The short version: Your data is yours. We never sell it and never use it to train AI models. It's encrypted and isolated to your account, and you can export or delete everything in one tap. We're based in the UK and store your data in the UK.
Cola is operated by its founding team in the United Kingdom (UK company registration in progress). For UK data-protection law (UK GDPR and the Data Protection Act 2018), we are the "controller" of your personal data. Contact: privacy@bitbots.co.uk.
We practise data minimisation — we collect the least we need.
Your email address and an account identifier. Sign-in is handled by Amazon Cognito; we never store your plaintext password. Basis: our contract with you.
Documents, photos, PDFs, notes and voice notes you add. We store the encrypted original plus details our AI extracts (a title, summary, key facts). If you mark a capture sensitive, Cola never reads its contents — only the file and a label you choose are stored. Basis: our contract; explicit consent where it contains special-category data.
You authorise each connection yourself and can disconnect at any time, which deletes the data pulled from it. Basis: your consent (explicit consent for health data).
A per-user, PII-free activity log (actions, never content), rate/cost counters, and standard server logs. For public actions (e.g. the waitlist) we store a hashed IP, never the raw IP. Basis: our legitimate interest in a secure, sustainable service.
We do not use third-party advertising or tracking, and do not build advertising profiles.
Health data gets extra protection. We process Apple Health / wearable summaries only with your explicit consent (given via the in-app consent screen), and you can withdraw it anytime by disconnecting. Documents you mark sensitive are never read by the AI.
To extract details from a document or answer a question, the relevant data is sent to our AI processor (AWS Bedrock running Anthropic's Claude), in the UK/EU region, only to perform that task. It is not used to train models and not retained by the provider for their own purposes. Sensitive-marked documents are never sent to the AI.
We do not sell your data. We use service providers who process it on our behalf, under contract:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting, database, encrypted file storage, authentication, AI (Bedrock) | UK / EU |
| Google, Microsoft, Apple, Oura, Hevy, Last.fm | Only the source you choose to connect | Per provider |
We may disclose data if required by law or to protect users' safety.
Your data is stored in the UK (AWS London). AI processing occurs in the UK/EU. Any transfer outside the UK relies on appropriate safeguards.
While your account is active. Disconnect a source → its data is deleted. Delete a capture → it and its file are deleted. Delete your account → all your data is permanently and automatically deleted.
Under UK GDPR you can access, correct, erase, export, restrict or object to processing, and withdraw consent — most directly in the app (export, delete, disconnect). Contact privacy@bitbots.co.uk. You can also complain to the UK Information Commissioner's Office.
Cola is for adults 18+. We do not knowingly collect data from under-18s.
We may update this policy and will notify you of material changes.