Coplanar

Privacy Policy

Effective Date: November 28, 2025

Last Updated: November 28, 2025

Introduction

Welcome to Coplanar ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered project planning application ("Service").

Please read this privacy policy carefully. By using Coplanar, you agree to the collection and use of information in accordance with this policy.

If you do not agree with this policy, please discontinue use of the Service immediately.

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Third-Party Services and AI Processing
  4. Hybrid Architecture and Data Flow
  5. Data Storage and Security
  6. Data Retention
  7. Your Privacy Rights
  8. International Data Transfers
  9. Cookies and Tracking Technologies
  10. Children's Privacy
  11. Changes to This Privacy Policy
  12. Contact Us

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Email address
  • Password (hashed using Argon2id, never stored in plain text)
  • Display name
  • Organization information (if applicable)

Planning Content:

  • Project plans and descriptions
  • Feature requests
  • Prompts and messages sent to AI services
  • Claude Code CLI conversation history
  • File attachments and project documentation

Workspace Information:

  • Repository paths and project locations (stored locally)
  • Workspace configurations and preferences

1.2 Automatically Collected Information

Usage Data:

  • Session information (authentication sessions, not Claude CLI sessions)
  • API usage metrics (request frequency, feature usage)
  • Error logs and diagnostic information
  • Browser type, device information, and IP address

Authentication Data:

  • Access tokens (RS256 JWT, 5-minute expiry)
  • Refresh tokens (hashed with Argon2id, 30-day expiry)
  • Session version numbers for token invalidation
  • Login attempt records and timestamps

Technical Data:

  • Claude CLI session metadata (session IDs, status, timestamps)
  • Plan execution metrics (turns, costs, completion status)
  • File storage paths and metadata (not file contents)

1.3 Information We Do NOT Collect

  • Payment information (no payment processing at this time)
  • Social Security numbers or government IDs
  • Health or medical information
  • Biometric data
  • Children's information (users must be 18+)

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Service Delivery

  • Account Management: Create and maintain your user account
  • Authentication: Verify your identity using JWT tokens and session management
  • Plan Creation: Process your planning requests through AI services
  • File Storage: Store plans, feature requests, and session data
  • Workspace Management: Track project mappings in our database

2.2 Service Improvement

  • Analytics: Understand how users interact with features
  • Performance Monitoring: Identify and fix technical issues
  • Feature Development: Prioritize new features based on usage patterns

2.3 Security and Compliance

  • Fraud Prevention: Detect suspicious activity and prevent abuse
  • Account Protection: Implement rate limiting and account lockout after failed login attempts
  • Audit Logging: Track security events for compliance and incident response
  • Session Versioning: Enable instant token invalidation on security events

2.4 Communication

  • Service Notifications: Send important updates about your account
  • Security Alerts: Notify you of suspicious activity
  • Feature Announcements: Inform you of new capabilities (with opt-out option)

2.5 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests and prevent harm
  • Enforce our Terms of Service

Legal Basis (GDPR):

  • Contract performance (account management, service delivery)
  • Legitimate interests (security, analytics, improvement)
  • Consent (marketing communications, optional features)
  • Legal obligation (compliance with laws)

3. Third-Party Services and AI Processing

Coplanar integrates with third-party services to provide functionality. When you use our Service, your data may be processed by these providers:

3.1 Anthropic Claude AI

Purpose: AI-powered project planning and code analysis

Data Shared:

  • Your prompts and planning requests
  • Project context you provide
  • Repository information (paths, file names, code snippets)
  • Conversation history within a planning session

How Data is Processed:

  • Your content is sent to Anthropic's API for AI processing
  • Anthropic processes data according to their Commercial Terms and Privacy Policy
  • Important: Anthropic does NOT use API data to train their AI models
  • Anthropic retains data for 30 days for trust and safety purposes, then deletes it
  • Data is processed on Anthropic's servers (U.S. and cloud infrastructure)

Your Control:

  • You control what prompts and content you send to Claude
  • You can delete planning sessions and conversation history
  • Conversation data is stored locally (if using Bridge Agent) or on our servers

Learn More: Anthropic Privacy Policy | Anthropic Commercial Terms

3.2 Vercel AI Gateway

Purpose: AI request routing and optimization

Data Shared: AI requests and responses, usage metrics and analytics

Privacy Policy: Vercel Privacy Policy

3.3 PostgreSQL Database Hosting

Purpose: Store user accounts, plans, and metadata

Data Shared: Account information, plan metadata and content, session data and audit logs

3.4 Hosting and Infrastructure

Purpose: Application hosting and delivery

Data Shared: All application data and user content

3.5 Analytics Services

Purpose: Understand usage patterns and improve the Service

Data Shared: Anonymized usage statistics, page views, feature usage

Privacy-Focused: We use privacy-focused analytics that do not track personal information

3.6 Email Service Provider

Purpose: Send transactional emails (password resets, notifications)

Provider: Resend

Data Shared: Email address, notification content

4. Hybrid Architecture and Data Flow

Coplanar uses a hybrid architecture that combines local and cloud processing. Understanding this distinction is important for your privacy:

4.1 Local-First Mode (Coplanar Agent)

When you use the Coplanar Agent running on your local machine:

What Stays Local:

  • Local Coplanar Agent runs entirely on your computer (localhost)
  • Communication between your browser and Coplanar Agent stays on your device
  • Claude Code CLI executes on your machine
  • Conversation files can be stored locally (optional)

What Goes to Cloud:

  • AI Processing: Claude Code CLI sends prompts to Anthropic's API for AI processing
  • Plan Storage: Completed plans are sent to our servers for storage and sync
  • Metadata: Session IDs, timestamps, and status information

4.2 Cloud Mode (Direct Backend)

When using Coplanar without the local Bridge Agent:

What Goes to Cloud:

  • All prompts and planning requests
  • Project context and repository information
  • Conversation history and session data
  • Plans and feature requests

4.3 Two Types of Sessions

Authentication Sessions:

  • User login/logout tracking
  • Stored in PostgreSQL sessions table
  • Managed by NextAuth.js

Conversation Sessions (Claude CLI):

  • Planning conversation history
  • Stored in data/sessions/ directory (file-based)
  • Will be migrated to plan_conversations database table

Important: These are separate concepts. Your authentication session tracks your login state, while conversation sessions track your interactions with Claude AI.

5. Data Storage and Security

5.1 How We Store Your Data

Database Storage (PostgreSQL):

  • User accounts and authentication data
  • Plan metadata and content
  • Feature requests and project mappings
  • Session data and audit logs

File-Based Storage:

  • Plans: data/plans/ (JSON and Markdown files)
  • Feature Requests: data/feature-requests/ (active and archived)
  • Conversation History: data/sessions/ (Claude CLI session files)
  • Prompt Enhancements: data/prompt-enhancements/ (user preferences)

5.2 Security Measures

We implement industry-standard security practices:

Authentication Security:

  • Argon2id password hashing (memory-hard, GPU-resistant)
  • RS256 asymmetric JWT signing for access tokens
  • Session versioning for instant token invalidation
  • Refresh token rotation with automatic cleanup
  • Account lockout after 5 failed login attempts (30-minute duration)
  • Rate limiting on authentication endpoints

Data Security:

  • Encryption in transit: HTTPS/TLS for all communications
  • Encryption at rest: Database encryption (provider-dependent)
  • Token encryption: Access tokens stored in encrypted session cookies
  • Secure headers: CORS, CSP, and other security headers configured

Access Controls:

  • Role-based access control (user, admin)
  • Session-based authorization
  • API token authentication for programmatic access
  • Input validation and sanitization

5.3 Data Backup and Recovery

  • Regular automated backups of database
  • Disaster recovery procedures in place
  • Backups encrypted and stored securely

5.4 Limitations

No system is 100% secure. While we implement robust security measures, we cannot guarantee absolute security. You are responsible for:

  • Keeping your password confidential
  • Using a strong, unique password
  • Logging out of shared devices
  • Reporting security concerns promptly

6. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

6.1 Active Account Data

While your account is active:

  • Account information: Retained indefinitely
  • Plans and feature requests: Retained indefinitely (or until you delete them)
  • Conversation history: Retained indefinitely (or until you delete them)
  • Session data: Authentication sessions expire after 30 days of inactivity

6.2 Inactive Accounts

If your account is inactive for an extended period:

  • We may send a notification before deletion
  • Account and associated data may be deleted
  • You can reactivate before deletion to preserve data

6.3 Deleted Account Data

When you delete your account:

  • Account information: Deleted within 30 days
  • Plans and conversations: Deleted within 30 days
  • Backups: Deleted in next backup cycle
  • Audit logs: Retained for compliance (anonymized if required)
  • Aggregated analytics: Retained (anonymized, no personal data)

6.4 Legal Holds

We may retain data longer if required by law, legal process, or to prevent harm.

7. Your Privacy Rights

Depending on your location, you may have the following rights:

7.1 Rights Under GDPR (European Users)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have these rights:

  • Right to Access: Request a copy of your personal data in structured, machine-readable format
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Restriction: Request we limit processing of your data
  • Right to Data Portability: Export your plans, conversations, and account data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for optional processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 Rights Under CCPA (California Users)

If you are a California resident, you have these rights:

  • Right to Know: Categories of personal information collected and purposes
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Note: We do NOT sell your personal information
  • Right to Non-Discrimination: Equal service regardless of privacy rights exercise

7.3 How to Exercise Your Rights

To exercise any of these rights:

  1. Email us: privacy@getcoplanar.com
  2. Use the in-app form: Settings → Privacy → Data Request
  3. Provide verification: We may request verification to protect your data

Response Time:

  • GDPR requests: Within 30 days
  • CCPA requests: Within 45 days (may extend to 90 days if complex)

No Cost: Exercising your rights is free (unless requests are excessive or unfounded)

7.4 Account Settings

You can manage some data directly in your account:

  • Profile Settings: Update name, email, password
  • Plan Management: View, edit, or delete plans
  • Data Export: Download your data as JSON/Markdown
  • Account Deletion: Delete your account and all data

8. International Data Transfers

Coplanar operates globally. Your information may be transferred to and processed in countries other than your own.

8.1 Data Transfer Mechanisms

For European Users:

  • We use Standard Contractual Clauses (SCCs) for transfers to non-EU countries
  • Our third-party processors (like Anthropic) also use SCCs
  • Data transfers comply with GDPR requirements

For All Users:

  • Data may be processed in the United States and EU
  • AI processing: United States (Anthropic servers)

8.2 Adequacy Decisions

Where possible, we rely on adequacy decisions by the European Commission for certain countries.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve the Service.

9.1 Types of Cookies We Use

Essential Cookies (Required):

  • Authentication: Session cookies for login state (NextAuth.js)
  • Security: CSRF protection tokens
  • Preferences: Language and theme settings

Analytics Cookies (Optional):

  • Usage Analytics: Understand feature usage and performance
  • Privacy-Focused: We use privacy-respecting analytics that do not track personal information

9.2 Your Cookie Choices

Managing Cookies:

  • Browser Settings: Block or delete cookies in your browser

Impact of Blocking Cookies:

  • Blocking essential cookies may prevent login and core functionality
  • Blocking analytics cookies will not affect Service functionality

9.3 Do Not Track

We do not currently respond to "Do Not Track" signals. We use privacy-focused analytics that minimize tracking.

10. Children's Privacy

Coplanar is NOT intended for children under 18 years of age.

  • Age Requirement: Users must be 18 years or older to use the Service.
  • No Knowing Collection: We do not knowingly collect personal information from children.
  • Parental Notice: If you believe a child has provided us with personal information, please contact us immediately at privacy@getcoplanar.com. We will promptly delete such information.
  • COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Notification of Changes:

  • Email Notification: For material changes, we will notify you by email
  • In-App Notification: Prominent notice in the application
  • Effective Date: Changes take effect on the updated "Effective Date" above

Your Continued Use: Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

Review Regularly: We encourage you to review this policy periodically.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Privacy Contact:

Data Protection Officer:

Response Time: We aim to respond to all inquiries within 5 business days.

Security Concerns: For security vulnerabilities, please email security@getcoplanar.com

Summary of Key Points

  • Account Data: We collect email, password (hashed), and profile information
  • AI Processing: Your prompts are sent to Anthropic's Claude API (they don't train on your data)
  • Hybrid Architecture: Local Bridge Agent keeps conversations local; cloud mode stores everything on our servers
  • Security: Argon2id password hashing, RS256 JWT tokens, encryption in transit and at rest
  • Your Rights: Access, delete, export, and correct your data (GDPR/CCPA compliant)
  • Third Parties: Anthropic (AI), hosting provider, database provider, analytics (privacy-focused)
  • Data Retention: Active accounts retained indefinitely; deleted within 30 days upon request
  • Age Requirement: 18+ only
  • International: Data may be processed in US/EU; SCCs for EU transfers
  • Contact: privacy@getcoplanar.com for questions

This Privacy Policy was last updated on November 28, 2025.

By using Coplanar, you acknowledge that you have read and understood this Privacy Policy.

← Back to Home