CopyMe

Privacy Policy

Last updated: 22 April 2026 · Effective: 22 April 2026

At a glance

  • We collect the minimum we need to run CopyMe.
  • We never sell personal data.
  • You can export or delete your account at any time in Settings.
  • Your phone number and email are stored as one-way hashes; the plaintext never sits in our database.
  • Messages are retained for the Rule-of-7 cycle (last 7 per contact) and then cycled out.

1. Who we are

CopyMe ("CopyMe", "we", "us") is a messaging platform operated jointly by InteractiveIntel (United States) and Pimdom d.o.o. (Slovenia, European Union). For the purposes of the EU / UK GDPR, the data controller is the legal entity that owns the CopyMe trademark (listed below). For California residents, CopyMe is the "business" as defined under the CCPA / CPRA.

Contact the privacy team at info@copyme1.com. For EU-specific requests we will route you to our EU representative.

2. Data we collect

Categories of personal data we process:

  • Account identifiers — display name, account tier, currency preference, creation timestamp.
  • Contact identifiers — phone number and email address, stored as SHA-256 hashes only. We never retain plaintext phone or email in our database.
  • Authentication data — bcrypt password hash (12 rounds), session and refresh tokens.
  • Profile data you provide — location (optional, visible only if you opt-in), interests (up to 7), role / institution description.
  • Communication content — messages, message attachments, voice and video clip durations. Only the last 7 messages per contact are retained.
  • Operational data — request logs, IP address for rate limiting, device and browser metadata, approximate last-active timestamp.
  • AI interaction data — messages sent to the Yogi assistant, when you choose to use it. This data is processed by our AI subprocessor and not used to train their general models.

3. Why we process it (lawful basis)

Under the EU / UK GDPR, we rely on:

  • Contract (Art. 6(1)(b)) — to operate your account, deliver messages, and enforce Rule-of-7 limits.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and improve quality. You can object at any time.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, optional marketing emails, and Yogi AI features that process your conversations.
  • Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from authorities.

4. How long we keep it

  • Messages — only the last 7 per contact; older messages are auto-deleted.
  • Account — retained until you delete it. On deletion, profile and identifying data are removed within 30 days; anonymized operational logs may be kept for up to 12 months.
  • Security logs — up to 90 days.
  • Billing records — retained for statutory periods required under US / EU tax law (typically 7 years) after the last transaction.

5. Who we share data with

We share personal data only with processors contracted under written agreements (including EU Standard Contractual Clauses where applicable):

  • Vercel (application hosting, US / EU regions)
  • Neon (Postgres database, US region)
  • Resend (transactional email, US)
  • Anthropic (Yogi AI, US) — processes only messages you choose to send to Yogi
  • Twilio (SMS delivery, when SMS verification is enabled)
  • PostHog or a comparable product-analytics processor (anonymized events only)

We do not sell personal data, and we do not share it for cross-context behavioral advertising.

6. International transfers

If you are in the EU / UK, your data may be transferred to the United States for hosting and processing. Transfers are covered by the EU Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

7. Your rights

Depending on your location, you have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. To exercise any of these rights:

  • In-app: Profile → Settings → Delete account (immediate).
  • Email: info@copyme1.com — we respond within 30 days.
  • You may also complain to your national supervisory authority. In Slovenia this is the Information Commissioner (Informacijski pooblaščenec).

8. Security

We use bcrypt (cost 12) for password storage, TLS for all transport, JWT access tokens with short expiry and server-verified refresh, SHA-256 hashing of identifiers, and rate limiting on authentication endpoints. Despite these measures, no online service is perfectly secure; in the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34.

9. Cookies & local storage

CopyMe uses the minimum set of cookies and local-storage entries required to keep you signed in. Non-essential cookies (analytics, feature preferences) are only placed after you accept them via the consent banner.

10. Children

CopyMe is not intended for children under 13 (under 16 in the EEA, or the local age of digital consent, whichever is higher). We do not knowingly collect personal data from children below that age.

11. Changes to this policy

We will post material changes on this page and, where they meaningfully affect your rights, notify you in-app or by email before they take effect.

12. Contact

Privacy questions and data-subject requests: info@copyme1.com.