PRIVACY POLICY
Privacy Policy
Effective Date: May 25, 2026 · Last Updated: June 2026
1. Introduction
This Privacy Policy explains how Copat Tech LLC ("Copat," "we," "us," "our") collects, uses, shares, and protects personal information when you use the Copat virtual receptionist service, the copat.ai website, or any related services (the "Service").
Copat Tech LLC is part of a group of affiliated companies that includes Medisomatech LLC, our parent affiliate. See Section 9 for specific disclosures about our affiliated companies and how data may flow between Copat and Medisomatech.
This Policy applies to:
- Account holders — businesses and individuals who sign up for Copat and use the Service to handle their calls, messages, and email
- Callers — people who call, text, or email a Copat-managed phone number or email address, whether or not they have a Copat account
- Website visitors — anyone who visits copat.ai
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, you must not use the Service.
If you are an account holder, you are responsible for ensuring that your use of the Service complies with applicable privacy laws in your jurisdiction. You may need to inform your callers and recipients about how their information is processed.
2. Information we collect
2.1 Information you give us
When you create an account or use the Service, you provide:
- Identity: Name, business name, email address, phone number, profile photo
- Authentication: Password (hashed), verification codes, security questions
- Payment: Billing name, billing address, payment card details (handled by Stripe — Copat does not store full card numbers), tax ID
- Contacts: Phone numbers, names, emails, and notes you add or import from your device's contact list
- Settings + preferences: Languages, voice selection, business hours, call routing rules, AI persona, briefing preferences
- Content you create: Notes, calendar events, custom AI prompts, FAQ entries, knowledge base content
2.2 Information about your callers and message senders
When someone calls, texts, WhatsApps, or emails a Copat-managed number or address, we collect and process:
- Caller identification: Phone number, caller name (if provided by carrier), country, carrier
- Communication content: Audio of the call (full recording), real-time transcript, our AI's analysis and summary, any messages sent or received
- Metadata: Date and time, duration, direction (inbound/outbound), call result (connected, voicemail, missed, blocked), language detected
- Spam signals: Patterns that suggest the caller is a robocall, spam, or fraud source
We process this information on behalf of you (the account holder). You are the data controller for your callers' information; Copat is the data processor.
Joint controllership notice for EU/UK / Swiss callers: In certain limited circumstances where Copat and an affiliated company (Section 9) jointly determine purposes or means of processing — for example, cross-property analytics combining Copat usage data with Medisomatech property usage data for an individual user — Copat and Medisomatech LLC may operate as joint controllers under GDPR Article 26 with respect to those specific data flows. In such cases, the parties have an internal arrangement under which Copat serves as the primary contact for data subject rights requests. You may contact [email protected] to exercise any GDPR right and the request will be coordinated across both controllers as required.
2.3 Information collected automatically
When you use the apps or visit copat.ai:
- Device: Device type, operating system, app version, push notification token, screen resolution, time zone
- Network: IP address, approximate location (city-level, derived from IP), carrier
- Usage: Screens viewed, features used, buttons tapped, error reports, performance metrics
- Cookies and similar: On copat.ai, we use first-party cookies for session management and analytics (see Section 9 on cookies and Section 11 on cross-property linkage with Medisomatech properties)
We use Sentry to capture errors and crash reports, which may include device information and stack traces. Sentry data is retained for 90 days.
2.4 Information from third parties
If you connect a third-party account (Google Calendar, Microsoft 365, Apple Calendar), we receive the data you authorize, including events, attendees, and times. We do not access more than what is needed to display and create events from within Copat.
3. How we use information
We use information to:
- Provide the Service — handle calls, generate transcripts, draft replies, schedule appointments, send notifications, process payments
- Personalize the Service — adapt AI to your account's preferred persona, language, and business context
- Improve the Service — analyze how features are used, fix bugs, develop new functionality. We use de-identified and aggregated data for product improvement and may use it to train AI models that benefit all users
- Communicate with you — account notifications, security alerts, billing notices, product updates, support responses
- Detect and prevent abuse — identify spam, fraud, and violations of our Terms; block bad actors; protect our infrastructure
- Coordinate with affiliated companies — share certain operational, analytics, and account data with Medisomatech LLC and other Copat affiliates as described in Section 9
- Comply with law — respond to subpoenas, court orders, and government requests; defend legal claims; satisfy tax and accounting obligations
3.1 AI model training
We do not use identifiable content from your calls, messages, recordings, or transcripts to train AI models deployed for other customers. We may use de-identified, aggregated statistics and patterns for general model improvement.
Our third-party AI providers (Anthropic, OpenAI, Deepgram, ElevenLabs) process your content under contracts that prohibit them from using your data to train their models for other customers. These contracts are part of our Data Processing Agreements with each provider.
3.2 Legal basis for processing (for EU/UK visitors and callers)
Under GDPR and UK GDPR, our legal bases for processing personal information include:
- Contractual necessity — to provide the Service you signed up for
- Legitimate interests — to operate, secure, and improve the Service; to prevent fraud; to coordinate with affiliated companies in our group
- Consent — for optional features like cross-account model improvement (opt-in only) and where required by applicable law for cross-property data flows
- Legal obligation — for tax, accounting, and law-enforcement compliance
You may withdraw consent at any time without affecting prior processing.
4. How we share information
We do not sell personal information for monetary consideration. We share information in the circumstances described below. See Section 7.1 for important California-specific definitions of "sale" and "share."
4.1 Service providers (Subprocessors)
We share information with third parties that help us operate the Service. They process information on our behalf, under contracts that restrict their use and require security safeguards:
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Billing name, address, payment method |
| Anthropic | AI summarization, content analysis, image understanding | Call transcripts, AI prompts, generated text, inbound images/video frames (Zero Data Retention) |
| OpenAI | Real-time call AI, content moderation | Live audio, conversation context, inbound images/video frames (Zero Data Retention) |
| Deepgram | Speech-to-text | Live audio streams |
| ElevenLabs | Text-to-speech voice synthesis | Text to convert, voice ID |
| Picovoice (Porcupine) | Wake-word detection (on-device only) | Audio buffers (not transmitted off-device) |
| VoIP.ms | Telephony carrier | Phone numbers, call routing data, CDR |
| Meta Platforms (WhatsApp Business API) | WhatsApp messaging | Phone numbers, message content |
| SendGrid | Transactional email delivery | Email addresses, message content |
| Microsoft 365 / Outlook | Email integration when connected; also underlying email infrastructure for Copat staff email (see Section 9) | Email account access, messages (user-authorized); email metadata for staff communications |
| Google (Firebase, Calendar) | Push notifications + calendar | Device tokens, calendar events (user-authorized) |
| Apple | Push notifications | Device tokens |
| Sentry | Error tracking | Crash reports, device info, stack traces |
| Linode / Akamai | Cloud hosting | All Service data (encrypted at rest) |
| Cloudflare R2 | Media file storage (WhatsApp images, audio, video, documents) | Inbound and outbound media files; encrypted per-account; quarantined media is access-controlled |
This list matches the Subprocessor list in our Terms of Service Section 9. Updates to either list will be reflected in both.
4.1-a AI media analysis
When you or your contacts send media through Copat (images, audio, video, or documents), the following processing applies:
- Images and video frames: Sent to Anthropic (vision understanding) and OpenAI (content moderation). Both providers process under Zero Data Retention agreements — content is not retained after the API response.
- Voice notes and video audio: Transcribed by Deepgram. Audio is transmitted to Deepgram's servers and deleted after transcription per Deepgram's data retention policy.
- Documents: Analyzed locally by Copat's servers (text extraction only). Document content is not transmitted to third-party AI providers.
- Storage: All media files are stored in Cloudflare R2, encrypted at rest, and access-controlled per account. Only the account holder's users can access their media.
- Quarantined media: Media flagged by content moderation is quarantined and inaccessible to the account holder, their users, and Copat staff except under incident review procedures.
- CSAM: Detection of child sexual abuse material triggers an internal security incident alert and review for mandatory reporting under applicable law. Flagged media is preserved for law enforcement upon valid legal request.
4.2 Affiliated companies (Medisomatech LLC and other Copat affiliates)
See Section 9 below for detailed disclosure of how data may be shared with Medisomatech LLC, our parent affiliate, including shared infrastructure, overlapping personnel, and cross-property analytics or account linkage.
4.3 Account holders see their callers' data
If you call, text, email, or WhatsApp a Copat-managed number or address, the account holder of that number will see your communication content, transcript, summary, and identification information (name, number, country). The account holder may also export, share, or delete that information per their account settings.
4.4 Legal requirements
We may share information if required by law, subpoena, court order, or other legal process; to protect our rights, property, or safety; to prevent fraud or illegal activity; or to enforce our Terms.
4.5 Business transfers
If Copat is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred. We will notify you (by email and on copat.ai) before your information becomes subject to a different privacy policy.
4.6 De-identified data
We may share de-identified, aggregated data with partners, researchers, and the public for industry insights, marketing, or research purposes. This data cannot reasonably be linked back to you.
4.7 With your consent
For any other sharing, we will ask for your explicit consent.
5. Call recording and transcript storage
The Service records inbound and outbound calls to your Copat-managed numbers by default. Florida is a two-party consent state; we play an audible recording notice at the start of every call to satisfy this requirement. You can customize the notice or, with our written consent, disable it where doing so is lawful.
Retention:
- Recordings: Stored for 90 days by default. Account holders can extend retention up to 7 years (subject to tier) or delete individual recordings on demand.
- Transcripts: Stored for the active life of the account plus 90 days, unless deleted.
- Summaries + metadata: Stored for the active life of the account plus 7 years for billing and audit purposes.
- Tokens consumed log: Stored for 7 years for billing purposes.
You can request deletion of specific recordings or transcripts via Settings → Recording → Delete, or by emailing [email protected].
5.1 Legal hold and extended retention
Notwithstanding the retention defaults above, Copat may retain recordings, transcripts, metadata, and other information longer than the stated periods when required by:
- Applicable law, regulation, or order of a court or government authority
- A subpoena, search warrant, civil discovery request, or other legal process
- A regulatory investigation or inquiry (including but not limited to FCC, FTC, FL Attorney General, or equivalent foreign agency)
- An active dispute (a "Legal Hold") between Copat and an account holder, caller, third party, or insurer, or anticipating reasonable litigation
- Tax, accounting, or audit obligations
When a Legal Hold ends, retention resumes per the default schedule, and the information is purged or de-identified as appropriate. Legal Holds may extend retention beyond an account holder's deletion request; in such cases, we will inform the account holder of the existence of the Legal Hold to the extent permitted by law.
6. Security
We use industry-standard technical and organizational measures to protect personal information:
- In transit: TLS 1.2+ for all client-server communication; SRTP for voice media
- At rest: AES-256 encryption for database storage and backups
- Access control: Role-based access; multi-factor authentication for Copat employees; least-privilege principle. Personnel access by Medisomatech employees who also serve in a Copat role is governed by the same role-based access controls (see Section 9)
- Network: Firewalls, WAF, DDoS protection; intrusion detection
- Monitoring: Continuous logging, alerting, and incident response
- Audits: Periodic third-party security reviews; planned SOC 2 Type II certification (target: 2027)
- Personnel: Background checks; confidentiality agreements; security training
No system is perfectly secure. If we discover a security incident affecting your personal information, we will notify you and applicable authorities in accordance with applicable law.
Notification timing varies by jurisdiction:
- US residents: Notification will typically occur within 30 days of discovery, consistent with the Florida Information Protection Act and most US state breach notification laws. Some states impose shorter windows — for example, Vermont (14 days) and Puerto Rico (10 days) — and we will meet those shorter windows for affected residents in those jurisdictions.
- EU / UK / Swiss residents: Notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 / UK GDPR. Notification to affected individuals is provided without undue delay where the breach is likely to result in a high risk to rights and freedoms.
- Other jurisdictions: Notification timing follows applicable local law.
To report a vulnerability, email [email protected]. We participate in responsible disclosure and will not pursue legal action against good-faith researchers.
7. Your rights
You have rights regarding the personal information we process. Specific rights vary by jurisdiction, but generally include:
- Access — request a copy of personal information we hold about you
- Correction — ask us to fix inaccurate or incomplete information
- Deletion — ask us to delete personal information, subject to legal retention requirements (see Section 5.1)
- Portability — receive your information in a structured, machine-readable format
- Restriction — ask us to limit how we use your information
- Objection — object to processing based on legitimate interests, including marketing
- Withdrawal of consent — withdraw consent for processing where consent is the legal basis
- Opt out of "sale" or "share" — see Section 7.1 for California-specific opt-out mechanism
- Lodge a complaint — with your local data protection authority (EU/UK residents)
To exercise any of these rights, email [email protected] with your request and proof of identity. We will respond within 30 days (45 days for complex requests, with notice).
7.1 California residents (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act, including:
- The right to know what personal information we collect, use, share, and sell
- The right to delete personal information we collected from you
- The right to correct inaccurate personal information
- The right to opt out of "sale" or "share" of personal information. As described in Section 9, Copat may "share" personal information with our parent affiliate Medisomatech LLC for cross-property analytics or account-linkage purposes. Under CCPA / CPRA this qualifies as "sharing for cross-context behavioral advertising or analytics," even though we do not "sell" personal information for monetary consideration to unaffiliated third parties.
- The right to limit use of sensitive personal information
- The right to non-discrimination for exercising your rights
To opt out of "sharing": Visit https://copat.ai/privacy-choices to submit an opt-out request via our intake form. The form is also accessible via the "Do Not Sell or Share My Personal Information" link in the footer of every page on copat.ai. We will process opt-out requests within 15 business days. You do not need to create an account or be a Copat customer to submit a request.
We do not discriminate based on the exercise of CCPA rights.
7.2 Other US states
If you reside in Colorado, Connecticut, Utah, Virginia, or other states with comprehensive privacy laws, you may have similar rights. We will honor verifiable requests as required by your state's law.
7.3 EU/UK residents (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under GDPR or UK GDPR. We process EEA personal information based on Standard Contractual Clauses or equivalent mechanisms when data is transferred outside the EEA. See also Section 2.2 regarding joint controllership with Medisomatech LLC where applicable. You may contact [email protected] or your local data protection authority.
7.4 Verification
To protect you, we will verify your identity before fulfilling a rights request. Verification may include confirming the email on your account, asking security questions, or requesting government-issued ID for high-sensitivity requests.
8. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided information to us, contact [email protected] and we will delete it promptly.
If you are a callee under 18 who has called or messaged a Copat-managed number, the account holder of that number is responsible for handling your information appropriately.
9. Affiliated companies (Medisomatech LLC) and cross-property data sharing
This is an important disclosure. Please read carefully.
Copat Tech LLC is affiliated with Medisomatech LLC. Medisomatech is our parent affiliate company group. This means that beyond standard contractual relationships, Copat and Medisomatech operate as part of an integrated group of companies. Specific elements of this relationship that affect your information include:
9.1 Shared email infrastructure
Copat email (e.g., addresses ending in @copat.ai) is hosted on the same Microsoft 365 tenant operated by Medisomatech. As a result, Medisomatech IT operations personnel may have technical-level access to email infrastructure that hosts Copat email, including for purposes of system administration, security monitoring, and incident response. Such personnel are bound by confidentiality obligations and the same role-based access principles that apply to Copat employees. They do not have access to user-facing application data (call recordings, transcripts, account databases) unless they also serve a Copat role described in Section 9.2.
9.2 Overlapping personnel
Certain Medisomatech employees may also work for Copat in defined roles. When a Medisomatech employee serves a Copat role, that individual is subject to Copat's role-based access controls, confidentiality obligations, and security policies with respect to Copat user data. We do not share user data broadly across all Medisomatech staff; access is limited to specific personnel whose Copat duties require it.
9.3 Cross-property analytics and account linkage
We may combine and link information between Copat and other Medisomatech-affiliated properties (a "Cross-Property Operation") for purposes that include:
- Joint analytics — measuring how the same individual uses Copat and other Medisomatech properties, to understand customer journeys and improve our combined offerings
- Account linkage — linking a single sign-on or shared account identifier across properties so a user does not need to maintain separate credentials
- Cross-property notification — informing you of relevant features or services at a Medisomatech-affiliated property based on your Copat usage, where you have not opted out
Under California law (CCPA / CPRA), Cross-Property Operations of this kind qualify as "sharing" of personal information. They do not constitute a "sale" for monetary consideration. You may opt out at any time via Section 7.1.
9.4 What we will NOT do without further disclosure and consent
We will not, without first updating this Privacy Policy with at least 30 days' advance notice and obtaining your consent where required by applicable law:
- Share identifiable Copat user data with unaffiliated third-party advertisers
- Sell Copat user data to data brokers
- Combine your Copat call recordings or transcripts with Medisomatech data for any purpose beyond Service operation, billing, security, or aggregated analytics
- Make personal information available to Medisomatech personnel who do not have a defined Copat role
9.5 Updates to affiliate-sharing practices
If we add new categories of data sharing with Medisomatech or other Copat affiliates beyond what is described in this Section, or if we add new affiliate entities to the group, we will update this Privacy Policy and notify you in advance. Continued use of the Service after notice constitutes acceptance unless you exercise applicable rights described in Section 7.
10. Cookies and similar technologies
On copat.ai we use:
- Strictly necessary cookies: Required for the site to function (authentication, security, session). Cannot be disabled.
- Performance cookies: Help us understand which pages are visited. We use these to improve copat.ai. We do not currently use third-party advertising cookies or cross-site behavioral advertising trackers.
- Cross-property cookies and identifiers — see Section 9 regarding Cross-Property Operations with Medisomatech-affiliated properties. Where such cookies or identifiers are used, opt-out is available via Section 7.1.
If we add additional cross-property cookies or third-party tracking technologies in the future, we will update this Policy and notify users in advance.
You can control cookies via your browser settings. Disabling necessary cookies may prevent parts of copat.ai from working.
In the mobile apps, we use the OS-provided device identifiers and the push-notification tokens you authorize. We do not use third-party advertising SDKs.
11. International transfers
Copat is based in the United States. Personal information we collect is stored and processed in the US. If you access the Service from outside the US, your information is transferred to the US.
For information originating in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and supplementary measures to ensure adequate protection. Where Section 2.2 joint controllership applies between Copat and Medisomatech, both controllers commit to honoring the SCCs and to applying equivalent supplementary measures.
12. Data retention
We retain personal information only as long as needed for the purposes described in this Policy, or as required by law (see also Section 5.1 on Legal Holds):
| Data type | Retention |
|---|---|
| Account profile | Life of account + 90 days |
| Call recordings (default) | 90 days, extendable per plan |
| Call transcripts | Life of account + 90 days |
| Call metadata + summaries | Life of account + 7 years (billing/audit) |
| Payment records | 7 years (tax compliance) |
| Support tickets | 3 years from resolution |
| Sentry crash reports | 90 days |
| Marketing email lists | Until you unsubscribe |
| Logs (server, application) | 30 days for hot logs; 1 year archived |
| Cross-property linkage records (Section 9) | Life of relationship + 90 days, subject to opt-out per Section 7.1 |
After the retention period, we delete or de-identify personal information. Some information may remain in encrypted backups for an additional 30-90 days before purge.
If you delete your account, we delete identifiable personal information within 30 days, except information we are legally required to keep (typically billing records and any data subject to legal hold).
13. Marketing communications
We may send you product updates, feature announcements, and tips via email. You can opt out by clicking "unsubscribe" in any marketing email, or by emailing [email protected].
We may always send you transactional communications (billing notices, security alerts, service notifications) regardless of marketing preferences, because they are necessary to provide the Service.
We do not sell email addresses or share them with unaffiliated third parties for their marketing. Affiliate-related communications from Medisomatech-affiliated properties are governed by Section 9; you may opt out via Section 7.1.
14. Third-party links
The Service may contain links to third-party websites, services, and integrations. Those third parties have their own privacy practices. We are not responsible for their practices. Review their privacy policies before using.
15. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and via in-app notification at least 30 days before the changes take effect.
The "Last Updated" date at the top reflects the most recent change. Continued use of the Service after the effective date constitutes acceptance.
16. Contact
Privacy questions or requests: [email protected]
Security incident or vulnerability: [email protected]
General support: [email protected]
Postal mail:
Copat Tech LLC Attn: Privacy 6845 S US Hwy 1 Port St. Lucie, FL 34952
For EU/UK residents, our Data Protection Officer (if appointed) can be reached at [email protected].