Privacy Policy

Last Updated: 21/07/2025
Version: 1.0
Effective Date: 21/07/2025


1. Introduction

This Privacy Policy explains how CoSmith Research Lab ("CoSmith", "we", "us", or "our") collects, uses, shares, and protects information when you use our project coordination platform, including our website, web application, iOS application, and Android application (collectively, the "Platform").

1.1 Data Controller

CoSmith Research Lab is a trading name of COSMITH LIMITED, a company registered in England and Wales (Company No. 16597265), with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

For the purposes of UK GDPR and EU GDPR, we are the data controller responsible for your personal data.

1.2 Pilot Programme Status

Important: CoSmith is currently in a research and pilot phase. All users of the Platform are considered pilot programme participants until we announce general availability. By using the Platform, you acknowledge and agree to the pilot programme terms described in Section 10 of this Policy, including extended data retention periods and the use of your data for research and platform improvement purposes.

1.3 Scope

This Policy applies to all users of the Platform. Where local laws provide additional rights or protections, we address these in Section 13 (Jurisdiction-Specific Rights).

1.4 Contact Information

For all privacy-related enquiries, data requests, or concerns, please contact us at:

Email: support@cosmith.ai

All requests are subject to verification procedures as described in Section 6.


2. Information We Collect

We collect various types of information to provide and improve our Platform. This section describes the categories of information we collect and how we obtain it.

2.1 User Account Data

When you create an account or use our Platform, we collect:

  • Identity information: Name, email address, and phone number
  • Organisation details: Company or organisation affiliation
  • Professional information: Professional credentials (optional), role, and position on projects
  • Authentication data: Login credentials and authentication tokens
  • Age verification: Confirmation that you meet our minimum age requirements

2.2 Voice and Communication Data

Our Platform processes voice-enabled project coordination and team communications, which involves:

  • Voice recordings: Audio recordings from field updates and voice commands
  • Transcriptions: Text transcriptions of voice recordings, processed through third-party AI services
  • Platform messages: Communications between team members within the Platform, including direct messages and project discussions
  • AI agent interactions: Your queries, commands, and conversations with our AI-powered agents
  • Metadata: Associated information including timestamps, device information, and location data (if enabled)

2.3 Project Data

To enable project coordination, we collect and process:

  • Schedules and timelines: Project planning information, milestones, and deadlines
  • Financial information: Budget data if you choose to include it
  • Technical documentation: Specifications, plans, and technical details
  • Media files: Site photographs, videos, and other visual content
  • Documents: Uploaded files including PDFs, Word documents, spreadsheets, and drawings
  • Analysis data: Dependency mappings, conflict detection results, and priority rankings
  • Issue tracking: Problem reports, resolution history, and project logs

2.4 Team and Collaboration Data

For team coordination features, we collect:

  • Assignments: Team member roles and project assignments
  • Permissions: Access levels and visibility settings
  • Communication logs: Records of information routing and notifications
  • Preferences: Notification settings and communication preferences

2.5 Device and Technical Data

We automatically collect certain technical information:

  • Device information: Device type, operating system, and version
  • Application data: App version and configuration
  • Network data: IP address and general location information
  • Usage analytics: Features accessed, session duration, and interaction patterns
  • Performance data: Crash reports, error logs, and diagnostic information
  • Location data: GPS coordinates for site-specific updates (optional, with your permission)

2.6 AI Processing Data

Our Platform uses artificial intelligence to process your information:

  • Input data: Information you submit for AI processing
  • Output data: Results and responses generated by AI models
  • Analysis results: Semantic analysis, conflict detection outcomes, and recommendations
  • Training data: Data that may be used to train and improve AI models (see Section 3.3)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Core Platform Functions

  • Voice and text processing: Extracting intent, actions, and context from your communications
  • Conflict detection: Identifying project dependencies and potential conflicts
  • Information routing: Delivering relevant information to appropriate stakeholders
  • Intelligence generation: Creating project insights and recommendations
  • Team coordination: Enabling communication and collaboration between team members
  • AI agent services: Providing intelligent responses and assistance through our AI-powered agents

3.2 AI Model Processing

Your data is processed by third-party AI providers for:

  • Speech-to-text: Converting voice recordings to text transcriptions
  • Natural language understanding: Interpreting the meaning and intent of communications
  • Semantic analysis: Understanding relationships between project elements
  • Dependency mapping: Identifying connections and dependencies across project components
  • Priority assessment: Ranking and prioritising project items

Model Selection: CoSmith determines which AI model(s) are optimal for processing your data based on performance, cost, and availability. You do not have control over which specific AI models process your data unless specified in an enterprise contract.

3.3 Research and Platform Improvement

As a pilot programme participant, your data is used for:

  • Platform validation: Testing and validating Platform functionality
  • System improvement: Enhancing features and capabilities
  • Model training: Training and improving AI models (no opt-out available for standard users)
  • Research findings: Publishing anonymised metrics and insights
  • Case studies: Creating case studies (with your separate explicit consent only)

Important: Standard users cannot opt out of data being used for AI model training. Enterprise contracts may include different terms regarding this use.

3.4 Analytics and Operations

  • Performance monitoring: Ensuring Platform stability and reliability
  • User experience improvement: Analysing usage patterns to enhance the Platform
  • Security monitoring: Detecting and preventing threats and unauthorised access
  • Customer support: Resolving issues and responding to enquiries

4. How We Share Your Information

We share your information with third parties in the following circumstances:

4.1 AI Processing Providers

We use various third-party AI services to process your data. These may include large language models and other machine learning services from established providers.

What we share with AI providers:

  • Voice recordings (temporarily, for transcription)
  • Text content (for semantic processing)
  • Project context (for dependency analysis)
  • User queries and commands

Important: These providers operate under their own privacy policies and terms of service. Data Processing Agreements are in place where applicable. Your data may be used by these providers for their own model training purposes. Standard users cannot opt out of this use.

4.2 Infrastructure and Service Providers

We engage third-party service providers to perform functions and provide services to us, including:

  • Cloud hosting: Data storage, computing, and database services
  • Content delivery: File delivery and distribution
  • Authentication: Identity verification and secure login
  • Analytics: Understanding how the Platform is used
  • Error monitoring: Crash reporting and performance monitoring

We may share your private personal data with such service providers subject to obligations consistent with this Privacy Policy and appropriate confidentiality and security measures.

4.3 Future Services

  • Payment processing: Payment services providers (when commercial features are introduced)

4.4 Legal and Safety Disclosures

Notwithstanding anything to the contrary in this Privacy Policy, we may preserve, use, or disclose your personal data if we believe that it is reasonably necessary to:

  • Comply with applicable laws, regulations, or legal processes
  • Protect the safety of any person
  • Protect the safety or integrity of our Platform, including to help prevent spam, abuse, or malicious actors
  • Address fraud, security, or technical issues
  • Protect our rights or property or the rights or property of those who use our services

4.5 Change of Ownership

In the event that we are involved in a bankruptcy, merger, acquisition, reorganisation, or sale of assets, your personal data may be sold or transferred as part of that transaction. This Privacy Policy will apply to your personal data as transferred to the new entity.


5. Data Retention

5.1 General Retention Policy

CoSmith retains data for the duration necessary to fulfil our research objectives, improve the Platform, and meet our contractual and legal obligations. During the pilot phase, extended retention periods apply to support research and validation activities.

5.2 Specific Retention Periods

Voice Recordings:

  • Retained for research, quality improvement, and Platform development purposes
  • Duration: As needed for pilot validation and ongoing improvement
  • Deletion: Available upon request, or anonymisation if full deletion is not feasible

Transcriptions and Processed Data:

  • Retained throughout the research phase and for Platform improvement
  • May be retained beyond the pilot phase for validation purposes
  • Deletion: Available upon request, or anonymisation if full deletion is not feasible

Platform Messages and Communications:

  • Retained while your account is active and for a reasonable period thereafter
  • Recipients retain their own copies of messages you send
  • Deletion of your account does not delete copies held by other users

Project Data:

  • Retained while a project is active, plus an extended period for research purposes
  • Pilot participants: Extended retention applies to support research objectives
  • Contract-specific: Enterprise agreements may specify different retention periods
  • Deletion: Available upon request, or anonymisation if full deletion is not feasible

User Accounts:

  • Active accounts: Data retained for the duration of the account
  • Deleted accounts: Data retained for a reasonable grace period, then deleted or anonymised

AI Model Training Data:

  • Data used for AI model training may be retained indefinitely for this purpose
  • No opt-out is available for standard users
  • Enterprise contracts may specify different terms

5.3 Anonymisation

Where full deletion is not technically feasible or conflicts with our research or contractual obligations, we will anonymise your data so that it can no longer be linked to you.


6. Your Rights and Choices

6.1 General Principles

All user rights requests must be submitted to support@cosmith.ai and are subject to verification to prevent fraudulent or abusive requests. We will process verified requests as soon as reasonably possible.

6.2 Access Rights

You may request:

  • Information about your account and the categories of data we hold about you
  • A copy of your personal data in a commonly used format

Limitations: You do not have access to internal processing logs, intermediate processing steps, proprietary algorithms, or model selection logic. This protects our intellectual property and the integrity of our systems.

6.3 Correction Rights

You may:

  • Update your account information at any time through the Platform
  • Request corrections to inaccurate personal data by contacting support@cosmith.ai

6.4 Deletion Rights

You may request deletion of your account and personal data by contacting support@cosmith.ai.

Important limitations:

  • During the pilot phase, full deletion may not be feasible if your data is required for ongoing research
  • Contractual obligations may require data retention
  • Technical limitations may prevent complete deletion
  • Where full deletion is not possible, we will anonymise your data as an alternative
  • Messages you sent to other users remain in their accounts even after you delete yours

For free and standard users: Deletion requests may result in anonymisation rather than complete removal of all data.

For enterprise users: Deletion terms will be specified in your contract.

6.5 Data Portability

  • You may request an export of your personal data by contacting support@cosmith.ai
  • We will provide your data in a reasonable format upon verification of your request
  • Processing time: A reasonable period following successful verification

6.6 Opt-Out Rights

AI Model Training:

  • No opt-out is available for standard users
  • Enterprise contracts may include opt-out provisions

Marketing Communications:

  • You may unsubscribe via the link in marketing emails or by contacting support@cosmith.ai

Analytics:

  • You may request an opt-out by contacting support@cosmith.ai

Location Tracking:

  • You may disable location services in your device or app settings

6.7 Request Verification

To protect against fraudulent or abusive requests, we verify all user rights requests through:

  • Email confirmation to your registered address
  • Account authentication
  • Other reasonable verification methods

We reserve the right to deny requests that are unreasonable, repetitive, or appear to be automated or abusive.


7. Security

7.1 Technical Safeguards

We implement security measures including:

  • Cloud infrastructure: Industry-standard cloud services with enterprise security features
  • Encryption in transit: TLS/SSL encryption for all data transmission
  • Encryption at rest: Encryption for stored data
  • Access control: Role-based access control for system access
  • API security: Authentication and authorisation for all API access

7.2 Organisational Safeguards

  • Data isolation: Multi-tenant architecture with separation between organisations
  • Audit trails: Access logs and monitoring
  • Training: Employee training on data handling and security procedures
  • Incident response: Procedures for responding to security incidents
  • Vendor management: Data Processing Agreements with third-party providers
  • Internal policies: Security policies and procedures governing data handling

7.3 Data Breach Procedures

In the event of a data breach:

  • We will detect and assess the breach as soon as we become aware
  • We will notify affected users within legally required timeframes and as soon as reasonably possible
  • We will notify relevant regulatory authorities as required by applicable laws
  • We will take appropriate remediation steps based on the nature and severity of the breach

8. International Data Transfers

8.1 Data Storage and Processing

Your data is stored and processed on cloud infrastructure which may be located in various regions worldwide. Your data may be transferred to and processed in countries other than your country of residence.

8.2 Safeguards

We protect international data transfers through:

  • Data processing agreements with our service providers
  • Standard Contractual Clauses (SCCs) where required
  • Other appropriate safeguards as required by applicable law

8.3 Consent

By using the Platform, you consent to the international transfer of your data as described in this section.


9. Children's Privacy

Our services are not directed to children, and you may not use our services if you are under the age of 13. You must also be old enough to consent to the processing of your personal data in your country (in some countries we may allow your parent or guardian to do so on your behalf).

We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information as soon as possible.

Users between 13 and 17 years of age may use the Platform for educational purposes, such as school project management, and receive the same privacy protections as adult users. Parents or guardians may request access to a minor's data upon verified request.


10. Pilot Programme Participation

10.1 Pilot Status

All users of the Platform are pilot programme participants until CoSmith announces general availability. This status applies regardless of whether you have a free, standard, or enterprise account, unless your enterprise contract specifies otherwise.

10.2 What Pilot Participation Means

As a pilot participant:

  • Your data is used for research, validation, and Platform improvement purposes
  • Your data contributes to AI model training and system optimisation
  • Extended data retention periods apply during the pilot phase
  • Deletion rights are limited; anonymisation may be used instead of full deletion where necessary
  • Anonymised findings derived from your usage may be published in research materials
  • Case studies involving your identifiable information will only be created with your separate explicit consent

10.3 Acknowledgement

By using the Platform during the pilot phase, you acknowledge and agree to these terms. If you do not agree, please do not use the Platform.


11. Changes to This Policy

11.1 Updates

We may revise this Privacy Policy from time to time. The most current version of the policy will govern our processing of your personal data and will always be available on our website.

11.2 Notification

If we make a change to this policy that, in our sole discretion, is material, we will notify you via email to the address associated with your account or through a notice within the Platform. By continuing to access or use the services after those changes become effective, you agree to be bound by the revised Privacy Policy.


12. Contact Us

Thoughts or questions about this Privacy Policy? Please let us know by contacting us at support@cosmith.ai.

Please include sufficient detail in your request to allow us to understand and respond appropriately. All requests are subject to the verification procedures described in Section 6.7.


13. Jurisdiction-Specific Rights

13.1 United Kingdom and European Union (UK GDPR / EU GDPR)

If you are located in the United Kingdom or European Union, you have additional rights under the General Data Protection Regulation:

Legal Basis for Processing:

  • Contractual necessity: Processing required to provide the Platform to you
  • Legitimate interests: Processing for research, security, and Platform improvement
  • Consent: Processing for optional features where you have provided consent
  • Legal obligations: Processing required to comply with applicable laws

Your GDPR Rights:

  • Right of access: Obtain confirmation of processing and a copy of your data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data (subject to limitations described in Section 6.4)
  • Right to restriction: Request restriction of processing in certain circumstances
  • Right to data portability: Receive your data in a portable format (subject to limitations described in Section 6.5)
  • Right to object: Object to processing based on legitimate interests
  • Rights related to automated decision-making: Information about and the right to contest significant automated decisions

Pilot Phase Limitations: During the pilot phase, certain rights (particularly erasure and data portability) may be limited as described elsewhere in this Policy.

Complaints: If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13.2 United States

California (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act:

Your CCPA Rights:

  • Right to know: Information about what personal information we collect, use, disclose, and sell
  • Right to delete: Request deletion of your personal information (subject to limitations)
  • Right to opt out: Opt out of the sale of your personal information (we do not sell personal information)
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

Pilot Phase Limitations: During the pilot phase, deletion rights may be limited as described in Section 6.4.

Do Not Sell My Personal Information: We do not sell your personal information as defined under the CCPA.

Other US States: Other US states may provide similar rights under their respective privacy laws. Contact support@cosmith.ai for information about your specific state.

If you have questions about your rights under the laws of your jurisdiction, please contact us at support@cosmith.ai.


14. Additional Information

14.1 Enterprise Contracts

If you have an enterprise contract with CoSmith, the terms of your contract may modify or supersede certain provisions of this Privacy Policy. Enterprise contracts may include:

  • Different data retention periods
  • Specific AI model selection or restrictions
  • AI training opt-out provisions
  • Enhanced deletion rights
  • Specific data residency requirements
  • Custom support arrangements

In the event of a conflict between your enterprise contract and this Policy, the terms of your contract will govern.

14.2 Cookies and Similar Technologies

We may use cookies and similar technologies to collect additional usage data and to operate our services. For information about our use of cookies, please refer to our Cookie Policy (forthcoming).

14.3 Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties, and we encourage you to review their privacy policies.


This Privacy Policy was last updated on 21/07/2025.

Version 1.0