Privacy

Placeholder policy. Last updated: pending legal review.

Coru is an SMS-first assistant that helps people manage personal health and household logistics. We take privacy seriously because the data you share with us — symptoms, medications, appointments, family context — is personal by nature. This page explains what we collect, how we use it, what we don't do with it, and how you can get it back or have it deleted.

This is a plain-language summary. A full legal privacy policy will replace this page before we open early access beyond the initial waitlist.

What we collect

  • Account basics: your name, email address, mobile phone number, and time zone.
  • Household context you share: who's in your home, anyone you're caring for, and any health information you explicitly log (symptoms, medications, appointments, observations).
  • SMS conversation history: the messages you send to the assistant and the replies we send back.
  • Optional integrations: if you connect a Google Calendar or email account, we receive the scopes you approved during OAuth. You can revoke those at any time.
  • Operational metadata: timestamps, delivery status, error logs. Standard stuff that lets us notice when something is broken.

How we use it

  • To do the thing you're asking us to do — log an observation, send a reminder, generate a physician summary, deliver a morning briefing.
  • To keep your data synced across the SMS interface and the web dashboard so you see the same history in both places.
  • To send you transactional messages (verification codes, reminders you asked for, critical alerts for things you've opted into).
  • To improve the service for you — spotting when something is broken, fixing bugs, and making the assistant's responses less wrong over time.

What we don't do

  • We don't sell your data. Not to advertisers, data brokers, pharmaceutical companies, insurers, or anyone else. We have no business model that depends on selling personal information, and we will not introduce one quietly.
  • We don't use your health data to train general-purpose AI models. Your conversations are not pooled into a training corpus for third-party language model providers outside the scope of answering your own messages.
  • We don't share your data with your employer, insurer, or school unless you explicitly ask us to — for example, by asking us to generate a physician summary or a 504-plan update that you then choose to send yourself.
  • We don't read your messages as a human unless you ask us to. Automated systems process your texts to generate responses. Humans only look at individual conversations if you specifically request support, or if we're investigating a bug you've reported.

Data sharing with third parties

Coru is built on top of a small number of vendor services. The ones that touch your personal data are:

  • Supabase — our database provider. Your data is stored there encrypted at rest.
  • Twilio — our SMS provider. Messages between you and the assistant route through Twilio, under Twilio's own privacy terms.
  • Language model providers (OpenAI, Anthropic, Google) — we send your messages to one of these to generate responses. We use their enterprise-grade APIs with zero-retention / no-training settings where those are available.
  • Google (calendar / email) — only if you explicitly connect a Google account. The data accessed is limited to the OAuth scopes you approved.

We do not share data with other parties for marketing, analytics profiling, or any other purpose beyond the ones listed above.

Getting your data back or deleting it

You can request a copy of everything Coru has about you, or ask us to delete it, at any time. We respond within 30 days. To make a request:

  • Text DELETE to the assistant and we'll start the account-closure flow. (This is a planned feature — until it ships, email us.)
  • Email us at the address in the Contact section below with the subject line “Data request” and the email address on your account. We'll confirm ownership and process the request.

Deletion is permanent — once processed, we cannot recover your data. Some records may be retained for legal or security reasons (fraud investigation, tax records), but those are limited and will be documented in the full policy once it's published.

Security

OAuth refresh tokens and other access secrets are encrypted at rest with AES-256-GCM. Data in transit uses TLS. We do not store passwords — dashboard login is handled by Supabase Auth via OAuth providers. Phone-based SMS access is gated by a one-time 6-digit code at signup and by an allowlist of verified phone numbers thereafter.

No system is perfectly secure. If you believe your account has been compromised, text STOP to the assistant and email us immediately.

Kids

Coru is designed to be used by adults who may be managing the health or logistics of children in their household. We do not knowingly collect information directly from children under 13. Parents using Coru to track a child's health should understand that the child's data is stored under the parent's account and governed by this policy.

Contact

Questions, data requests, or concerns about this policy can go to the operator's email address (to be published with the full legal policy). For now, reach out through the signup form on the homepage and the operator will follow up directly.

This placeholder policy is intentionally conservative. If anything here turns out to conflict with how the service actually operates as of a specific date, the behavior described here is the commitment — we'll change the code, not the policy.