Privacy Policy
The short version
- Database passwords are encrypted with AES-256 at rest and only decrypted in memory when you run a query.
- Encryption keys live in session storage, not localStorage — so an XSS or a closed tab can't exfiltrate them.
- We don't sell your data and we don't run ad pixels. There's no Facebook, LinkedIn, or TikTok tracker on this site.
- When you use AI features, requests go through a zero-retention agreement with the provider. Your data is not used to train models.
- Billing is handled by Stripe. We never see your card number.
- Export everything or delete your account in one click.
Who we are
Cocobox.io ("Cocobox", "we", "us") is the data controller for the information described here. Contact: privacy@cocobox.io.
What we collect
Only what's necessary to run the product:
- Account data: email, display name, optional profile image, workspace name. Authentication is delegated to Auth0 — passwords are hashed there, we never see the plaintext.
- Billing data: subscription status, plan, and invoice history. Card details are tokenized and handled by Stripe under their PCI-DSS certified infrastructure — we never touch raw card data.
- Connection metadata: the host, port, user, and database options you enter. Passwords and SSH keys are encrypted.
- Snippets & queries you save: stored in our database so you can come back to them. You can optionally mark a snippet as encrypted, in which case only you (or people you explicitly share with) can decrypt it.
- Usage telemetry: anonymized feature usage and error reports so we can fix what breaks. No cross-site tracking, no fingerprinting.
- Support emails: anything you send us when you ask for help.
How we protect credentials
- At rest: database passwords are AES-256 encrypted with per-workspace keys. The raw passwords never land in our logs or backups in plaintext.
- In transit: everything is TLS 1.2+. Optional SSH tunneling is supported for databases behind a bastion host.
- Client-side keys: the AES key material used for client-side encryption of snippets lives in sessionStorage and expires with the tab. It is never written to localStorage and never broadcast via postMessage.
- Rotation: you can rotate any connection credential from the dashboard; no redeploy required.
No data sharing or sale
We do not sell, rent, or license your personal data to anyone. The only parties that process your data on our behalf are the sub-processors listed below, and they're contractually limited to the function we hired them for.
Sub-processors
- Auth0 (Okta, Inc.) — authentication & identity.
- Stripe, Inc. — billing & payment processing.
- Amazon Web Services (AWS) — application hosting and encrypted storage.
- OpenAI / Anthropic / Google (Gemini) / DeepSeek / GitHub — AI inference, only when you explicitly invoke AI features. Requests run under zero-retention terms where available, and under your own API key when you bring one.
- Postmark or equivalent — transactional email (receipts, password resets).
A current list with DPAs is available on request from privacy@cocobox.io.
AI features & your data
When you invoke an AI feature (chat, query generation, MCP tool call), we send the minimum context required — your prompt plus relevant schema or selected text — to the model you chose. If you supplied your own API key for OpenAI, Anthropic, Gemini, or DeepSeek, the request hits that provider directly under their terms. When you use Cocobox-managed tokens, we forward the request under a zero-retention agreement: the provider does not store the prompt, and does not use it to train models.
We do not read your queries, snippets, or AI chats for any purpose other than delivering the Service (e.g., debugging a failing request at your request, or answering a legal demand — see "Legal requests" below).
GitHub Copilot & MCP
When you enable the Cocobox MCP SQL server, Copilot (or any MCP client — Cursor, opencode, Zed, Claude Desktop) can request schema information and run queries under permissions tied to the API key you issue. Each key can be scoped to specific models, given a token budget, and toggled between read-only and tool-enabled. Every MCP invocation is logged. Revoking a key is instant and unconditional.
Cookies
- Strictly necessary: session cookies for authentication. Without these, the app doesn't work.
- Preferences: theme (light/dark), language, and layout settings. Stored locally in your browser.
- Analytics: an anonymized, cookieless (or first-party) analytics signal. You can block it and the product still works.
We do not use advertising cookies or third-party re-targeting pixels.
Retention
- Active account: we keep your data as long as your account is open.
- Account deleted: we purge personal data within 30 days, except where we're legally required to retain specific items (invoices for tax purposes, etc.).
- Backups: encrypted, rotated on a 30-day cycle.
Your rights
- Access & portability: export all your data from the dashboard.
- Correction: update your profile and workspace settings directly in-app.
- Deletion: one-click account deletion from Profile → Settings.
- EU / UK (GDPR): right of access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with your supervisory authority.
- California (CCPA/CPRA): right to know, right to delete, right to correct, right to opt out of sale or sharing (we do neither), and right against discrimination for exercising any of these.
Exercise any right by emailing privacy@cocobox.io. We respond within 30 days.
Legal requests
We will not hand over user data without a valid legal process. If we receive one, we notify the affected user before disclosure unless legally prohibited from doing so.
International transfers
Cocobox is operated from infrastructure hosted primarily in the United States. If you access the Service from outside the US, your data is transferred to and processed in the US under Standard Contractual Clauses (or an equivalent mechanism where applicable).
Children
Cocobox is a professional developer tool not directed at children under 16, and we do not knowingly collect data from them. If you believe we have, email privacy@cocobox.io and we'll delete it.
Changes
We'll announce material changes by email and an in-app notice at least 14 days before they take effect. Minor clarifications are reflected here with a new "Last updated" date.
Contact
Privacy questions or requests: privacy@cocobox.io. General support: devs@cocobox.io.