Privacy Policy

Last updated: 2026-05-19

1. Privacy at a Glance

Here's the short version. The rest of this page is the full legal detail.

What we collect | Why | Who we share with
Account info | Log you in, bill you | Supabase, Vercel
Brand assets you upload | Generate your content | OpenAI, Anthropic, Google
Usage analytics | Improve the product | Mixpanel + Google Analytics (opt-in only)
Session replay | Debug UX issues (separate opt-in; masked, with billing/integrations/admin/brand-KB never recorded) | Mixpanel (separate opt-in only)
Error logs | Fix bugs | Sentry (no PII, no IP)
Advertising / marketing | Measure ad campaigns, build remarketing audiences | Google Ads (opt-in only; anonymous conversion pings otherwise)

We do not sell your data. You can export or delete your account at any time from Settings → Privacy.

2. Who We Are

Coolest.Agency is operated by Kobi Projects Management, registered at Begin 13 St., Yahud, Israel 5647807. We are the data controller for the personal data described in this policy.

For any privacy question, contact admin@coolest.agency. For legal notices, contact admin@coolest.agency.

3. Our EU Representative

Under Article 27 of the GDPR, we have appointed an EU representative for individuals in the European Economic Area to contact about their personal data:

Kobi Levi, Begin 13 St., Yahud, Israel — admin@coolest.agency

4. Information We Collect

We collect the following categories of information:

  • Account data: name, email address, and password when you register.
  • Brand assets: documents, guidelines, and files you upload to build your knowledge base.
  • Integration credentials: API keys and tokens for third-party services (WooCommerce, WordPress, Buffer, Google Ads, Meta Ads). These are encrypted at rest.
  • Usage data: pages visited, features used, content generated, and publishing activity.
  • Performance data: analytics from connected platforms (e.g. WooCommerce sales, social reach via Buffer) used to generate reports and improve your content plan.

5. How We Use Your Information

  • To generate, schedule, and publish content on your behalf.
  • To build and maintain your brand knowledge base.
  • To provide performance analytics and monthly content planning.
  • To operate, maintain, and improve the platform.
  • To send transactional emails (account setup, publishing confirmations, alerts).
  • To comply with legal obligations.

We do not sell your data to third parties.

6. Legal Bases for Processing

If you are in the EEA or UK, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): to create your account, deliver the service, and process transactional emails such as publishing confirmations.
  • Legitimate interests (Art. 6(1)(f)): to secure the platform, prevent fraud, and operate error monitoring. You may object at any time. See Section 11.
  • Consent (Art. 6(1)(a)): for product analytics (Mixpanel + Google Analytics), optional session replay (Mixpanel — separate, granular opt-in), advertising and remarketing cookies (Google Ads — separate opt-in), and any future marketing communications. You can withdraw any of these at any time from Settings → Privacy.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and lawful-disclosure requirements.

7. Subprocessors

We use a small number of vetted third-party processors to operate Coolest.Agency. Each processor is bound by a Data Processing Agreement (DPA) and, where applicable, the EU–US Data Privacy Framework or Standard Contractual Clauses.

The full, current list with purpose, data categories, and location is published at /privacy/subprocessors. We notify users of material changes at least 14 days in advance by email or in-app notice.

Regarding AI providers (OpenAI, Anthropic, Google): prompts and brand context may be transmitted strictly for content generation. We contractually prohibit these providers from using customer data to train their models.

8. International Data Transfers

Most of our subprocessors are located in the United States. When we transfer personal data from the EEA or UK to the US, we rely on one of the following safeguards:

  • The EU–US Data Privacy Framework for processors that are certified under it.
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) combined with supplementary technical and organisational measures, for processors that are not.

For transfers from the UK, we rely on the UK International Data Transfer Addendum to the SCCs.

9. Data Security

We implement industry-standard security measures including encryption at rest (via pgcrypto), encrypted connections (TLS), and row-level security on all tenant data. Access to your data is restricted to your account only. Despite these measures, no system is completely secure and we cannot guarantee absolute security.

10. Data Retention

We retain your data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where retention is required by law or legitimate business purposes (e.g. billing records).

11. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Restrict or object to certain processing activities.
  • Receive your data in a commonly used format (data portability).
  • Withdraw any consent you previously gave, without affecting prior lawful processing.

You can exercise most of these rights directly in the app at Settings → Privacy. For anything else, contact admin@coolest.agency. We respond within 30 days.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu. UK residents can contact the ICO at ico.org.uk.

12. California Residents (CCPA / CPRA)

If you are a California resident, this section supplements the rights above.

Categories of personal information we collect: identifiers (email, name), commercial information (plan, billing), internet activity (usage analytics where you have opted in), professional information (role, company context), and inferences drawn from these categories to operate the platform.

Categories of sensitive personal information: account credentials (encrypted) and the contents of brand materials you choose to upload.

Sale or sharing: we do not sell personal information. If you opt in to advertising cookies via our consent banner, Google Ads receives conversion and remarketing data, which under California law may qualify as “sharing” for cross-context behavioural advertising. You can opt out at any time from Settings → Privacy or by toggling the “Advertising” preference in the consent banner. Without that opt-in, Google Ads receives only anonymous, cookieless conversion pings (Consent Mode v2) that do not identify you. We also honour the Global Privacy Control (GPC) browser signal as an opt-out.

Your rights: the right to know, right to delete, right to correct, right to limit the use of sensitive personal information, and the right to opt out of sale or sharing. Exercise any of these via Settings → Privacy or by emailing admin@coolest.agency. You can authorise an agent to act on your behalf; we will verify their authority before acting.

Retention: we retain personal data while your account is active and for up to 30 days after closure, except where a longer period is required by law (e.g., tax records).

13. Other US State Residents

Residents of Colorado, Connecticut, Virginia, Texas, Oregon, Delaware, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Iowa, Indiana, Kentucky, Rhode Island, Tennessee, and Utah have rights similar to those in Section 11 under their respective state privacy laws. We honour verified requests through the same Settings → Privacy flow or by email to admin@coolest.agency.

We honour the Global Privacy Control (GPC) browser signal as an opt-out preference signal wherever applicable.

14. Cookies

We use essential cookies for authentication and session management. We also use analytics cookies (Mixpanel + Google Analytics) to understand how the platform is used, a separate Mixpanel cookie for optional Session Replay if you have opted in to that specifically, and advertising cookies (Google Ads) if you have opted in to Advertising. None of these are loaded until you opt in via the consent banner or Settings → Privacy. You can change your preferences at any time from Settings → Privacy.

Advertising cookies (only set if you opt in):

  • _gcl_au — Google Ads conversion linker (90 days)
  • _gac_* — Google Ads campaign attribution (90 days)
  • IDE, test_cookie — DoubleClick / Google Ads remarketing (up to 13 months)
  • NID — Google preferences for Ads personalisation (6 months)

If you have not opted in, Google Ads runs in Consent Mode v2 — it receives anonymous, cookieless conversion pings only, and none of the cookies above are written to your device.

15. Session Replay (Optional)

Session Replay is an optional feature that lets us anonymously play back how you interacted with the dashboard (clicks, scrolls, navigation) so we can debug UX issues and fix workflow friction. It is off by default and is governed by a separate consent in the cookie banner — accepting product analytics does not turn on session replay. You can turn it off again at any time from Settings → Privacy.

What we record (when you opt in):

  • Mouse movement, clicks, scrolls, keyboard navigation, page transitions, and the visual structure of the page.
  • Anonymised page text on screens we have explicitly whitelisted as safe (navigation, sidebar, dashboard counters, button labels).

What we do NOT record, even when you opt in:

  • The contents of any input field, textarea, or password — Mixpanel masks these by default.
  • Email, telephone, hidden, and any input with a browser autocomplete attribute (always masked).
  • Brand assets you have uploaded (images and the surrounding wrappers are blocked).
  • Generated content drafts, headlines, and AI output.
  • Integration credentials (WooCommerce, WordPress, Buffer, Google Ads, Meta Ads — including masked-tail displays such as ••••1234).
  • Payment forms and the entire Hyp / Meshulam / Grow billing iframe.

Pages that are NEVER recorded (the recorder is fully off, regardless of consent):

  • /settings/integrations and any sub-route — raw API credentials are entered here
  • /settings/users — member email directory
  • /admin — builder-only cross-tenant administration
  • /brand-kb — client brand asset management
  • /onboarding, /auth, /login, /set-password — credential entry

Forms we DO record (with consent), with all sensitive data masked:

  • Account creation (/signup): we record the flow so we can fix sign-up friction. Email and password inputs are masked, and your email address is hidden on the confirmation screen.
  • Billing and plan changes (/settings/billing and the plan-checkout flow): saved card details, billing contact, and payment history are masked. Card entry itself happens only on our payment provider's own page, never on ours, so card numbers are never recorded.

Where it is stored: Mixpanel EU (Frankfurt). Recordings are subject to Mixpanel's session replay retention (typically 30 days) and inherit our DPA.

Legal basis: Your consent under Art. 6(1)(a) GDPR / Art. 82 of the French Data Protection Act. We have aligned the implementation with the CNIL's February 2026 draft recommendation on session replay (purpose limitation, data minimisation, prior consent, and the exclusion or masking of credential, payment, and other sensitive data).

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the service after changes take effect constitutes your acceptance of the updated policy.

17. Contact

For any privacy-related questions, contact us at admin@coolest.agency. For legal notices, contact admin@coolest.agency.
