Trust Center

Recovery is personal.
Your data stays that way.

Cope Compass meets healthcare compliance standards. Your data is encrypted, access is audited, and providers sign a BAA before seeing any patient information.

HIPAA Compliant
NIST SP 800-66
BAA Included
TLS 1.3 Encrypted
CCPA Compliant
0 · Data breaches · Since launch
100% · Data encryption · In transit & at rest
0 · Ad trackers · No third parties
24h · Access revocation · From any device

What we never do

Sell your data to anyone
Run ads or retargeting pixels
Share data with gambling platforms
Use your messages to train AI models
Require a subscription to use core tools
Show your name or data to other users

Privacy Officer, Cope Compass · [email protected]
General support · (240) 883-5445

Security Controls

HIPAA Compliant
Full compliance with the Health Insurance Portability and Accountability Act. All technical, physical, and administrative safeguards are in place.
Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3. API connections enforce HTTPS with HSTS preloading.
Encryption at Rest
Database connections require SSL. The managed database is encrypted at rest. Sensitive fields follow NIST guidelines.
Audit Logging
Every access to patient data is logged with accessor identity, patient ID, endpoint, IP address, and timestamp. Logs are immutable and retained indefinitely.
Consent-Based Access
Providers can only view patient data after the patient explicitly grants consent in-app. Patients can revoke access at any time, immediately.
Business Associate Agreement
Every provider signs a BAA before accessing any patient data. Each BAA is digitally signed, with IP address, timestamp, and version tracking.
Rate Limiting
Authentication endpoints are rate-limited to prevent brute force attacks. Login: 5 attempts per 15 minutes. Signup: 3 per hour per IP.
Right to Access & Delete
Users can export all their data at any time (HIPAA right to access). Full account deletion is available. Your data is yours.

Full compliance documentation, including our risk assessment, BAA template, breach notification procedure, and 7 additional policy documents, is available on request.

Your Rights

Access all your data
Export your data anytime
Delete your account
Revoke provider access
See who viewed your data
Request data amendment
Restrict data use
File a complaint with HHS

AI and the services that process your data

Cope Compass runs on a small set of vetted service providers. Any provider that can touch your health information operates under a Business Associate Agreement (BAA) or equivalent safeguard. We never sell your data, and we use zero third-party ad trackers.

Orby, your AI support companion

Orby is powered by Anthropic’s Claude, accessed through Google Cloud’s Vertex AI under our HIPAA Business Associate Agreement with Google Cloud. Your conversations are never used to train AI models, and we minimize what we send. You are always told you are talking to an AI, not a clinician, and Orby routes you to human and emergency resources the moment it detects a crisis. It does not diagnose or replace professional care.

Hosting and database

Your account, journals, and recovery data live in an encrypted database operated by our infrastructure provider, encrypted in transit and at rest, with restricted, audit-logged access.

No model training on your data. A full, current list of subprocessors is available on request, and we update it before adding any new provider that processes your data.

Research use of de-identified data

Cope Compass partners with academic and clinical research orgs on studies that improve recovery outcomes for everyone, for example identifying which urge-management techniques correlate with longer abstinence streaks. Sharing de-identified data with those partners is optional. It is on by default when you sign up, and you can opt out at signup or anytime in Profile settings.

What “de-identified” means

Your name, email, phone number, IP, exact location, and any other direct identifier are removed before any data leaves Cope Compass. We follow the HIPAA Safe Harbor standard for de-identification.

What partners receive

Aggregated, de-identified patterns: which techniques you tried during urges, how long they lasted, your recovery stage. Never your journal text, never your messages, never identifying details.

IRB oversight

Any partner study is reviewed by an Institutional Review Board (IRB) — the federal ethics committee that protects human research subjects — before it runs.

Revoke any time

Toggle off in Profile settings. Future data stops being eligible immediately; already-shared aggregated data may live on in published research per standard IRB practice.

Always de-identified, always optional. The research option is on by default at signup. Opt out there or anytime in Profile settings. We never share anything that identifies you.

A note from the founder

“Recovery asks you to be honest about the hardest parts of your life. The least we can do is protect that honesty. Your journal entries, your moments, your messages, your progress: they stay yours. We will never sell your data, never share it with advertisers, and never use it for anything other than helping you. That is not a feature. It is the foundation everything else is built on.”

Austin Taylor

Founder, Cope Compass

Last updated: April 11, 2026 · Assessment version 1.1