Privacy policy
Effective as of March 20, 2026
This Privacy Policy describes how Forty Steps Inc. d/b/a Coco Health (collectively, “Coco Health”, “we”, “us” or “our”) handles personal information that we collect through our online services that link to this Privacy Policy, including our website and mobile app (collectively, the “Service”), our marketing and social media activities, our communications with you, and the other activities described in this Privacy Policy.
We may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information, such as our Consumer Health Data Privacy Policy.
If you have questions or concerns about our use of your personal information, please contact us.
Scope of this Privacy Policy
Coco Health provides an app for users to manage their health goals with assistance from an AI health guide, “Coco.” This Privacy Policy does not apply to personal information about Coco Health personnel or job candidates that we process in our capacity as an employer.
Personal Information We Collect
The personal information we collect from you, directly or indirectly, will depend on how you interact with us and with our Service. The sources from which we collect personal information include the following:
Information you provide to us
Personal information you may provide to us through the Service or otherwise includes:
Contact Data. Your first and last name and email address.
Account Data. The username and password that you may set to establish an online account on the Service, account preferences, and any other information you choose to include with your account.
User Data. Information you provide, generate, transmit, or otherwise make available to the Service, such as:
Any photos or files that you upload to the Service;
Any medical, health or fitness data you make available to the Service. For example, you may give us access to your medical or health data that is stored on your device, such as health data stored in Apple HealthKit. You may also give us access to your health data stored on third-party apps or to your medical records. We use third-party partners, such as Junction and Fasten Health, to help you give us access to this data where you choose to do so. You may also provide certain medical, health or fitness information to us when you complete our quiz about your health goals; and
Any associated metadata. Metadata includes information on how, when, where and by whom a piece of content was created or collected and how the content has been formatted or edited.
Communications with Coco. Information from your chats and conversations with our chatbot, Coco, including any voice recordings you provide to the Service. When you speak to Coco or otherwise grant the Service access to your device’s microphone, we and our service providers monitor and record the communications to provide the Service and for the other purposes described in the How we use your personal information section below.
Transaction Data. Information about your transaction history and payment card used to make payments.
Communications Data. Data from your interactions with us, including when you send us an e-mail, complete a form through our website, or otherwise communicate with us. Communications data does not include Communications with Coco.
Marketing Data. Your preferences for receiving marketing communications from us about our Service, products, activities, events and publications.
Other Data not specifically listed in this Privacy Policy. We will use this as described in this Privacy Policy or as otherwise made apparent at the time of collection.
Information about others
Do not submit personal information of others to the Service. When you are speaking to Coco, be sure you are only recording your own voice.
Third-party sources
We may combine personal information we receive from you with personal information that we obtain from other sources, such as:
Public sources. Public records, social media platforms, and other publicly available sources.
Third-party sign-in services. For example, you may choose to sign-in to the Services using Google or Apple.
Our business contacts. Professional contacts who share with us contact details about individuals in their networks, including prospective vendors and partners.
Automatic collection
When you access or interact with the Service, our communications, and other online services, we, our service providers, and our advertising partners automatically log, monitor and record information about you, your computer or mobile device, and your interaction over time with the Service and our communications. This information includes:
Device data, such as your computer or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, Bluetooth, LTE, 3G) and location data that can be derived from it, and general location information such as city, state or geographic area that can be derived from your IP address.
Usage data, such as pages and screens you viewed, how long you spent on a page or screen, videos and other content that you view, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, whether you have opened our emails or clicked links within them, and other functional information on Service performance (like diagnostics and crash logs).
Cookies and other technologies
Some of the information we and our service providers automatically collect is captured using the following technologies:
Cookies. These are text files that websites store on a visitor's device to uniquely identify the visitor's browser or to store information or settings in the browser for the purpose of tracking user activity and patterns, helping the visitor navigate between pages efficiently, remembering preferences and whether a visitor is logged in, and improving the visitor's browsing experience. Some cookies store information only during a user session, others persist in your browser and collect data from multiple sessions. You can learn more about cookies and how to control them at www.allaboutcookies.org.
Pixels. Also known as web beacons or clear GIFs, pixels are embedded in software code or invisible as image files within webpages or HTML formatted emails and used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked, at a specific date and time using a particular device, typically to compile statistics about usage of websites and the success of marketing campaigns.
Chatbots. Coco, our chatbot, is operated by third parties. These third parties may monitor and record your chats, and access and use the data described in this Privacy Policy (including the automatic collection section above), for the purposes described in this Privacy Policy. When you use these features, you are not communicating with a human unless we confirm that you are.
Software development kits, or SDKs, which are used to incorporate third party computer code into our mobile app that allows our third-party service providers or advertising partners to collect data directly from one of our apps for a variety of purposes, including to provide us with analytics regarding use of our app, integrate with social media, or add features or functionality to our app, or facilitate targeted advertising and measure its effectiveness.
How We Use Your Personal Information
We may use your personal information for the following purposes or as otherwise described at the time of collection:
Service delivery. We use your personal information to provide the Service, to manage and administer your Service account, to process your payments, and to communicate with you about our Service (including support and administrative messages).
Business operations. We use your personal information to administer and maintain our Service and our IT systems (including monitoring, troubleshooting, data analysis, testing, system maintenance, repair and support, reporting and hosting of data) and to operate and expand our business activities.
Direct marketing. As permitted by applicable law, we may collect and use your personal information to send you marketing emails we think may interest you or contact you by phone about our products, services or events. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
Targeted advertising. Our third-party advertising partners may use cookies and other technologies to collect information about your use of the Service (including the device data and usage data described above), our communications, and other online services over time and with different browsers and devices. Our advertising partners use that information to show you ads online that they think will interest you and measure the ads’ performance. We may also share individuals’ contact data with our advertising partners to facilitate interest-based advertising on their platforms (e.g., social media platforms) to those individuals or others with similar traits.
Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business and to develop new products and services. As part of these activities, we may create aggregated, de-identified and/or anonymized data from personal information we collect. We make personal information into de-identified or anonymized data by removing information that makes the data personally identifiable to you. We may use this aggregated, de-identified or otherwise anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
Compliance and protection. We and our service providers may use your personal information to:
comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims);
audit our internal processes for compliance with legal and contractual requirements or our internal policies;
enforce the terms and conditions that govern the Service; and
prevent, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
How We Share Your Personal Information
Except as otherwise specified in this Privacy Policy, we may share the categories of personal information listed above with the following parties and as otherwise described in this Privacy Policy or at the time of collection.
Service Providers. We share personal information with third parties that provide services on our behalf or help us operate the Service or our business, such as mail delivery, hosting and infrastructure, information technology, customer support, email delivery, marketing, artificial intelligence, chatbot, and website analytics.
Payment Processors. Third-party payment processors that collect your payment card data and other transaction data to process your payments for the Service. For example, we may process your payments through the Apple App Store.
Linked third-party services. If you log into the Service with, or otherwise link your Service account to, a third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.
Advertising partners. Third-party advertising companies may collect, and we may share with them, personal information for the targeted advertising purposes described above. Their use of personal information is subject to their own privacy policies.
Professional Advisors. We may share your personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Authorities and others. We may share your personal information with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above or as otherwise permitted by law.
Business transferees. Parties (and their advisors) to business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, us or our affiliates (including, in connection with a bankruptcy or similar proceedings).
Other parties with your consent or at your direction. We may share your personal information for other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction.
Your Choices
Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information and preferences by logging into your account.
Request account deletion. You may request account deletion of your Service account and associated information through the settings page in our mobile app or by contacting us.
Opt-out of direct marketing. You may request to opt-out of marketing emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us with your request. If you choose to opt-out of marketing emails, you may continue to receive marketing emails until your opt-out is processed.
Cookies. Most browsers let you remove and/or stop accepting cookies from the websites you visit. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, certain features of the Service may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit www.allaboutcookies.org. For example, you can learn more about Google Analytics, one of the analytics services we use, and how to opt out of being tracked by Google Analytics, here: https://tools.google.como/dlpage/gaoptout.
Pixels. Most browsers and devices allow you to configure your device to prevent pixel images from loading. To do this, follow the instructions in your browser or device settings.
Targeted ads. You may be able to limit use of your personal information for targeted advertising through the following settings/options/tools:
Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Ad industry tools. Opting out of targeted ads from companies that participate in the following industry opt-out programs:
Network Advertising Initiative
Digital Advertising Alliance
AppChoices mobile app which will allow you to opt-out of targeted ads in mobile apps served by participating members of the Digital Advertising Alliance.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for targeted advertising purposes.
You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your personal information for targeted advertising purposes. We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.
Linked third-party services. If you choose to log into the Service with, or otherwise link your Service account to, a third-party service, you may be able to use your settings in your account with that service to limit the information we receive from it. If you revoke our ability to access information from a third-party service, that choice will not apply to information that we have already received from that third party.
Do not track signals. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit All About DNT.
Other Sites and Services
The Service may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites and online services you use.
Security and Retention
We employ technical and organizational safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your personal information.
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for the compliance and protection purposes described above. Factors determining the appropriate retention period for personal information include the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, the purposes for which we process the personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it (so that it is no longer personally identifiable with you) or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will isolate your personal information from any further processing, employing security safeguards designed to protect it, until deletion is possible.
International Data Transfers
We are headquartered in the United States, and we and our service providers may store personal information in and process it from the United States and other countries. These countries may have data protection laws that are not as protective as those where you live.
Children's Privacy
Our Service is not intended for anyone under the age of 18. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without the consent of the child's parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledgment that the modified Privacy Policy applies to your use of the Service and interaction with our business.
Contact Us
If you have any questions or comments concerning this Privacy Policy, please email us at support@cocohealth.com.
Privacy policy
Effective as of March 20, 2026
This Privacy Policy describes how Forty Steps Inc. d/b/a Coco Health (collectively, “Coco Health”, “we”, “us” or “our”) handles personal information that we collect through our online services that link to this Privacy Policy, including our website and mobile app (collectively, the “Service”), our marketing and social media activities, our communications with you, and the other activities described in this Privacy Policy.
We may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information, such as our Consumer Health Data Privacy Policy.
If you have questions or concerns about our use of your personal information, please contact us.
Scope of this Privacy Policy
Coco Health provides an app for users to manage their health goals with assistance from an AI health guide, “Coco.” This Privacy Policy does not apply to personal information about Coco Health personnel or job candidates that we process in our capacity as an employer.
Personal Information We Collect
The personal information we collect from you, directly or indirectly, will depend on how you interact with us and with our Service. The sources from which we collect personal information include the following:
Information you provide to us
Personal information you may provide to us through the Service or otherwise includes:
Contact Data. Your first and last name and email address.
Account Data. The username and password that you may set to establish an online account on the Service, account preferences, and any other information you choose to include with your account.
User Data. Information you provide, generate, transmit, or otherwise make available to the Service, such as:
Any photos or files that you upload to the Service;
Any medical, health or fitness data you make available to the Service. For example, you may give us access to your medical or health data that is stored on your device, such as health data stored in Apple HealthKit. You may also give us access to your health data stored on third-party apps or to your medical records. We use third-party partners, such as Junction and Fasten Health, to help you give us access to this data where you choose to do so. You may also provide certain medical, health or fitness information to us when you complete our quiz about your health goals; and
Any associated metadata. Metadata includes information on how, when, where and by whom a piece of content was created or collected and how the content has been formatted or edited.
Communications with Coco. Information from your chats and conversations with our chatbot, Coco, including any voice recordings you provide to the Service. When you speak to Coco or otherwise grant the Service access to your device’s microphone, we and our service providers monitor and record the communications to provide the Service and for the other purposes described in the How we use your personal information section below.
Transaction Data. Information about your transaction history and payment card used to make payments.
Communications Data. Data from your interactions with us, including when you send us an e-mail, complete a form through our website, or otherwise communicate with us. Communications data does not include Communications with Coco.
Marketing Data. Your preferences for receiving marketing communications from us about our Service, products, activities, events and publications.
Other Data not specifically listed in this Privacy Policy. We will use this as described in this Privacy Policy or as otherwise made apparent at the time of collection.
Information about others
Do not submit personal information of others to the Service. When you are speaking to Coco, be sure you are only recording your own voice.
Third-party sources
We may combine personal information we receive from you with personal information that we obtain from other sources, such as:
Public sources. Public records, social media platforms, and other publicly available sources.
Third-party sign-in services. For example, you may choose to sign-in to the Services using Google or Apple.
Our business contacts. Professional contacts who share with us contact details about individuals in their networks, including prospective vendors and partners.
Automatic collection
When you access or interact with the Service, our communications, and other online services, we, our service providers, and our advertising partners automatically log, monitor and record information about you, your computer or mobile device, and your interaction over time with the Service and our communications. This information includes:
Device data, such as your computer or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, Bluetooth, LTE, 3G) and location data that can be derived from it, and general location information such as city, state or geographic area that can be derived from your IP address.
Usage data, such as pages and screens you viewed, how long you spent on a page or screen, videos and other content that you view, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, whether you have opened our emails or clicked links within them, and other functional information on Service performance (like diagnostics and crash logs).
Cookies and other technologies
Some of the information we and our service providers automatically collect is captured using the following technologies:
Cookies. These are text files that websites store on a visitor's device to uniquely identify the visitor's browser or to store information or settings in the browser for the purpose of tracking user activity and patterns, helping the visitor navigate between pages efficiently, remembering preferences and whether a visitor is logged in, and improving the visitor's browsing experience. Some cookies store information only during a user session, others persist in your browser and collect data from multiple sessions. You can learn more about cookies and how to control them at www.allaboutcookies.org.
Pixels. Also known as web beacons or clear GIFs, pixels are embedded in software code or invisible as image files within webpages or HTML formatted emails and used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked, at a specific date and time using a particular device, typically to compile statistics about usage of websites and the success of marketing campaigns.
Chatbots. Coco, our chatbot, is operated by third parties. These third parties may monitor and record your chats, and access and use the data described in this Privacy Policy (including the automatic collection section above), for the purposes described in this Privacy Policy. When you use these features, you are not communicating with a human unless we confirm that you are.
Software development kits, or SDKs, which are used to incorporate third party computer code into our mobile app that allows our third-party service providers or advertising partners to collect data directly from one of our apps for a variety of purposes, including to provide us with analytics regarding use of our app, integrate with social media, or add features or functionality to our app, or facilitate targeted advertising and measure its effectiveness.
How We Use Your Personal Information
We may use your personal information for the following purposes or as otherwise described at the time of collection:
Service delivery. We use your personal information to provide the Service, to manage and administer your Service account, to process your payments, and to communicate with you about our Service (including support and administrative messages).
Business operations. We use your personal information to administer and maintain our Service and our IT systems (including monitoring, troubleshooting, data analysis, testing, system maintenance, repair and support, reporting and hosting of data) and to operate and expand our business activities.
Direct marketing. As permitted by applicable law, we may collect and use your personal information to send you marketing emails we think may interest you or contact you by phone about our products, services or events. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
Targeted advertising. Our third-party advertising partners may use cookies and other technologies to collect information about your use of the Service (including the device data and usage data described above), our communications, and other online services over time and with different browsers and devices. Our advertising partners use that information to show you ads online that they think will interest you and measure the ads’ performance. We may also share individuals’ contact data with our advertising partners to facilitate interest-based advertising on their platforms (e.g., social media platforms) to those individuals or others with similar traits.
Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business and to develop new products and services. As part of these activities, we may create aggregated, de-identified and/or anonymized data from personal information we collect. We make personal information into de-identified or anonymized data by removing information that makes the data personally identifiable to you. We may use this aggregated, de-identified or otherwise anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
Compliance and protection. We and our service providers may use your personal information to:
comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims);
audit our internal processes for compliance with legal and contractual requirements or our internal policies;
enforce the terms and conditions that govern the Service; and
prevent, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
How We Share Your Personal Information
Except as otherwise specified in this Privacy Policy, we may share the categories of personal information listed above with the following parties and as otherwise described in this Privacy Policy or at the time of collection.
Service Providers. We share personal information with third parties that provide services on our behalf or help us operate the Service or our business, such as mail delivery, hosting and infrastructure, information technology, customer support, email delivery, marketing, artificial intelligence, chatbot, and website analytics.
Payment Processors. Third-party payment processors that collect your payment card data and other transaction data to process your payments for the Service. For example, we may process your payments through the Apple App Store.
Linked third-party services. If you log into the Service with, or otherwise link your Service account to, a third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.
Advertising partners. Third-party advertising companies may collect, and we may share with them, personal information for the targeted advertising purposes described above. Their use of personal information is subject to their own privacy policies.
Professional Advisors. We may share your personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Authorities and others. We may share your personal information with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above or as otherwise permitted by law.
Business transferees. Parties (and their advisors) to business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, us or our affiliates (including, in connection with a bankruptcy or similar proceedings).
Other parties with your consent or at your direction. We may share your personal information for other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction.
Your Choices
Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information and preferences by logging into your account.
Request account deletion. You may request account deletion of your Service account and associated information through the settings page in our mobile app or by contacting us.
Opt-out of direct marketing. You may request to opt-out of marketing emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us with your request. If you choose to opt-out of marketing emails, you may continue to receive marketing emails until your opt-out is processed.
Cookies. Most browsers let you remove and/or stop accepting cookies from the websites you visit. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, certain features of the Service may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit www.allaboutcookies.org. For example, you can learn more about Google Analytics, one of the analytics services we use, and how to opt out of being tracked by Google Analytics, here: https://tools.google.como/dlpage/gaoptout.
Pixels. Most browsers and devices allow you to configure your device to prevent pixel images from loading. To do this, follow the instructions in your browser or device settings.
Targeted ads. You may be able to limit use of your personal information for targeted advertising through the following settings/options/tools:
Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Ad industry tools. Opting out of targeted ads from companies that participate in the following industry opt-out programs:
Network Advertising Initiative
Digital Advertising Alliance
AppChoices mobile app which will allow you to opt-out of targeted ads in mobile apps served by participating members of the Digital Advertising Alliance.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for targeted advertising purposes.
You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your personal information for targeted advertising purposes. We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.
Linked third-party services. If you choose to log into the Service with, or otherwise link your Service account to, a third-party service, you may be able to use your settings in your account with that service to limit the information we receive from it. If you revoke our ability to access information from a third-party service, that choice will not apply to information that we have already received from that third party.
Do not track signals. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit All About DNT.
Other Sites and Services
The Service may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites and online services you use.
Security and Retention
We employ technical and organizational safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your personal information.
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for the compliance and protection purposes described above. Factors determining the appropriate retention period for personal information include the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, the purposes for which we process the personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it (so that it is no longer personally identifiable with you) or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will isolate your personal information from any further processing, employing security safeguards designed to protect it, until deletion is possible.
International Data Transfers
We are headquartered in the United States, and we and our service providers may store personal information in and process it from the United States and other countries. These countries may have data protection laws that are not as protective as those where you live.
Children's Privacy
Our Service is not intended for anyone under the age of 18. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without the consent of the child's parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledgment that the modified Privacy Policy applies to your use of the Service and interaction with our business.
Contact Us
If you have any questions or comments concerning this Privacy Policy, please email us at support@cocohealth.com.
Privacy policy
Effective as of March 20, 2026
This Privacy Policy describes how Forty Steps Inc. d/b/a Coco Health (collectively, “Coco Health”, “we”, “us” or “our”) handles personal information that we collect through our online services that link to this Privacy Policy, including our website and mobile app (collectively, the “Service”), our marketing and social media activities, our communications with you, and the other activities described in this Privacy Policy.
We may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information, such as our Consumer Health Data Privacy Policy.
If you have questions or concerns about our use of your personal information, please contact us.
Scope of this Privacy Policy
Coco Health provides an app for users to manage their health goals with assistance from an AI health guide, “Coco.” This Privacy Policy does not apply to personal information about Coco Health personnel or job candidates that we process in our capacity as an employer.
Personal Information We Collect
The personal information we collect from you, directly or indirectly, will depend on how you interact with us and with our Service. The sources from which we collect personal information include the following:
Information you provide to us
Personal information you may provide to us through the Service or otherwise includes:
Contact Data. Your first and last name and email address.
Account Data. The username and password that you may set to establish an online account on the Service, account preferences, and any other information you choose to include with your account.
User Data. Information you provide, generate, transmit, or otherwise make available to the Service, such as:
Any photos or files that you upload to the Service;
Any medical, health or fitness data you make available to the Service. For example, you may give us access to your medical or health data that is stored on your device, such as health data stored in Apple HealthKit. You may also give us access to your health data stored on third-party apps or to your medical records. We use third-party partners, such as Junction and Fasten Health, to help you give us access to this data where you choose to do so. You may also provide certain medical, health or fitness information to us when you complete our quiz about your health goals; and
Any associated metadata. Metadata includes information on how, when, where and by whom a piece of content was created or collected and how the content has been formatted or edited.
Communications with Coco. Information from your chats and conversations with our chatbot, Coco, including any voice recordings you provide to the Service. When you speak to Coco or otherwise grant the Service access to your device’s microphone, we and our service providers monitor and record the communications to provide the Service and for the other purposes described in the How we use your personal information section below.
Transaction Data. Information about your transaction history and payment card used to make payments.
Communications Data. Data from your interactions with us, including when you send us an e-mail, complete a form through our website, or otherwise communicate with us. Communications data does not include Communications with Coco.
Marketing Data. Your preferences for receiving marketing communications from us about our Service, products, activities, events and publications.
Other Data not specifically listed in this Privacy Policy. We will use this as described in this Privacy Policy or as otherwise made apparent at the time of collection.
Information about others
Do not submit personal information of others to the Service. When you are speaking to Coco, be sure you are only recording your own voice.
Third-party sources
We may combine personal information we receive from you with personal information that we obtain from other sources, such as:
Public sources. Public records, social media platforms, and other publicly available sources.
Third-party sign-in services. For example, you may choose to sign-in to the Services using Google or Apple.
Our business contacts. Professional contacts who share with us contact details about individuals in their networks, including prospective vendors and partners.
Automatic collection
When you access or interact with the Service, our communications, and other online services, we, our service providers, and our advertising partners automatically log, monitor and record information about you, your computer or mobile device, and your interaction over time with the Service and our communications. This information includes:
Device data, such as your computer or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, Bluetooth, LTE, 3G) and location data that can be derived from it, and general location information such as city, state or geographic area that can be derived from your IP address.
Usage data, such as pages and screens you viewed, how long you spent on a page or screen, videos and other content that you view, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, whether you have opened our emails or clicked links within them, and other functional information on Service performance (like diagnostics and crash logs).
Cookies and other technologies
Some of the information we and our service providers automatically collect is captured using the following technologies:
Cookies. These are text files that websites store on a visitor's device to uniquely identify the visitor's browser or to store information or settings in the browser for the purpose of tracking user activity and patterns, helping the visitor navigate between pages efficiently, remembering preferences and whether a visitor is logged in, and improving the visitor's browsing experience. Some cookies store information only during a user session, others persist in your browser and collect data from multiple sessions. You can learn more about cookies and how to control them at www.allaboutcookies.org.
Pixels. Also known as web beacons or clear GIFs, pixels are embedded in software code or invisible as image files within webpages or HTML formatted emails and used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked, at a specific date and time using a particular device, typically to compile statistics about usage of websites and the success of marketing campaigns.
Chatbots. Coco, our chatbot, is operated by third parties. These third parties may monitor and record your chats, and access and use the data described in this Privacy Policy (including the automatic collection section above), for the purposes described in this Privacy Policy. When you use these features, you are not communicating with a human unless we confirm that you are.
Software development kits, or SDKs, which are used to incorporate third party computer code into our mobile app that allows our third-party service providers or advertising partners to collect data directly from one of our apps for a variety of purposes, including to provide us with analytics regarding use of our app, integrate with social media, or add features or functionality to our app, or facilitate targeted advertising and measure its effectiveness.
How We Use Your Personal Information
We may use your personal information for the following purposes or as otherwise described at the time of collection:
Service delivery. We use your personal information to provide the Service, to manage and administer your Service account, to process your payments, and to communicate with you about our Service (including support and administrative messages).
Business operations. We use your personal information to administer and maintain our Service and our IT systems (including monitoring, troubleshooting, data analysis, testing, system maintenance, repair and support, reporting and hosting of data) and to operate and expand our business activities.
Direct marketing. As permitted by applicable law, we may collect and use your personal information to send you marketing emails we think may interest you or contact you by phone about our products, services or events. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
Targeted advertising. Our third-party advertising partners may use cookies and other technologies to collect information about your use of the Service (including the device data and usage data described above), our communications, and other online services over time and with different browsers and devices. Our advertising partners use that information to show you ads online that they think will interest you and measure the ads’ performance. We may also share individuals’ contact data with our advertising partners to facilitate interest-based advertising on their platforms (e.g., social media platforms) to those individuals or others with similar traits.
Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business and to develop new products and services. As part of these activities, we may create aggregated, de-identified and/or anonymized data from personal information we collect. We make personal information into de-identified or anonymized data by removing information that makes the data personally identifiable to you. We may use this aggregated, de-identified or otherwise anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
Compliance and protection. We and our service providers may use your personal information to:
comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims);
audit our internal processes for compliance with legal and contractual requirements or our internal policies;
enforce the terms and conditions that govern the Service; and
prevent, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
How We Share Your Personal Information
Except as otherwise specified in this Privacy Policy, we may share the categories of personal information listed above with the following parties and as otherwise described in this Privacy Policy or at the time of collection.
Service Providers. We share personal information with third parties that provide services on our behalf or help us operate the Service or our business, such as mail delivery, hosting and infrastructure, information technology, customer support, email delivery, marketing, artificial intelligence, chatbot, and website analytics.
Payment Processors. Third-party payment processors that collect your payment card data and other transaction data to process your payments for the Service. For example, we may process your payments through the Apple App Store.
Linked third-party services. If you log into the Service with, or otherwise link your Service account to, a third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.
Advertising partners. Third-party advertising companies may collect, and we may share with them, personal information for the targeted advertising purposes described above. Their use of personal information is subject to their own privacy policies.
Professional Advisors. We may share your personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Authorities and others. We may share your personal information with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the Compliance and protection purposes described above or as otherwise permitted by law.
Business transferees. Parties (and their advisors) to business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, us or our affiliates (including, in connection with a bankruptcy or similar proceedings).
Other parties with your consent or at your direction. We may share your personal information for other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction.
Your Choices
Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information and preferences by logging into your account.
Request account deletion. You may request account deletion of your Service account and associated information through the settings page in our mobile app or by contacting us.
Opt-out of direct marketing. You may request to opt-out of marketing emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us with your request. If you choose to opt-out of marketing emails, you may continue to receive marketing emails until your opt-out is processed.
Cookies. Most browsers let you remove and/or stop accepting cookies from the websites you visit. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. Please note that if you set your browser to disable cookies, certain features of the Service may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit www.allaboutcookies.org. For example, you can learn more about Google Analytics, one of the analytics services we use, and how to opt out of being tracked by Google Analytics, here: https://tools.google.como/dlpage/gaoptout.
Pixels. Most browsers and devices allow you to configure your device to prevent pixel images from loading. To do this, follow the instructions in your browser or device settings.
Targeted ads. You may be able to limit use of your personal information for targeted advertising through the following settings/options/tools:
Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Ad industry tools. Opting out of targeted ads from companies that participate in the following industry opt-out programs:
Network Advertising Initiative
Digital Advertising Alliance
AppChoices mobile app which will allow you to opt-out of targeted ads in mobile apps served by participating members of the Digital Advertising Alliance.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for targeted advertising purposes.
You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your personal information for targeted advertising purposes. We cannot offer any assurances as to whether the companies we work with participate in the opt-out programs described above.
Linked third-party services. If you choose to log into the Service with, or otherwise link your Service account to, a third-party service, you may be able to use your settings in your account with that service to limit the information we receive from it. If you revoke our ability to access information from a third-party service, that choice will not apply to information that we have already received from that third party.
Do not track signals. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit All About DNT.
Other Sites and Services
The Service may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites and online services you use.
Security and Retention
We employ technical and organizational safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your personal information.
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for the compliance and protection purposes described above. Factors determining the appropriate retention period for personal information include the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, the purposes for which we process the personal information, whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it (so that it is no longer personally identifiable with you) or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will isolate your personal information from any further processing, employing security safeguards designed to protect it, until deletion is possible.
International Data Transfers
We are headquartered in the United States, and we and our service providers may store personal information in and process it from the United States and other countries. These countries may have data protection laws that are not as protective as those where you live.
Children's Privacy
Our Service is not intended for anyone under the age of 18. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without the consent of the child's parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acknowledgment that the modified Privacy Policy applies to your use of the Service and interaction with our business.
Contact Us
If you have any questions or comments concerning this Privacy Policy, please email us at support@cocohealth.com.