Privacy Policy

  • Last updated: 2026-04-26
  • Effective: 2026-04-26

1. About This Policy

Coshe ("Coshe", "we", "us", or "our") is operated as a sole proprietorship by an individual operator based in Hong Kong SAR.

For the purposes of the EU and UK General Data Protection Regulation (collectively, "GDPR") and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA"), the operator acts as the data controller of personal information processed through coshe.app and my.coshe.app. As Coshe is operated from Hong Kong SAR, our processing is also subject to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, "PDPO").

The operator may transfer the operation to a corporate entity in the future. We will update this section accordingly when that happens.

This Privacy Policy applies to coshe.app, my.coshe.app, and any related Coshe-branded services. It does not apply to a Coshe browser extension, should one become available; a separate privacy policy will govern any such extension (see §15).

If you have questions about this Policy, contact us at support@coshe.app.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and avatar image. Depending on how you sign up, this information may come either from a form you fill in directly, or from your Google account if you sign in with Google.

2.2 Content You Provide

When you use Coshe, you provide content for processing, including:

  • Files you upload (such as PDFs, Word documents, Excel spreadsheets, images, and CSV files) for AI extraction.
  • Sheet headers and prompts that you configure to drive extraction logic.
  • Google Sheets and files that you explicitly select via the Google Picker, or that Coshe creates on your behalf in your Google Drive.

2.3 Service Usage Data

We retain operational records about your use of the service, including task history, credit logs, error logs, and request logs. These records are kept for diagnostics, billing, and security purposes.

2.4 Payment Data

Payments are processed by Stripe. We do not collect, store, or have direct access to your full payment card details (such as the full card number or CVV). Through Stripe, we receive only a Stripe customer ID, the last four digits of your card, the card brand, and billing event records (such as subscription status changes and invoices).

2.5 Cookies and Analytics

With your consent, we use cookies and analytics services to understand how Coshe is used. See §7 below for details.

2.6 Information from Third Parties

When you sign in with Google, we receive your Google account ID, email address, and basic profile information from Google's OAuth service.

3. How We Use Your Information

We use the information described above for the following purposes:

Purpose | Legal basis under GDPR
Providing the Coshe service (AI extraction, writing results to your Google Sheet) | Performance of a contract
Account management and authentication | Performance of a contract
Billing and subscription management | Performance of a contract / Legal obligation (tax records)
Security and abuse prevention | Legitimate interests
Service notifications (such as password resets and account-related emails) | Performance of a contract
Service improvement (web analytics, session replay) | Consent (only when you accept analytics cookies)
Compliance with legal obligations | Legal obligation

We do not use your information for advertising or for sale to third parties.

4. AI Processing of Your Content

Coshe is an AI-assisted data extraction tool. Processing your content with an AI model is the core of the service, so we explain this in detail.

4.1 What we send to AI models

When you create a task, we send the content of the files you upload, together with extraction instructions derived from your sheet's headers, to our AI model provider for processing. The provider returns extracted results, which we deliver back to you.

4.2 Current LLM provider

Our current LLM provider is Google Gemini, accessed through Google Cloud's paid API. We may engage additional providers in the future and will update this Policy and the Subprocessor List before doing so.

4.3 Our commitments

  1. We do not use your content to train AI models. We have engaged Google Gemini under terms which, according to Google's published policy for the paid Gemini API, exclude API traffic from being used to train Google's models. We rely on Google's continued adherence to those terms; users seeking the most up-to-date detail should review Google's terms directly (see the link in §4.4).

  2. Beyond fulfilling the specific task you submitted, we do not analyze, profile, or otherwise repurpose your file content for advertising, training, or any other secondary use.

  3. As a matter of policy, we do not routinely review files you upload. Operational personnel may access stored data only when strictly necessary — for example, to investigate a technical issue you have reported, to prevent abuse of the service, or to comply with a legal obligation. Such access is limited to the minimum required.

  4. Files you upload are configured to be automatically deleted from our storage within approximately 36 hours, via an automated lifecycle policy on our object storage. After this window, only task metadata (such as filename, processing status, and the results returned to you) is retained as part of your task history. The 36-hour window is a target enforced by automated infrastructure; we do not guarantee precise deletion timing or recovery from third-party backups beyond this window.

4.4 How Google Gemini handles your content

Once your content reaches Google Gemini, its handling is governed by Google's terms for the paid Gemini API and applicable Google Cloud data processing agreements. According to those terms, Google does not use paid API content to train its models and retains processing data only as needed for service operation.

For the most authoritative information, see Google Cloud's data processing addendum: https://cloud.google.com/terms/data-processing-addendum (link confirmed at the time of publication; refer to Google's current terms for authoritative information).

4.5 How to withdraw or delete

You can delete a task at any time through the application, which removes its associated metadata from your account. To delete your account and request removal of associated data, contact us at support@coshe.app (see §11). Note that data already transmitted to and processed by our AI provider remains subject to that provider's retention practices, which we do not directly control.

5. Google Workspace Integration

If you use Coshe with your Google account, we read from and write to your Google Sheets and Google Drive on your behalf, strictly within the scope you have authorized.

We use the drive.file scope, the most restrictive Google Drive scope. This means we can only access Google Sheets and files you explicitly select via the Google Picker, or files Coshe creates on your behalf. We do not have access to your full Drive contents, your other Sheets, your Gmail, your Calendar, or any other Google service.

Coshe's use and transfer of information received from Google APIs to any other party will adhere to Google API Services User Data Policy, including the Limited Use requirements.

You can revoke Coshe's access to your Google account at any time at https://myaccount.google.com/permissions.

6. How We Share Your Information

We do not sell your personal information.

We share your information with the following categories of recipients, only as necessary to operate the service:

  • Subprocessors — third-party service providers that help us run Coshe (such as cloud infrastructure, AI inference, payment processing, and analytics). See our Subprocessor List for the current list of subprocessors, including their roles, data categories, and regions. We have entered into data processing agreements with each subprocessor where required by applicable law.

  • Legal disclosure — we may disclose information if required by law, subpoena, court order, or other lawful request, or to protect the rights, property, or safety of Coshe, our users, or others.

  • Business transfers — if Coshe is acquired, merged, or otherwise transferred, your information may be transferred to the receiving party. In such a case, we will notify you and ensure that the receiving party honors this Privacy Policy or provides equivalent protections.

7. Cookies and Analytics

Coshe uses two categories of cookies:

  • Strictly Necessary cookies are required for Coshe to function and cannot be disabled. These include authentication tokens (tokens), CSRF protection (csrf), and the cookie consent state itself (coshe_consent).

  • Analytics & Performance cookies help us understand how Coshe is used so we can improve it. They are loaded only after you grant consent. This category includes:

    • Google Analytics 4 (_ga, _ga_*) — aggregated traffic and event statistics.
    • Microsoft Clarity (_clck, _clsk) — session replay and heatmap analytics, which capture anonymized recordings of how users interact with our pages.

You can manage your cookie preferences at any time via the Cookie Settings link in our footer or in your account profile, which opens the Cookie Preferences modal. From there you can grant or revoke analytics consent. When you revoke analytics consent, we instruct your browser to clear the corresponding cookies and reload the page so that analytics scripts stop running immediately.

For complete details about each cookie (name, purpose, and duration), please refer to the Cookie Preferences modal, which we keep authoritative and in sync with our actual implementation.

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy:

Category | Retention
Files uploaded for AI processing | Approximately 36 hours, then automatically deleted
LLM provider transient processing data | According to the provider's terms (Google Gemini's paid API retains data only as needed for service operation)
Task metadata (filename, status, results) | Until you delete the task or your account
Account information (email, display name, avatar) | Until account deletion
Stripe billing records | 7 years (to meet tax and accounting record-keeping obligations)
Server logs (request, error) | Approximately 90 days, for operational diagnostics and security
Analytics data (Google Analytics, Microsoft Clarity) | According to the provider's standard retention; Coshe does not extend or override these defaults
Cookies | According to the duration shown in the Cookie Preferences modal for each cookie

9. Where Your Data Is Processed

Coshe is operated from Hong Kong SAR, but our infrastructure is hosted with cloud providers primarily in the United States:

  • Application infrastructure (compute, primary database, file storage): Amazon Web Services, US West (Oregon, us-west-2).
  • LLM processing: Google Cloud (Gemini API), primarily US data centers.
  • Payment processing: Stripe (global infrastructure).
  • Web analytics: Google (GA4) and Microsoft (Clarity), global infrastructure.

By using Coshe, you acknowledge that your personal information may be transferred to, stored, and processed in the United States and other jurisdictions, which may have data protection laws different from those in your country of residence.

For users in the EU, EEA, the UK, and other regions where cross-border transfer requires safeguards, we rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms provided by our subprocessors (such as AWS's and Google's Data Processing Addenda) to safeguard international transfers as required by GDPR.

10. Security

We take reasonable technical and organizational measures to protect your information:

  • In transit, data is encrypted using TLS 1.2 or higher.
  • At rest, data in our databases and object storage is encrypted using AES-256 encryption provided by the underlying infrastructure.
  • Access to production data is limited to the operator and is granted only on the basis of operational need, following the principle of least privilege. As we grow, we will extend this with role-based access controls.

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

In the event of a personal data breach affecting your information, we will notify you and the relevant supervisory authorities as required by applicable law (within 72 hours under GDPR, where applicable).

11. Your Privacy Rights

11.1 Universal rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you;
  • Erase ("right to be forgotten") personal information we hold about you;
  • Port ("right to data portability") your personal information in a structured, commonly used, machine-readable format;
  • Rectify inaccurate personal information;
  • Object to certain processing activities;
  • Restrict processing of your personal information in certain circumstances.

11.2 If you are in the EU, EEA, or UK (GDPR)

In addition to the universal rights above, you have the right to:

  • Withdraw consent at any time, where processing is based on consent (such as analytics cookies);
  • Lodge a complaint with your national or regional data protection supervisory authority if you believe our processing of your personal information infringes GDPR.

11.3 If you are a California resident (CCPA / CPRA)

In addition to the universal rights above, you have the right to:

  • Know the categories of personal information we collect, the sources from which we collect it, the purposes for which we use it, and the categories of third parties with whom we share it;
  • Opt out of the sale or sharing of your personal information — though as noted in §6, we do not sell your personal information;
  • Non-discrimination — we will not discriminate against you for exercising any of your rights under the CCPA.

We do not disclose personal information to third parties for their direct marketing purposes; California's "Shine the Light" law does not apply to our practices.

11.4 If you are in Hong Kong (PDPO)

You may contact us with any data access or correction request under the PDPO. If you believe we have failed to comply with the PDPO, you may also lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) at https://www.pcpd.org.hk/.

11.5 How to exercise your rights

To exercise any of the rights above, send a request to support@coshe.app from the email address associated with your Coshe account. We will respond within 30 days.

We may need to verify your identity by asking for additional information before fulfilling certain requests, particularly account deletion or data export. We do not charge a fee for handling reasonable requests, and we will not discriminate against you for exercising your rights.

12. Children's Privacy

Coshe is intended for users 16 years of age or older. We do not knowingly collect personal information from children under 16. If we become aware that we have collected information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact support@coshe.app.

13. Sensitive Information You Should Not Upload

Coshe is a general-purpose data extraction tool. It is not designed for, certified to handle, or contractually bound to protect the following categories of highly sensitive information:

  • Protected Health Information (PHI) subject to HIPAA — we are not a HIPAA Business Associate and have not entered into a Business Associate Agreement.
  • Payment card data within PCI DSS scope (full PAN, CVV, magnetic stripe data, etc.) — for billing matters, please use Stripe's hosted Checkout and Customer Portal.
  • Government-classified or export-controlled material.
  • GDPR Article 9 special categories of personal data — including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, data concerning health, and data concerning a person's sex life or sexual orientation.
  • Information subject to legal privilege or professional confidentiality (such as attorney–client privileged communications or doctor–patient confidentiality).

By uploading content to Coshe, you confirm that you are authorized to do so and that you are not uploading information you cannot share with third-party AI service providers under your own legal or contractual obligations. If you require a service certified to handle the above categories, Coshe is not the right product for that use case.

14. International Users

Coshe is operated from Hong Kong SAR, with primary infrastructure in the United States. If you access Coshe from outside these regions, your data will be transferred to and processed in these jurisdictions. By using Coshe, you consent to this transfer. See §9 for details on the safeguards we apply.

15. Browser Extension

Coshe may offer an optional browser extension in the future. Because browser extensions have specific data handling characteristics (such as host permissions, active tab data, and local storage), any such extension will be governed by a separate privacy policy. This Privacy Policy does not cover any browser extension.

Coshe may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties, and we recommend you review their privacy policies before providing any personal information.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically. Your continued use of Coshe after a Policy update constitutes acceptance of the revised terms.

18. Contact Us

For any question, request, or complaint relating to this Privacy Policy or your personal information, please contact us at:

support@coshe.app

If you wish to lodge a complaint with a supervisory authority, you may contact:

  • For users in the EU, EEA, or UK: your national or regional data protection authority.
  • For California residents: the California Attorney General (https://oag.ca.gov/contact).
  • For Hong Kong residents: the Office of the Privacy Commissioner for Personal Data, Hong Kong (https://www.pcpd.org.hk/).