Privacy Policy

Effective: June 2026

1. What This Covers

This policy covers how COSai collects, uses, and protects information gathered through the COSai website (cosai.tech) and the COSai service (app.cosai.tech).

2. What We Collect

From you directly: Account information (name, email, password), business information (business name, website, industry), billing information (processed by Stripe — we do not store card numbers).

From your connected services: Bank transactions (via Plaid — read-only), accounting data (QuickBooks, Xero), field service management data (Jobber, Housecall Pro, ServiceTitan), payroll data (Gusto, ADP), and — only for the mailboxes you explicitly connect — email content from Gmail (Google) and Outlook / Microsoft 365 (Microsoft). You may connect more than one mailbox per provider. See “Email Connections” below for exactly what we read and why.

From your use of the service: Usage logs, IP addresses, device type, browser, and feature usage analytics. We use privacy-first analytics (no Google Analytics).

3. How We Use It

We use your information to: operate and improve the Service; send you financial insights, anomaly alerts, and weekly digests; communicate with you about your account; and comply with applicable law.

We may use aggregate, anonymized data to improve the Service. Anonymized data cannot be re-identified to any individual user or business.

4. AI Processing

We use Anthropic API endpoints to process financial data and generate insights. We operate under zero-retention agreements: Anthropic does not store or train on data passed through their API.

We do not fine-tune any AI model on your data. We do not sell your data for model training. We do not use your data to improve any third-party AI product.

5. Sharing

We share your data only with: your authorized integration partners (the systems you explicitly connect to COSai); our subprocessors (see our public subprocessor list); and law enforcement when legally required.

We do not sell your data. We do not share your data for advertising purposes. We do not share individual business data with other COSai customers.

6. Retention

We retain financial records for up to 7 years to comply with accounting and tax law requirements. Financial documents extracted from connected mailboxes are part of those financial records and follow the same schedule; transient material used only to match a single transaction expires within days. Non-financial data (usage logs, analytics) is retained for 24 months.

You may request deletion of your data at any time (see “Your Rights” below); we will delete within 30 days, subject to legal retention obligations. Disconnecting a connected mailbox deletes the data harvested from it.

7. Security

We use per-tenant envelope encryption, AWS KMS, and read-only API connections by default. See our security page for full details.

8. Your Rights

You have the right to: access your data; correct inaccurate data; request deletion (subject to legal retention requirements); export your data in a portable format; and opt out of non-essential communications.

How to make a request: submit a request on our data request page or by emailing privacy@cosai.tech. We verify your identity before acting on a request and respond within 45 days (extendable once, with notice, where the law allows).

CCPA / CPRA (California): California residents have the right to know what personal information we collect and how it is used, to access and delete it, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell personal information or share it for cross-context behavioral advertising, and we do not discriminate against you for exercising these rights.

GDPR (EEA): We are currently US-only. If you are an EEA resident accessing the Service, contact privacy@cosai.tech to exercise GDPR rights.

9. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately.

10. Bank Connections

Bank connections are handled by Plaid. We never see or store your bank login credentials. Plaid's privacy policy governs how they handle your banking credentials. COSai receives only read-only transaction data from Plaid.

11. Email Connections (Google & Microsoft)

If you connect a Gmail or Microsoft Outlook / Microsoft 365 mailbox, COSai accesses your email on a read-only basis to find and extract financial documents — receipts, invoices, bills, statements, and order confirmations — so it can corroborate bank transactions and capture bills for you. We request only the scopes needed for this: Google gmail.readonly and Microsoft Mail.Read. We never send, modify, or delete your messages. You may connect more than one mailbox per provider, and disconnect any of them at any time in Settings → Integrations; disconnecting a mailbox deletes the data we harvested from it.

Google Limited Use. COSai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, we do not sell it, and we do not use it to develop, improve, or train generalized or non-personalized AI/ML models. Humans access Google user data only with your consent, for security or to comply with law, or as needed to provide and support the Service.

Microsoft. Our use of data received from Microsoft Graph adheres to the Microsoft APIs Terms of Use and Microsoft's data-handling requirements, on the same read-only, no-advertising, no-model-training basis described above.

12. Financial Data — GLBA Privacy Notice

Because COSai accesses and processes consumer financial account information, we treat ourselves as a financial institution under the Gramm-Leach-Bliley Act (GLBA) and follow the FTC Safeguards Rule. This notice summarizes our practices along the lines of the FTC model privacy form:

What we collect: financial account and transaction information (via Plaid, read-only), accounting and payroll records from the systems you connect, and financial documents extracted from connected mailboxes.

How we use it: to operate the Service for you — categorize and reconcile transactions, surface insights and anomalies, and prepare records you can export. We do not use it to market third-party products to you.

Sharing and your opt-out: we do not sell your information and we do not share it with non-affiliated third parties for their own marketing, so no opt-out is required. We share data only with the integration partners you authorize, our subprocessors acting on our behalf, and as required by law.

How we protect it: per-tenant envelope encryption, AWS KMS, encryption in transit and at rest, required multi-factor authentication for access to financial data, immutable access logging, and least-privilege access. See our security page.

13. Changes to This Policy

We will notify you by email 30 days before any material change to this policy. Continued use after the effective date constitutes acceptance.

14. Contact

Privacy questions: privacy@cosai.tech