Data Privacy and Client Isolation

How Coppermind protects client data, enforces isolation between clients, and handles data ownership.


The Core Guarantee

A fractional CMO's Client A must never see Client B's strategy, brand voice, or campaign data. Coppermind enforces this through three independent layers of protection.


Three Layers of Isolation

1. Application Layer

Every SQL query includes WHERE mind_id = $active_mind. The active client mind is set per-session via switch_client. There is no tool that returns client content across client minds.

  • search_memory filters by mind_id before running similarity search
  • briefing and get_campaign_history are scoped to the active client mind
  • get_brand_voice reads only from the active client's row
  • Even mind returns only names and metadata -- never memories or Brand DNA

2. Ownership Layer

Each client mind has a customer_id that tracks who owns it. The customer_mind_access table tracks shared access for team features. When you switch to a client, Coppermind verifies that you own the client mind or have explicit access.

3. Database Layer (Row-Level Security)

PostgreSQL Row-Level Security (RLS) policies enforce isolation at the database level. Each transaction runs SET LOCAL app.customer_id = $customer_id, and RLS policies filter rows automatically.

This means: even if there is a bug in the application code, the database will not return another customer's data.
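As an added illustration (not Coppermind's own schema or policy text), here is how the ownership check from layer 2 and the per-transaction RLS policy from layer 3 fit together in PostgreSQL. Table and column names other than mind_id, customer_id and customer_mind_access are assumptions, and the customer id is a placeholder.

```sql
-- Assumed minimal schema; only mind_id, customer_id and customer_mind_access
-- are names taken from the page.
CREATE TABLE minds (
  mind_id     uuid PRIMARY KEY,
  customer_id uuid NOT NULL,           -- owner (ownership layer)
  name        text NOT NULL
);

CREATE TABLE customer_mind_access (     -- shared access for team features
  customer_id uuid NOT NULL,
  mind_id     uuid NOT NULL REFERENCES minds(mind_id),
  PRIMARY KEY (customer_id, mind_id)
);

CREATE TABLE memories (
  memory_id  uuid PRIMARY KEY,
  mind_id    uuid NOT NULL REFERENCES minds(mind_id),
  content    text NOT NULL,
  is_current boolean NOT NULL DEFAULT true
);

ALTER TABLE memories ENABLE ROW LEVEL SECURITY;
ALTER TABLE memories FORCE ROW LEVEL SECURITY;   -- also binds the table owner

-- The policy reads the setting the application sets per transaction.
-- current_setting(..., true) returns NULL (or '') when nothing was set, so a
-- transaction that forgot SET LOCAL sees zero rows instead of every row.
CREATE POLICY memories_customer_isolation ON memories
  USING (
    mind_id IN (
      SELECT m.mind_id FROM minds m
       WHERE m.customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid
      UNION
      SELECT a.mind_id FROM customer_mind_access a
       WHERE a.customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid
    )
  );

-- Application side, once per transaction (placeholder customer id):
BEGIN;
SET LOCAL app.customer_id = '00000000-0000-0000-0000-000000000001';
-- Even if a buggy query omitted WHERE mind_id = $active_mind, RLS still
-- returns only rows belonging to minds this customer owns or has access to.
SELECT content FROM memories WHERE is_current;
COMMIT;   -- SET LOCAL is discarded here, so nothing leaks into the next transaction
```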


What This Means in Practice

If you switch from Acme Corp to Bluebell and search for "ad budget", you only see Bluebell's ad budget information -- never Acme's, even if Acme's memory is a closer semantic match.

Cross-client analysis (spotting trends across multiple clients) is done by the CMO using their own judgment, not by Coppermind tools. The briefing tools aggregate statistics (memory counts, meeting counts) but never expose memory content across client minds.


Data Ownership

  • Your data is yours. All memories, client minds, Brand DNA, and campaign data belong to you and your clients.
  • Client minds are portable. When an engagement ends, you export the client mind as a deliverable.
  • Coppermind never trains on your data. Data is stored and retrieved. It is not used for model training, analytics, or any purpose beyond providing the service.

What Gets Sent Where

Data                             | Where It Lives       | Where It Gets Sent
---------------------------------|----------------------|------------------------------------------
Client minds (Brand DNA)         | Supabase PostgreSQL  | Nowhere beyond the database
Memories (all types)             | Supabase PostgreSQL  | Nowhere beyond the database
Memory embeddings                | PostgreSQL pgvector  | Nowhere beyond the database
Meeting transcripts              | Your local disk      | LLM for extraction (via gateway)
Memory text (for classification) | PostgreSQL           | Gateway to Anthropic API (stateless call)
Memory text (for embedding)      | PostgreSQL           | Gateway to Voyage AI (stateless call)

LLM Data Processing

When you store a memory or ingest a transcript:

  1. Classification -- The memory text is sent to Claude (via the gateway) for type classification. This is a stateless API call. Anthropic does not retain the data.
  2. Embedding -- The memory text is sent to Voyage AI for vector embedding. Voyage AI does not retain input text after processing.
  3. Extraction -- During transcript ingestion, chunks are sent to the LLM for knowledge extraction. Only the transcript content and client name are included -- never other clients' data.

Sensitive and Internal Notes

When you store or jot a note, Coppermind classifies visibility at write time:

  • open: visible to owner, editor, VA, and viewer roles; eligible for client-safe briefs and handoff.
  • sensitive: visible to owner/editor only; hidden from VA/viewer roles and excluded from client-safe handoff.
  • cmo-only: visible to owner/editor only; excluded from VA/viewer access, client-facing briefs, and client handoff.

Use sensitive/internal notes for CMO judgment, compensation details, legal/medical details, layoffs, contract terms, or strategic observations you do not want in a client handoff. The capture response includes visibility copy and handoff eligibility so you can see what will and will not be shared.


Data Retention

  • Active subscription: Data is retained as long as your subscription is active.
  • After cancellation: Data is retained for 30 days, then permanently deleted.
  • Export anytime: You can export all data at any time.

Security Summary

Aspect                | Implementation
----------------------|------------------------------------------------------------------------------
Encryption in transit | TLS 1.2+ for all API calls
Encryption at rest    | AES-256 via Supabase
Authentication        | Unique API key per customer
Authorization         | customer_id + customer_mind_access checks on every operation
Database isolation    | PostgreSQL Row-Level Security policies
Audit trail           | brand_dna_history tracks all Brand DNA changes
Memory attribution    | source_type, source_tool, follows_tool_call track how every memory was created

Error Telemetry

Coppermind collects anonymous error reports to help diagnose issues across the user base. These reports are sent automatically when a tool call fails, and they are designed with privacy in mind.

What gets reported:

Field            | Description
-----------------|------------------------------------------------------------------
Error code       | The type of error that occurred (e.g., CONNECTION_TIMEOUT)
Tool name        | Which Coppermind tool failed
Stack trace hash | A one-way hash of the error location -- not the actual code or data
Mind ID hash     | A one-way hash of the active client ID -- not the client name
Client version   | Your installed Coppermind version
Platform         | Your operating system (e.g., macOS, Linux)

What is NOT reported:

  • Memory content, client names, or Brand DNA
  • Meeting transcripts, notes, or any user-entered text
  • Your API key
  • Any data that could identify you or your clients

Reports are rate-limited to 10 per minute and sent in the background with a 5-second timeout. If the report fails to send, it is silently dropped -- it never interferes with your workflow.

Opting Out

To disable error telemetry, tell Coppermind in any chat:

Turn off error telemetry

When telemetry is off, no error reports are sent. This does not affect any other Coppermind functionality.


Key Details

  • Deletion cascades. Deleting a client mind deletes all its memories, ingest sources, ingest logs, meeting briefs, raw documents, and Brand DNA history.
  • Hidden memories are not deleted. Hiding a memory sets is_current = false but keeps the data in the database. A future tool is planned for permanent removal.
  • No cross-client joins. The database schema has no queries or tools that join data across different client minds.
  • Session state is ephemeral. The active client mind resets when the MCP server process restarts. There is no persistent session that could accidentally carry over a client context.
