This Privacy Policy describes how Cozmo AI LTD. and its affiliates ("Cozmo AI", "we", "us", or "our") collect, use, disclose, and protect information in connection with: (i) our website located at www.hellocozmo.ai; (ii) our AI employee platform, APIs, agents, and workflows; and (iii) voice, messaging, and multimodal interactions powered by our systems (collectively, the "Service"). By accessing or using the Service, you agree to this Privacy Policy.

Roles and Scope

1.1 When You Are Our Customer

For data processed on behalf of our customers through the Service, for example, their end users' interactions with AI agents, we generally act as a data processor or service provider under applicable data protection laws. Your organization is the data controller and determines what personal data is collected, how AI agents are configured, who the agents contact, whether interactions are recorded, and what business decisions are made using outputs.

We process personal data in this context only on the documented instructions of the customer and as necessary to provide the Service, subject to the applicable agreement and data processing terms.

1.2 When You Visit Our Website or Interact With Us Directly

When you visit our website, sign up for an account, receive marketing, or communicate with our sales, support, or operations teams, we generally act as a data controller. In this capacity, we determine how and why we process personal data for purposes such as website analytics and performance, marketing and communications, account creation and management, billing and collections, and customer support and business operations.

Information We Collect

2.1 Account and Business Information

We collect information you provide directly to us, including your name, work email address, phone number, company name, role, and other business contact details. We also collect account registration information and authentication credentials, billing and payment information processed on our behalf by payment processors, service usage preferences and settings, and any communications with us such as support tickets and feedback.

2.2 Service Interaction Data

When customers deploy AI agents using the Service, we may process information on their behalf. This includes communication data such as call audio and recordings, messages across channels like SMS, WhatsApp, chat, and email, interaction transcripts, and language or sentiment metadata where configured. It also includes customer end-user data provided by our customers — such as names, contact details, policy or account identifiers, case details, uploaded files, conversation history, and related notes.

We additionally process operational metadata including timestamps and interaction durations, workflow steps and decision paths, routing and escalation records, and integration responses and system events. Our customers control which data elements are collected and processed through the Service, and we do not determine the substance of end-user content our customers choose to process.

2.3 Automatically Collected Technical Data

When you use the Service, we may automatically collect technical information such as your IP address and approximate location derived from it, device identifiers, device type and operating system, browser type and settings, access times and pages viewed, and log data including performance metrics, latency, and error and reliability diagnostics.

2.4 Cookies and Similar Technologies

We use cookies and similar technologies on our website to authenticate users and maintain sessions, enhance security and prevent abuse, remember preferences and improve user experience, and perform analytics and measure performance. We do not use customer conversation content processed through our platform for advertising or cross-site behavioral tracking.

How We Use Information

3.1 As a Processor

When acting as a processor or service provider for our customers, we process personal data only as necessary to operate and deliver the Service and AI agents, route and manage conversations and interactions, generate transcripts and summaries, execute workflows and integrate with third-party systems, provide audit logs and quality assurance, maintain and secure the platform, and troubleshoot issues and provide customer support. We do not use customer conversation data for our own marketing or advertising purposes in this context.

3.2 As a Controller

When acting as a controller, we may use information to create and manage user accounts, provide and improve the website and Service, respond to inquiries and provide customer support, send transactional messages and service-related updates, handle billing, invoicing, and collections, monitor and improve performance and security, conduct analytics and product development, comply with legal obligations and enforce our agreements, and detect, prevent, and investigate fraud, abuse, or security incidents.

AI Outputs and Automated Decisions

4.1 Platform Capability and Customer Responsibility

Our platform may generate automated outputs, recommendations, or actions — for example, responses to customer inquiries, triage decisions, or conversation routing. Cozmo AI provides the technical capability and infrastructure for such automation, while customers configure the rules, prompts, workflows, and business logic governing how outputs are used. Customers remain responsible for decisions that materially impact individuals, including any regulatory or high-risk decisions.

4.2 Disclosure of Automated Decision-Making

Where applicable law requires disclosure of automated decision-making or AI-based interactions, customers are responsible for providing appropriate notices to their end users. Cozmo AI does not determine the disclosure obligations that apply to any specific customer deployment.

Model Training and AI Learning

5.1 Our Approach to Customer Data

We design our platform to respect enterprise data boundaries. By default, we do not use customer conversation content or Customer Data to train general-purpose foundation models. Customer Data is used only as necessary to operate workflows, provide and support the Service, maintain system quality, detect and remediate failures, and improve reliability and security.

5.2 Aggregated and De-identified Data

We may use aggregated and de-identified telemetry data — such as latency, error rates, or general usage patterns — to improve infrastructure performance, scalability, and resilience, provided such data does not identify a specific customer or individual. Any future use of customer content for model training beyond what is necessary to provide the Service would require explicit, prior customer consent through an enterprise setting or written agreement.

Sharing of Information

6.1 Service Infrastructure Providers and Subprocessors

We do not sell personal data. We may share information with trusted third-party vendors who assist us in operating the Service, including cloud hosting and data center providers, telephony and messaging providers, storage and database providers, monitoring and security vendors, and analytics and support tools used for operations. These providers act as our processors or subprocessors and are contractually required to protect personal data and use it only to provide services to us.

6.2 Legal and Safety Disclosures

We may disclose information if we believe in good faith that doing so is reasonably necessary to comply with applicable laws, regulations, or governmental requests, respond to valid subpoenas or court orders, protect the rights, property, or safety of Cozmo AI, our customers, users, or the public, or detect, investigate, and help prevent fraud, security incidents, and other harmful activities.

6.3 Business Transfers

If Cozmo AI is involved in a merger, acquisition, financing, corporate reorganization, or sale of assets, information may be transferred as part of that transaction, subject to appropriate confidentiality and security obligations and consistent with this Privacy Policy.

International Data Transfers

7.1 Global Operations and Safeguards

We operate globally, and personal data may be stored and processed in the United States and other countries where we or our service providers maintain operations. When personal data is transferred across borders, we implement appropriate safeguards such as contractual data protection clauses (including standard contractual clauses where applicable), technical measures such as encryption and access controls, internal least-privilege access restrictions, and vendor due diligence and data protection agreements with subprocessors.

The specific protections applied may vary depending on your location and the applicable data protection laws in your jurisdiction.

Data Retention

8.1 How Long We Keep Data

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by applicable law, contract, or legitimate business needs. Platform logs and technical telemetry are retained for a limited period to ensure security, performance, and auditability. Transcripts and interaction content are retained in accordance with customer configuration and instructions, where applicable, and backups are retained for limited periods consistent with our disaster recovery policies.

Account, billing, and contract records may be retained for the duration of the customer relationship and for a period thereafter as required by law or for legitimate business purposes such as recordkeeping, dispute resolution, and compliance. Where we act as a processor, our retention of end-user data is primarily determined by the customer's instructions and the applicable agreement.

Security Measures

9.1 Technical and Organizational Safeguards

We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or disclosure. These include encryption of data in transit and at rest, role-based and least-privilege access controls, authentication and credential security, logging and monitoring for security-relevant events, vulnerability management and security testing, and incident response and breach notification procedures.

No security measures are perfect or impenetrable, and we cannot guarantee absolute security. However, we continuously work to enhance and adapt our security controls in line with industry practices and risk assessments.

Your Privacy Rights

10.1 Rights You May Have

Depending on your jurisdiction, you may have the right to access and receive information about the personal data we hold about you, request correction of inaccurate or incomplete data, request deletion of personal data in certain circumstances, restrict or object to certain processing activities, receive your data in a portable format where technically feasible, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory or regulatory authority.

10.2 Interactions via Our Customers' AI Agents

If you interacted with an AI agent operated by one of our customers — for example, an AI assistant representing your bank or insurer — that customer is typically the controller of your personal data, and you should contact that organization directly to exercise your privacy rights. You may also contact us using the details in Section 15, and where appropriate we will assist our customer in responding to your request or direct you to the relevant controller.

California, GDPR, UAE PDPL, and Similar Laws

11.1 Our Role Under Applicable Regulations

Where laws such as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the UAE Personal Data Protection Law (PDPL), or similar regulations apply, we act as a processor or service provider for Customer Data processed on behalf of our enterprise customers, and as a controller for personal data we process for our own purposes such as website usage, marketing, and account management.

11.2 Data Processing Agreements

When acting as a processor or service provider, we process personal data only on documented instructions from the customer and in accordance with our data processing terms. Where required, we will enter into appropriate data processing, data transfer, or service provider agreements with our customers and vendors.

Children's Privacy

12.1 Age Restrictions

The Service is intended for business and professional use and is not directed to children under the age of 13, or such other age of digital consent applicable in your jurisdiction. We do not knowingly collect personal data from children in this context. If we learn that we have collected personal data from a child in violation of this Policy or applicable law, we will take reasonable steps to delete such data promptly.

Third-Party Links and Integrations

13.1 External Services

The Service may contain links to or integrations with third-party websites, products, or services. This Privacy Policy does not apply to those third parties, and their own privacy policies govern their handling of personal data. We encourage you to review the privacy policies of any third-party services you use in connection with our platform.

Changes to This Privacy Policy

14.1 How We Notify You

We may update this Privacy Policy from time to time. When we make material changes, we will provide notice in a manner we consider appropriate — for example, by updating the "Last Updated" date, posting a notice on the website, or sending an email. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.

15.1 Get in Touch

If you have any questions or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise your privacy rights, please contact us at:

Cozmo AI Ltd.

Email: privacy@cozmo.ai

Ready to see Cozmo AI handle real operations?

We’ll open up a real workflow and show you exactly what happens with voice, documents, decisions and system updates.

Book a demo