Cotext

Privacy Policy

Last updated: 2026-06-04

In short: Cotext runs locally. We don't see your reactions, your synthesized profile, or the AI conversations you have. We only handle data you explicitly send us — when you publish, push, or sign in.

1. What stays on your machine

The Cotext browser extension processes everything locally. The following never leave your device unless you explicitly publish:

  • Your reactions (likes, dislikes, tags, free-form notes).
  • Your synthesized preference profile and version history.
  • The AI responses and prompts captured for context.
  • The local AI model that interprets your reactions.

This data lives in your browser's storage and, optionally, a folder on your computer that you choose. We have no access to it.

2. Optional outbound destinations from the extension

By default the extension runs interpretation and synthesis on-device (Chrome built-in AI, or a WebGPU model in an offscreen document). No network calls leave your machine for that work. If you change provider in the popup, the extension reaches the following hosts on your behalf — and those services see whatever you send them:

  • Ollama (localhost:11434) — when you pick Ollama as the provider, the extension calls your local Ollama daemon. Network traffic stays on your machine.
  • api.anthropic.com — when you pick Claude (Anthropic) as the provider, your reactions, captured prompts, and AI responses are sent to Anthropic for interpretation. Subject to Anthropic's privacy policy. Your API key stays in browser storage; Cotext never sees it.
  • api.openai.com — same as above for ChatGPT (OpenAI). Subject to OpenAI's privacy policy.
  • huggingface.co and *.hf.co— when you pick WebGPU as the provider, the chosen model's weights are downloaded once from Hugging Face into your browser's cache. No reactions or prompts are sent — just the model download.

All four destinations are listed in the extension's host_permissions for transparency. None of them are contacted unless you actively choose that provider in the popup.

3. What we receive when you use cotext.io

You send us data only when you take a deliberate action on our website. Specifically:

  • Publish (anonymous): the profile JSON you chose to share. Stored under a content hash. We do not link it to an account or an IP address.
  • Push (named): the profile JSON plus your account ID, slug, and an optional commit message. Linked to your account so it appears under @your-name/slug.
  • Pull: a request for a published profile. Our servers see the URL and your IP address, like any HTTP request.
  • Sign in: your email address, used solely to send the sign-in link and to identify your account.

Cotext does not receive your raw signals, your AI conversations, the contents of your local folder, or anything else the extension processes locally.

4. Account data

If you create an account, we store:

  • Your email address.
  • Your chosen username.
  • SHA-256 hashes of any API tokens you generate (never the raw value).
  • The profiles you push, plus their version history.
  • Which profile you marked as “active” (so the CLI / MCP server knows which one to serve when you don't specify a slug).
  • The profiles you've starred — a list of (your user ID, profile ID) pairs. Used to render your starred list and the star counts other users see on profile pages.
  • Pending feedback signals from CLI / MCP clients (only if you use the cloud-only flow, no folder sync): the signal JSON your terminal tools push, queued until a local drainer (browser extension orcotext daemon on your machine) picks them up and runs interpretation. Deleted as soon as the drainer marks them consumed.
  • Standard session metadata (sign-in time, expiry, last token use).

If you only submitted your email to the install waitlist (without creating an account), we store just your email address, the page you signed up from, the timestamp, and whether we've sent you the install-ready notice. Nothing else.

5. Cookies

We set one cookie: an HTTP-only session cookie used to keep you signed in. It is essential to operate the account features. We do not use tracking, advertising, or analytics cookies.

6. Server logs and rate limiting

Our hosting provider records standard web access logs (IP address, timestamp, path, response code). We use these for security, debugging, and rate-limiting. Logs are retained for up to 30 days.

7. Third parties we use

The site runs on the following providers:

  • Vercel — hosting and edge network.
  • Vercel Blob — storage of published profile JSON.
  • Neon — managed Postgres database for accounts.
  • Resend — sending sign-in emails.
  • Sentry (optional, only when configured by the operator) — server-side error monitoring. Receives stack traces and request paths from uncaught errors. Does not receive profile content, signals, or PII beyond what appears incidentally in an error message.

Each processes the minimum data needed to provide their service. They do not receive your reactions, conversations, or local profile data, because we don't have those either.

8. What published profiles contain

A published profile contains the rendered prompt, the structured rules behind it, the metrics summary, and any templates you included. It does not contain raw signals, AI response text, conversation transcripts, or your version history metadata.

9. Sharing and disclosure

We don't sell or rent any data. We disclose to third parties only when (a) you publish or push a profile, in which case the shared copy becomes accessible at its URL; or (b) we are required to comply with valid legal process.

10. Your rights

You can:

  • Export your data. Self-service from /settingsExport your data. Returns a JSON archive of everything we have on you.
  • Delete your account. Self-service from /settingsDelete my account. This is immediate and irreversible: your account, named profiles, every pushed version, and all tokens are removed, and the published Blob payloads are deleted.
  • Revoke API tokens. Anytime from /settings.
  • Anonymous publishes are immutable. Profiles shared via the anonymous flow (/p/<hash>) are content-addressed and not linked to any account by design — we cannot identify you as the publisher, and we cannot delete one on your request unless you provide the hash. Treat anonymous publish URLs as permanent. If you need deletion later, use a named push under your account instead.
  • Object or restrict processing. Email us; we will respond within 30 days.

11. Data retention

Account data is retained while the account is active. Server logs: up to 30 days. Sign-in tokens: invalidated after use or after 24 hours, whichever is first. Published profiles: retained until you delete them, or in the anonymous case, indefinitely (they are immutable by design). Pending CLI / MCP signals are deleted as soon as a drainer marks them consumed; if no drainer runs, they remain in the queue until your account is deleted. Waitlist emails are retained until you ask us to remove them, or until you create an account (at which point the email graduates into your account record). Sentry events (if enabled) follow Sentry's default 90-day retention.

12. Children

Cotext is not directed at children under 13 (16 in some jurisdictions). Don't use it if you're under that age.

13. International transfers

Our providers may process data in the United States or the EU. Where required, they have appropriate transfer mechanisms in place.

14. Changes to this policy

We'll update the date at the top when this changes. Material changes will also be announced on the homepage.

15. Contact

Privacy questions, data requests, or anything else: privacy@cotext.io.