Privacy Policy
Effective: 2026-05-06 · Last updated: 2026-05-06
Cofounded ("we", "us", "our") is operated by CARBON LLC, an Arizona limited liability company. This Privacy Policy explains what data we collect when you use Cofounded, how we use and store it, and what rights you have. If you have questions, contact support@navaretworldwide.com.
1. Who this policy applies to
Cofounded is currently a single-tenant tool used by its founder to operate his own businesses. It is not a multi-tenant SaaS at this time. If and when we open Cofounded to additional users, this policy will be updated and we will notify users via the email address on their account.
2. What data we collect
Data you connect via OAuth
When you connect a third-party service (e.g. QuickBooks, Shopify, Google, Slack), we receive an OAuth access token from that service. Cofounded uses these tokens to read your data from the provider via their official API. We do not see or store your provider account password.
Examples of data we read on your behalf:
- QuickBooks: company info, accounts, transactions, invoices, customers, vendors.
- Shopify: orders, products, customers, store information.
- Google (Gmail): message metadata (sender, subject, date, snippet) for an inbox digest. We do not retain message body text.
- Google Calendar: upcoming events for the next 7 days.
We request the minimum scopes needed for the agent functionality you've enabled. Scope details are visible in the provider's OAuth consent screen before you authorize the connection.
Data you generate within Cofounded
As you use Cofounded, agent conversations, decisions, approvals, and panel data are stored locally in our database. This includes:
- Chat messages between you and the agents.
- Agent memory entries (facts agents have learned).
- Panel snapshots (financial summaries, milestones, growth metrics — derived from your connected services).
- Audit logs of approvals, tool executions, and connector events.
Operational data
We log infrastructure events (server starts, orchestrator cycles, webhook deliveries) to local log files for debugging. These logs do not contain provider data or chat content.
3. How we store data
All Cofounded data is stored on infrastructure operated by CARBON LLC:
- Application database: SQLite (WAL mode), on-disk on a private server.
- OAuth tokens: encrypted at rest using AES-256-GCM with a per-installation encryption key, or brokered through a self-hosted instance of Nango, which holds tokens in its own encrypted Postgres database.
- Network: all external connections (to provider APIs, to Cloudflare's edge, to Nango) are over HTTPS / TLS.
4. Who has access
As a single-tenant tool, only the founder (Ceasar Navarrete, owner of CARBON LLC) has access to Cofounded's data. We do not share data with third parties for marketing, advertising, or any commercial purpose. We do not sell user data, ever.
Third-party services we use to operate Cofounded:
- Anthropic Claude — for agent reasoning. Chat messages and relevant memory context are sent to Claude's API per-request and are subject to Anthropic's data handling policies. Anthropic does not train on our API traffic by default.
- Cloudflare — for DNS, Tunnel, and CDN services. Request metadata (IP, user agent, path) transits Cloudflare's edge.
- Nango (self-hosted) — for OAuth brokerage. Nango runs on our infrastructure; no data leaves to Nango Cloud.
5. Your rights
You can:
- Disconnect any service at any time via the in-app Connectors panel. See /disconnect for details. Disconnection revokes our token with the provider and removes our local credential row.
- Request full data export by emailing support@navaretworldwide.com. We'll send a copy of your stored data (database tables relevant to your account) within 7 business days.
- Request full account deletion by emailing support@navaretworldwide.com. We'll confirm within 48 hours and complete deletion within 7 business days. This deletes your account, all associated data, all OAuth tokens, all chat history, and all derived panel data.
- Revoke our access from the provider's side at any time using the provider's "Connected apps" management UI. See /disconnect for direct links.
6. Compliance posture
We acknowledge the principles of GDPR (right to access, right to deletion, data minimization) and CCPA (right to know, right to delete, right to opt out of sale). As a single-tenant tool, formal compliance certifications (SOC 2, ISO 27001, HIPAA) are not currently in scope. If you require evidence of these certifications for a specific use case, contact us.
7. Data retention
We retain data for as long as your account is active. On account deletion, all data is removed within 7 business days. Operational logs are retained for 30 days, then rotated.
8. Security incidents
If we discover unauthorized access to your data, we will notify you within 72 hours of discovery via the email address on your account, with details of what data was affected and what remediation we've taken.
9. Children's privacy
Cofounded is not intended for use by anyone under 13. We do not knowingly collect data from children.
10. Changes to this policy
If we materially change this policy, we will update the "Last updated" date at the top and notify active users via email. Continued use of Cofounded after a change constitutes acceptance of the updated policy.
11. Contact
CARBON LLC
Arizona, United States
Email: support@navaretworldwide.com