The Privacy Policy is the legal document. This page is the plain-language version: exactly what data COTIS collects, where it goes, how long we keep it, and what we never do with it. Read both. If they ever conflict, the Privacy Policy controls.
What gets collected, and when
When a parent creates an account
- Parent name, email, mailing address, phone
- Payment information (stored by our payment processor, not by us)
- Child's first name or nickname, age, and any personalization details the parent enters
When a child presses a button on COTIS
- The voice input from that interaction (a few seconds of audio)
- Which button was pressed (Ask, Translate, or Calm)
- The device's response
- Basic technical data (timestamp, device ID, battery level)
What we never collect
- Continuous audio. COTIS has no wake-word and no always-on microphone.
- Video. COTIS has no camera.
- Precise GPS location (unless the parent specifically opts in for safety features).
- Contacts, browsing history, or data from other apps on the parent's phone.
- Biometric data (face, fingerprint, voiceprint identification).
Where data lives
Account data and de-identified interaction logs are stored on encrypted servers in the United States. Voice processing happens in a dedicated cloud environment under a contract that prohibits the processor from using the audio for any purpose other than handling the request, and that requires the audio to be deleted after processing.
How long we keep things
| Data type | Default retention | Notes |
|---|---|---|
| Voice audio | Up to 30 days | Deleted from our systems afterward; the processing partner deletes the audio immediately after responding |
| Transcript of voice interaction | Up to 90 days | De-identified after 30 days; kept for debugging only |
| Companion-app interaction logs | 13 months | For product analytics |
| Account information | While account is active + 12 months | Or until you ask us to delete it |
| Payment records | 7 years | Required by tax and accounting law |
| Customer-support tickets | 3 years | So we can find prior context if you contact us again |
Who we share data with
We share the minimum necessary with a small number of service providers. Each one has a written data-processing agreement that prohibits them from using your child's data for their own purposes, training their own AI, or selling it on.
Categories of providers
- Cloud hosting (the database, the file storage)
- Speech-processing and language-model partners (for Ask and Translate features)
- Payment processor (for handling card transactions)
- Shipping partners (for delivering devices)
- Transactional email and SMS providers (for order confirmations, safety alerts)
- Aggregated analytics (de-identified data only)
What we will never do
- Sell your data, or your child's data, to anyone.
- Share your child's data with advertisers, data brokers, or marketing platforms.
- Use your child's voice recordings to train AI models — ours or anyone else's — unless you have explicitly opted in via a separate consent flow that explains exactly what would happen.
- Allow any third party to advertise to your child through COTIS.
- Use your child's voice to identify them through biometrics.
- Build a behavioral profile of your child for commercial purposes.
AI training: the specifics
This deserves its own section because it's the question parents ask first.
Default: No child data — voice, transcript, or otherwise — is used to train, fine-tune, or improve any AI model.
If you opt in (and only if you do), you may agree to share de-identified transcripts to help improve COTIS responses for kids like yours. You can withdraw consent at any time. Opting in is never required to use any feature.
Our processing partners are contractually barred from training on our data. We audit this annually.
How a parent reviews or deletes data
- Open the COTIS companion app.
- Go to Settings → Your Data.
- You can view the last 30 days of transcripts, download a full export of your child's data, or request deletion. Deletion requests are processed within 72 hours.
You can also email hello@cotis.ai from the email address on the account, and we will handle it manually.
Security in plain terms
- In transit: All communication between the device, app, and our servers is encrypted with TLS 1.3.
- At rest: Account data and transcripts are encrypted on disk.
- Access: Only employees with a documented business reason can access account data, and every access is logged.
- Reviews: Annual third-party security audit; quarterly internal review; bug-bounty program for external researchers.
Data-breach response
If a breach affects your child's data, we will notify you by email within 72 hours of confirming the breach, tell you what was affected and what we are doing about it, and provide concrete next steps. We will also notify regulators where the law requires it.
Questions
Email hello@cotis.ai with the subject line "Data Practices." We respond to data questions within five business days.