Privacy & Data Protection Policy

Last updated: 20 April 2026 · GDPR & Turkish KVKK compliant

1. Data Controller

COSMOS AI is the data controller for the personal data processed through this platform. Your personal data is processed for the purposes and legal bases described below.

Data Controller: COSMOS AI
Contact: kvkk@cosmosai.systems

2. Personal Data We Collect

2.1 Identity & Contact Data

  • First and last name
  • Email address
  • Phone number (optional)
  • Company / organization name

2.2 Account & Security Data

  • Password (stored as a salted hash, never in plain text)
  • Session tokens and IP addresses
  • Login history and device information
  • Two-factor authentication records

2.3 Usage & Analytics Data

  • In-platform navigation and page views
  • Feature usage statistics
  • Error reports and performance metrics
  • Browser type, operating system, screen resolution

2.4 Business Data

  • CRM records (customers, opportunities, activities)
  • Logistics data (shipments, loading plans, fleet info)
  • Analytics reports and dashboard definitions
  • AI-generated content and analyses

3. Purposes of Processing

  • Contract performance: Account creation, authentication, delivery of platform services.
  • Legitimate interest: Platform security, fraud prevention, service quality improvement.
  • Consent: Marketing communications, anonymized data use for AI model training, third-party integrations.
  • Legal obligation: Compliance with applicable laws and regulatory requests.

4. Data Transfers

4.1 Service Providers

  • Infrastructure: Cloud hosting and database providers.
  • Integration partners: Third-party software vendors providing add-ons.
  • Authorities: Public authorities where required by law.
  • Security partners: Cybersecurity vendors protecting the platform.

4.2 International Transfers

Some data may be processed on servers outside your country of residence. Such transfers are protected by:

  • Standard Contractual Clauses (SCCs) and data processing agreements.
  • Transfers only to jurisdictions with adequate protection or with contractual safeguards.

5. Data Use for AI & Machine Learning

  • Platform usage patterns may be analyzed in anonymized and de-identified form to improve service quality.
  • Any data used in AI model training is irreversibly anonymized; no individual can be re-identified.
  • Your business data (CRM, logistics, etc.) is used to produce AI suggestions for you but is never shared with other tenants' models.
  • You may opt out of AI-based processing entirely by contacting support.

6. Data Retention

  • Account data: while your account is active + 30 days after closure.
  • Logs and security data: 2 years.
  • Invoicing and payment records: 10 years (legal requirement).
  • Anonymized analytics: indefinite (no identifying information).
  • Backups: deletion requests propagated to all backups within 90 days.

7. Your Rights

You have the right to:

  • Know whether your personal data is being processed.
  • Request information about how your data is processed.
  • Request correction of incomplete or inaccurate data.
  • Request erasure ("right to be forgotten").
  • Request restriction of, or object to, processing.
  • Request that correction/erasure be notified to third parties who received the data.
  • Object to automated decisions made solely by algorithmic processing that significantly affect you.
  • Claim compensation for damages arising from unlawful processing.

8. Cookies

  • Strictly necessary cookies: Required for session and security; cannot be disabled.
  • Analytics cookies: Collect usage statistics; can be disabled in your preferences.
  • Functional cookies: Remember language, theme, and similar preferences.

9. Security Measures

  • All data transfers are protected with TLS/SSL encryption.
  • Sensitive data is encrypted at rest with AES-256.
  • Regular security audits and penetration tests.
  • Least-privilege access controls.
  • 24/7 security monitoring and anomaly detection.

10. How to Contact Us

Your requests are handled free of charge within 30 days. If processing requires additional cost, a fee consistent with the applicable regulation may apply.

11. Google API Services & Gmail Integration

At your explicit request, COSMOS AI can connect to your Gmail account and access your mail data through Google API Services. This section is written in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

11.1 Google API Scopes Used

  • gmail.readonly: Used solely to read incoming message headers and bodies. Sending, deleting, or modifying email is technically impossible with this scope.
  • userinfo.email / profile: Used to match your Google identity with your COSMOS AI user account.

11.2 Purpose of Use

  • Automatically identify freight price quotes, RFQs (Requests for Quotation), and carrier correspondence, and surface them in your dashboard.
  • Track unanswered customer requests for SLA management.
  • Email contents are fed to the pricing engine as anonymized market signals; party identities (sender/recipient addresses, company names) are irreversibly masked before such aggregation.

11.3 Limited Use Commitment

COSMOS AI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

  • Gmail data is not used to serve ads and is not sold to advertisers or data brokers.
  • Gmail content is not used to train generalized AI/ML models. It is used only within your organization to deliver the service you have requested.
  • Humans do not read your email content. Exceptions are strictly limited to: (a) a specific support request you initiate, (b) security or abuse investigations, (c) legal obligations, and (d) internal operations on aggregated and anonymized data.
  • Gmail data is not transferred to third parties outside of the exceptions above.

11.4 Retention & Deletion

  • OAuth access and refresh tokens are encrypted at rest using pgsodium AEAD symmetric encryption.
  • Raw message bodies are retained for a maximum of 90 days, after which they are automatically purged. Only summarized signals (price, route, date) remain.
  • You can disconnect at any time via Mail Assistant > Disconnect inside the app, or by revoking access at Google Account > Connected Apps. After revocation, stored tokens are deleted within 24 hours.

11.5 Security

  • All Google API calls are performed over TLS 1.2+ encrypted channels.
  • Tokens are stored server-side only; they are never exposed to the browser or third parties.
  • Database access is constrained by row-level security (RLS); each organization can only view its own email data.

The same terms apply to Microsoft Outlook (Microsoft Graph API) and IMAP connection methods.

12. Policy Changes

This policy may be updated. Material changes will be announced in-platform and/or by email. Continued use after an update constitutes acceptance of the revised policy.

Turkish version: /tr/gizlilik