Privacy policy

When you are our customer

For data processed on behalf of our customers through the Service (for example, their end users' interactions with our agents), we generally act as a data processor or service provider under applicable data protection laws. Your organization is the data controller and determines what personal data is collected, how agents are configured, who the agents contact, whether interactions are recorded, and what business decisions are made using outputs. We process personal data in this context only on the documented instructions of the customer and as necessary to provide the Service, subject to the applicable agreement and data processing terms.

When you visit our website or interact with us directly

When you visit our website, sign up for an account, or communicate with our sales or operations teams, we act as a data controller. In this capacity, we determine how and why we process personal data for purposes such as website analytics and performance, marketing and communications, account creation and management, billing and collections, and customer support and business operations.

Information we collect

Account and business information: We collect information you provide directly to us, including your name, work email address, and other business contact details. We also collect account registration information and authentication credentials, billing and payment information processed on our behalf by payment processors, service usage preferences and settings, and any communications with us such as support tickets and feedback.

Service interaction data: When customers deploy agents using the Service, we may process information on their behalf. This includes communication data such as call audio and recordings, messages across channels like SMS and email, and language or sentiment metadata where configured. It also includes customer end-user data provided by our customers, policy or account identifiers, and related notes. We additionally process operational metadata including timestamps and interaction durations, workflow steps and decision paths, routing and escalation records, and integration responses and system events. Our customers control which data elements are collected and processed through the Service.

Automatically collected technical data: When you use the Service, we may automatically collect technical information such as your IP address and approximate location derived from it, device type and operating system, browser type and settings, access times and pages viewed, and log data including performance metrics and error and reliability diagnostics.

Cookies and similar technologies: We use cookies and similar technologies on our website to authenticate users and maintain sessions, enhance security and prevent abuse, remember preferences and improve user experience, and perform analytics and measure performance. We do not use customer conversation content processed through our platform for advertising or cross-site behavioral tracking.

How we use information

As a processor: When acting as a processor or service provider for our customers, we process personal data only as necessary to operate and deliver the Service — including to route and manage conversations and interactions, generate transcripts and summaries, execute workflows and integrate with third-party systems, provide audit logs and quality assurance, maintain and secure the platform, and troubleshoot issues and provide customer support. We do not use customer conversation data for our own marketing or advertising purposes in this context.

As a controller: When acting as a controller, we may use information to create and manage user accounts, provide and improve the website and Service, respond to inquiries and provide customer support, send transactional messages and service notifications, monitor and improve performance and security, conduct analytics and product development, comply with legal obligations and enforce our agreements, and investigate fraud, abuse or security incidents.

Model training and customer data

We design our platform to respect enterprise data boundaries. We do not use customer conversation content or Customer Data to train general-purpose foundation models. Customer Data is used only as necessary to operate workflows, provide and support the Service, maintain system quality, detect and remediate failures, and improve reliability and security.

We may use aggregated and de-identified telemetry data (such as latency statistics or general usage patterns) to improve infrastructure performance, provided such data does not identify a specific customer or individual. Any future use of customer content for model training beyond what is necessary to provide the Service would require explicit, prior customer consent through an enterprise setting or written agreement.

Sharing of information

We do not sell personal data. We may share information with trusted third-party vendors who assist us in operating the Service, including cloud hosting and data center providers, telephony and messaging providers, storage and database providers, monitoring and security vendors, and analytics and support tools used for operations. These providers act as our processors or subprocessors and are contractually required to protect personal data and use it only to provide services to us.

We may disclose information if we believe in good faith that doing so is reasonably necessary to comply with applicable laws or governmental requests, respond to valid subpoenas or court orders, or protect the rights, property or safety of Cozmo AI and its users.

International data transfers

We operate globally, and personal data may be stored and processed in the United States and other countries where we or our service providers maintain operations. When personal data is transferred across borders, we implement appropriate safeguards such as contractual data protection clauses (standard contractual clauses), technical measures such as encryption and access controls, least-privilege access restrictions, and vendor due diligence and data protection agreements with subprocessors. The specific protections applied may vary depending on your location and applicable data protection laws.

How long we keep data

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by applicable law or legitimate business needs. Platform logs and technical telemetry are retained for a limited period to ensure security and reliability. Transcripts and interaction content are retained in accordance with customer configuration and instructions. Account and contract records may be retained for the duration of the customer relationship and for a period thereafter as required by law.

Technical and organizational safeguards

We implement administrative, technical and physical safeguards designed to protect personal data against unauthorized access, loss or alteration. These include encryption of data in transit and at rest, least-privilege access controls, multi-factor authentication and credential security, logging and monitoring for security events, vulnerability management and security testing, and incident response and breach notification procedures. No security measures are perfect or impenetrable, and we cannot guarantee absolute security. We continuously work to enhance and adapt our security controls in line with industry practices and risk assessments.

Your privacy rights

Depending on your jurisdiction, you may have the right to access and receive information about the personal data we hold about you, request correction of inaccurate or incomplete data, request deletion of personal data in certain circumstances, restrict or object to certain processing activities, receive your data in a portable format where technically feasible, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory or regulatory authority.

If you interacted with an agent operated by one of our customers (for example, a virtual assistant representing your bank or insurer), that customer is typically the controller of your personal data, and you should contact that organization directly to exercise your privacy rights.

Age restrictions

The Service is intended for business and professional use and is not directed to children under the age of 16, or such other age of digital consent applicable in your jurisdiction. We do not knowingly collect personal data from children in this context. If we learn that we have collected personal data from a child in violation of this Policy or applicable law, we will take reasonable steps to delete such data promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will provide notice in a manner we consider appropriate, such as a notice on the website or an email to registered users. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.

Get in touch

If you have any questions or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact us at: Cozmo AI, Inc. · privacy@hellocozmo.ai