Privacy Policy

1. Overview

Cosemble ("Cosemble", "we", "us", "our") provides a platform for businesses to build and operate AI-powered conversational agents across channels including WhatsApp and web chat. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over it.

This policy applies to:

• Customers — businesses and developers who create accounts on Cosemble to build agents.
• End users — individuals who interact with an agent built on Cosemble (for example, a customer messaging a business on WhatsApp).
• Visitors — anyone who visits cosemble.dev or our public properties.

2. Information we collect

2.1 Information you provide directly

• Account information: name, email, password (hashed), workspace name.
• Configuration data: workflows, prompts, knowledge-base content, integration credentials you choose to store with us.
• Billing information: if you subscribe to a paid plan, payment information processed by our payment provider (we do not store full card numbers).
• Support communications: messages you send us, contact preferences, attachments.

2.2 Information collected automatically

• Usage data: log entries, IP address, browser type, referring page, pages viewed, timestamps, feature usage.
• Device data: operating system, device identifiers, language, time zone.
• Performance data: request latency, error traces, workflow execution metrics.

2.3 Information collected via your agents

When end users interact with an agent that you operate on Cosemble, we process the messages and metadata required to run the conversation. This includes:

• Message content (text, media, voice notes, documents).
• Sender identity as provided by the channel (e.g. WhatsApp phone number, web session ID).
• Conversation history and contextual variables that the workflow stores.
• Timestamps and delivery status.

We act as a data processor for end-user data. The data controller is the business operating the agent (our customer). Your relationship with the end user (and the legal basis for processing their data) is governed by your own privacy policy and your agreement with the channel provider.

3. How we use information

We use the information described above to:

• Provide, maintain, and operate the platform.
• Route messages between channels and your workflows.
• Generate AI responses by calling third-party model providers on your behalf.
• Index knowledge-base content for retrieval (RAG).
• Detect, prevent, and address fraud, abuse, security incidents, and violations of our policies.
• Send service announcements, billing notices, and operational communications.
• Improve the product (in aggregate, de-identified form).
• Comply with legal obligations.

4. WhatsApp & messaging platform data

When you connect a WhatsApp Business account (via the Meta Cloud API) or another messaging channel to Cosemble, we receive and process messages and metadata sent by end users to that channel. This data is handled in accordance with:

• This Privacy Policy.
• The WhatsApp Business Messaging Policy and Meta Platform Terms.
• Your agreement with the end user and your own privacy disclosures.

Specifically for WhatsApp data we:

• Process messages only to deliver them through your configured workflow.
• Do not sell, share, or transfer WhatsApp data to advertising networks or data brokers.
• Encrypt messages in transit and at rest.
• Retain messages only for the duration described in § 7 Retention.
• Honor data-deletion requests as described in § 10 Data deletion.

5. How we share information

We do not sell personal information. We share information only as described below:

• With sub-processors who operate parts of our infrastructure (see § 6).
• With AI model providers when your workflow calls a model — message content and conversation context are sent to providers such as Anthropic, OpenAI, or Google, per the workflow you configure.
• With messaging channels (e.g. Meta / WhatsApp) when delivering outbound messages on your behalf.
• With integration partners when your workflow calls an external API or webhook you configure.
• To comply with law — in response to a valid legal request, subpoena, or to protect rights, safety, or property.
• In a business transfer — if Cosemble is acquired or merged, your information may transfer to the successor entity under terms no less protective than this policy.

6. Sub-processors

We use the following categories of sub-processors to operate the platform. A current list is available on request.

7. Data retention

We retain information for as long as needed to provide the service or as required by law:

• Account data: for the lifetime of the account, plus 90 days after closure.
• Conversation messages: for the lifetime of the workspace, unless you configure shorter retention or request deletion.
• Observability traces and logs: 30 days by default; configurable.
• Backups: rolling 30-day backup window; data is purged from backups within 30 days of deletion from primary storage.
• Billing records: retained as required by applicable tax and accounting law (typically 7 years).

8. Security

We implement administrative, technical, and physical safeguards designed to protect your information:

• TLS encryption for data in transit.
• Encryption at rest for stored conversation content.
• Workspace-scoped access controls; tenants cannot access each other's data.
• Per-workspace API tokens with rotation support.
• Audit logging of administrative actions.
• Least-privilege access for our own staff; production access is logged.
• Vulnerability scanning and dependency monitoring.

No system is perfectly secure. If you believe your account has been compromised, please contact us immediately at [email protected].

9. Your rights and choices

Depending on your jurisdiction (GDPR, CCPA/CPRA, and other applicable privacy laws), you may have the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — request that we correct inaccurate information.
• Deletion — request that we delete your information (see § 10).
• Portability — request a machine-readable copy of your data.
• Objection / Restriction — object to or restrict certain processing.
• Withdraw consent — where we rely on consent, you can withdraw it.
• Lodge a complaint — with your local data protection authority.

To exercise these rights, email [email protected]. We respond within 30 days.

If you are an end user (you interacted with an agent built on Cosemble), please direct rights requests to the business that operates the agent. We will assist that business in responding to you.

10. Data deletion

You can delete your data in several ways. For step-by-step instructions, see our Data Deletion Instructions.

Summary:

• Self-service: delete individual contacts, conversations, or knowledge-base entries from Studio.
• Account closure: request full workspace deletion from Settings.
• Email request: send a deletion request to [email protected] with the affected workspace, contact ID, or phone number.

We will confirm deletion within 30 days. Some information may be retained where required by law (see § 7).

11. Cookies and tracking

We use a minimal set of first-party cookies:

• Essential cookies — required to authenticate your session and remember workspace preferences.
• Analytics cookies — privacy-respecting usage analytics, aggregated and not tied to individual identity. You can opt out from your account settings.

We do not use third-party advertising cookies or trackers. See our Cookie Policy for the full list.

12. Children's privacy

Cosemble is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact [email protected] and we will delete it.

13. International transfers

Cosemble operates globally and may transfer information to countries other than your own. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you (by email or in-app notice) at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance.

15. Contact

For privacy questions, data requests, or to exercise your rights: