Privacy Policy

Last updated: April 22, 2026

Cour is a people-first briefing that pulls together messages, events, and updates across the apps you already use. This policy explains what data we collect, how we use it, and what choices you have.

Cour is operated by Cabildo Strategy Services, LLC (Louisiana, USA). If anything here is unclear, email privacy@mycour.app.

The short version

• Cour is read-only. We pull data from connected sources (Gmail, Google Calendar, Google Contacts). We don’t send, post, or modify anything on your behalf.
• We don’t sell your data and we don’t run an ad network that reads your content to target you. Any ads in the product are source-app ads that already exist inside the content you chose to connect.
• Your connected-source data is visible to you and Cour’s systems only. It is not shared with other users except where you deliberately choose to share (e.g. memory pins you mark public).
• You can disconnect any source, delete your account, and export your data at any time.

What we collect

Account data

• Email address (used as your account identifier)
• Display name, if you provide one
• Authentication tokens from Google (Sign in with Google) or Apple (Sign in with Apple) when you choose those sign-in methods

Connected-source data

When you connect a data source (Gmail, Google Calendar, Google Contacts), Cour receives the OAuth scopes you explicitly approved and reads the data that those scopes allow. This includes:

• Email metadata and message bodies from Gmail
• Calendar events and attendees
• Contacts (name, email, phone, photo)

Cour uses this data to build your personal briefing, the people lanes in your Feed, and the answers you get in Chat. Access tokens are stored encrypted at rest and refreshed automatically.

Content you create inside Cour

• Memory pins, tours, and comments — text, photos, audio, and places you attach to people you care about. Visibility is your choice per pin (private, household, network, public).
• Chat messages — what you ask Cour and what the assistant replies. Used to answer the current request and, if you keep chat history on, to personalize future answers.
• Briefing archives— a snapshot of each day’s briefing so “that day, three years ago” surfaces can rehydrate after source content has been purged upstream.

Behavioral data

Cour records which cards you tap, impress, save, and follow through to their source app. This is used to rank your Feed and Briefing. The page /observationsshows you the underlying events we’ve logged and lets you delete any of them.

We do not use behavioral data to build advertising profiles or sell to third parties.

Device + technical data

• Device identifier (for cross-device session merging)
• IP address (for rate-limiting and abuse prevention, not tracking)
• Browser / OS version (for compatibility + support)

How we use your data

• To build your personal briefing, Feed, and Chat answers
• To surface memories and tours about the people you care about, subject to the visibility rules you set
• To keep the service secure (rate limits, abuse detection, audit logs)
• To respond to your support requests
• To improve the product — we measure which features get used, never by selling that measurement to anyone else

Who we share data with

We share only the minimum data needed to operate Cour. Specifically:

• Supabase — our primary database + auth provider. All user data is stored with Supabase in the US.
• Vercel — our hosting provider. Transient request processing; no persistent user data stored on Vercel.
• Anthropic + Google AI — our chat models. The message content you send to Chat is transmitted to these providers to generate a reply. Neither provider trains on Cour traffic.
• Google OAuth — when you Sign in with Google or connect Gmail/Calendar/Contacts, Google is a party to the authentication round-trip.
• Apple — when you Sign in with Apple, Apple is a party to the authentication round-trip.
• Portage — Cour shares a backend database with Portage, a sister app by the same operator that builds geographic memory pins around landmarks. If you choose to pin a memory at a Portage landmark, that pin is visible on both surfaces per the visibility you set.

We do not sell, rent, or license your data to third parties for advertising or any other purpose. We do not share with law enforcement except in response to a valid legal process.

Your choices and rights

• Disconnect a source— Settings → Connected Sources → Disconnect. We immediately stop ingesting new data; historical ingested data stays until you delete it explicitly.
• Delete behavioral events — visit /observationsto see the events we’ve recorded and remove any or all.
• Delete your account — email privacy@mycour.app. We delete your account + all associated data within 30 days. Backups purge within 60 days.
• Export your data — email the same address. We return a JSON bundle of everything associated with your account.
• GDPR rights— if you’re in the EU/EEA you have additional rights (access, rectification, erasure, restriction, portability, objection). Email us to exercise any of them.
• CCPA rights— if you’re in California you have the right to know, delete, and opt out of sale of personal information. We don’t sell personal information; the know/delete paths are the same as above.

Security

We use encrypted connections (TLS 1.3) for all traffic. Passwords are never stored in plaintext; we delegate authentication to Supabase Auth, Google, or Apple depending on your sign-in method. OAuth refresh tokens are stored in a row-level-security-isolated table accessible only to the server processes that need them to fetch on your behalf. Our production secrets are rotated on a schedule and on any suspicion of compromise. See SECURITY.md for more.

Despite our efforts, no method of transmission or storage is perfectly secure. If we become aware of a breach that affects your personal data, we’ll notify you within 72 hours and describe the scope, the data involved, and what we’re doing.

Children

Cour is not intended for children under 13. We don’t knowingly collect data from children under 13. If you believe a child has created a Cour account, email privacy@mycour.appand we’ll delete it.

Changes to this policy

We’ll update this page when our practices change. Material changes will also be notified via an in-app banner and/or email. The “Last updated” date at the top reflects the most recent change.

Contact