Legal
AI Data Processing
Cohra uses third-party AI services to power "Ask Cohra." This page explains exactly what happens to your data when AI features run, what we promise about training, and what controls you have. If you also need to enter into a Data Processing Addendum, contact [email protected].
On this page Hide Show (15)
- Scope
- How AI is used in Cohra
- AI sub-processors
- What we send to AI providers
- What AI providers do with the data
- Training commitments
- Retention
- Voice and biometric data
- Your role and our role under data-protection law
- Your controls
- AI output reliability and human oversight
- Transparency and AI identification
- Security
- Changes
- Contact
The short version. Audio never reaches an AI provider. When you Ask Cohra, only a short transcript snippet plus a fixed system prompt is sent to our AI provider (Anthropic) to generate the reply. The reply text is then sent from your device to our voice-synthesis provider (ElevenLabs) to be turned into Cohra’s voice. Cohra never trains AI on your conversations; our providers handle these requests under their own published terms, which we link to below.
Scope
This page describes:
- The AI sub-processors Cohra uses
- What personal data passes through AI components
- Training and retention commitments
- The role of each party under data-protection law
- Your choices and controls
It supplements, rather than replaces, the Privacy Policy and the Terms of Use.
How AI is used in Cohra
Cohra uses AI in two clearly separated places:
- Ask Cohra (language model). When you say or tap “Ask Cohra,” your device sends a short snippet of the recent conversation transcript and a fixed system prompt to our language-model provider through our signaling server. The provider returns a text reply, which is read aloud in the room.
- Cohra’s voice (text-to-speech). Your device then opens a direct, encrypted connection to our text-to-speech provider and sends only the AI reply text to be synthesized into Cohra’s voice. The provider streams audio back to your device, which is shared with the other participants over the encrypted peer-to-peer audio channel.
Audio is never sent to any AI provider. Speech recognition runs on your device.
AI sub-processors
| Provider | Role | Region | Data shared |
|---|---|---|---|
| Anthropic | Language model — generates Cohra’s reply | United States | Recent transcript snippet and a fixed system prompt |
| ElevenLabs | Text-to-speech — synthesizes Cohra’s voice from text | United States | The AI-generated reply text, the voice model ID, and the network connection from your device |
We will update this list and notify users at least 30 days in advance before adding a new AI sub-processor that processes personal data.
What we send to AI providers
Sent to Anthropic when you Ask Cohra
- A short snippet of the recent transcript that gives the AI enough context to answer
- The explicit prompt or question
- A fixed system prompt that describes Cohra’s behavior and guardrails
Sent to ElevenLabs to synthesize Cohra’s voice
- The AI-generated reply text returned by Anthropic
- The voice model ID (which Cohra voice to use)
What we do not send to either provider
- Audio recordings of any kind
- Full session transcripts
- Account identifiers, email addresses, or payment data
- Other participants’ private information beyond what already appears in the recent transcript snippet
- Your name, location, contacts, or device identifiers
Your IP address may be visible to ElevenLabs because your device connects to its TTS service directly. Your IP address is not visible to Anthropic, because Anthropic requests are sent through our signaling server.
What AI providers do with the data
The handling of your AI requests by each provider is governed by that provider’s published terms. We’ve chosen providers and tiers we believe are appropriate for a privacy-respecting consumer voice app, and we link to the authoritative terms below.
- Anthropic. Cohra uses Anthropic’s API as a commercial customer. Anthropic’s Commercial Terms of Service publicly commit that inputs and outputs submitted through their API are not used to train Anthropic’s models.
- ElevenLabs. ElevenLabs receives only the AI-generated reply text from your device for voice synthesis. Their handling of that text is governed by the ElevenLabs Privacy Policy and Data Processing Addendum.
- Both providers act as processors / sub-processors for Cohra and apply Standard Contractual Clauses or equivalent safeguards for international data transfers where applicable.
For the authoritative, current terms, refer to:
- Anthropic — Privacy Policy and Data Processing Addendum
- ElevenLabs — Privacy Policy and Data Processing Addendum
Training commitments
What we control:
- We do not train any Cohra models on your conversations.
- We do not retain or repurpose AI inputs or outputs internally for training, fine-tuning, or evaluation.
- We do not train, fine-tune, or evaluate any model on identifiable user content without explicit, opt-in consent.
What our providers commit to (verifiable in their published terms, linked above):
- Anthropic. Per Anthropic’s Commercial Terms of Service, inputs and outputs submitted through their API are not used to train Anthropic’s models.
- ElevenLabs. ElevenLabs’ handling of the AI reply text Cohra sends for voice synthesis is governed by their Privacy Policy and Data Processing Addendum. We do not republish their commitments here, because the authoritative source is theirs and may evolve — please review the linked documents for the current position.
If we ever introduce an opt-in research program (for example, “help us improve Cohra”), it will be clearly labeled, separate from your normal usage, and revocable at any time.
Retention
- AI inputs (transcript snippet, prompt, reply text) are processed in transit and not retained on Cohra’s infrastructure.
- AI outputs (the reply text) are delivered to participants in your room and not retained on our servers.
- Anonymous operational metadata (request volume, latency, error rates) may be retained for short periods to monitor service quality and prevent abuse.
Voice and biometric data
Cohra does not create voiceprints, perform speaker recognition based on voice biometrics, or send raw audio to any AI provider. Speech-to-text runs on your device and produces ordinary text transcripts. We do not treat voice as biometric data under GDPR Article 9 because we do not use it to uniquely identify individuals.
Your role and our role under data-protection law
In a normal consumer scenario:
- You are the data subject for your own personal data, and you are responsible for any other person’s data you choose to share into a Cohra session.
- Cohra is operated by Sviat Minato, who is the data controller of the personal information described here and in the Privacy Policy.
- Anthropic and ElevenLabs act as sub-processors to Cohra when you Ask Cohra.
If you use Cohra in a business or organizational setting, the responsible organization may also be a controller for data its members share into a session. In that case, the organization can request a Data Processing Addendum (DPA) by emailing [email protected].
Your controls
You can:
- Choose not to use Ask Cohra — the AI feature is invoked only when you explicitly trigger it
- Mute the microphone at any time during a session — your voice will not be transmitted or transcribed while muted (see the Privacy Policy for the full description of what mute does)
- Leave the session to stop all peer-to-peer streaming and AI processing
- Delete your local session history in the History tab
- Request a copy of the data Cohra processes about you
- Request a DPA if you are a business customer
AI output reliability and human oversight
AI replies are content suggestions, not automated decisions about you. They can be inaccurate, biased, or out of date. Use them as a starting point, not as a final answer for medical, legal, financial, safety, or otherwise high-stakes situations.
We refine our system prompts and safety guardrails as we learn from real usage. If you find a reply that is harmful, biased, or seriously wrong, please report it via the in-app Report action so we can review it.
Transparency and AI identification
Whether or not it is required by your local AI regulations, we believe users should always know when they are talking to AI:
- The AI participant is named “Cohra” and is clearly identified as the AI participant throughout the in-app experience.
- We aim to keep this page current as the underlying models or our use of them changes.
- We continue to monitor AI regulation in the markets where Cohra is offered and will update this page if and when new obligations apply.
Security
The same technical and organizational measures described in our Privacy Policy apply to AI processing — encryption in transit, hardware-backed device attestation, signed requests, and limited production access.
Changes
If we materially change our AI processing practices, we will notify you at least 30 days before the change takes effect. Significant changes that introduce new categories of data or new sub-processors will require renewed consent where required by law.
Contact
For AI-related privacy questions, DPA requests, or to opt out of any optional AI processing:
- Email: [email protected]
- Subject line: “AI Data Processing — [your request]”
- Postal: Sviat Minato, 55 Front Street West, Toronto, ON M5J 1E6, Canada
Other legal pages
Need help?
- [email protected] · general
- [email protected] · privacy