
GDPR & Data Protection

Last updated: April 8, 2026

Techdome LLC ("Cosmo") is committed to protecting the personal data of all users, including those in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains how we comply with the General Data Protection Regulation (GDPR) and your specific rights under it.

1. Data Controller & Data Processor

Cosmo as Controller: For account data, billing data, and usage analytics, Techdome LLC acts as the data controller — we determine the purposes and means of processing.

Cosmo as Processor: For content you create within Cosmo (artifacts, documents, workspace data), we act as a data processor on behalf of your organization. Your organization's administrator is the data controller for this content.

2. Legal Bases for Processing

We process personal data under the following legal bases as defined by GDPR Article 6(1):

| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account creation & authentication | Contract performance | Necessary to provide the Service you signed up for |
| Billing & payment processing | Contract performance | Required to fulfill our contractual obligations |
| Sending data to LLM providers (Anthropic, OpenAI) | Contract performance | Necessary to deliver the AI features you actively use |
| Usage analytics | Legitimate interest | To improve the Service; anonymized and minimal |
| Security monitoring | Legitimate interest | To protect users and the Service from threats |
| Marketing communications | Consent | Only with your explicit opt-in; withdraw anytime |

3. International Data Transfers

Cosmo's infrastructure is hosted in Azure East US. If you are located in the EEA, UK, or Switzerland, your data is transferred to the United States for processing. We rely on the following safeguards for these transfers:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our sub-processors (Azure, Clerk, Anthropic, OpenAI, Stripe)
  • EU-U.S. Data Privacy Framework: Where applicable, our sub-processors are certified under the DPF
  • Supplementary measures: Encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, and data minimization

4. Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights:

Right of Access (Art. 15)

Request a copy of the personal data we hold about you, including data stored by our sub-processors.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data. You can update most data directly in your account settings.

Right to Erasure (Art. 17)

Request deletion of your personal data. We will delete your account, artifacts, conversation history, and integration credentials within 30 days.

Right to Restrict Processing (Art. 18)

Request that we limit how we use your data while a dispute or complaint is being resolved.

Right to Data Portability (Art. 20)

Request your data in a structured, machine-readable format (JSON). This includes your artifacts, workspace data, and account information.

Right to Object (Art. 21)

Object to processing based on legitimate interest (e.g., analytics). We will cease processing unless we have compelling legitimate grounds.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent (e.g., marketing), you may withdraw consent at any time without affecting prior processing.

To exercise any right, email support@getcosmo.app with the subject line "GDPR Request." We will verify your identity and respond within 30 days. If we need additional time, we will inform you within the initial 30-day period.

5. Sub-Processors

We use the following sub-processors that may process personal data of EEA/UK users:

| Sub-Processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Microsoft Azure | US (East) | Infrastructure & database | SCCs + DPF |
| Clerk | US | Authentication | SCCs |
| Anthropic | US | AI model inference | SCCs + DPF |
| OpenAI | US | AI model inference | SCCs + DPF |
| Stripe | US | Payment processing | SCCs + DPF |
| Cloudflare | Global | Object storage (R2) | SCCs |

We will notify existing users at least 14 days before adding a new sub-processor. You may object by contacting us within that period.

6. Data Protection Measures

We implement the following technical and organizational measures per GDPR Article 32:

  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Tenant isolation: Row-level data separation per organization — no cross-tenant data access is possible at the application layer
  • Access controls: Role-based access (RBAC) with least-privilege principles
  • Data minimization: We only send the minimum necessary context to LLM providers for each request
  • Zero-retention AI: We use API agreements with zero data retention where available — LLM providers do not store or train on your data
  • Audit logging: Access to personal data is logged for accountability
  • Incident response: We will notify affected users and relevant supervisory authorities within 72 hours of discovering a personal data breach, as required by GDPR Article 33

7. Data Retention Periods

  • Account data: Duration of your account + 30 days after deletion request
  • Artifacts & content: Until you or your organization admin deletes them
  • AI conversation history: Until you delete it, or 90 days after account closure
  • Integration credentials: Until disconnection or account closure (deleted immediately)
  • Billing records: As required by tax law (typically 7 years)
  • Security logs: 90 days rolling retention

8. Right to Lodge a Complaint

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found on the EDPB website.

We encourage you to contact us first at support@getcosmo.app so we can try to resolve your concern directly.

9. Contact

For GDPR-related inquiries:

Techdome LLC
Email: support@getcosmo.app
Subject line: "GDPR Inquiry"

© 2026 Cosmo. All rights reserved.