Privacy Policy
Effective: May 2026 · Working draft
Working draft. If anything here looks off, email rico@cosai.tech directly. That is a real offer.
1. What This Covers
This policy covers how COSai collects, uses, and protects information gathered through the COSai website (cosai.tech) and the COSai service (app.cosai.tech).
2. What We Collect
From you directly: Account information (name, email, password), business information (business name, website, industry), billing information (processed by Stripe — we do not store card numbers).
From your connected services: Bank transactions (via Plaid — read-only), accounting data (QuickBooks, Xero), field service management data (Jobber, Housecall Pro, ServiceTitan), payroll data (Gusto, ADP), communication content you authorize (Slack, email).
From your use of the service: Usage logs, IP addresses, device type, browser, and feature usage analytics. We use privacy-first analytics (no Google Analytics).
3. How We Use It
We use your information to: operate and improve the Service; send you financial insights, anomaly alerts, and weekly digests; communicate with you about your account; and comply with applicable law.
We may use aggregate, anonymized data to improve the Service. Anonymized data cannot be re-identified to any individual user or business.
4. AI Processing
We use Anthropic API endpoints to process financial data and generate insights. We operate under zero-retention agreements: Anthropic does not store or train on data passed through their API.
We do not fine-tune any AI model on your data. We do not sell your data for model training. We do not use your data to improve any third-party AI product.
5. Sharing
We share your data only with: your authorized integration partners (the systems you explicitly connect to COSai); our subprocessors (see our public subprocessor list); and law enforcement when legally required.
We do not sell your data. We do not share your data for advertising purposes. We do not share individual business data with other COSai customers.
6. Retention
We retain financial records for up to 7 years to comply with accounting and tax law requirements. Non-financial data (usage logs, analytics) is retained for 24 months. You may request deletion of your data at any time; we will delete within 30 days subject to legal retention obligations.
7. Security
We use per-tenant envelope encryption, AWS KMS, and read-only API connections by default. See our security page for full details.
8. Your Rights
You have the right to: access your data; correct inaccurate data; request deletion (subject to legal retention requirements); export your data in a portable format; and opt out of non-essential communications.
CCPA (California): California residents have the right to know what data we collect, to request deletion, and to opt out of sale (we do not sell data). Contact privacy@cosai.tech.
GDPR (EEA): We are currently US-only. If you are an EEA resident accessing the Service, contact privacy@cosai.tech to exercise GDPR rights.
9. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately.
10. Bank Connections
Bank connections are handled by Plaid. We never see or store your bank login credentials. Plaid's privacy policy governs how they handle your banking credentials. COSai receives only read-only transaction data from Plaid.
11. Changes to This Policy
We will notify you by email 30 days before any material change to this policy. Continued use after the effective date constitutes acceptance.
12. Contact
Privacy questions: privacy@cosai.tech