Privacy Policy

Last updated: May 2026

This privacy policy explains how Cooperatr — operated by Paradise Street Capital, S.L.U. (in constitution; pending registration at the Registro Mercantil de Sevilla) — collects, uses, and protects personal data when you use cooperatr.com and related services. We comply with Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 (LOPDGDD).

1. Data controller

Paradise Street Capital, S.L.U. (in constitution) — Seville, Andalusia, Spain. Until the entity is fully registered, the founder Leo Watts acts as data controller in personal capacity. Contact: privacy@cooperatr.com.

2. What we collect

• Account data: email address, authentication tokens (via Supabase magic link or password).
• Company profile: sector, capabilities, geography, certifications, and any free-text descriptions you submit.
• AI interaction data: prompts, generated outputs, and the company-profile context passed to AI agents.
• Local browser storage: language preference (cooperatr_locale) and current company identifier (cooperatr_companyId). These never leave your device.
• Server logs: IP, user-agent, timestamps for security and abuse prevention.

3. Purposes and legal bases

• Providing the platform and AI-generated outputs — contractual necessity (Art. 6.1.b GDPR).
• Authentication and account security — contractual necessity (Art. 6.1.b) and legitimate interest (Art. 6.1.f).
• Service improvement and analytics — legitimate interest (Art. 6.1.f).
• Legal and tax compliance — legal obligation (Art. 6.1.c).

4. Sub-processors and international transfers

We use the following processors. As of this policy date, both involve transfers of personal data to the United States.

• Supabase Inc. (database, authentication). Project currently hosted in AWS us-east-1 (Virginia, USA). We are evaluating a migration to an EU region. Until that migration is complete, transfers rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses where applicable.
• Anthropic, PBC (AI inference for the agent platform). Inference occurs in U.S. AWS regions. Transfers rely on Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. We do not send personal data beyond what is necessary to generate the requested project concepts and proposals.

We are actively working towards EU-only data residency for both database storage and AI inference; status will be disclosed transparently as the migration progresses.

5. Retention

• Account data: until you request deletion or close the account.
• AI prompts and outputs: linked to your account; deleted on account closure unless retained for legal obligations.
• Server logs: 12 months.
• Tax and accounting records: 6 years (Spanish Commercial Code Art. 30).

6. Your rights

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. To exercise any of these rights, email privacy@cooperatr.com. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

7. Cookies and similar technologies

We do not use third-party analytics, advertising, or tracking pixels. The cookies and storage used are strictly necessary for the service to function: an authentication cookie set by Supabase, and two browser-local items (cooperatr_locale, cooperatr_companyId). No consent banner is required for strictly necessary cookies under Spanish AEPD guidance.

8. Automated decisions and AI transparency

Cooperatr uses AI agents to generate project concepts, proposals, and partner risk analyses. These outputs are decision-support, not automated decisions in the sense of Art. 22 GDPR — a human user always reviews and selects before any external action is taken. AI outputs are grounded in cited sources and the platform records which sources informed each output for audit purposes, in line with the EU AI Act transparency requirements.

9. Changes

We will publish material changes to this policy on this page with an updated date. For substantive changes, we will notify registered users by email.