Privacy Policy
Data Controller
Levi Yosef, Singerstraße 33, 10243 Berlin, Germany. Email: levi@usecosa.ai
What We Collect
- Analytics (Pirsch): Cookie-free, privacy-friendly page view tracking. No personal data stored. No consent required under GDPR as no personal data is processed.
- Product Analytics (PostHog): EU-hosted (eu.posthog.com). Consent-gated — only activated after explicit opt-in via the consent banner. Collects anonymized usage patterns to improve the product. Data stored within the EU.
- Anthropic API: Transcript data submitted to the pipeline is sent to Anthropic's Claude API for processing. Data is not used for model training. See Anthropic's privacy policy. Data processing agreement (DPA) in place.
- Lead Capture: When you apply for early access or request a resource, we collect your name, email, and optional fields (company website, role, referral source). This data is used solely to contact you about Cosa and product updates. Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by contacting us. Data is retained until consent is withdrawn or 24 months after your last interaction. We do not share lead data with third parties.
- Local Storage: Your view preferences are stored in your browser's local storage. API keys are stored in session storage (cleared when you close the tab). No cookies are used for authentication.
- Stripe: Payment data is processed by Stripe, Inc. We do not store credit card numbers. See Stripe's privacy policy.
Legal Basis for Processing (Art. 6 GDPR)
- Analytics (Pirsch): Legitimate interest (Art. 6(1)(f)) — no personal data processed.
- Product analytics (PostHog): Consent (Art. 6(1)(a)) — opt-in via consent banner.
- Lead capture (early access, resource requests): Consent (Art. 6(1)(a)) — opt-in via checkbox on submission forms.
- Pipeline processing: Contract performance (Art. 6(1)(b)) — necessary to deliver the service you requested.
- Payment: Contract performance (Art. 6(1)(b)).
Your Rights (GDPR)
You have the right to access, rectify, delete, restrict processing, and port your data. You can withdraw consent at any time. Contact us at levi@usecosa.ai. You may also lodge a complaint with the Berlin Commissioner for Data Protection (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
Data Retention
Pipeline results are stored in-memory during your active session. Persistent storage (when enabled) retains deal data until you delete it. Account and credit data is retained for the duration of your account. Lead data (early access applications, resource requests) is retained until consent is withdrawn or 24 months after last interaction. Analytics data is retained for 12 months.
Third-Party Processors
- Anthropic (San Francisco, USA) — AI model inference. Standard Contractual Clauses apply.
- PostHog (EU hosted) — product analytics.
- Stripe (San Francisco, USA) — payment processing. Standard Contractual Clauses apply.
- Railway (USA) — infrastructure hosting.
- Vercel (USA) — website hosting.
Last updated: March 2026. This policy will be reviewed by legal counsel.