Your brain. Your Supabase. Your Gmail.
We made the architecture choices first and the privacy claims second. Each subscriber's open-brain lives on its own Supabase project. Your audio stays with Plaud. Your email stays with Google. We supply the belt and suspenders.
What we do not store
- We do not store your Plaud audio. It lives in your Plaud account.
- We do not store your Gmail messages. We read messages tagged [memib] and write parsed segments to your Supabase, then move on.
- We do not store your Google Calendar in our systems. We write events directly to your calendar via OAuth.
- We do not store your open-brain in our database. It lives on a Supabase project provisioned exclusively for you.
What we do store, and where
- Your account record (email, name, plan, billing reference) lives in our customer system. This is the minimum required to operate the subscription.
- Your connection metadata (which Supabase project belongs to you, OAuth refresh tokens for Gmail and Calendar) is encrypted at rest and used only to run the ingestion service on your behalf.
- Your open-brain memories, vital signs, and compliance log live entirely on your private Supabase instance.
Per-user Supabase isolation
micoco.ai provisions a dedicated Supabase project per subscriber. Schema, row-level security policies, and database keys are unique to your account; Supabase issues keys per project, so a key for one subscriber's project cannot read another's. There is no shared "memories" table where your row sits next to another subscriber's. If we are subpoenaed for "all customer memories," there is no such table to produce: each subscriber's data exists only in that subscriber's own project, behind that project's own keys. Isolation narrows what any single request, bug, or compromised credential can reach; it does not place your project outside lawful process, but any response is limited to your project alone.
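Per-project isolation is the outer wall; row-level security and a least-privilege writer role are the inner one, so a leaked dashboard key or a bug in the ingestion service still cannot read or delete everything in the project. The following is an added illustration of that inner layer, not micoco.ai's actual schema: the table, column, role and policy names are hypothetical, and it assumes a Supabase Postgres project where `auth.uid()` is available.

```sql
-- Added example, not micoco.ai's own schema. Table, column, role and policy
-- names are hypothetical; auth.uid() is the Supabase helper that returns the
-- authenticated user's id (NULL for roles that are not end users).

create table if not exists memories (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid(),   -- end user who owns the row
  source      text not null check (source in ('plaud', 'gmail')),
  captured_at timestamptz not null default now(),
  body        text not null
);

-- Deny by default: with RLS enabled and no permissive policy, API roles see
-- zero rows even when they present a valid project key.
alter table memories enable row level security;
alter table memories force row level security;  -- the table owner is bound too

-- Dashboard users (Supabase "authenticated" role) touch only rows they own.
create policy memories_owner_select on memories
  for select to authenticated
  using (owner_id = auth.uid());

create policy memories_owner_insert on memories
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy memories_owner_delete on memories
  for delete to authenticated
  using (owner_id = auth.uid());

-- Least privilege for the ingestion service: a dedicated role that can only
-- append parsed segments. No SELECT, UPDATE or DELETE is granted, so a bug in
-- the ingester cannot read back or erase the open-brain.
create role ingest_writer nologin;
grant usage on schema public to ingest_writer;
grant insert on memories to ingest_writer;

-- auth.uid() is NULL for this role, so the service must set owner_id itself;
-- the NOT NULL constraint rejects rows that forget to.
create policy memories_ingest_insert on memories
  for insert to ingest_writer
  with check (owner_id is not null);

-- Manual check from psql (expected results in comments):
--   set role ingest_writer;
--   select count(*) from memories;   -- ERROR: permission denied for table memories
--   reset role;
```

Two things to verify after applying policies like these: that `force row level security` is set (otherwise a connection running as the table owner bypasses every policy), and that the role the ingestion service actually connects with is the restricted one rather than the project's service-role key, which bypasses RLS entirely.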
Built on a HIPAA-certified pipeline
The audio side of micoco.ai rides on infrastructure that already meets HIPAA's bar. Plaud.ai is SOC 2 and HIPAA certified (announced April 2025), meaning the recorder, the upload, and the cloud parsing have been independently audited against operational and healthcare-data standards. (HIPAA has no government-issued certificate; "certified" here means a third-party audit against the HIPAA Security and Privacy Rules, so the audit's scope and date are what to check.) That covers the whole left half of our pipeline before a transcript ever reaches us.
For the right half — Gmail, Supabase, our daily-report engine — micoco.ai is HIPAA-ready, not HIPAA-certified. The architecture follows HIPAA-grade practice (per-tenant database isolation, encryption at rest and in transit, audit logging, least-privilege service accounts), and we sign the necessary Business Associate Agreements on the Agency tier:
- BAA with Plaud for the audio + transcript chain.
- BAA with Supabase for the open-brain database (paid HIPAA add-on).
- BAA with Vercel for hosting (Pro/Enterprise plan).
- BAA with our email provider for evening reports.
- BAA with the customer organization as the covered entity or its business associate.
The customer's own Gmail also has to be HIPAA-eligible — that means a Google Workspace account with a BAA, not a consumer @gmail.com. Agency-tier onboarding includes a Workspace check.
Solo and Family + Caregiver tiers are sold direct to consumers. They run on accounts you own (Plaud, Gmail, Google Calendar). We do not sign BAAs at those tiers — the simpler relationship reflects the consumer-direct posture, and Plaud's certification still protects the audio side.
What happens when you cancel
- We export your full Supabase project (SQL dump + JSON archive) and email it to you.
- We destroy the Supabase project after a 30-day grace window.
- We revoke the Gmail and Google Calendar OAuth tokens on our end.
- Your Plaud audio, Gmail messages, and Google Calendar entries remain in your accounts, untouched.
Caregiver report sharing
The evening report is sent only to the email recipients you explicitly designate. You can change recipients, pause delivery, or revoke access at any time from the dashboard. Each report includes a footer with a one-click "Pause future reports" link for the recipient.
Cookies and analytics
The marketing site uses a single first-party cookie for session continuity. We do not use third-party advertising trackers. Aggregate, IP-anonymized analytics help us understand which pages need work; no behavior is tied to a person.
Reach us
Privacy questions: privacy@micoco.ai
Security disclosures: security@micoco.ai
Architecture you can audit.
Agency customers can request a deployment review and a BAA before onboarding their first patient.
Request a review