Privacy Policy

Last updated: June 2026

Introduction

Kosmos Safety Ltd (including its affiliates and subsidiaries, “Kosmos Safety”, “Kosmos Safety Ltd” or “We”) value your privacy and are committed to protecting it. This Privacy Notice explains how we collect, use, share, and store personal information about you. It also outlines your rights regarding your personal data and how to exercise them.

‍

This privacy notice applies to personal data we collect through Kosmos Safety.app or other websites that Kosmos Safety Ltd operates that link to this policy (“collectively Websites”), as well as through our products and related service offerings. If you have any questions or concerns about how we handle your personal data, please contact us using the contact information provided at the end of this document.

Information We Collect

Information You Provide Voluntarily

Certain areas of our websites may require you to provide personal information willingly, such as when you register for an account, request technical support, subscribe to marketing communications, sign up for events, access content, or submit enquiries. We will clearly inform you of the data we collect and the reasons for collecting it at the point of collection.

Information Collected Automatically

When you visit our websites, we may automatically collect certain information from your device. In some jurisdictions, including those in the European Economic Area, this information may be considered personal data under applicable data protection laws. This information may include your IP address, device type, unique device identifiers, browser type, broad geographic location (country or city level), and other technical data. We may also collect information about how your device interacts with our websites, such as the pages you access and links you click.

Collecting this information allows us to better understand who visits our websites, where they come from, and which content they find most relevant. We use this information for internal analytics and to improve the quality and relevance of our websites for our visitors. Some of this information is collected using privacy-preserving analytics technology that does not use cookies or store information on your device. See the “Cookies” section below for more details.

We are committed to protecting your personal data. We implement appropriate technical and organisational security measures to protect your personal data from unauthorised access, use, disclosure, alteration, destruction, or accidental loss.

Specific Data We Collect

We collect information you provide directly to us, including:

• Account information (name, email address)

• Usage data and analytics

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service

• Send you technical notices and support messages

• Respond to your comments, questions, and requests

We may share your personal data in the following limited circumstances:

Legal and Regulatory Requirements

We may disclose your data to competent law enforcement bodies, regulators, government agencies, courts, or other third parties when we believe disclosure is necessary to comply with applicable laws or regulations, enforce our legal rights, protect your vital interests or those of others, or investigate potential wrongdoing.

Legal Basis for Processing Personal Data

The foundation upon which we collect and utilise the personal information described above is contingent on the specific data type and the context in which it is obtained. Typically, we will gather your personal information only if:

‍

Contractual necessity: We need the data to fulfil our obligations under a contract we have with you.

‍

Legitimate interests: Processing personal data is essential to operate our platform and communicate with you as needed. For instance, when responding to your enquiries, analysing platform usage, improving our services, marketing to existing customers within legal limits, and identifying or preventing illegal activities.

‍

Consent: You have granted us explicit authorisation to process your personal data.

In certain situations, we may also be legally obligated to collect your personal information or require it to safeguard your or someone else’s vital interests. If we request your personal information to comply with a legal obligation or fulfil a contract, we will clearly inform you at the appropriate time and advise you whether providing your personal information is necessary or not (along with the possible consequences of not providing such data).

‍

If we collect and utilise your personal information based on our legitimate interests (or those of any third party), it will typically be to operate our platform and communicate with you as required. For example, responding to your enquiries, analysing platform usage and improving our services, undertaking marketing activities for existing customers within legal limits, and detecting or preventing illegal activities. We may have other legitimate interests, and we will inform you at the relevant time what those interests are.

‍

If you have any questions or require further information regarding the legal basis upon which we collect and utilise your personal information, please contact us using the contact information provided under the “Contact Us” heading at the bottom of this notice.

Third-Party Services

Our Service integrates with and relies on the following third-party services:

‍

Firebase & Cloud Services (Google) — Authentication, database, and hosting

Revolut — Payment processing

Anthropic, PBC (USA) — AI processing. When you use ORBIT features (template extraction, translation, and guidance suggestions), the relevant document text you provide is sent to Anthropic’s API to generate the result. Anthropic processes this data under its Data Processing Agreement and does not train its models on it.

Each of these services has their own privacy policy governing their use of your data.

Data Security

Kosmos Safety Ltd employs appropriate technical and organisational measures to safeguard personal data collected and processed. These measures aim to provide a security level commensurate with the risk associated with handling personal data.

Kosmos Safety Ltd resides on leading cloud service providers utilising industry-standard security protocols to protect personal data. Personal data is stored on private servers within a secure security group. End-user to server connections are encrypted using SSL, and server software is updated regularly with the latest security patches.

Data Transfers

Your personal data may be transferred to, and processed in, countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. However, we have taken appropriate safeguards to ensure that your personal data will remain protected in accordance with this Privacy Notice.

‍

Kosmos Safety Ltd is accountable for the personal data it receives under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, even if it is subsequently transferred to a third party. This means that Kosmos Safety Ltd remains responsible and liable if these third-party agents process the personal data in a manner inconsistent with the principles of the DPFs, unless Kosmos Safety Ltd can demonstrate that it is not at fault for the resulting harm. Where document text is processed by Anthropic, PBC (USA) via ORBIT features, such transfers are covered by Standard Contractual Clauses under Anthropic’s Data Processing Agreement.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our Service. You may request deletion of your data at any time by contacting us.

Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

• Access your personal data

• Rectify inaccurate personal data

• Request erasure of your personal data

• Object to processing of your personal data

• Request restriction of processing

• Data portability

Cookies

We operate a privacy first policy and this website uses Plausible Analytics which does not use cookies or similar technologies that require information to be stored on your device. Plausible Analytics focuses on data protection and processes data in a way that protects the privacy of users. By using techniques such as pseudonymization and anonymization, the data is processed in such a way that the privacy of users is largely preserved. We do not use or store any other cookies.

Furthermore, since Plausible Analytics does not collect personal data for advertising purposes or similar, this practice can be regarded as a legitimate interest of the website operator (Art. 6 (1) (f) GDPR) therefore no explicit consent of the user is required, as the processing is carried out in a manner that does not unreasonably prejudice the rights of the user. Additionally Since Plausible Analytics does not store any information on the user’s device, Article 5(3) of the ePrivacy Directive does not require explicit consent.

‍

Plausible Analytics does not use cross-platform tracking and does not pass on data to third parties. It primarily uses data that is recorded by default in server logs, such as requested URLs, access times, HTTP status codes and transferred data volumes. This information is used to analyze website traffic in accordance with the data protection principles of data minimization and storage limitation.

‍

Data processing at Plausible takes place in two steps:

‍

Pseudonymization: When the data is received, it is pseudonymized using a hash function and a regularly changing key (“salt”). This process aims to change personal data in such a way that the persons are no longer directly identifiable, but a distinction between sessions is made possible.

‍

Anonymization after 24 hours: Within 24 hours of pseudonymization, the data is completely anonymized by removing the “salt” so that it can no longer be traced back to the original user data. The remaining data does not allow any direct or indirect identification of persons.

Sensitive Personal Data

We do not use or disclose your sensitive personal data, except for the purposes of providing services to our customers.

Non-discrimination

We will not discriminate against you for exercising your data protection rights.

Authorised Agent

You can authorise another person to make a data privacy request on your behalf. To do this, you will need to provide us with a written authorisation that includes the specific data protection request you want the authorised agent to make.

Data Protection Authority

You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.

Appealing Our Decision

If you are not satisfied with our response to your data privacy request, you have the right to appeal our decision. To do this, please contact us using the contact details provided under the “Contact Us” heading at the bottom of this notice. If you are not satisfied with the result of the appeal, you have the right to contact your respective attorney general depending on where you reside.

Verifying Data Protection Requests

We verify data protection requests to ensure that they are legitimate and to prevent unauthorised access to your personal data. Our verification process is based on matching personal data provided by the requestor with personal data that we have on file with the requestor. The personal data points matched vary based on what Kosmos Safety Ltd has on the requestor, but Kosmos Safety Ltd uses multiple personal data points for verification. During the verification process, Kosmos Safety Ltd aims to avoid collecting additional personal data from the requester that has not been previously collected by Kosmos Safety Ltd.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

Contact Us

For questions about this Privacy Policy or to exercise your data rights, please contact us at privacy@kosmossafety.com

Glossary of Terminology

1.1 “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) will have the meanings given in EU/UK Data Protection Law.

1.2 “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU/UK Data Protection Law, US Data Protection Law, Serbian Data Protection Law, Canadian Data Protection Law, and the Swiss DPA.

1.3 “Breach” means an accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access that is in violation of Kosmos Safety Ltd’s security obligations under this Agreement by Kosmos Safety Ltd or its agents of which Kosmos Safety Ltd becomes aware. Breach will not include an unsuccessful Breach, which is one that results in no unauthorised access to Personal Data or to any Kosmos Safety Ltd equipment or facilities storing the Personal Data, and could include (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.

1.4 “Canadian Data Protection Law” means: (i) the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5; (ii) applicable provincial law; (iii) any and all applicable data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case as may be amended or superseded from time to time.

1.5 “Data Privacy Framework” means the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce.

1.6 “Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles).

1.7 “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

1.8 “US Data Protection Law” means: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §1798.100 et seq., upon the CPRA’s enforcement date of July 1, 2023 (together with its implementing regulations) (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Personal Data Privacy and Online Monitoring Act; (v) the Utah Consumer Privacy Act; (vi) the Iowa Consumer Data Protection Act; (vii) the Indiana Consumer Data Protection Act; (viii) the Tennessee Information Protection Act; (ix) the Montana Consumer Data Privacy Act; (x) the Texas Data Privacy and Security Act; (xi) the Oregon Consumer Privacy Act; (xii) the Delaware Personal Data Privacy Act; and (xiii) any and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time.

1.9 “Serbian Data Protection Law” means: Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018). In the case of a transfer of Personal Data to a Non-Adequate Country, by entering into this DPA, the Customer is entering into the Serbian Standard Contractual Clauses (“Serbian SCCs”) as adopted by the “Serbian Commissioner for Information of Public Importance and Personal Data Protection”, to provide an adequate level of protection. References to the Standard Contractual Clauses in this DPA will include the Serbian SCCs.

1.10 “Supplemental Principles” will have the meaning given in the Data Privacy Framework.

1.11 “Standard Contractual Clauses” means: (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where Serbian Data Protection Law applies, the Serbian SCCs.

1.12 “Swiss DPA” means the revised Swiss Federal Act on Data Protection enacted on September 25, 2020, and effective on September 1, 2023, as may be amended or superseded from time to time.

‍