Yosa Copilot Privacy Policy (Beta 1.0)

Last Updated: March 12, 2025

Introduction

Yosa Copilot (Product of The Yosa Company Ltd, formerly known as Yosage Ltd) ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Yosa Copilot Chrome extension (the "Extension").

Please read this Privacy Policy carefully. By using the Extension, you consent to the data practices described in this policy. If you do not agree with the practices described in this policy, please do not install or use the Extension.

Data Controller Information

The Yosa Company Ltd (formerly Yosage Ltd) is the data controller responsible for your personal information. Our full details are:

• Company Name: The Yosa Company Ltd (formerly Yosage Ltd)
• Company Registration Number: 15543473
• Registered Address: 3RD FLOOR, 86-90 Paul Street, London, EC2A 4NE
• ICO Registration: We will be registered with the Information Commissioner's Office (ICO) prior to the full public launch of our service.

Information We Collect

Personal Information

We may collect the following types of personal information:

• Account Information: Email address and authentication details when you create an account
• User Preferences: Settings and preferences you configure within the Extension
• Session Data: Information related to therapy sessions, including:
  • Audio recordings (temporarily during transcription)
  • Transcripts of therapy sessions
  • Notes and summaries created during sessions
  • Sentiment analysis and other session metrics

Special Category Data

Some of the information collected during therapy sessions may constitute special category data under UK data protection law, particularly health-related information. We process this data only with your explicit consent and implement additional safeguards as described in the "Data Storage and Security" section.

Non-Personal Information

We may also collect non-personal information, including:

• Usage Data: Information about how you use the Extension, including features accessed and time spent
• Device Information: Browser type, version, and operating system
• Performance Data: Technical information about Extension performance and errors

Permission Management

Our Extension requires certain permissions to function properly. We follow a principle of minimal permissions and only request access to what's necessary for the features you use.

Required Permissions

• Storage: To save your preferences and encrypted session data
• Identity: For user authentication

Feature-Specific Permissions

• Microphone: For capturing audio during therapy sessions (requested only when needed)
• Tab Capture: For capturing audio from browser tabs during therapy sessions (requested only when needed)

How to Review and Manage Permissions

1. Chrome Extensions Page: Visit chrome://extensions, find Yosa Copilot, and click "Details"
2. Extension Settings: Access permission controls through the Extension's settings menu
3. Browser Settings: Manage site permissions through Chrome settings

You can revoke any permission at any time, though this may limit certain functionality. We will never change permission usage without informing you and obtaining appropriate consent.

Microphone Access

Our Extension requires microphone access to provide transcription services during therapy sessions. We handle this sensitive permission as follows:

• Permission Request: We request microphone access only when you initiate a recording session
• Explicit Consent: Chrome will display a permission request that you must explicitly approve
• Purpose Limitation: Audio data is used solely for real-time transcription
• Temporary Processing: Audio is processed in real-time and is not permanently stored
• Revoking Permission: You can revoke microphone access at any time through:
  • Chrome browser settings (chrome://settings/content/microphone)
  • The Extension settings menu
  • Your device's system settings

If you deny or revoke microphone access, transcription features will not be available, but you can still use other Extension features.

Tab Capture Access

Our Extension uses Chrome's tab capture functionality to record audio from therapy sessions conducted in browser tabs (such as video conferencing platforms). We handle this permission as follows:

• Permission Request: We request tab capture access only when you initiate a recording session
• Explicit Consent: Chrome will display a permission request that you must explicitly approve
• Limited Capture: We capture only audio data, not video or screen content
• Purpose Limitation: Captured audio is used solely for real-time transcription
• Temporary Processing: Captured audio is processed in real-time and is not permanently stored
• Revoking Permission: You can revoke tab capture access at any time through:
  • Chrome browser settings (chrome://settings/content/tabCapture)
  • The Extension settings menu

If you deny or revoke tab capture access, you won't be able to transcribe audio from browser tabs, but you can still use other Extension features or microphone input for transcription.

Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases to process your personal information:

• Consent: When you explicitly agree to the processing of your personal data for specific purposes
• Contract: When processing is necessary for the performance of our contract with you to provide the Extension services
• Legitimate Interests: When processing is necessary for our legitimate interests, such as to improve our services, provided these interests are not overridden by your rights and freedoms

For special category data (such as health-related information in therapy sessions):

• We process this data only with your explicit consent
• We implement additional safeguards including end-to-end encryption

How We Use Your Information

We use the information we collect for the following purposes:

• Provide Core Functionality: To deliver the primary features of the Extension, including transcription, note-taking, and summary generation
• Improve Our Services: To analyze usage patterns and enhance the Extension's features and performance
• Personalization: To customize your experience based on your preferences and usage patterns
• Technical Support: To diagnose problems and provide assistance when needed
• Communication: To respond to your inquiries and provide updates about the Extension

Data Access and Security

End-to-End Encryption

Yosa Copilot implements strong end-to-end encryption to protect sensitive user data:

• All session transcripts, notes, and summaries are encrypted in your browser before being stored
• We use industry-standard encryption algorithms with strong keys
• Encryption keys are securely stored and managed in your browser
• Important: Due to our end-to-end encryption implementation, we cannot access your unencrypted session data. Only you have access to your decrypted information.

Data Storage Locations

Your information may be stored in the following locations:

• Local Storage: Some data is stored locally in your browser
• Cloud Storage: Encrypted data is stored in secure cloud databases, but we cannot decrypt this data
• Temporary Processing: Audio data is temporarily processed for transcription but is not permanently stored

Data Retention

• Session data is retained until you explicitly delete it, with a maximum retention period of 7 years
• Account information is retained as long as you maintain an active account and for up to 12 months after account closure
• Usage data may be retained for up to 12 months

Limited Data Sharing

Due to our end-to-end encryption system, we do not have access to your unencrypted session data, which significantly limits what information could potentially be shared. We do not sell, trade, or otherwise transfer your personal information to outside parties except in the following limited circumstances:

• Service Providers: We use service providers for cloud storage of encrypted data and processing services, but these providers do not have access to decryption keys. We have Data Processing Agreements in place with all service providers who process personal data on our behalf, ensuring they maintain appropriate security standards and comply with data protection laws.
• Legal Requirements: In the extremely unlikely event we are required by law to disclose information, we can only provide encrypted data that we cannot decrypt.
• Business Transfers: If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your encrypted information may be transferred as part of that transaction, but would remain encrypted and inaccessible without your decryption keys.

We may share aggregated, anonymized usage statistics (such as number of users or sessions) that contain no personal information and cannot be linked to individual users.

Cookies and Similar Technologies

Our Extension uses local storage and similar technologies to store information locally on your device. These technologies help us provide and improve our services.

We categorize cookies and similar technologies as follows:

• Strictly Necessary: Required for the Extension to function (no consent required)
• Functional: Enhance your experience but not essential
• Analytical: Help us understand how users interact with our Extension

The specific storage technologies we use include:

Name	Purpose	Type	Duration
auth_token	Authentication	Strictly Necessary	Until session ends
user_preferences	Store user settings	Functional	Until deleted
encryption_keys	Store encryption keys	Strictly Necessary	Until deleted
usage_analytics	Anonymous usage statistics	Analytical	12 months

Under the UK Privacy and Electronic Communications Regulations (PECR), we:

• Inform you about our use of these technologies through this policy
• Only use strictly necessary cookies without explicit consent
• Obtain your consent before using non-essential cookies or similar technologies through a consent banner when you first use the Extension
• Provide you with the ability to withdraw consent at any time through the Extension settings

You can manage your preferences regarding cookies and local storage through your browser settings and the Extension's settings menu.

Third-Party Services

The Extension uses third-party services for various functions including:

• Authentication and data storage
• Speech-to-text transcription
• AI-powered summary generation

Each of these services has their own privacy policies and practices. We carefully select our service providers and ensure they maintain appropriate security and privacy standards. Due to our encryption model, these services only process encrypted data or temporary audio streams with your explicit permission.

We have Data Processing Agreements in place with all third-party processors to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures to meet UK GDPR requirements and ensure the protection of your rights.

Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you. While we use AI technology to generate summaries and insights, these are always presented as suggestions and are under the control of the human user.

International Data Transfers

Your personal data may be transferred, stored, and processed in countries outside the UK. When we transfer your data outside the UK, we ensure that:

• The country has been deemed to provide an adequate level of protection for personal data by the UK government; or
• We have implemented appropriate safeguards such as standard contractual clauses approved by the UK government; or
• We have obtained your explicit consent to the proposed transfer after informing you of the possible risks.

We implement appropriate safeguards for all international data transfers in compliance with UK data protection laws. It's important to note that due to our encryption model, any data transferred internationally remains encrypted and inaccessible without your decryption keys.

Your Rights Under UK Data Protection Law

Under UK data protection law, you have the following rights:

• Right to be informed about how your data is used (which this privacy policy addresses)
• Right of access to your personal data
• Right to rectification if your data is inaccurate or incomplete
• Right to erasure (or 'right to be forgotten') in certain circumstances
• Right to restrict processing in certain circumstances
• Right to data portability, allowing you to obtain and reuse your data
• Right to object to certain processing activities
• Rights related to automated decision making and profiling

To exercise these rights, please contact us at james@yosacompany.com. We will respond to your request within one calendar month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

Data Protection Impact Assessment

As our Extension processes special category data related to therapy sessions, we have conducted a Data Protection Impact Assessment (DPIA) to identify and minimize data protection risks. This assessment is regularly reviewed and updated as our services evolve.

We maintain Records of Processing Activities as required by Article 30 of the UK GDPR, documenting all our data processing operations, categories of data subjects and personal data, recipients of personal data, and security measures implemented.

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) without undue delay and within 72 hours of becoming aware of the breach
• Inform affected users directly if the breach is likely to result in a high risk to their rights and freedoms
• Provide information on the nature of the breach, likely consequences, and measures taken to address the breach and mitigate possible adverse effects

It's important to note that due to our end-to-end encryption, even in the event of a data breach, your session data would remain encrypted and inaccessible without your decryption keys.

Children's Privacy

The Extension is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will provide a more prominent notice or direct notification. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

• Email: james@yosacompany.com
• Website: www.yosacompany.com/privacy
• Data Protection Officer: james@yosacompany.com

Company Name Change

Please note that Yosage Ltd has changed its name to The Yosa Company Ltd. This Privacy Policy applies to all services previously provided under the Yosage Ltd name and now provided under The Yosa Company Ltd name. The change of name does not affect your rights or our obligations under this Privacy Policy.

Consent

By using the Extension, you consent to our Privacy Policy and agree to its terms and conditions. For the processing of special category data, we obtain your explicit consent when you first use features that involve such data.