
iOS Screen Time tokens, raw FamilyControls tokens, raw application tokens, bundle identifiers, raw DeviceActivity streams, and unrelated app usage history stay on the device. Cocision's hosted AI, speech-to-text, feedback, diagnostics, and analytics payloads must not upload raw Screen Time tokens, raw application tokens, bundle identifiers, raw DeviceActivity logs, app account tokens, App Store signed payloads, OAuth ids, email addresses, access tokens, or refresh tokens.
Provider API Keys
In Subscription mode, Cocision uses server-side provider keys. Server-side provider keys are not exposed to the extension, browser client bundles, logs, feedback payloads, diagnostics, or public artifacts.
If BYOK is enabled for your account, user-provided provider keys are stored locally and encrypted by the extension storage layer.
- Provider keys are not sent to Cocision servers.
- Provider keys are used only to authenticate requests to the provider you selected.
- Raw provider keys are not included in feedback payloads, diagnostics, logs, exports, screenshots, or Chrome Web Store submission artifacts.
Voice Input And Speech To Text
Cocision voice input is user-triggered. The extension records microphone audio only while you use the voice control on the Cocision checkpoint page. The iOS app records microphone audio only while you use the voice control in the iOS checkpoint flow.
Cocision does not request tab audio capture, page audio, desktop audio, video, screen capture, or background recording for this feature.
In Subscription mode:
- raw microphone audio is sent from the extension to Cocision's hosted speech-to-text route.
- raw microphone audio is sent from the iOS app to Cocision's hosted speech-to-text route.
- Cocision forwards the audio to OpenAI's transcription API.
- Cocision uses JSON transcription output and reads the transcript text from the response.
- Cocision hosted routes do not persist raw microphone audio by default.
If BYOK is enabled and selected:
- raw microphone audio is sent directly from the extension to OpenAI's transcription API using your locally saved OpenAI API key.
- Cocision does not receive the raw microphone audio for BYOK speech-to-text.
For both modes:
- Cocision uses OpenAI transcription for speech-to-text.
- Cocision does not use OpenAI translation, Realtime transcription, streaming transcription, diarization, timestamps, logprobs, chunking, speaker identification, or language hints for this feature.
- raw microphone audio is kept only in current page memory while needed for transcription or a user-triggered Retry after a retryable error.
- raw microphone audio is cleared after successful transcription and send, after an empty transcript, after a non-retryable transcription error, when a new recording starts, when a new session starts, or when the page is refreshed or closed.
- if transcription succeeds, the transcript becomes a user message in the local negotiation thread.
- if transcription returns an empty transcript, Cocision does not create a user turn and does not call the Chat provider for that empty transcript.
- Decision Card feedback and diagnostics must not include raw microphone audio, audio hashes, or audio payloads.
OpenAI's handling of speech-to-text API data is governed by OpenAI's API terms and data controls. See OpenAI's data controls documentation: https://developers.openai.com/api/docs/guides/your-data.
Hosted Checkpoint Decision Engine
In Subscription mode, Cocision sends structured checkpoint context to Cocision's backend. The hosted checkpoint route may include:
- the current text input or speech-to-text transcript.
- a visible same-target conversation window.
- a safe target snapshot, such as target type, match type, target domain/origin, strictness, coarse path/search/hash flags, protected app display name, app category label, or local opaque target fingerprint.
- local strictness and access policy context.
- visible pattern memory snapshot.
- visible recent behavior summary snapshot.
- prompt, output schema, evaluation schema, and API contract version metadata.
Cocision's hosted checkpoint route builds the prompt, runs input Moderation, calls DeepSeek, parses, repairs, validates, and applies hosted safety policy before returning a normalized Decision Card result to the extension.
Hosted checkpoint context does not include raw microphone audio, provider API keys, provider request headers, full browsing history, unrelated sessions, unrelated targets, raw local behavior events, feedback notes, diagnostics, full query strings, hash fragments, full exact URL paths, raw Screen Time tokens, raw FamilyControls tokens, raw application tokens, bundle identifiers, raw DeviceActivity logs, app account tokens, App Store transaction identifiers, OAuth ids, access tokens, or refresh tokens by default.
BYOK Chat Provider Requests
If BYOK is enabled and selected, the extension sends model-visible checkpoint context and negotiation messages directly to the selected Chat provider using your locally saved provider key.
The BYOK Chat request may include:
- the blocked target label or origin needed for the checkpoint.
- the current target/day negotiation messages.
- transcript text that became user messages.
- local strictness and access policy context.
- pattern memory snapshots visible to that decision.
- recent behavior summary snapshots visible to that decision.
- prompt, output schema, and evaluation version metadata.
The BYOK Chat request does not include raw microphone audio, provider API keys as content, provider request headers, full browsing history, unrelated targets, unrelated sessions, or raw local behavior logs.
Input Moderation
Cocision uses OpenAI Moderation as an input-only safety gate for the current user input or speech-to-text transcript.
In Subscription mode, the input moderation request goes through Cocision's backend using Cocision's server-side OpenAI key.
If BYOK is enabled and selected, the input moderation request goes directly from the extension to OpenAI using your locally saved OpenAI key.
Cocision does not output-moderate provider responses in this version. Feedback and diagnostics must not include raw OpenAI moderation responses, category scores, category flags, or category input-type internals. Feedback may include minimal policy-level metadata such as output source, moderation gate decision, and policy bucket when needed to explain the selected Decision Card.
Decision Card Feedback
Decision Card feedback is optional. Cocision sends feedback to Cocision only after you explicitly submit feedback for a specific Decision Card.
Decision Card feedback may include:
- anonymous installation id and app/version metadata.
- target/day thread id, target key, local date, and Decision Card provenance.
- messages from the start of the target/day thread through the selected Decision Card.
- typed or spoken user messages and transcript text already included in that thread.
- the selected Decision Card captured output.
- Cocision's parsed Decision Card.
- parser and repair metadata.
- model-visible round/thread context.
- pattern memory snapshot visible to that decision.
- recent behavior summary snapshot visible to that decision.
- redacted current attempt context.
- Opening Message metadata, such as the local opening message id, template id, template set version, and strictness mode shown for that checkpoint.
- your feedback rating, reason codes, expected decision, and optional note.
For hosted Subscription decisions, feedback records the normalized selected output the user saw. Hosted feedback must not include discarded provider output, raw hosted provider bodies, raw OpenAI moderation responses, category scores, provider headers, provider keys, raw route bodies, or repair prompts.
For BYOK decisions, feedback may include the selected raw provider output when that output was adopted and shown to you, under the explicit decision-scoped feedback contract.
Decision Card feedback does not include:
- messages after the selected Decision Card.
- unrelated sessions.
- unrelated targets.
- raw behavior events.
- raw target attempt lists.
- full browsing history.
- provider API keys.
- provider request or authorization headers.
- raw microphone audio.
- audio hashes or audio payloads.
- raw speech-to-text provider responses.
- raw OpenAI moderation responses or category scores.
- local-only Opening Message draft ids, structured target-chip UI parts, duplicated opening provider text, or duplicated opening target display.
- exact URL paths, query strings, or hash fragments in Opening Message metadata.
- raw iOS Screen Time tokens, raw FamilyControls tokens, raw application tokens, bundle identifiers, raw DeviceActivity logs, app account tokens, App Store transaction identifiers, OAuth ids, email addresses, access tokens, or refresh tokens.
Cocision uses submitted feedback to improve prompts, parsing, evaluation cases, product quality, and debugging workflows. Cocision does not use feedback for advertising.
Technical Diagnostics
Cocision can send a metadata-only diagnostic report when you choose the diagnostic action after a feedback error.
Diagnostics may include:
- diagnostic id and creation time.
- app and extension version.
- schema versions.
- terminal error code.
- endpoint status code.
- payload size or short payload hash prefix.
- safe browser/network metadata.
- speech-to-text error class, selected STT model, endpoint name, retry count, provider request id, and coarse duration or byte-size buckets.
Diagnostics do not include:
- Checkpoint conversation text.
- transcript text.
- model output.
- feedback note text.
- raw microphone audio.
- raw speech-to-text responses.
- raw OpenAI moderation responses.
- full URLs, browsing history, exact URL paths, query strings, or hash fragments.
- provider API keys or authorization headers.
Error And Performance Monitoring
Cocision may use Sentry for website, API route, release, error, and performance monitoring when Sentry reporting is configured for an environment.
Sentry events may include sanitized error names, stack traces, route or transaction names with query strings and hash fragments removed, release and environment identifiers, browser/runtime metadata, timing information, and a small allowlist of safe technical headers.
Cocision configures Sentry to avoid default personally identifiable information and to scrub or drop user identity, cookies, request bodies, query parameters, OAuth callback values, authorization headers, provider keys, transcripts, raw provider output, raw URLs, GenAI inputs/outputs, and stack-frame variables. Sentry is used for debugging, reliability, and performance monitoring, not as the product analytics source of truth.
Hosted Rate Limiting
Cocision hosted routes may use rate limiting for abuse prevention. Hosted rate-limit storage may include endpoint name, scope, an HMAC daily IP hash, rate-limit window, request count, and expiration time.
Hosted rate-limit rows do not store raw IP addresses.
Data Sale, Advertising, And Training
Cocision does not sell user data.
Cocision does not transfer user data for advertising, retargeting, or ad measurement.
Cocision does not use submitted feedback, transcripts, blocked target data, hosted checkpoint requests, or diagnostic reports for advertising.
Cocision does not use your data to train Cocision-owned models. Provider requests are subject to the selected provider's or Cocision provider account's applicable terms and data controls.
Human Review
Human review is limited to user-submitted feedback, diagnostics, account/support requests, billing/support workflows, and internal quality/debugging workflows. Cocision does not review local-only negotiation threads unless you explicitly submit feedback or diagnostics containing the relevant allowed data.
Third Parties
Cocision may send data to:
- OpenAI, when Cocision uses OpenAI speech-to-text or OpenAI input Moderation.
- DeepSeek, when Cocision uses DeepSeek for Chat or hosted checkpoint decisions.
- Cocision's backend, when Subscription mode uses hosted speech-to-text or hosted checkpoint routes, or when you submit waitlist email, explicit Decision Card feedback, explicit diagnostic reports, or account usage requests.
- Supabase, when Cocision uses website account authentication, extension account authentication, account-linked entitlement records, account access state, runtime policy, and usage state.
- Lemon Squeezy, when Cocision creates paid checkout, processes billing webhooks, or opens billing portal flows.
- Apple, when the iOS app uses StoreKit, App Store subscription management, Sign in with Apple, FamilyControls, ManagedSettings, Shield, DeviceActivity, notifications, Live Activities, Dynamic Island, or other iOS system services.
- Sentry, when configured, for sanitized error, release, and performance monitoring.
Provider requests are subject to the selected provider's or Cocision provider account's applicable terms and data controls.
Data Deletion
You can delete local Cocision extension data from the extension settings on that device.
You can remove local iOS app data by deleting the Cocision app from your device. In-app account deletion request initiation is available in the iOS account surface when signed in. The request notifies Cocision support and starts a support-reviewed account deletion workflow.
If you submitted feedback or diagnostics to Cocision, joined the waitlist, used a website account, used account-linked hosted AI/STT, have account-linked checkpoint analytics, or want deletion help, contact Cocision at support@cocision.app.
Account deletion may tombstone feedback, remove or detach user-owned account state, detach retained App Store transaction families from the deleted account, audit the deletion operation, and delete the Supabase Auth user when the request is verified and eligible. Account-linked usage, access, Lemon Squeezy billing records, App Store transaction records, App Store notification ledgers, and support records may need to be retained or detached when necessary for entitlement, quota enforcement, support, tax, fraud-prevention, legal, or accounting obligations.
Changes
Cocision may update this policy when the product, data flows, providers, or store requirements change. The effective date at the top of this policy identifies the current version.