Terms

Privacy Policy

Last updated 1 July 2026

The short version: Your data is yours. We never sell it and never use it to train AI models. It's encrypted and isolated to your account, and you can export or delete everything in one tap. We're based in the UK and store your data in the UK.

1. Who we are

Cola is operated by its founding team in the United Kingdom (UK company registration in progress). For UK data-protection law (UK GDPR and the Data Protection Act 2018), we are the "controller" of your personal data. Contact: privacy@bitbots.co.uk.

2. The data we collect and why

We practise data minimisation — we collect the least we need.

Account

Your email address and an account identifier. Sign-in is handled by Amazon Cognito; we never store your plaintext password. Basis: our contract with you.

Content you capture

Documents, photos, PDFs, notes and voice notes you add. We store the encrypted original plus details our AI extracts (a title, summary, key facts). If you mark a capture sensitive, Cola never reads its contents — only the file and a label you choose are stored. Basis: our contract; explicit consent where it contains special-category data.

Connected sources (you choose)

You authorise each connection yourself and can disconnect at any time, which deletes the data pulled from it. Basis: your consent (explicit consent for health data).

Security & usage

A per-user, PII-free activity log (actions, never content), rate/cost counters, and standard server logs. For public actions (e.g. the waitlist) we store a hashed IP, never the raw IP. Basis: our legitimate interest in a secure, sustainable service.

We do not use third-party advertising or tracking, and do not build advertising profiles.

3. Special-category (health) data

Health data gets extra protection. We process Apple Health / wearable summaries only with your explicit consent (given via the in-app consent screen), and you can withdraw it anytime by disconnecting. Documents you mark sensitive are never read by the AI.

4. How we use AI

To extract details from a document or answer a question, the relevant data is sent to our AI processor (AWS Bedrock running Anthropic's Claude), in the UK/EU region, only to perform that task. It is not used to train models and not retained by the provider for their own purposes. Sensitive-marked documents are never sent to the AI.

5. Who we share with

We do not sell your data. We use service providers who process it on our behalf, under contract:

ProviderPurposeLocation
Amazon Web ServicesHosting, database, encrypted file storage, authentication, AI (Bedrock)UK / EU
Google, Microsoft, Apple, Oura, Hevy, Last.fmOnly the source you choose to connectPer provider

We may disclose data if required by law or to protect users' safety.

6. Where it's stored

Your data is stored in the UK (AWS London). AI processing occurs in the UK/EU. Any transfer outside the UK relies on appropriate safeguards.

7. How long we keep it

While your account is active. Disconnect a source → its data is deleted. Delete a capture → it and its file are deleted. Delete your account → all your data is permanently and automatically deleted.

8. How we protect it

9. Your rights

Under UK GDPR you can access, correct, erase, export, restrict or object to processing, and withdraw consent — most directly in the app (export, delete, disconnect). Contact privacy@bitbots.co.uk. You can also complain to the UK Information Commissioner's Office.

10. Children

Cola is for adults 18+. We do not knowingly collect data from under-18s.

11. Changes

We may update this policy and will notify you of material changes.

Cola · built in the UK · Home · Terms · privacy@bitbots.co.uk