Corha
Legal

Privacy Policy

Last updated: 11 May 2026

1. Who we are

Corha (“Corha”, “we”, “us”) provides an AI-native customer-understanding workspace that helps product, research, and customer teams turn calls, tickets, surveys, and other conversational data into living customer personas, evidence, and insights.

This policy explains what personal data we collect when you use the Corha service, how we use it, who we share it with, and the rights you have over it. If anything here is unclear, email us at info@corha.app.

2. The data we collect

2.1 Account data

When you create a Corha account we collect your email address and a password (which is hashed by our authentication provider — we never see it in plaintext). We may also collect optional profile details if you choose to fill them in: full name, job title, phone number, location, timezone, and a short bio. We also store your notification preferences and the workspace you’re currently active in.

2.2 Workspace content you upload

Corha is designed to ingest evidence from the conversations your team has with your customers. Depending on which sources you connect or upload, this may include:

  • Sales-call transcripts and metadata
  • Customer-interview recordings, transcripts, and notes
  • Support tickets and ticket comments
  • Surveys, NPS responses, and other structured feedback
  • Product or design documents you choose to share with the workspace
  • CRM exports and similar tabular data

This content frequently contains personal data about your customers, not about you. Corha processes that data as your data processor — see section 8 below.

2.3 Live-call audio (stays on your device)

Corha’s Live Calls feature lets you record audio of customer calls directly in your browser. Those audio files are stored only in your browser’s local storage (IndexedDB) — they are not uploaded to Corha’s servers. Only the metadata you choose to save (title, duration, your own notes) is synced to your Corha workspace. If you clear your browser data, the audio is gone.

2.4 AI-generated derivatives

From the content above, Corha generates personas, evidence summaries, insights, and answers to questions you ask the workspace agent. These derivatives are stored in your workspace and treated as your data.

2.5 Billing data

Paid plans are processed by Stripe. We pass your billing email to Stripe and store the Stripe customer and subscription identifiers Stripe returns to us. We do not store your card details. Card information is handled directly by Stripe under their PCI-DSS compliance.

2.6 Technical and usage data

We collect basic technical data necessary to operate the service: the IP address of requests to our servers, request timestamps, and error logs from our hosting provider. We do not use marketing pixels, third-party advertising trackers, or session-replay tools, and we do not set analytics cookies.

3. How we use your data

We use the data described above to:

  • Provide the Corha service — render your workspace, sync your data, and authenticate your sessions.
  • Generate personas, evidence summaries, and insights from the content you’ve uploaded.
  • Power the workspace agent that answers your questions about your data.
  • Process payments and manage subscriptions through Stripe.
  • Send essential service emails (sign-in confirmations, billing receipts, security notices). You can opt out of optional notifications in your profile settings.
  • Detect and prevent abuse, fraud, or breaches of our terms.
  • Comply with our legal obligations.

We do not train AI models on your data. The AI features in Corha use third-party foundation models (see section 4) on a per-request basis; your content is not used to retrain those models beyond the duration of a single request.

4. Who we share data with (sub-processors)

To deliver Corha we rely on a small number of trusted service providers. We share only the data necessary for each one to do its job:

  • Supabase — hosts our database and handles authentication. Your account and workspace data live here. EU region by default.
  • Anthropic — provides the Claude models that power persona generation and the workspace agent. We send the specific workspace content needed to answer your request; Anthropic does not retain it to train their models under their commercial API terms.
  • Stripe — processes payments and stores card data on your behalf. We receive billing status; Stripe receives the email and payment details you provide at checkout.
  • Vercel — hosts the Corha application and serves it to your browser. Request metadata (IPs, timestamps, error logs) is processed here.

We do not sell your data, and we do not share it with advertisers, data brokers, or third-party analytics providers.

5. Where data is stored

Workspace data is stored in the EU (Frankfurt region) by default through Supabase. AI processing requests may be routed to Anthropic infrastructure in the United States. Stripe processes payments in the jurisdictions it operates in. By using Corha you consent to the international transfers necessary to provide the service, subject to Standard Contractual Clauses or equivalent safeguards where required.

6. How long we keep data

We retain personal data only for as long as we need to:

  • Account data — for as long as your account is open. If you delete your account, we remove personal data within 30 days, except where we need to keep limited records for legal, tax, or dispute-resolution purposes.
  • Workspace content — kept while your workspace is active. Retention windows for calls, research, tickets, and evidence are configurable in workspace settings.
  • Billing records — retained for the period required by applicable tax law (typically 6 years in the UK).
  • Server logs — typically retained for up to 30 days for security and debugging.

7. Your rights

Where the UK GDPR or EU GDPR applies, you have rights to access, correct, delete, restrict processing of, and port your personal data, as well as to object to certain processing. You also have the right to lodge a complaint with a data-protection authority (in the UK, that’s the ICO).

To exercise any of these rights, email info@corha.app. We’ll respond within one month.

8. When Corha is a processor (not a controller)

For the customer data you upload to your workspace (call transcripts, tickets, survey responses, etc.), you are the controller and Corha is your processor. We process that data only on your documented instructions, and we will sign a Data Processing Addendum with you on request. Email info@corha.app for a copy.

9. Security

All traffic to Corha is encrypted in transit (TLS). Workspace data is stored encrypted at rest by Supabase. Access to production systems is restricted and authenticated. We never have access to your password or your payment card. Live-call audio never leaves your device.

10. Children

Corha is a workplace tool and is not directed to children under 16. We do not knowingly collect personal data from anyone under 16.

11. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes we will notify account holders by email or in-app.

12. Contact

Questions, requests, or complaints about this policy? info@corha.app.