Privacy Policy.
Your data is not the product. cohost is bootstrapped + family-operated; we don't sell data to advertisers, brokers, or AI training sets. What we collect, who we share it with, how long we keep it, what you can do about it — all of it below.
1. Who controls your data
The data controller responsible for your personal data is cohost. In this Policy, "cohost," "we," "us," and "our" refer to the cohost service. For any privacy request, contact support@cohost.com.
2. What we collect
You provide: email, role (investor / municipal / agent / host / etc.), jurisdiction (where applicable), permit application content, complaints you submit, listings you scrape from public OTAs, your password (stored only as an argon2id hash; we never hold the plaintext and cannot recover it). Optionally for Compliance customers: SSO data via Google OAuth (email + name).
We collect automatically: pages visited (via Plausible — cookie-free, no fingerprinting), IP address at the edge (Cloudflare, dropped after 24h), affiliate click events (which lender / OTA you clicked through to, for attribution), Sentry error reports when something breaks (PII-scrubbed). When Silver launches: Stripe processes payment data; we see the last 4 digits + expiry, never the full card.
We do not collect: location beyond the city you searched for, contact lists, microphone / camera input, third-party analytics (no Google Analytics, no Facebook Pixel, no Meta SDK).
3. Who we share data with
Subprocessors: Stripe (payments), Twilio (SMS / hotline — opt-in per jurisdiction only), Lob (certified mail for enforcement notices, opt-in), Accela / Tyler / OpenGov (permit-system exports, opt-in), Mapbox (maps), Plausible (analytics), Cloudflare (edge + DNS), Turso (database hosting), Cloudflare R2 (object storage, accessed over its S3-compatible API), Sentry (error tracking when DSN is set).
Jurisdictions: when you submit a permit application, the application is shared with the issuing jurisdiction (that's the whole point of the application). Complaints you submit are shared with the jurisdiction whose hotline you contacted, per ADR 0008's opt-in posture.
Aggregated / anonymized: aggregated market statistics (e.g. "occupancy rate for Sarasota in Q2") may appear in editorial content. No individual property or person is identifiable.
We do not: sell data to advertisers / data brokers / AI training sets / political campaigns. Period. If we ever change this, we will email registered users 30 days in advance and the change requires opt-in, not opt-out.
4. How long we keep it
| Data | Retention |
|---|---|
| Account email + role | Until you delete the account. |
| Compliance audit log | 7 years (matches typical state recordkeeping rules) or until the host opts to delete the related listing record. |
| Permit applications | For the life of the permit + 3 years post-expiry. |
| Twilio voicemail recordings | 90 days at Twilio CDN; 1 year in R2 if the operator has enabled the M4 archive. |
| Affiliate click events | 24 months. |
| Plausible analytics | 24 months, aggregated, no PII. |
| Sentry error reports | 90 days, PII-scrubbed. |
| Backups | Rolling 30-day window in R2. |
5. Your rights
Anyone: request an export of your data (email support@cohost.com — we send it within 5 business days). Delete your account at any time via Settings.
GDPR (EU + UK residents): right to access, rectify, port, restrict, and erase your personal data; right to withdraw consent for any opt-in feature; right to lodge a complaint with your supervisory authority. We respond to GDPR requests within 30 days.
CCPA / CPRA (California residents): right to know what we collect, right to delete, right to opt out of sale (we do not sell — see § 3 — but the right exists). Submit via email; we verify identity via a second-factor email confirmation.
Children: cohost is not directed at children under 13. We do not knowingly collect from them. If we learn we did, we delete.
6. Cookies + tracking
We use one cookie: a signed session cookie (cohost_session), set only when you sign in. In production it is configured with the Secure and SameSite=Lax attributes. We do not use third-party cookies, advertising cookies, or fingerprinting.
Plausible Analytics is cookie-free by design: it identifies a visitor by a hash of (IP + User-Agent + daily salt). The salt rotates every 24 hours, so the identifier cannot be linked across days. The Plausible script is loaded only when COHOST_PLAUSIBLE_DOMAIN is set in production.
7. Data security
Passwords are hashed with argon2id (industry-standard, memory-hard and deliberately slow). All traffic is HTTPS in transit (TLS 1.3). At rest: Turso for relational data (encrypted at rest), R2 for objects (encrypted at rest). Production secrets are stored in the host's secret manager (Fly Secrets / Cloud Run Secret Manager), not in the repo.
A Cloudflare Worker fronts the production origin and HMAC-signs every request it forwards; the Python container rejects any request without a valid signature, so traffic cannot bypass the Worker's edge controls by reaching the origin directly.
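The origin-side check described above, as an added illustration rather than cohost's own code. The page does not document the signing contract, so the header names, the canonical string (method, path, timestamp, SHA-256 of the body) and the 300-second freshness window are assumptions made here; they are the pieces a practitioner would want so that a captured signature cannot be replayed against a different path, body or time, and the comparison is constant-time.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Header names are assumptions for this example, not the documented contract.
SIG_HEADER = "X-Origin-Signature"
TS_HEADER = "X-Origin-Timestamp"


def _canonical(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Bind the MAC to method, path, time and an exact body digest."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """What the edge (Worker) side does before forwarding a request."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret, _canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {TS_HEADER: ts, SIG_HEADER: mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None,
                   max_skew: int = 300) -> bool:
    """What the origin container does: reject anything not freshly signed."""
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if not ts or not sig:
        return False  # unsigned request, e.g. a direct hit on the origin
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts_int) > max_skew:
        return False  # stale or far-future timestamp: treat as a replay
    expected = hmac.new(secret, _canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a forged header cannot leak timing
    # and a non-ASCII header value cannot raise.
    return hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed sample request for a local demonstration.
    secret = b"shared-secret-from-the-secret-manager"
    body = b'{"permit": "demo"}'
    hdrs = sign_request(secret, "POST", "/api/permits", body)
    print("signed:", verify_request(secret, "POST", "/api/permits", body, hdrs))
    print("tampered body:", verify_request(secret, "POST", "/api/permits", b'{"permit": "x"}', hdrs))
    print("unsigned:", verify_request(secret, "POST", "/api/permits", body, {}))
```

The shared secret lives in the same secret manager as the rest of production configuration; rotating it means updating both the Worker and the container, so keep the verifier able to accept an old and a new key for the rotation window.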
8. International transfers
cohost is hosted in the United States. If you use cohost from the EU / UK, your data is transferred to the US under Standard Contractual Clauses where applicable.
9. Changes
We will email registered users when this Policy changes in a way that affects rights. The last_updated date reflects the most recent change.
10. Contact
Privacy questions, data export requests, GDPR / CCPA requests: support@cohost.com. We read everything; we respond to most within a business day.