Data Deletion Policy

You can ask us to delete the personal and business data we hold about you at any time. This applies to you as a COSai customer and to individuals whose data we process on a customer's behalf (for example, a customer's employees, customers, or vendors), as provided by laws such as the California Consumer Privacy Act (CCPA/CPRA).

You can request deletion in either of two ways:

• Email privacy@cosai.tech with the subject “Data deletion request.”
• From inside the app, use Settings → Delete workspace (owners), or disconnect an individual source to delete only that source's data.

We verify your identity before acting on a request — typically by confirming control of the account email — so that no one can delete your data without authorization.

On a verified request we delete the data we hold about you across our systems — your account and business profile, transactions and financial records derived for you, documents extracted from connected mailboxes, cached search context, and stored files — except data we are legally required to keep (see below). Disconnecting a connected source (a mailbox, bank, accounting, or payroll connection) deletes the data we harvested from that source.

Some records carry a legal retention obligation and cannot be deleted before that period ends. While retained, they remain protected and are not used for any other purpose. These include:

• Certain financial records — up to 7 years (tax and accounting law).
• Immutable security/access logs — at least 12 months (FTC Safeguards Rule).
• Signed attestations and their linked documents, where applicable — 7 years.

We keep a minimal record that a deletion request was made and honored; that record is itself retained as required by law.

We complete deletion within 30 days of a verified request, subject to the legal retention obligations above. For requests under CCPA/CPRA we confirm receipt and respond within 45 days (extendable once, with notice, where the law allows). We do not discriminate against you for exercising your deletion rights.

Deleting your COSai data does not by itself delete data held by the services you connected (for example, Google, Microsoft, Plaid, QuickBooks, or your payroll provider). To delete data those providers hold, use their own controls. When you disconnect or delete, we stop accessing those services and delete the copies we held.

Deletion and privacy requests: privacy@cosai.tech