Legal

Privacy Policy

This is the plain-English version of how Coommit handles your data. We've kept it short on jargon and long on specifics. The same document, in legal form, is what governs your rights.

Effective May 15, 2026 · Last updated May 15, 2026

1. The basics

Coommit is a collaborative meeting workspace operated by TAAO, Inc., a Delaware C-Corporation. When we say "we," "us," or "Coommit" in this document, we mean TAAO, Inc.

You can reach us anytime at hello@coommit.com or by mail at 1007 N Orange St, 4th Floor 5510, Wilmington, DE 19801, USA.

This Privacy Policy covers our marketing site at coommit.com and our product at app.coommit.com (together, the "Services").

2. Our core privacy commitments

Coommit is built around seven commitments. The rest of this policy explains how we keep them.

  1. We never sell your data. Not to advertisers, brokers, or anyone else. Ever.
  2. We don't train our own AI models on your content. Coommit doesn't operate proprietary models. We orchestrate calls to providers you choose.
  3. You bring your own keys (BYOK). Your AI prompts go directly from our servers to your chosen provider, signed with your own API key. We hold the key encrypted; we never use it for anything besides routing your request.
  4. We delete inactive accounts after 12 months. If you stop using Coommit for a year, we erase your content.
  5. You can export and delete everything at any time. One click to delete your account, instant hard-delete cascade. No 30-day "grace" purgatory.
  6. No advertising, no advertising cookies, no third-party trackers beyond what's strictly needed. We use Google Analytics for product metrics. That's it. No ad networks.
  7. We're a small team and we know what we do with your data. If something below is unclear, email us and a real person will answer.

3. What we collect and why

3.1 Account information

When you sign up: your email address, name (if provided), a hashed password, your locale, your plan, and your subscription status. You may optionally connect Google or GitHub OAuth, in which case we receive your name, email, and avatar URL from those providers.

3.2 Content you create

Anything you put into Coommit: canvas elements (text boxes, images, embeds, sketches, tasks), chat messages, meeting transcripts, Loom-style recordings, Echo brain notes, files you upload, and your room settings. This is your content; you own it.

3.3 Calls and meetings

Audio: live call audio is streamed through our servers to Google Cloud Speech-to-Text for real-time transcription. The raw audio is never persisted on our infrastructure. It transits in memory and is discarded.

Transcriptions: the resulting text is stored in our database, attached to the room, until you delete it (or the 12-month retention runs).

Recordings: if you create a Loom-style recording, the video file is stored in our private cloud storage (Belgium region) and only accessible via short-lived signed URLs.

3.4 BYOK API keys

If you connect an Anthropic, OpenAI, or Google Gemini API key for Echo (our AI teammate), we store it AES-encrypted in our database. We only decrypt it in memory, briefly, to forward your request to the provider. We never log it, never share it, and never use it for anything you didn't initiate.

3.5 Integration tokens

If you connect Google Calendar or Calendly, we store the OAuth tokens needed to read and create events on your behalf. You can disconnect at any time from Settings. We hard-delete the tokens immediately.

3.6 Usage and analytics

We collect aggregated usage metrics: page views, feature usage, error reports, performance data. We use this to fix bugs and improve the product. See §6 for the tools involved.

3.7 Acquisition data

When you visit our marketing site or sign up to the waitlist, we log: referrer URL, UTM parameters, Google Click ID (gclid), approximate country (derived from IP; we don't store the IP itself long-term), and the user agent. This helps us understand how people find Coommit. Stored in your signup record.

3.8 Communications

Emails you send us at hello@coommit.com, support conversations, and your responses to product surveys.

What this means Two buckets: your content (rooms, calls, recordings, files; you own it, we hold it) and operational data (account, analytics, tokens; we need it to make Coommit work). We don't collect anything outside these two buckets.

4. AI providers and BYOK

Echo, Coommit's AI teammate, is powered by third-party large language models. Coommit doesn't train any AI models. We orchestrate calls to providers you choose, using your API keys.

4.1 How BYOK works

  1. You paste your API key into Settings → Echo → BYOK form.
  2. We encrypt it with AES (server-side secret) and store it in our database.
  3. When Echo runs, we decrypt your key in memory, send your request to the provider, and discard the key from memory.
  4. Your prompts (transcripts, canvas state, query) and the provider's response transit through Coommit's servers for orchestration only. We don't store the prompts beyond the brain-note summaries you opt into.
  5. If you haven't configured a key, Echo refuses to run. There is no fallback to a Coommit-owned key.

4.2 Supported providers

  • Anthropic (Claude models): Anthropic's commercial terms commit to not training on customer inputs or outputs.
  • OpenAI (GPT models): OpenAI's API data-usage policy commits to not training on data submitted via API.
  • Google Gemini: Google's paid API tier commits to no training. Important: if you use a free-tier Google AI Studio key, Google may use your prompts to improve their models, per Google's own terms. We show a warning when you paste a Gemini key, but the decision is yours.

4.3 What we send to providers

When Echo is invoked: the relevant transcript fragments, the current canvas state, your query, and our system prompt. Sent over TLS to the provider's API. Coommit doesn't add identifiers. The provider only sees what your key authenticates.

4.4 Other AI-related processing

Speech-to-text (Google Cloud STT) and text-to-speech (Google Cloud TTS) are run with our enterprise contracts, which prohibit training on customer audio.

What this means We're an orchestrator, not an AI lab. Your prompts go to your chosen model with your key. The big AI vendors don't train on API data by default, except Google's free-tier Gemini, which we warn you about.

5. Cookies and similar technologies

We use a minimal set of cookies and browser storage: strictly-necessary cookies (session, CSRF, referral attribution) and Google Analytics for product metrics. We do not run advertising cookies and have no third-party advertising trackers.

Full inventory: Cookie Policy.

6. Sub-processors we rely on

We rely on the following third parties to operate Coommit. They process your data on our behalf, under contracts that bind them to confidentiality and security standards comparable to ours.

6.1 Hosting and infrastructure

VendorPurposeRegion
Google Cloud PlatformApplication hosting (Cloud Run), database (Cloud SQL PostgreSQL), file storage (Cloud Storage), logging, monitoring, build pipelines, BigQuery (billing analytics)us-central1 (app), europe-west1 (database & file storage), europe-west9 (Gemini Live)

6.2 Real-time meetings & voice

VendorPurpose
MeteredTURN / STUN servers for WebRTC NAT traversal during calls
Google Cloud Speech-to-TextLive transcription of meeting audio
Google Cloud Text-to-SpeechEcho's spoken responses (voice synthesis)

6.3 AI providers (BYOK: you choose)

VendorPurpose
AnthropicClaude models (Echo chat); your key, your account
OpenAIGPT models (Echo chat); your key, your account
Google GeminiGemini models & embeddings (Echo chat & memory); your key, your account

6.4 Authentication

VendorPurpose
Google OAuth"Sign in with Google" login
GitHub OAuth"Sign in with GitHub" login

6.5 Payments

VendorPurpose
StripeSubscription billing & payment processing (Stripe receives your name, email, and payment information; Coommit never sees your card details)

6.6 Email, monitoring & integrations

VendorPurpose
ResendTransactional email (account verification, invites, password reset, notifications)
SentryError and performance monitoring
Google Analytics 4Aggregated usage analytics on the marketing site and product
BrowserbasePowers the optional Canvas Browser Box (a shared headless Chrome session inside a room)
CalendlyOptional integration if you connect your Calendly account (OAuth + webhooks)
Google Calendar APIOptional integration if you connect your Google Calendar (OAuth)
Google Drive Picker APIOptional file picker if you import from your Google Drive
country.isFallback IP-to-country resolution for acquisition analytics (no IP is stored)

6.7 Marketing site (coommit.com) only

VendorPurpose
Spline3D scene rendering on the homepage hero (CDN-hosted)
MaskoEcho mascot animated video (CDN-hosted)
FormSubmitRelays the contact form on the Contact page to hello@coommit.com

An always-current list is also maintained internally and can be requested at hello@coommit.com.

What this means Every vendor here has a specific job. None of them are advertising networks. The list grows or shrinks only when our engineering does, and we update this page when it changes.

7. Where your data lives

The Coommit app currently runs from Google Cloud's us-central1 region (Iowa, USA). Your database records (account, rooms, transcripts, brain notes, recordings metadata) and your file storage (canvas assets, recordings, avatars) live in Google Cloud's europe-west1 region (Belgium).

This means: parts of your data live in the EU by default, even though our application servers are in the US. When you initiate an Echo request to a US-based AI provider (Anthropic, OpenAI), your prompt travels from our servers to theirs over TLS, a transatlantic transfer governed by Section 13 below.

8. How long we keep your data

8.1 Inactive accounts

If you stop using Coommit for 12 consecutive months (no logins, no activity, no API calls), we will email the address on file and, 30 days later, hard-delete your account and all associated content.

8.2 Active accounts

While you use Coommit, we keep your content for as long as you keep it: rooms, transcripts, recordings, brain notes, files. You can delete any of these individually at any time.

8.3 When you delete your account

Account deletion (Settings → Delete account) triggers an immediate hard-delete cascade: rooms you own, transcripts, chat messages, recordings, brain notes, file uploads, friendship and notification records, BYOK keys, integration tokens, all removed. There is no soft-delete grace period.

8.4 Specific retention windows

Data typeRetention
Raw call audioNot stored. Streamed through memory only.
Auth session cookies30 days (rolling)
Waitlist session cookie90 days
Guest invite link7 days
Guest session cookie24 hours
Signed URLs for files1 hour (recordings), 6 hours (canvas assets), 7 days (avatars, bug-report screenshots)
Echo transcript-summary cache (in-memory)30 minutes
Brain digest cache (in-memory)5 minutes
Billing & tax records (legal obligation)Up to 7 years after the last transaction, as required by US and EU tax law
BackupsEncrypted snapshots retained up to 35 days; deletions propagate within this window

9. How we share data

We share data only in the following situations:

  • With sub-processors listed in Section 6, who process data on our behalf to operate Coommit.
  • With other room participants. Content you put into a shared room is visible to people you invited. That's the product, not a privacy issue.
  • To comply with law. Court orders, subpoenas, valid law-enforcement requests. We push back on overbroad requests, and we'll notify you if legally allowed.
  • To prevent harm. Credible threats to safety, fraud investigations, or to enforce our Terms of Service.
  • In a business transfer. If Coommit is acquired or merges, your data may transfer to the new owner under terms at least as protective as this policy. We'll notify you.

We do not sell your data. We do not share your data for advertising.

10. Your rights

10.1 If you're in the EU, UK, EEA, or Switzerland (GDPR / UK GDPR / FADP)

You have the right to:

  • Access: get a copy of the personal data we hold about you.
  • Rectify: correct anything inaccurate.
  • Erase: ask us to delete your data ("right to be forgotten"). You can also do this yourself from Settings.
  • Restrict: limit how we process your data.
  • Object: to processing based on legitimate interests, including analytics.
  • Port: receive your data in a structured, machine-readable format.
  • Withdraw consent: for processing that relies on consent (e.g., optional integrations).
  • Lodge a complaint: with your local data-protection authority.

Our legal bases under GDPR: performance of a contract (operating Coommit for you), legitimate interests (security, fraud prevention, product analytics), consent (optional integrations, marketing emails), and legal obligation (tax records).

10.2 If you're in California (CCPA / CPRA)

You have the right to:

  • Know what personal information we collect, use, share, and sell (we don't sell).
  • Delete the personal information we hold about you.
  • Correct inaccurate personal information.
  • Opt out of "sale" or "sharing": moot here, because we do neither.
  • Limit use of sensitive personal information.
  • Non-discrimination: we won't penalize you for exercising any right.

10.3 If you're in another US state with a privacy law

(Virginia, Colorado, Connecticut, Utah, and others.) You have analogous rights under your state's law. The fastest way to exercise any of them is the same as above: email us.

10.4 How to exercise your rights

Email hello@coommit.com from the address tied to your account, or use the Settings page in the product. We respond within 30 days (sometimes faster). We may ask you to verify your identity if the request is sensitive.

You can also delete your account yourself, instantly, from Settings → Delete account.

11. Children's privacy

Coommit is intended for users aged 13 and over.

For users in the European Economic Area, the UK, or Switzerland, the digital age of consent is typically 16 (some member states have lowered it to as young as 13). If you are below the digital age of consent in your country, you may only use Coommit with the consent of your parent or legal guardian.

We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided data to Coommit, email hello@coommit.com and we will delete it.

12. Security

We take security seriously. Concretely:

  • Encryption in transit: TLS 1.2+ for everything between your device and our servers, and between our servers and our sub-processors.
  • Encryption at rest: Google Cloud's default storage encryption for the database and file storage.
  • BYOK keys: additionally encrypted at the application layer with AES, using a server-side secret that is itself rotated.
  • Hashed passwords: passwords are never stored in plaintext.
  • Hard deletes: when you delete content, it's gone (subject to the backup window in §8.4).
  • Access controls: only a small team of TAAO, Inc. employees has production access, on a need-to-know basis.
  • Monitoring: Sentry alerts us to errors and anomalies in real time.
  • Coordinated disclosure. Found a vulnerability? Email hello@coommit.com. We respond fast, we credit researchers who want it, and we don't sue.

No system is perfect. If we ever experience a security incident affecting your data, we will notify affected users without undue delay and, where required, the relevant data-protection authority within 72 hours.

13. International data transfers

Coommit is a US company with infrastructure in both the US (us-central1) and the EU (europe-west1, europe-west9). When data moves from the EU to the US (for example, when you use an AI provider hosted in the US), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, with our sub-processors.
  • EU–US Data Privacy Framework certifications, where our sub-processors are certified.
  • Your explicit consent. When you connect a BYOK key to a US provider, you authorize the transfer in the act of doing so.

14. Changes to this policy

If we materially change this policy, we'll update the "Last updated" date at the top and email registered users at least 30 days before the changes take effect. Minor edits (typo fixes, link updates) won't trigger a notice but will be reflected in the date.

Past versions are available on request.

15. Contact us

Privacy questions, data requests, or anything else: write to a real human.

hello@coommit.com

Or by mail to our registered office:

TAAO, Inc.
1007 N Orange St, 4th Floor 5510
Wilmington, DE 19801
USA