Legal

Privacy Policy

This policy explains what we collect, why, who we share it with, and the rights you have over your information.

Last updated: April 29, 2026

1. Who we are

CosmicAI Studio (“we”, “us”) is the data controller for personal information processed through cosmicai.studio. Reach us at privacy@cosmicai.studio.

2. What we collect

Information you provide

  • Account information — name and email when you sign up via Clerk.
  • Profile / onboarding answers — the business and audience details you supply (business story, offer, target audience, inspiration accounts, etc.).
  • Generated content & topics — the scripts, memes, and topic proposals produced for you.
  • Billing details — name and payment method, handled by Stripe. We never see your full card number.
  • Communications — messages you send us by email or in-app.

Information collected automatically

  • Usage data — pages visited, features used, error events, approximate timing of generation requests.
  • Device & network information — IP address, browser type, operating system, referrer, and similar technical details.
  • Cookies & similar technologies — see our Cookie Policy.

Information from third parties

When discovery features are enabled, we collect publicly available content (top posts, captions, view counts) from TikTok, Instagram, and Reddit via Apify and from the open web via Tavily. This data describes third-party creators, not you.

3. How we use your information

  • To operate the service — generate scripts, memes, and analyses.
  • To authenticate you and protect your account.
  • To process payments and prevent fraud.
  • To improve the service — debugging, performance monitoring, feature development.
  • To communicate about your account, security, and updates.
  • To meet legal obligations and enforce our terms.

We do not use your generated content to train our own models, and we configure our AI providers for zero data retention where supported.

4. Legal bases (EEA / UK)

  • Contract — to provide the service you signed up for.
  • Legitimate interests — to secure, improve, and analyze the service.
  • Consent — for non-essential cookies and marketing communications.
  • Legal obligation — to comply with applicable laws.

5. Sharing & processors

We share information with the following processors so they can operate the service on our behalf. Each is bound by a data processing agreement.

  • Clerk — authentication and identity management.
  • Neon — managed Postgres database hosting.
  • Vercel — application hosting, edge network, and AI Gateway routing.
  • Anthropic — large-language-model inference (Claude), via Vercel AI Gateway.
  • Google — multimodal model inference (Gemini), via Vercel AI Gateway.
  • Apify — public content discovery (TikTok, Instagram, Reddit).
  • Tavily — web search for niche-context grounding.
  • Stripe — payment processing and billing.

We may also disclose information when required by law, to enforce our terms, to investigate fraud, or in connection with a corporate transaction (merger, acquisition, etc.).

6. International transfers

Our processors are primarily based in the United States and the European Union. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Retention

  • Account & profile data — kept while your account is active and for up to 12 months after closure.
  • Generated content — retained while your account is active so you can revisit it; deleted on account closure or earlier on request.
  • Billing records — retained for up to 7 years as required for tax and accounting.
  • Logs — typically retained for 30 to 90 days for operational and security purposes.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, port, or object to processing of your personal information, and to withdraw consent. To exercise any of these, email privacy@cosmicai.studio. We’ll respond within the timeframe required by your jurisdiction (typically 30 days).

California residents have additional rights under the CCPA / CPRA, including the right to know what we collect, to delete it, and to opt out of “sale” or “sharing” — we do not sell or share personal information for cross-context behavioral advertising.

9. Security

We use industry-standard safeguards: TLS in transit, encrypted databases at rest, scoped access tokens, OAuth for authentication, and least-privilege access for personnel. No method is 100% secure; suspect a breach? Email security@cosmicai.studio immediately.

10. Children

The service is not directed at children under 18. If we learn we have collected personal information from a child, we will delete it.

11. Changes to this policy

We may update this policy. Material changes will be announced via email or in-app notice. The “Last updated” date above always reflects the current version.

12. Contact

Privacy questions, data requests, or complaints: privacy@cosmicai.studio. EEA / UK users may also lodge a complaint with their local data protection authority.