Privacy Settings
Data retention, privacy settings, and data sharing preferences
Privacy Settings
Control how Cothon collects, stores, and uses your data. Configure data retention policies, manage privacy preferences, and control what information you share.
Privacy Overview
Cothon is committed to protecting your privacy and giving you control over your data. These settings let you manage:
- What data Cothon collects about your usage
- How long data is retained
- Who can see your activity and information
- What data is shared with third parties
- Your rights under privacy regulations
Note
Cothon is compliant with Canadian privacy laws (PIPEDA), GDPR, and other international privacy regulations.
Data Collection Settings
Usage Analytics
Control what usage data Cothon collects to improve the product.
Analytics Categories
| Category | What's Collected | Used For | Default |
|---|---|---|---|
| Product Analytics | Page views, feature usage, clicks | Improve features | On |
| Performance | Load times, errors, latency | Optimize speed | On |
| User Behavior | Workflows, task completion | Better UX | On |
| Search Analytics | Search terms, filters used | Improve search | On |
What We Do NOT Collect
Cothon never collects:
- Document content: Your RFPs, proposals, and analyses
- Proprietary data: Company secrets, capabilities, pricing
- Personal communications: Messages, comments, emails
- Authentication credentials: Passwords, API keys
- Financial details: Payment card numbers, banking info
How Analytics Data is Used
Analytics help us:
- Identify issues: Detect bugs and performance problems
- Improve features: Understand which features are valuable
- Optimize UX: Make the interface more intuitive
- Prioritize development: Build features users actually need
- Measure success: Track if improvements work
All analytics data is:
- Anonymized: Not tied to your identity
- Aggregated: Combined with other users' data
- Encrypted: Protected in transit and at rest
- Private: Never sold to third parties
Tip
We recommend leaving analytics enabled. It helps us improve Cothon for everyone while protecting your privacy.
Error Reporting
Configure automatic error and crash reporting.
Error Report Contents
When an error occurs, reports may include:
- Error message: What went wrong
- Stack trace: Technical debugging info
- Browser info: Browser version, OS
- User context: What you were doing (anonymized)
- Session ID: For correlating related errors
Error reports do NOT include:
- Document content or user data
- Personal information
- Proprietary business information
Error Reporting Options
| Option | Description | Recommended For |
|---|---|---|
| Automatic | Send all errors automatically | Most users |
| Ask First | Prompt before sending | Privacy-conscious users |
| Manual | Only send if you click "Report" | Maximum privacy |
| Disabled | Never send error reports | Restricted environments |
Set in Settings > Privacy > Error Reporting.
Note
Error reports are critical for fixing bugs. We recommend "Automatic" for the best experience.
Diagnostic Data
Detailed diagnostic data for troubleshooting.
What's Included
- System information (OS, browser, memory)
- Cothon version and configuration
- Performance metrics
- Network connectivity data
- Recent actions (anonymized)
When It's Collected
Diagnostic data is only collected:
- When you explicitly request support
- When you click "Send Diagnostics"
- When a critical error occurs (if enabled)
Enable automatic diagnostic collection in Settings > Privacy > Diagnostics > Auto-collect.
AI Processing Consent
Control whether your documents are sent to external AI providers (OpenAI, Google Gemini) for analysis. This is a PIPEDA individual consent control that applies regardless of your organization's AI settings.
User-Level Default
Navigate to Settings > Privacy > AI Processing Consent.
| Setting | Description |
|---|---|
| AI Processing Enabled (default) | Uploaded documents may be sent to AI providers for automated requirement extraction, compliance analysis, and proposal generation. |
| AI Processing Disabled | Your documents are stored but NOT sent to any external AI provider. You can still view documents and add requirements manually. |
When AI Processing is disabled at the user level, all new document uploads will default to skipping AI processing. You can override this on a per-upload basis.
Per-Upload Override
When uploading a document for bid analysis, you can toggle "Skip AI Processing" to prevent that specific document from being sent to AI providers, even if your default setting is enabled.
This creates a stub analysis record where you can manually add requirements, but no document text is transmitted to OpenAI or Google Gemini.
Note
Organization vs. Individual consent: Your organization administrator may enable or disable AI features for the entire team. However, PIPEDA requires individual consent — even if AI is enabled at the organization level, you always retain the right to opt out for your own uploads. When you opt out, an ai_processing.opted_out event is recorded in the audit log for compliance tracking.
Data Retention Settings
Control how long Cothon retains different types of data.
Content Retention
| Content Type | Default Retention | Adjustable Range | Notes |
|---|---|---|---|
| Active Analyses | Indefinite | N/A | Until you delete |
| Active Proposals | Indefinite | N/A | Until you delete |
| Draft Documents | 90 days | 30-365 days | Auto-deleted if inactive |
| Deleted Items | 30 days | 0-90 days | Recoverable from trash |
| Archived Projects | Indefinite | N/A | Until you delete |
Warning
Content deleted after retention period expires is permanent and cannot be recovered.
Activity Data Retention
Control how long activity logs and history are kept.
| Activity Type | Default | Range | Purpose |
|---|---|---|---|
| Activity Feed | 90 days | 30-365 days | Recent activity |
| Search History | 30 days | 7-90 days | Search suggestions |
| View History | 90 days | 30-180 days | Recently viewed |
| Edit History | Indefinite | 90 days-indefinite | Document versions |
| Collaboration | Indefinite | 90 days-indefinite | Comments, changes |
Immediate Deletion Options
Delete activity data immediately:
- Clear Search History: Remove all saved searches
- Clear View History: Remove recently viewed items
- Clear Activity Feed: Remove activity log
- Clear All: Wipe all activity data
Access in Settings > Privacy > Data Retention > Clear Now.
Deleted Items
Configure trash/recycle bin behavior.
Trash Retention Period
| Setting | Behavior | Use Case |
|---|---|---|
| Immediate | Permanent deletion, no trash | Maximum privacy |
| 7 days | Short recovery window | Quick cleanup |
| 30 days (default) | Balanced recovery time | Most users |
| 90 days | Extended recovery | Safety-conscious |
Auto-Empty Trash
- Enabled: Automatically empty trash after retention period
- Disabled: Items stay in trash until manually deleted
- Schedule: Choose when auto-empty runs (daily, weekly)
Tip
Use 30-day retention with auto-empty enabled. This gives you time to recover accidentally deleted items without manual cleanup.
Audit Logs
For compliance and security, configure audit log retention.
| Log Type | Default | Required For | Adjustable |
|---|---|---|---|
| Security Events | 1 year | Compliance | No |
| Access Logs | 90 days | Auditing | 90-365 days |
| Change Logs | 1 year | Version control | 90 days-indefinite |
| Admin Actions | 2 years | Governance | 1-7 years |
Note
Some audit logs have minimum retention periods for compliance. These cannot be reduced below the required duration.
Visibility & Sharing Settings
Control who can see your information and activity.
Profile Visibility
Configure what other users see about you.
Visibility Options
| Setting | Who Can See | What They See |
|---|---|---|
| Public | Everyone in org | Full profile |
| Team | Team members only | Full profile |
| Limited | Everyone in org | Name and photo only |
| Private | Only admins | Name only |
Set in Settings > Privacy > Profile Visibility.
Profile Components
Toggle visibility for each component:
- Profile photo: Show or use generic avatar
- Job title: Display or hide
- Department: Show or hide
- Phone number: Display or hide
- Bio: Show or hide
- Location: Display or hide
Activity Visibility
Control who sees your activity in activity feeds.
| Activity Type | Visibility Options | Default |
|---|---|---|
| Content Creation | Public, Team, Private | Team |
| Comments | Public, Team, Private | Public |
| Edits | Public, Team, Private | Team |
| Shares | Public, Team, Private | Team |
| Reactions | Public, Team, Private | Public |
Public: Everyone in organization Team: Only your team members Private: Only you (and content owner)
Presence & Status
Control online presence visibility.
Presence Indicators
| Setting | Effect | Who Sees |
|---|---|---|
| Online | Green dot, "Active now" | Everyone |
| Away | Yellow dot, "Away" | Everyone |
| Do Not Disturb | Red dot, "DND" | Everyone |
| Invisible | Appear offline | No one |
Status Settings
Configure automatic status:
- Auto-away: Mark as away after N minutes of inactivity
- Auto-offline: Mark as offline after N minutes
- Show last seen: Display "Last active X ago"
- Hide typing: Don't show "typing..." indicator
Tip
Use "Do Not Disturb" when working on urgent bids. Team members will see you're online but focused, reducing interruptions.
Work Hours
Set your working hours to manage expectations.
Team members see:
- "Available" during work hours
- "Outside work hours" when you're off
- Your next availability time
Data Sharing & Third Parties
Control what data is shared with external services.
Integration Data Sharing
When you connect integrations (Slack, Teams, etc.), control what data they can access.
Integration Permissions
| Integration | Data Shared | Can Be Limited |
|---|---|---|
| Slack | Notifications, summaries | Yes |
| Teams | Notifications, summaries | Yes |
| Google Workspace | Calendar, email | Yes |
| Microsoft 365 | Calendar, email | Yes |
| Analytics Tools | Usage data | Yes |
Review and adjust permissions:
- Go to Settings > Privacy > Integrations
- Select an integration
- Review requested permissions
- Toggle off any you don't want to grant
- Save changes
Warning
Limiting permissions may reduce integration functionality. For example, disabling calendar access means Cothon can't check your availability.
AI Model Providers
Cothon uses AI models from Google (Gemini) and OpenAI (GPT).
Data Sent to AI Providers
When using AI features, we send:
- Document text (for analysis)
- User prompts and questions
- Context from your capabilities
We do NOT send:
- Your personal information
- Other users' data
- Unrelated documents
- Authentication credentials
AI Data Retention
| Provider | Retention | Used For Training | Opt-Out |
|---|---|---|---|
| 0 days | No | N/A | |
| OpenAI | 30 days | No (opted out) | N/A |
Note
Cothon has opted out of AI training for both Google and OpenAI. Your data is never used to train their models.
AI Privacy Settings
Configure AI-specific privacy:
- Disable AI features: Opt out of AI entirely
- Use only Google: Avoid OpenAI
- Use only OpenAI: Avoid Google
- Local processing: Use on-device AI when available (beta)
Set in Settings > Privacy > AI Privacy.
Analytics & Tracking
Control third-party analytics and tracking.
What We Use
- Sentry: Error tracking and performance monitoring
- PostHog: Product analytics and feature usage
- Stripe: Payment processing (if subscribed)
Opt-Out Options
| Service | Can Opt Out | Impact |
|---|---|---|
| Product Analytics | Yes | We can't improve features |
| Error Tracking | Yes | Harder to fix bugs |
| Performance Monitoring | Yes | Slower support |
| Payment Analytics | No | Required for billing |
Opt out in Settings > Privacy > Third-Party Services.
Marketing Communications
Control marketing emails and communications.
| Communication | Description | Frequency | Opt-Out |
|---|---|---|---|
| Product Updates | New features, improvements | Monthly | Yes |
| Best Practices | Tips and guides | Bi-weekly | Yes |
| Webinars | Training events | Monthly | Yes |
| Newsletters | Industry news | Weekly | Yes |
| Surveys | Feedback requests | Quarterly | Yes |
| Transactional | Account, billing, security | As needed | No |
Note
Transactional emails (password resets, security alerts, billing notices) cannot be opted out as they're essential for account management.
Privacy Rights & Requests
Exercise your privacy rights under GDPR, PIPEDA, and other regulations.
Your Privacy Rights
Under privacy laws, you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Delete your data ("right to be forgotten")
- Portability: Export your data in machine-readable format
- Restriction: Limit how your data is processed
- Objection: Object to certain processing activities
- Withdraw Consent: Revoke previously given consent
Data Access Request
Request a copy of all data Cothon holds about you.
Note
Data access requests are fulfilled within 30 days as required by GDPR. Most requests are completed within 7 days.
Data Correction Request
Correct inaccurate or incomplete personal data.
For most data, you can self-correct in Settings. For data you cannot edit:
- Go to Settings > Privacy > Privacy Rights > Request Correction
- Describe what data is incorrect
- Provide correct information
- Submit request
We'll review and update within 7 days.
Data Deletion Request
Request deletion of your personal data.
What Can Be Deleted
- Your account and profile
- Your analyses and proposals
- Your activity history
- Your preferences and settings
What Cannot Be Deleted
- Legal records (required for compliance)
- Financial records (required for accounting)
- Audit logs (required for security)
- Data in backups (deleted on next backup cycle)
Warning
Deletion is permanent after the grace period. Export your data before requesting deletion.
Data Portability Request
Export your data in machine-readable formats for transfer to another service.
Supported export formats:
- JSON: Complete data with metadata
- CSV: Tabular data for spreadsheets
- XML: Structured data for integration
- ZIP: Combined archive of all formats
Request in Settings > Privacy > Privacy Rights > Request Portability.
Objection to Processing
Object to specific processing activities:
- Go to Settings > Privacy > Privacy Rights > Object to Processing
- Select processing activities you object to:
- Marketing communications
- Usage analytics
- AI processing
- Third-party sharing
- Provide reason for objection
- Submit objection
We'll review and respond within 7 days.
Children's Privacy
Cothon is not intended for users under 16 years of age.
Age Verification
- Users must be 16+ to create accounts
- Age is verified during signup
- Accounts created by users under 16 are terminated
COPPA Compliance
For US users under 13:
- Cothon does not knowingly collect data from children under 13
- If we learn of data from a child under 13, we delete it immediately
- Parents can request deletion of child's data
Report underage accounts to privacy@cothon.ca.
Cookie & Tracking Settings
Manage cookies and tracking technologies.
Cookie Categories
| Category | Purpose | Required | Can Opt Out |
|---|---|---|---|
| Essential | Core functionality | Yes | No |
| Functional | Enhanced features | No | Yes |
| Analytics | Usage tracking | No | Yes |
| Marketing | Personalization | No | Yes |
Cookie Settings
Configure cookie preferences:
Do Not Track
Cothon respects Do Not Track (DNT) browser headers.
If DNT is enabled in your browser:
- Analytics cookies disabled
- Third-party tracking disabled
- Behavioral tracking disabled
- Essential cookies still used (required for functionality)
Enable DNT in your browser settings. Cothon will automatically detect and respect it.
Tip
Most modern browsers support DNT. Search "[Your Browser] enable do not track" for instructions.
Tracking Prevention
Use Cothon's built-in tracking prevention:
- Block third-party trackers: Prevent external tracking
- Block cross-site cookies: Limit cross-site tracking
- Fingerprinting protection: Prevent browser fingerprinting
- Referrer masking: Hide where you came from
Enable in Settings > Privacy > Tracking Prevention.
Data Security & Encryption
How Cothon protects your privacy through security.
Encryption
| Data State | Encryption | Standard |
|---|---|---|
| In Transit | TLS 1.3 | AES-256 |
| At Rest | AES-256 | FIPS 140-2 |
| Backups | AES-256 | FIPS 140-2 |
| Exports | Optional | User's choice |
Data Location
| Data Type | Location | Region | Compliance |
|---|---|---|---|
| Primary | Canada | Multi-region | PIPEDA |
| Backups | Canada | Multi-region | PIPEDA |
| CDN Cache | Global | Edge locations | GDPR |
Note
All primary data is stored in Canadian data centers. Content may be cached globally via CDN for performance, but only metadata, not sensitive content.
Data Access Controls
Who can access your data:
| Role | Access | Purpose | Logged |
|---|---|---|---|
| You | Full | Your data | Yes |
| Your Team | Shared only | Collaboration | Yes |
| Support | With permission | Troubleshooting | Yes |
| Admins | Organization data | Administration | Yes |
| Engineers | Anonymized | Development | Yes |
All data access is logged and auditable.
Privacy Compliance
Cothon's compliance with privacy regulations.
Regulations We Comply With
- PIPEDA: Canada's privacy law
- GDPR: European General Data Protection Regulation
- CCPA: California Consumer Privacy Act
- SOC 2 Type II: Security and privacy controls
- ISO 27001: Information security management
Privacy Certifications
- ✓ SOC 2 Type II certified
- ✓ ISO 27001 certified
- ✓ Privacy Shield (EU-US)
- ✓ PIPEDA compliant
- ✓ GDPR compliant
Data Processing Agreements
For enterprise customers:
- Data Processing Agreement (DPA) available
- Business Associate Agreement (BAA) for HIPAA (if applicable)
- Custom privacy terms negotiable
Contact legal@cothon.ca for enterprise privacy agreements.
Privacy by Design
Cothon follows Privacy by Design principles:
- Proactive: Privacy built in, not bolted on
- Default: Privacy is the default setting
- Embedded: Privacy integrated into design
- Positive-sum: Not zero-sum (privacy AND functionality)
- End-to-end: Lifecycle protection
- Visible: Transparency in operations
- User-centric: Your privacy, your control
Incident Response
In case of a data breach:
Our Response
- Immediate: Contain the breach
- 24 hours: Assess impact
- 72 hours: Notify affected users
- 7 days: Notify regulators (if required)
- 30 days: Publish incident report
Your Actions
If we notify you of a breach:
- Review the incident report
- Change your password
- Review account activity
- Enable 2FA if not already enabled
- Monitor your account
Breach Notifications
You'll be notified if:
- Your personal data was accessed
- Risk of harm to you
- Required by law
Notification methods:
- Email to primary address
- In-app alert
- SMS (if phone number on file)
Privacy Resources
Learning More
- Privacy Policy: Full legal document
- Cookie Policy: Detailed cookie information
- Data Processing Agreement: For enterprise
- Privacy FAQs: Common questions
- Privacy Blog: Updates and best practices
Access in Settings > Privacy > Resources.
Privacy Support
Contact our privacy team:
- Email: privacy@cothon.ca
- Phone: 1-800-COTHON (privacy extension)
- Live Chat: Available during business hours
- Privacy Portal: Submit requests online
Data Protection Officer
Reach our DPO:
Email: dpo@cothon.ca Address: Cothon Inc., Attn: Data Protection Officer, [Address]
Privacy Checklist
Recommended privacy settings for procurement professionals:
- Review and adjust data collection settings
- Set appropriate data retention periods
- Configure profile visibility (recommend "Team")
- Set activity visibility to "Team" or "Private"
- Configure work hours to manage availability
- Review integration permissions
- Verify AI privacy settings
- Opt out of marketing emails (if desired)
- Enable Do Not Track (in browser)
- Review cookie settings
- Set up 2FA (in Security settings)
- Review active sessions regularly
FAQ
Next Steps
- Security - Protect your account
- Advanced - API keys and developer settings
- General - Basic preferences
- Organization - Organization-wide privacy settings
Was this page helpful?