Privacy Policy

This Privacy Policy applies to:

• Visitors to the CosX website
• Customers, prospects, and partners
• Users of CosX platforms, APIs, dashboards, AI systems, and services
• Business contacts and vendors

For the purposes of GDPR:

• CosX acts as a Data Controller for website and marketing data.
• CosX acts as a Data Processor when processing customer data under contractual services.
• Processing is governed by contractual agreements and Data Processing Addendums (DPAs) where applicable.

3.1Personal data you provide

• Name, email address, phone number
• Company name, designation, and business contact details
• Information submitted through forms, emails, contracts, or demos

3.2Automatically collected data

• IP address and approximate location
• Browser type, device information
• Website usage data and logs
• Cookies and similar technologies

3.3Customer-provided & operational data

When delivering services, CosX may process:

• Operational, financial, ESG, asset, or workflow data
• Documents, logs, datasets, and integrations
• AI-generated outputs derived from customer data

CosX does not use customer data to train generalized AI models unless explicitly agreed in writing.

CosX processes personal data on the following lawful bases:

• Contractual necessity
• Legitimate business interests
• Legal and regulatory compliance
• Consent, where required

We process data to:

• Deliver contracted services
• Operate and secure platforms
• Communicate with clients and partners
• Improve products and services
• Meet legal, audit, and compliance obligations

CosX follows ISO 27001 principles of:

• Collecting only necessary data
• Using data strictly for defined purposes
• Periodic review and deletion of unnecessary data

CosX implements appropriate technical and organisational measures including:

• Role-based access control (RBAC)
• Encryption in transit and at rest (where applicable)
• Secure cloud infrastructure
• Audit logging and monitoring
• Documented access provisioning and offboarding
• Incident response and escalation procedures

Security controls are reviewed periodically as part of the Information Security Management System (ISMS).

Personal data is retained only for as long as:

• Required to fulfil contractual obligations
• Necessary for legitimate business purposes
• Required under applicable laws

Retention schedules are documented internally.

CosX may share data with:

• Cloud hosting and infrastructure providers
• Analytics and communication service providers
• Professional advisors (legal, audit, compliance)
• Authorities when legally required

All sub-processors are subject to confidentiality and data-protection obligations.

Where personal data is transferred outside the EU/UK:

• Appropriate safeguards are applied (e.g., SCCs)
• Transfers comply with GDPR Chapter V requirements

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure (“right to be forgotten”)
• Restrict or object to processing
• Request data portability
• Withdraw consent (where applicable)

Requests may be sent to admin@cosx.ai.

CosX uses cookies for:

• Website functionality
• Analytics and performance measurement

You may manage cookie preferences via browser settings.

In the event of a personal data breach:

• CosX will assess impact promptly
• Notify relevant authorities and customers where legally required
• Take corrective and preventive actions

This Privacy Policy may be updated periodically. Material changes will be published on this page.