Privacy Policy

1. Our role

For website visitors, marketing contacts, account administration, security, billing and our own service operations, Func Digital LTD acts as a data controller.

Where a customer organisation uses Cooperly for its team, that customer is normally the data controller for personal data about its employees, contractors, candidates and other invited users. In that context, Func Digital LTD acts as a data processor and processes personal data on the customer’s documented instructions.

Customers are responsible for deciding whether to use Cooperly, what data to enter, which users and integrations to enable, who may access outputs, and whether they have a lawful basis for processing personal data through the Service. Customers are also responsible for providing any required privacy notices to their team members, candidates and other invited users.

2. Data we process

Depending on how the Service is used, we may process:

• account data, such as name, business email, role, password, organisation name, team name, invitation status and account settings;
• team and member data, such as team context, goals, roles, profile answers, Coop Profile results, Fundamentals answers, Pulse check-ins, comments, feedback, member facts, summaries, trends, recommendations and dashboard outputs;
• candidate data, such as candidate name, email, role, invite status, profile answers, profile results, team-fit analysis, onboarding notes and hiring-related recommendations;
• integration data, such as OAuth consents, scopes, workspace or tenant identifiers, user mapping data, chat or channel identifiers, bot metadata, access tokens, API keys, session metadata and access logs;
• notification data, such as recipient address, channel, message content, delivery status, attempts, provider message identifiers and error metadata;
• usage, security and technical data, such as IP address, device and browser data, log data, timestamps, pages visited, actions taken, authentication events and error reports;
• AI-related data, such as prompts, inputs, generated outputs, model configuration, provider metadata, usage data, errors and operational logs;
• cookies and similar technologies, where permitted by law and your settings.

3. Sources of data

We may receive personal data directly from you, from a customer organisation, from team leaders or account owners, from invited users or candidates, from connected third-party services, from AI or MCP clients authorised by a user or customer, and from service providers used to operate the Service.

If you are invited to Cooperly by your employer, client or another organisation, that organisation is normally responsible for explaining why your data is used in Cooperly and how it will use Cooperly outputs.

4. How we use data

We process personal data to:

• provide, secure and maintain the Service;
• create accounts, manage teams, process invitations and operate product features;
• generate profiles, team assessments, Pulse summaries, dashboards, candidate team-fit outputs and other AI-assisted insights;
• send service messages, reminders, digests, alerts and support communications;
• operate integrations selected by users or customers;
• troubleshoot, monitor abuse, prevent fraud and protect the Service;
• improve the Service, where permitted by law and contract;
• comply with legal obligations and enforce our agreements.

5. Lawful bases

Where we act as a controller, we rely on one or more of the following lawful bases:

• performance of a contract;
• legitimate interests, such as operating, securing and improving the Service;
• legal obligations;
• consent, where required, such as for non-essential cookies or certain marketing communications.

6. Sharing data

We may share personal data with:

• customer organisations, account owners, team leaders, co-leads and authorised team members according to their permissions;
• email and notification providers, which may receive recipient details, message content, delivery metadata and error data;
• Telegram, Slack and Microsoft Teams, where enabled, which may receive user mapping data, message content, reminders, digests, alerts and Cooperly links;
• Microsoft Graph and Bot Framework, where Microsoft Teams integration is enabled;
• AI providers, such as OpenAI or similar providers, to generate product outputs selected or enabled by the customer or user;
• external AI or MCP clients, such as ChatGPT-compatible, Claude-compatible, Linear, Notion, Codex or other authorised clients, where enabled by a customer or user and limited by scopes, grants and permissions;
• hosting, storage, analytics, logging, security, payment, customer support and operational service providers;
• professional advisers, insurers, regulators, law enforcement or courts where necessary;
• a buyer, investor or successor if our business or assets are reorganised, sold or transferred.

7. Integrations and external AI access

Customers and users may choose to connect Cooperly to external services. Integrations may disclose personal data outside Cooperly, including message content, team context, profile information, Pulse or Fundamentals summaries, dashboard outputs, candidate information, links and access metadata.

MCP / External AI access is intended to be read-only. Access may be controlled by workspace settings, team grants, OAuth scopes, user permissions and service-client approvals. Human sessions may be approved by users. Service-client access may be approved by account owners. We may record consent, token, scope, access, denial and revocation events for security and audit purposes.

Customers are responsible for managing integrations, approvals, user permissions, revocation and any downstream use of data by connected services.

8. Cookies and analytics

We use strictly necessary cookies and similar technologies to operate the Service. We may also use analytics or similar technologies to understand usage and improve the Service.

Where required by law, we will ask for consent before using non-essential cookies or similar technologies. You can change your browser settings or cookie preferences where available. Some parts of the Service may not work properly without necessary cookies.

9. Marketing and service communications

We may send service communications, such as account notices, security alerts, invitations, reminders, product notifications and support messages.

We may send marketing communications where permitted by law. You can opt out of marketing communications at any time. Opting out of marketing does not stop necessary service communications.

10. Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Policy, our customer agreements, legal obligations, security, audit, dispute resolution and legitimate business needs.

Customer-controlled team, member and candidate data is retained according to the customer agreement, DPA, customer settings and deletion requests accepted by us. Some data may remain for a limited period in backups, logs, audit records or legal records.

Integration credentials, tokens and related records are retained while the integration is active or as needed for security, audit or legal purposes. After disconnection, we may delete or disable credentials, subject to backup and legal retention limits.

11. Security

We use reasonable technical and organisational measures designed to protect personal data. These may include access controls, encryption in transit, encrypted storage of certain credentials, logging, monitoring and operational security controls.

No online service is completely secure. Customers and users are responsible for using strong credentials, controlling account access, managing permissions and avoiding unauthorised disclosure of personal data through the Service or connected integrations.

12. International transfers

We may process or transfer personal data outside the United Kingdom or the European Economic Area. Where required, we use safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, contractual protections or other lawful transfer mechanisms.

Customers and users are responsible for considering international transfer implications before enabling third-party integrations or external AI clients.

13. Your rights

Depending on your location and the context of processing, you may have rights to access, correct, erase, restrict, object to processing, request portability, withdraw consent and complain to a supervisory authority.

If your data is processed through a customer organisation’s Cooperly workspace, that customer is normally the controller and should receive your request first. We will assist customers with data subject requests where required by our DPA and applicable law.

For requests relating to data for which Func Digital LTD is the controller, contact us at privacy@cooperly.ai. We may need to verify your identity before responding.

You also have the right to complain to the UK Information Commissioner’s Office or another competent supervisory authority.

14. Children

The Service is not intended for anyone under 18. If we learn that we have collected personal data from a person under 18 without appropriate authorisation, we may delete it.

15. Changes

We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify users or customers, such as by posting an updated version on our website or through the Service.

16. Contact