Privacy Policy
Effective Date: 22 May 2025
We value your privacy and are committed to protecting your personal and proprietary information. This Privacy Policy
explains how we collect, use, disclose, and safeguard data when you interact with our web application.
Whether you're using our platform to manage Threat and Risk Assessments (TARA) or to access optional AI-generated insights,
we want you to clearly understand what data is collected, how it is used, and what rights you have.
This document is designed to comply with applicable privacy laws, including the General Data Protection Regulation (GDPR),
the California Consumer Privacy Act (CCPA), and other relevant global data protection frameworks. We are based in Romania,
and all legal matters relating to data protection are handled under Romanian jurisdiction.
By using our application, you consent to the practices described in this Privacy Policy. If you do not agree with our policies and practices, we recommend that you do not use our services.
We encourage you to read this policy carefully and contact us if you have any questions or concerns regarding how your data is handled.
1. Information We Collect
We collect and store various types of information to provide, improve, and secure our services. This data falls into the following categories:
- Information You Provide
When you submit a request to access the platform, we collect the following information through our request form:
- Full name
- Email address
- Organization name
- Position within the organization
- Brief description of the organization
This data is reviewed as part of our access approval process. If your request is approved, an account is created for you,
and the information above is securely stored in your user profile.
Once your account is active, you may submit additional data as part of your work with our platform, including:
- Asset details (names, descriptions, classifications)
- Threat information (descriptions, categories, likelihoods)
- Impact and risk ratings
- Other structured fields related to Threat and Risk Assessments (TARA)
- Security and Telemetry Data
To maintain a secure and reliable service, we automatically collect certain technical and usage-related information when
you access the platform. This includes:
- IP address
- Browser type and version
- Operating system
- Timestamps of access and activity
- Session duration and navigation behavior
- Other diagnostic and telemetry data
This information is collected for the following purposes:
- Security: Detect, investigate, and respond to unauthorized access, abuse, or suspicious activity
- Usage analytics: Understand how users interact with the platform to improve functionality and performance
- Compliance and audit: Maintain audit trails for regulatory or internal review purposes
- AI-Related Data (Third-Party Disclosure)
As described in a separate section of this policy, specific TARA-related input (such as asset names or threat descriptions)
may be sent to OpenAI’s API when users choose to utilize our AI-assisted features. No personally identifiable information
(e.g., name, email, organization) is sent during these interactions.
- No Data Sales or External Sharing
We do not sell, rent, or otherwise share your personal or proprietary data with third parties for marketing or commercial purposes.
Data is only shared:
- With OpenAI, for AI feature requests (as explained in section 3)
- When legally required to comply with a valid legal request (e.g., subpoena or court order)
- As necessary to protect our rights, users, or the public
We respect your privacy and apply appropriate safeguards to all stored and transmitted information.
2. Data Security
We are committed to protecting your data and maintaining the confidentiality, integrity, and availability of all information stored on our platform.
To achieve this, we implement industry best practices in data protection and apply strict security controls to all layers of the system.
Access to user data is strictly restricted. All sensitive content — such as information related to assets, threats, risk ratings,
and organizational data — is logically isolated and cryptographically protected, such that:
- Data is tied directly to your account and organization
- It cannot be accessed or decrypted by unauthorized individuals, including system administrators, developers, testers, or support staff
- Only authenticated users with appropriate permissions within your organization can access relevant content
Internal staff do not have the ability to read or decrypt user-generated content. All access attempts and system interactions are logged,
monitored, and subject to strict auditing policies.
We regularly review and update our security practices to adapt to evolving threats and maintain compliance with applicable data protection regulations.
3. Use of AI Features and Third-Party Data Sharing (GDPR & CCPA Compliance)
Our platform offers optional features powered by Artificial Intelligence (AI) via OpenAI, designed to assist users in evaluating
Threat Analysis and Risk Assessments (TARA), such as:
- Generating or validating impact ratings, attack feasibility, and threat modeling insights
- Content generation and question answering
- Intelligent suggestions, where the text you input, or a portion thereof, is transmitted to OpenAI’s API in order to generate a response
When you choose to use these AI features, certain non-personal input data is transmitted to OpenAI’s API for processing. This includes:
- Asset names and descriptions
- Threat names and descriptions
- Other TARA-related fields necessary for contextual analysis
We do not transmit any personal user information, account details, or identifiers to OpenAI.
Proprietary and Confidential Content
Although no personally identifiable information (PII) is shared, the data sent to OpenAI may include proprietary, confidential, or sensitive business information,
depending on your specific TARA content. Users are advised to exercise discretion and avoid including trade secrets or highly sensitive
internal documentation in AI queries unless they understand and accept the associated risks.
GDPR Notice (EU/EEA Residents)
Under the General Data Protection Regulation (GDPR), while the content shared with OpenAI may not constitute personal data, it may still
be subject to regulation if it contains sensitive or business-critical information. As such, we ensure:
- Transparent disclosure of third-party processing
- Voluntary and informed user consent for using AI features
- The ability to opt-out by not using AI functionality
Users retain full control and can access our services
without invoking any AI processing, thereby keeping all data entirely within our system.
CCPA Notice (California Residents)
Under the California Consumer Privacy Act (CCPA), we do not "sell" your personal information. However, sharing TARA-related content with a third party
(OpenAI) may be considered a form of "data disclosure" under CCPA definitions. You have the right to:
- Choose not to use AI features and ensure no third-party sharing occurs
- Understand what categories of data are shared (e.g., TARA fields, not personal information)
Optional Use and Data Control
All AI functionality is optional and user-driven. If you do not use any AI-assisted features, no data is shared externally, and your interaction remains
local to our platform. This approach ensures maximum control over your content and compliance with data privacy standards.
4. User Consent and Policy Updates
By accessing or using our application, you acknowledge and agree to be bound by this Privacy Policy. Your continued use of the
platform following any updates or modifications to this policy constitutes your acceptance of those changes.
We are committed to ensuring that our Privacy Policy remains compliant with applicable international data protection regulations,
including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
To that end, this document is reviewed and updated regularly to reflect changes in our practices, applicable laws, or new technologies.
We encourage all users to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your data.
5. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of law
provisions. Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the
courts of Romania.
6. Contact Us
If you have any questions or concerns regarding our Privacy Policy or the protection of your personal information, you can contact
us in one of the following ways:
- Option 1: Contact Form
Fill out our contact form to send us a message. We will respond to your inquiry as soon as possible.
- Option 2: Email
Send an email directly to our support team at contact@cyberlifehacks.dev.
We will get back to you promptly.