Privacy policy
June 26, 2026
Cotool, Inc. (“Cotool,” “we,” “us,” “our”) builds AI tools that help security teams protect their cloud applications (the “Service(s)”). We collect the minimum information needed to operate our Services, and we do not sell your personal data. This policy explains what we collect, how we use it, and the choices you have.
Where we process data on behalf of our enterprise customers, we act as their service provider/processor — see “Our role as a data processor” below.
Information we collect
- Website and inquiry data: when you visit our site, request a demo, or contact us, we collect your IP address, browser and device details, pages visited, and any details you choose to provide (such as name, email, phone, company, and role).
- Account data: when you register for the Services, we collect information such as your email and password to administer your account and provide support.
- Payment data: we use third-party payment processors and do not store full payment card numbers; that information goes directly to the processor and is governed by its privacy policy.
- Customer cloud application data: metadata, content, permissions, and access settings from your connected cloud applications, which may contain personal data. We process this on behalf of, and under the instructions of, our customers (see “Our role as a data processor”).
How we use your information
We use the information we collect to provide, secure, and improve the Services; to take action on your behalf to maintain the security of your cloud environment; to respond to your inquiries and support requests; to communicate with you about your account and the Services; and to meet our legal obligations.
If you are in the EEA, the UK, or Switzerland, we process your personal data on the basis of contract, our legitimate interest in operating and securing the Services, your consent (where required), and compliance with legal obligations. You may withdraw consent at any time.
What we don't do
- We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising.
- We do not use information collected through the Services to develop, improve, or train generalized AI or ML models. Processing is limited to providing and improving the specific Services we deliver to you and our customers.
Cookies
We use cookies and similar technologies that are strictly necessary to operate the website and to register for and connect to your account, and — with your consent where required — analytics cookies that help us understand and improve how the site is used. You can manage your preferences through our cookie banner or your browser settings. If you disable cookies you can still browse our site, but registering for and using the Services requires them.
Our role as a data processor
Our enterprise customers may use the Services to process their organization's cloud application data, which may contain your personal data. We process that data on their behalf, governed by our agreements with them (including our Data Processing Agreement), not this policy. If you have questions about that data or want to exercise your rights, contact the customer (the data controller) that engaged us. We assist our customers with such requests as required by our agreements.
Sharing and subprocessors
We share personal data only with trusted subprocessors that help us operate our Services and that are bound to keep it confidential and process it only on our instructions. Our current subprocessors are listed at cotool.ai/subprocessors. We may also disclose information where required to comply with law or to protect the rights, property, or safety of Cotool or others. If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, as permitted by law.
International data transfers
Our production data centers are in the United States, and your personal data may be processed there. Where we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy determination, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable). Contact us for more information.
Data retention and deletion
We retain personal data for as long as you use the Services or as needed to fulfill the purposes described here, comply with our legal obligations, resolve disputes, and enforce our agreements. After you terminate the Services, we delete the associated personal data within 60 days, except where we are required to retain it by law. Once deleted, it cannot be restored. You may request transfer of your personal data on termination by contacting us.
Security
We use industry-standard safeguards to protect your data, including encryption in transit and at rest, least-privilege access with multi-factor authentication, continuous monitoring, and annual third-party penetration testing. We maintain a SOC 2 Type II program. If a breach affects your personal data, we will notify affected customers without undue delay. More detail about our security program is available in our Trust Center.
Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority. To exercise these rights, contact us using the details below, and we will respond as required by applicable law. We will not discriminate against you for exercising your rights. Where we process data on behalf of a customer, we will route your request to that customer.
If you are a California resident, you have rights under the CCPA/CPRA to know, delete, and correct your personal data and to opt out of its sale or sharing. As noted above, we do not sell your personal data or share it for cross-context behavioral advertising. You may use an authorized agent to submit a request, and we will verify it as required by law.
Children's information
The Services are not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us personal data, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the version and effective date above and, where appropriate, provide additional notice. Continued use of the Services after an update takes effect constitutes acceptance of the revised policy.
Contact us
Cotool, Inc. · 2130 Bay St., San Francisco, CA 94123 · legal@cotool.ai
Data Protection Officer / Privacy contact: Max Pollard, Chief Executive Officer — legal@cotool.ai