Overview
This Policy is not a contract for data processing services. Where a customer organisation uses Cooperly for its team, our processing of that organisation’s team, member and candidate data is also governed by our customer agreement and Data Processing Addendum (“DPA”).
1. Our role
For website visitors, marketing contacts, account administration, security, billing and our own service operations, Func Digital LTD acts as a data controller.
Where a customer organisation uses Cooperly for its team, that customer is normally the data controller for personal data about its employees, contractors, candidates and other invited users. In that context, Func Digital LTD acts as a data processor and processes personal data on the customer’s documented instructions.
Customers are responsible for deciding whether to use Cooperly, what data to enter, which users and integrations to enable, who may access outputs, and whether they have a lawful basis for processing personal data through the Service. Customers are also responsible for providing any required privacy notices to their team members, candidates and other invited users.
2. Data we process
Depending on how the Service is used, we may process:
- account data, such as name, business email, role, password, organisation name, team name, invitation status and account settings;
- billing data, such as selected plan, billing cycle, trial status, trial end date, cancellation or end date, billing address, tax/VAT details where provided, Stripe customer, subscription, price, invoice and payment method identifiers, invoice summary links, invoice PDF links, payment method type and last four digits where Stripe provides them, billing requirement/status metadata and cancellation feedback where provided;
- team and member data, such as team context, goals, roles, profile answers, Coop Profile results, Fundamentals answers, Pulse check-ins, comments, feedback, member facts, summaries, trends, recommendations and dashboard outputs;
- candidate data, such as candidate name, email, role, invite status, profile answers, profile results, team-fit analysis, onboarding notes and hiring-related recommendations;
- integration data, such as OAuth consents, scopes, workspace or tenant identifiers, user mapping data, chat or channel identifiers, bot metadata, access tokens, API keys, session metadata and access logs;
- notification data, such as recipient address, channel, message content, delivery status, attempts, provider message identifiers and error metadata;
- usage, analytics, security and technical data, such as IP address, device and browser data, log data, timestamps, pages visited, actions taken, product events, funnel or milestone events, session or distinct identifiers, browser-side errors, authentication events and error reports;
- AI-related data, such as prompts, inputs, generated outputs, model configuration, provider metadata, usage data, errors and operational logs;
- cookies and similar technologies, where permitted by law and your settings.
We do not ask users to provide special category data, such as health information, political opinions, religious beliefs or biometric data. Users must not include such data in free-text fields unless they are authorised to do so and it is necessary. If special category data is provided, we may process it as part of the Service or delete/restrict it where appropriate.
3. Sources of data
We may receive personal data directly from you, from a customer organisation, from team leaders or account owners, from invited users or candidates, from connected third-party services, from AI or MCP clients authorised by a user or customer, and from service providers used to operate the Service.
If you are invited to Cooperly by your employer, client or another organisation, that organisation is normally responsible for explaining why your data is used in Cooperly and how it will use Cooperly outputs.
4. How we use data
We process personal data to:
- provide, secure and maintain the Service;
- create accounts, manage teams, process invitations and operate product features;
- create and manage paid registrations, trials, subscriptions, invoices, taxes and billing through Stripe;
- generate profiles, team assessments, Pulse summaries, dashboards, candidate team-fit outputs and other AI-assisted insights;
- send service messages, reminders, digests, alerts and support communications;
- operate integrations selected by users or customers;
- troubleshoot, monitor abuse, prevent fraud and protect the Service;
- measure website and product usage, analyse activation and billing funnels, debug errors and improve the Service, where permitted by law and contract;
- comply with legal obligations and enforce our agreements.
Cooperly outputs are advisory. The Service is not intended to make employment, hiring, dismissal, disciplinary, compensation, medical, legal or similarly significant decisions. Customers and authorised users are responsible for any decisions they make using the Service and must not use Cooperly outputs as the sole basis for such decisions.
5. Lawful bases
Where we act as a controller, we rely on one or more of the following lawful bases:
- performance of a contract;
- legitimate interests, such as operating, securing and improving the Service;
- legal obligations;
- consent, where required, such as for non-essential cookies or certain marketing communications.
Where we act as a processor, the customer is responsible for identifying the lawful basis for processing. We process customer-controlled personal data in accordance with the customer’s documented instructions, our DPA and applicable law.
6. Sharing data
We may share personal data with:
- customer organisations, account owners, team leaders, co-leads and authorised team members according to their permissions;
- Stripe, our payment processor, which may receive billing and payment information, payment method details, billing address, tax/VAT details, subscription details and related metadata;
- email and notification providers, which may receive recipient details, message content, delivery metadata and error data;
- Telegram, Slack and Microsoft Teams, where enabled, which may receive user mapping data, message content, reminders, digests, alerts and Cooperly links;
- Microsoft Graph and Bot Framework, where Microsoft Teams integration is enabled;
- AI providers, such as OpenAI or similar providers, to generate product outputs selected or enabled by the customer or user;
- external AI or MCP clients, such as ChatGPT-compatible, Claude-compatible, Linear, Notion, Codex or other authorised clients, where enabled by a customer or user and limited by scopes, grants and permissions;
- hosting, storage, analytics, product telemetry, logging, security, payment, customer support, consent-management and operational service providers, including Google Analytics, PostHog and CookieYes where enabled;
- professional advisers, insurers, regulators, law enforcement or courts where necessary;
- a buyer, investor or successor if our business or assets are reorganised, sold or transferred.
Third-party services may process personal data under their own terms and privacy policies. Customers and users are responsible for deciding whether to enable integrations and for ensuring they are authorised to disclose data to those services.
Stripe may process payment details directly. Cooperly does not store full card numbers, CVC codes or raw payment credentials.
PostHog may process analytics, product telemetry, marketing-site session replay or heatmap data, and browser-side error information where enabled. PostHog’s privacy materials are available at PostHog Privacy and its DPA is available at PostHog DPA.
7. Integrations and external AI access
Customers and users may choose to connect Cooperly to external services. Integrations may disclose personal data outside Cooperly, including message content, team context, profile information, Pulse or Fundamentals summaries, dashboard outputs, candidate information, links and access metadata.
MCP / External AI access is intended to be read-only. Access may be controlled by workspace settings, team grants, OAuth scopes, user permissions and service-client approvals. Human sessions may be approved by users. Service-client access may be approved by account owners. We may record consent, token, scope, access, denial and revocation events for security and audit purposes.
Customers are responsible for managing integrations, approvals, user permissions, revocation and any downstream use of data by connected services.
8. Cookies, analytics and PostHog
We use strictly necessary cookies and similar technologies to operate the Service. We may also use analytics and consent-management tools, including Google Analytics, PostHog and CookieYes, to understand website and product usage, improve the Service, measure funnels, debug errors and manage cookie preferences.
Where enabled, PostHog may collect page views, product events, web vitals, limited identifiers, browser and device data, error information and, on our marketing website, sampled session replay and heatmap data. Product-app session replay and product-app heatmaps are not intended to be enabled unless we change our settings.
We do not intend to send PostHog raw survey answers, Pulse free text, member facts, invite tokens, authentication tokens, OAuth codes, AI prompts or responses, full payment details or Stripe PII as analytics data.
Where required by law, we will ask for consent before using non-essential cookies, analytics, session replay, heatmaps or similar technologies. You can change your browser settings or cookie preferences where available. Some parts of the Service may not work properly without necessary cookies.
9. Marketing and service communications
We may send service communications, such as account notices, security alerts, invitations, reminders, product notifications, billing notices and support messages.
Stripe may send billing-related communications, such as receipts, invoices, failed-payment notices, renewal notices, trial reminders and payment-method notices, where enabled.
We may send marketing communications where permitted by law. You can opt out of marketing communications at any time. Opting out of marketing does not stop necessary service communications.
10. Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Policy, our customer agreements, legal obligations, security, audit, dispute resolution and legitimate business needs.
Customer-controlled team, member and candidate data is retained according to the customer agreement, DPA, customer settings and deletion requests accepted by us. Some data may remain for a limited period in backups, logs, audit records or legal records.
Integration credentials, tokens and related records are retained while the integration is active or as needed for security, audit or legal purposes. After disconnection, we may delete or disable credentials, subject to backup and legal retention limits.
Billing, invoice, subscription, tax and payment-status records may be retained for accounting, tax, audit, dispute, fraud-prevention and legal purposes.
11. Security
We use reasonable technical and organisational measures designed to protect personal data. These may include access controls, encryption in transit, encrypted storage of certain credentials, logging, monitoring and operational security controls.
Cooperly does not store full card numbers, CVC codes or raw payment credentials. Payment method details are handled by Stripe.
No online service is completely secure. Customers and users are responsible for using strong credentials, controlling account access, managing permissions and avoiding unauthorised disclosure of personal data through the Service or connected integrations.
12. International transfers
We may process or transfer personal data outside the United Kingdom or the European Economic Area. Where required, we use safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, contractual protections or other lawful transfer mechanisms.
Customers and users are responsible for considering international transfer implications before enabling third-party integrations or external AI clients.
13. Your rights
Depending on your location and the context of processing, you may have rights to access, correct, erase, restrict, object to processing, request portability, withdraw consent and complain to a supervisory authority.
If your data is processed through a customer organisation’s Cooperly workspace, that customer is normally the controller and should receive your request first. We will assist customers with data subject requests where required by our DPA and applicable law.
For requests relating to data for which Func Digital LTD is the controller, contact us at privacy@cooperly.ai. We may need to verify your identity before responding.
You also have the right to complain to the UK Information Commissioner’s Office or another competent supervisory authority.
14. Children
The Service is not intended for anyone under 18. If we learn that we have collected personal data from a person under 18 without appropriate authorisation, we may delete it.
15. Changes
We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify users or customers, such as by posting an updated version on our website or through the Service.
16. Contact
Func Digital LTD is a company registered in England and Wales.
Company number: 13684637
Registered office: 124 City Road, London, England, EC1V 2NX
Email: support@cooperly.ai
Privacy contact: privacy@cooperly.ai