legal

Privacy Policy

Last updated May 25, 2026 · ← back to cooperbuild.ai

Cooper Build (“Cooper,” “we,” “us”) builds the ontology layer for construction — software that turns the unstructured artifacts of a construction firm into a coherent, queryable object graph. This policy explains what we collect, how we use it, who we share it with, and the choices you have. It is effective as of May 25, 2026.

1. Who this policy covers

This policy applies to cooperbuild.ai, the Cooper web application at app.cooperbuild.ai, and related services, demos, and communications (together, the “Services”). It is operated by CooperBuild, headquartered in New York, with an additional office in Miami, Florida.

When you use Cooper as part of an organization (a “Customer”), that organization is generally the controller of the project data, specifications, and other content it puts into Cooper, and Cooper acts as its processor under a separate customer agreement and data processing addendum (“DPA”). For that content, the Customer's own privacy notices govern; this policy describes how Cooper itself handles personal information.

2. Information we collect

Account information

  • Account & contact details — name, work email, organization, role, and credentials when you request access, book a demo, or create an account.
  • Customer content — the documents, data, and objects you or your organization load into Cooper: plans and drawings, specification sets, RFIs, change orders, schedules, estimates, line items, subcontractor and vendor records, purchase orders, and the relationships between them.
  • Communications — messages, support requests, and feedback you send us, including any attachments.

Project and usage data

  • Usage data — pages and features used, queries run, actions taken, timestamps, and approximate location derived from IP address.
  • Device & log data — browser type, operating system, device identifiers, referring URLs, and error logs.
  • Cookies & similar technologies — used to keep you signed in, remember preferences, and understand aggregate product usage. You can control cookies through your browser settings; some features may not work without them.

Google user data (via OAuth)

When you choose to connect your Google account in Cooper Settings, we request access to your Gmail data using the Google OAuth 2.0 authorization flow. We collect Google user data only after you grant explicit permission. The specific data collected depends on which OAuth scopes you authorize — see Section 3 for the full scope-by-scope breakdown.

We do notaccess your Google account unless you have connected it through Cooper Settings. Connecting your Google account is optional and is never required to use Cooper's core construction management features.

3. Google User Data

Cooper Build requests the following Google OAuth scopes when a user connects their Google account. Each scope, the data it provides access to, how that data is used, how it is stored, and how long it is retained are described below.

Scope: https://www.googleapis.com/auth/gmail.readonly

User-facing description: View your email messages and settings.

  • Data accessed: Inbound email message metadata (sender, subject, timestamp) and body content for new messages received after the connection is established. Cooper does not import or retroactively read your existing mailbox history.
  • Purpose: To surface project-relevant emails inside the Cooper workspace, link communications to the correct project objects (RFIs, change orders, submittals), and allow your team to act on them without leaving Cooper.
  • Storage: Email data is stored in MongoDB Atlas (encrypted at rest, AES-256) within a tenant-scoped data store accessible only to users of your organization. Attachments are stored in AWS S3 with server-side encryption. Inbound message delivery is handled via Google Cloud Pub/Sub push notifications.
  • Retention: Email data is retained for the duration of your Cooper subscription or until you disconnect your Google account (whichever comes first), after which it is deleted or anonymized in accordance with our standard data-deletion schedule.

Scope: https://www.googleapis.com/auth/gmail.modify

User-facing description: Read, compose, and send emails from your Gmail account.

  • Data accessed: The same inbound message data as gmail.readonly, plus the ability to draft and send reply emails on your behalf from within the Cooper interface.
  • Purpose: To allow users to reply to project-related emails — such as RFI responses, submittal acknowledgements, and vendor correspondence — directly from Cooper without switching to Gmail. Messages are sent only when you explicitly trigger the action in Cooper.
  • Storage: Same as above. Outbound drafts composed inside Cooper are stored temporarily and deleted once sent or discarded. Cooper does not retain copies of sent messages beyond what is needed to confirm delivery.
  • Retention: Same retention schedule as gmail.readonly data.

Important clarifications

  • Data is processed only after you explicitly connect your Google account in Cooper Settings → Integrations → Connect Gmail.
  • Cooper mirrors only new inbound messages received after connection. We do not import, scan, or index your existing mailbox history.
  • Google user data is used exclusively to provide the Gmail integration feature within your Cooper workspace. It is not used for advertising, profiling, or model training. See the Limited Use Disclosure below.

4. Limited Use Disclosure

Cooper Build's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, with respect to Google user data:

  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or ML models.
  • We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing features of Cooper Build, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use or transfer Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have the user's affirmative agreement for specific messages, doing so is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.

5. How we use information

  • To provide, operate, and maintain the Services, including modeling your data into the ontology graph and running the queries you request.
  • To authenticate users, secure accounts, and prevent fraud and abuse.
  • To provide support, respond to inquiries, and communicate about the Services, including service and security notices.
  • To monitor, debug, and improve the Services — for example, fixing errors and tuning performance — using usage and log data.
  • To send product updates and marketing communications where permitted; you can opt out of marketing at any time.
  • To comply with legal obligations and enforce our agreements.

Google user data is not used for advertising, interest-based profiling, or training any AI or machine learning model. Its use is strictly limited to providing and improving the Gmail integration feature within your Cooper workspace, as described in Sections 3 and 4.

Where required by law, we rely on the following bases to process personal information: performance of a contract, our legitimate interests in operating and securing the Services, your consent (for example, for non-essential cookies or marketing), and compliance with legal obligations.

6. AI models and your data

Your business data is never used to train a public model. Cooper is the harness — your data, modeled so a frontier model can reason over it. The model is a swap; the graph is yours.

Cooper is model-agnostic by design. To answer your queries, the Services route reasoning through one or more frontier models — which may be operated by third-party providers (for example, Anthropic, OpenAI, or Google) or run on infrastructure you control in a self-hosted deployment. We will identify the model providers in use as subprocessors in our DPA and subprocessor list.

  • No training on your content. We do not use Customer content (including Google user data) to train, fine-tune, or improve any foundation model that is offered to other customers or the public. Where we use third-party model APIs, we use offerings and contractual terms that exclude your inputs and outputs from provider model training.
  • The wiki and ontology compound for you alone.Templates, pricing heuristics, and the object graph that get sharper with every closed project belong to your organization's deployment. They are not pooled across customers.
  • Self-hosting. Where you run Cooper in your own environment, your Customer content stays in your infrastructure and is not transmitted to us except as you configure (for example, diagnostic logs you choose to share).
  • Aggregate, de-identified telemetry. We may use aggregated, de-identified usage statistics that do not identify you, your organization, or any project to operate, secure, and improve the Services.

7. How we share information

We do not sell personal information. We share it only as described here:

  • Service providers / subprocessors — hosting, storage, model providers, analytics, error monitoring, email, and (if applicable) payment processors, each bound by confidentiality and data-protection obligations and permitted to use the data only to provide services to us. Key subprocessors for the Gmail integration include:
    • Google Cloud Pub/Sub — inbound email push-notification delivery
    • MongoDB Atlas — primary storage for email message data (encrypted at rest)
    • AWS S3 — attachment storage (server-side encryption)
  • Within your organization— content and activity may be visible to other authorized users and administrators of your organization's Cooper workspace.
  • Legal & safety — when we believe disclosure is required by law or legal process, or is necessary to protect the rights, property, or safety of Cooper, our users, or others.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy or a successor policy with comparable protections. Users will be notified of any such transfer that affects Google user data.
  • With your direction — when you ask us to share information or integrate with a third-party service you connect.

8. Data retention

We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Customer content is retained for the term of the applicable customer agreement and deleted or returned thereafter as described in that agreement and our DPA, subject to backup retention cycles and any legal hold.

Google user data is retained for the duration of your active Gmail connection in Cooper. When you disconnect your Google account (via Cooper Settings → Integrations → Disconnect Gmail), we initiate a stop-watch on inbound push notifications, deactivate the stored OAuth tokens, and mark the connection inactive. Associated email data is deleted or anonymized within 30 days of disconnection, subject to backup cycles.

Account and contact data tied to demos or trials that do not convert is retained for a limited period and then deleted or anonymized.

9. Security

We use administrative, technical, and physical safeguards designed to protect information, including:

  • AES-256 encryption at rest for all stored data, including OAuth refresh tokens.
  • HTTPS / TLS encryption for all data in transit.
  • Access controls and least-privilege practices — your email data is scoped to your organization's tenant and inaccessible to other organizations.
  • Network segmentation, logging, and monitoring.
  • Regular review of our security controls.

Cooper's security program is built toward SOC 2 attestation. No system is perfectly secure; you are responsible for keeping your credentials confidential and for the security of devices you use to access the Services. See our Terms of Service for more on your responsibilities.

10. International data transfers

Cooper is headquartered in the United States and stores data in US-region infrastructure. We may process information in other countries where we or our service providers operate. Where required, we use appropriate safeguards — such as the European Commission's Standard Contractual Clauses or equivalent mechanisms — for transfers of personal data out of the EEA, the UK, or Switzerland.

11. Your rights and choices

Depending on where you live, you may have the right to access, correct, delete, or port your personal information; to object to or restrict certain processing; and to withdraw consent. You can also opt out of marketing emails using the unsubscribe link in any such message.

To revoke Cooper's access to your Google account:

  • Within Cooper: Go to Settings → Integrations → Disconnect Gmail. This immediately deactivates the OAuth connection and stops all further data collection.
  • Via Google: Visit https://myaccount.google.com/permissions and remove Cooper Build from the list of connected apps.

To exercise any other rights, or to request deletion of Google user data, contact us at hello@cooperbuild.ai. If you are a user within a Customer organization, please direct requests about Customer content to that organization; we will assist them as their processor. We will not discriminate against you for exercising your rights. You may also have the right to lodge a complaint with your local data protection authority.

12. Mobile messaging (SMS) and your phone number

We collect mobile phone numbers only when you provide them — for example, when you book a demo, create an account, contact support, or expressly opt in to receive SMS messages from CooperBuild. We use those numbers to send account-related and transactional messages (such as security codes, confirmations, and service notices), to respond to support requests, and — where you have specifically opted in — to send program-related SMS communications (such as product updates or demo follow-ups).

No mobile information (mobile phone numbers, opt-in data, or consent records) will be shared with third parties or affiliates for marketing or promotional purposes. We do not sell or rent mobile phone numbers, and we do not pass them to lead generators.

If you opt in to an SMS program from CooperBuild:

  • You may opt out at any time by replying STOP to any message. We will send a single confirmation that you have been unsubscribed and will stop sending you messages from that program.
  • You may request assistance by replying HELP, or by contacting us at hello@cooperbuild.ai.
  • Message frequency varies by program; for recurring programs the frequency will be disclosed at the point of opt-in.
  • Message and data rates may apply, depending on your wireless plan.
  • Wireless carriers — including T-Mobile, AT&T, and Verizon — are not liable for delayed or undelivered messages.

Even if you opt out of marketing or program SMS, we may still send essential transactional or security messages where permitted by law. The SMS program terms that govern your enrollment are in our Terms of Service.

13. Children's privacy

The Services are intended for businesses and are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. If we make material changes — including any changes to how we handle Google user data — we will update the “Last updated” date and provide additional notice (for example, by email or in-product). Your continued use of the Services after an update means you accept the revised policy.

15. Contact us

Questions about this policy, our data practices, or to request deletion of your data? Email hello@cooperbuild.ai. Postal address: CooperBuild, 276 5th Ave STE 704 PMB 170, New York, NY 10001.