Coheso Privacy Policy
Effective Date: 7/2/2026
Coheso LLC (“Coheso,” “we,” “our,” or “us”) respects your privacy and is committed to protecting your information.
1. Information We Collect
Personal information may include name, email, phone number, billing information, and business information.
Account information includes login credentials and data uploaded to the platform.
Customer Data may be stored by users who manage their own clients.
Payment processing is handled by third-party processors such as Stripe. Coheso does not store full credit card numbers.
Usage data may include IP address, browser type, device information, and usage activity.
2. How We Use Information
Information is used to operate the platform, manage accounts, process payments, provide support, improve services, prevent fraud, and comply with legal obligations.
3. Customer Data Responsibilities
Users retain ownership of their Customer Data. Coheso processes this data solely to provide the Services.
4. Data Sharing
Coheso does not sell personal data. Data may be shared with infrastructure providers, analytics providers, email services, or payment processors.
Data received from Google Workspace APIs is not transferred or sold to third parties, and is not used to serve advertising, retarget users, or determine credit-worthiness. Data received from Zoom APIs is likewise not transferred or sold to third parties, and is not used to serve advertising, retarget users, or determine credit-worthiness.
5. Data Retention
Data is retained only as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements.
6. Data Security
Coheso implements reasonable safeguards including encryption and secure infrastructure.
7. Data Usage
Coheso does NOT use Customer Data or personal data to train artificial intelligence or machine learning models.
Data is used solely to operate and improve the platform for the account owner.
Coheso does not sell, repurpose, or use user data for model training.
This commitment applies to data Coheso receives from Google Workspace APIs: Coheso does not use such data to develop, improve, or train any artificial intelligence or machine-learning model, including non-personalized models. This commitment applies equally to data Coheso receives from Zoom APIs.
8. Google Workspace Data (Google Calendar & Google Meet)
Coheso offers an optional integration with Google Calendar and Google Meet that coaches may choose to connect to their Coheso account. Coheso does not request a Google connection from clients.
Information we access.When a coach connects their Google account to Coheso, Coheso requests the following OAuth scopes through Google’s standard consent screen:
openid,email, andprofile— to identify the connected Google account so Coheso can show the coach which account is connected and label the integration in the Coheso interface.https://www.googleapis.com/auth/calendar.calendarlist.readonly— to read the list of calendars to which the coach has write access, so the coach can choose which calendar Coheso writes session events to.https://www.googleapis.com/auth/calendar.freebusy— to read the start and end times of busy intervals on the coach’s selected calendar, so Coheso can avoid double-booking the coach. This scope does not grant Coheso access to the titles, descriptions, attendees, or locations of those events.https://www.googleapis.com/auth/calendar.events— to create, update, and delete the calendar events that Coheso publishes on behalf of the coach for sessions booked through Coheso, and to read events on the calendars the coach chooses to sync, so Coheso can show them alongside the coach’s sessions and detect scheduling conflicts.https://www.googleapis.com/auth/meetings.space.created(optional) — to generate a Google Meet conference link for a session when the coach has enabled Meet provisioning. This scope is limited to Meet spaces that Coheso creates; it does not grant Coheso access to any other Meet spaces.
Coheso requests the narrowest scopes that support each feature.
Information we store. Coheso stores:
- The email address and display name associated with the connected Google account, used to label the integration in Coheso.
- The list of calendars in the connected Google account that the coach has write access to — each calendar’s name, identifier, time zone, and whether it is the primary calendar — so the coach can pick which calendars to use without Coheso re-fetching the list from Google on every page load. This is calendar names only, not the contents of any events.
- OAuth access and refresh tokens, used to call Google APIs on the coach’s behalf. Tokens are encrypted at rest using AES-256-GCM.
- For each session Coheso has published to Google, the Google calendar and event identifiers and the event’s revision token, used so that Coheso can later update or remove that specific event.
- The meeting link for a session, when there is one — either a link the coach enters in Coheso or, if the coach has enabled Google Meet provisioning, a Google Meet link Coheso generates for that session. It is stored on the session record so the coach and client can join.
- For each calendar the coach chooses to sync into their Coheso calendar, and for each event on it, an event identifier together with the event’s start and end times and its confirmed/tentative status, so Coheso can show those events alongside the coach’s sessions and detect conflicts. For a synced calendar where the coach has turned on “Sync event details,” Coheso also stores that calendar’s event titles so they appear in the coach’s Coheso calendar; turning the setting off again deletes the stored titles.
Infrastructure.Encrypted tokens and integration records are stored on DigitalOcean managed infrastructure (managed Postgres, United States region) under Coheso’s control. Google data is not processed by any third-party subprocessor other than the infrastructure providers used to host the Coheso platform.
Aside from the synced-calendar event identifiers, start and end times, status, and — only where the coach has enabled “Sync event details” — titles described above, Coheso does notstore the contents of the events it reads from a coach’s calendars, including event descriptions, attendees, locations, or the Google Meet URLs attached to those events, in its own database. (Coheso does store a Google Meet link it generates for a coach’s own Coheso session, as described above.) The free/busy lookups Coheso performs to check a coach’s availability when booking a session are used in the moment and are not persisted.
Information we send to Google.When a coach books, reschedules, or cancels a session through Coheso, Coheso sends to the coach’s selected Google Calendar only the information the coach has entered in Coheso for that session — the session title, description, start and end times, location (if applicable), and the participating client’s email and name. Coheso does not send Google any data about coaches who have not connected a Google account, or about clients who are not participating in a booked session.
Sharing. Coheso does not transfer, sell, rent, or share data received from Google Workspace APIs with third parties for advertising, retargeting, behavioral analytics, machine-learning training, credit determination, or any other purpose unrelated to providing the calendar integration. Coheso does not use this data to serve advertising of any kind.
AI and machine learning. Coheso does not use data received from Google Workspace APIs to develop, improve, or train any artificial intelligence or machine-learning model, including non-personalized models.
Retention and deletion.A coach may disconnect their Google account at any time from Coheso’s account settings. When a coach disconnects:
- Coheso revokes the OAuth refresh token at Google.
- Coheso deletes the calendar integration record and the encrypted OAuth tokens from its database.
- Coheso deletes the coach’s synced calendars and every external event stored from them — including event times, status, and any stored titles — from its database.
- Coheso deletes the cached list of the coach’s calendars.
- Google event identifiers and revision tokens previously stored on the corresponding Coheso session records are retained alongside those session records as part of Coheso’s session history. These identifiers cannot be used to access Google data without an active OAuth token.
To request deletion of records associated with a disconnected Google account, coaches may contact Coheso at support@coheso.io.
Human access.Coheso employees and contractors do not read data received from Google Workspace APIs except (a) with the coach’s affirmative consent for a specific case (e.g., a support ticket the coach has opened), (b) where necessary for security investigations or to comply with applicable law, or (c) where the data has been aggregated and anonymized for internal operations.
Limited Use.Coheso’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
9. Zoom Data
Coheso offers an optional integration with Zoom that coaches may choose to connect to their Coheso account. Coheso does not request a Zoom connection from clients.
Information we access.When a coach connects their Zoom account to Coheso, Coheso requests the following OAuth scopes through Zoom’s standard consent screen:
meeting:write:meeting— to create a Zoom meeting on the coach’s behalf when the coach books a session through Coheso, so the session has a Zoom join link. This is the only scope the integration requires.user:read:user(optional) — to read the email address and display name of the connected Zoom account, used solely to show the coach which account is connected and label the integration in the Coheso interface. A coach may decline this scope and the integration continues to work without an account label.
Coheso requests the narrowest scopes that support each feature.
Information we store. Coheso stores:
- The email address, display name, and account identifier associated with the connected Zoom account (when the optional scope above is granted). The email and display name label the integration in Coheso; the account identifier is what lets Coheso recognize the account and delete its records if the coach later removes Coheso’s access from within Zoom.
- OAuth access and refresh tokens, used to call Zoom APIs on the coach’s behalf. Tokens are encrypted at rest using AES-256-GCM, with the encryption key held outside the database.
- For each session booked with a Zoom meeting, the meeting’s join link, stored on the session record so the coach and the participating client can join.
Coheso does not store Zoom meeting content of any kind — no recordings, transcripts, chat, participant lists, or telemetry — and does not request scopes that could access them. Coheso never accesses or stores the host start link for a meeting.
Infrastructure.Encrypted tokens and integration records are stored on DigitalOcean managed infrastructure (managed Postgres, United States region) under Coheso’s control. Zoom data is not processed by any third-party subprocessor other than the infrastructure providers used to host the Coheso platform.
Information we send to Zoom.When a coach books a session, Coheso sends Zoom only the session’s title and its scheduled start time and duration, so the meeting is created at the right time under the right name. Coheso does not send Zoom any information about the participating client, or about coaches who have not connected a Zoom account.
Sharing. Coheso does not transfer, sell, rent, or share data received from Zoom APIs with third parties for advertising, retargeting, behavioral analytics, machine-learning training, credit determination, or any other purpose unrelated to providing the conferencing integration. Coheso does not use this data to serve advertising of any kind.
AI and machine learning. Coheso does not use data received from Zoom APIs to develop, improve, or train any artificial intelligence or machine-learning model, including non-personalized models.
Retention and deletion.A coach may disconnect their Zoom account at any time from Coheso’s account settings. When a coach disconnects:
- Coheso revokes the OAuth token at Zoom.
- Coheso deletes the Zoom connection record and irreversibly overwrites the encrypted OAuth tokens in its database.
- Meeting join links previously stored on booked sessions are retained alongside those session records as part of Coheso’s session history. These links cannot be used to act on the coach’s Zoom account.
If a coach removes the Coheso app from within Zoom, Zoom notifies Coheso and Coheso deletes the Zoom connection record and irreversibly overwrites the stored tokens automatically.
If Zoom otherwise ends the connection from its side (for example, when a refresh token passes Zoom’s 90-day idle expiry), Coheso stops using the connection and overwrites the stored tokens when it next detects the expired credentials, and the coach is prompted in Coheso to reconnect or disconnect.
To request deletion of records associated with a disconnected Zoom account, coaches may contact Coheso at support@coheso.io.
Human access.Coheso employees and contractors do not read data received from Zoom APIs except (a) with the coach’s affirmative consent for a specific case (e.g., a support ticket the coach has opened), (b) where necessary for security investigations or to comply with applicable law, or (c) where the data has been aggregated and anonymized for internal operations.
10. Privacy Rights
Users may have rights to access, correct, or delete personal data depending on jurisdiction.
11. Cookies
Cookies may be used to improve functionality and analyze platform usage.
12. International Data Transfers
Data may be transferred to and processed in the United States.
13. Children’s Privacy
Services are not intended for individuals under 18.
Contact
Coheso LLC
2655 Donna Drive
Columbus, Ohio 43220
support@coheso.io