This Privacy Policy describes how Crosmos collects, uses, and protects information when you use Crosmos, including our websites, the console, the documentation site, the API, the MCP server, the official SDKs, and any related skills or integrations (together, the "Service").

It is written to be specific about what we do, and deliberately silent about details that do not affect your privacy.

1. Who we are

Crosmos is operated by the Crosmos Labs team. A legal entity is in the process of being established and this policy will be updated once that registration is complete. Until then, you can reach us at support@crosmos.dev for any matter relating to this policy or your personal data.

2. Scope

This policy applies to information we collect through the Service. Capitalized terms used here have the same meaning as in our Terms of Service.

In this policy, "Customer Data" means the content you submit to the Service together with data we derive from it on your behalf. "Personal Data" means information that identifies, relates to, or could reasonably be linked with an identifiable individual.

3. Information we collect

We collect information in the following categories:

Account information. When you sign in, we receive your name and email address from the third-party identity provider you sign in with, along with an identifier for your account at that provider.
Customer Data. Anything you choose to submit to the Service — for example, conversations, documents, and other content you ingest — and data we derive from it on your behalf.
Usage information. Information about how the Service is used, such as the volume of requests, features accessed, and quota consumption.
Technical information. Standard request information such as IP address, user agent, timestamps, and error reports generated when something goes wrong.
Communications. Messages you send us, for example via email or our contact channels.
Billing information. If and when we introduce paid plans, payment will be processed by a third-party payment provider. We do not store full payment card numbers on our systems.

4. Cookies

We use a small number of cookies for two purposes:

Essential and authentication cookies. Required to sign you in and keep you signed in. The Service will not work without these.
Privacy-preserving analytics cookies. Used to understand aggregate usage patterns so we can improve the Service.

We do not use advertising cookies, and we do not allow third parties to use cookies on our sites to build cross-site advertising profiles.

5. How we use information

We use information to:

Provide, secure, and maintain the Service, including processing your Customer Data so that you can store, search, and retrieve it.
Authenticate you, enforce limits, and detect abuse.
Communicate with you about your account, security matters, and changes to the Service.
Improve the Service through aggregate, anonymized analytics.
Comply with legal obligations and enforce our Terms of Service.

When paid plans launch, we will also use information to bill you and to keep the financial records required by applicable law.

6. How your memory data flows through Crosmos

Because memory is the core of the Service, we want to be explicit about the lifecycle of the content you ingest.

Ingestion. When you submit content to a Memory Space, it is transmitted to the Service over an encrypted connection and stored in your Memory Space.
Extraction. The Service processes that content to derive structured Memories and the relationships between them so you can retrieve it later. This processing happens automatically and is performed only at your direction.
Storage. Your content and the structured data we derive from it are stored together with the Memory Space they belong to. Memory Spaces are isolated from each other, and content from one Memory Space is never used to answer queries from another.
Retrieval. When you query a Memory Space, we use your query to find and return relevant Memories. We do not retain queries for any purpose other than serving the request and basic abuse detection.
Deletion. You can delete individual Memories, entire Memory Spaces, or your account at any time. Once you delete content, it is removed from active systems on the timelines described in section 9.

At every step, your content stays inside your own Memory Spaces and is not used to train, fine-tune, or evaluate any AI or machine-learning model.

7. AI and machine learning

We do not use your Customer Data to train, fine-tune, evaluate, or improve any artificial intelligence or machine learning model, whether ours or any third party's.

When the Service uses third-party AI providers to perform processing you have requested, your Customer Data is sent to those providers only for that purpose. Our agreements and provider configurations require that Customer Data not be retained for model training.

Aggregate, anonymized usage statistics (for example, total request counts) may be used for capacity planning and service improvement. These statistics are not derived from the substantive content of your Customer Data.

8. Third-party service providers

We share information only with a limited set of service providers who help us deliver the Service. Each provider receives only the information needed to perform its role, is bound by confidentiality and data-protection obligations, and is prohibited from using Customer Data to train AI or machine learning models.

The categories are:

Identity — to let you sign in.
AI providers — to process Customer Data for extraction and retrieval at your direction.
Cloud database — to store Customer Data and account information.
Hosting and content delivery — to serve the websites, console, and API.
Email delivery — for transactional emails such as account notifications.
Error monitoring — to detect and diagnose problems with the Service.
Web analytics — to understand aggregate usage of our marketing site and console.
Embedded scheduling — used on the contact page to let you book a call.
Payment processing — only when paid plans launch.

A current list of the named third parties, including the data each receives and the region they process it in, is available to customers on written request to support@crosmos.dev.

9. Data retention

We keep information for as long as we need it to provide the Service or to meet a legal obligation, and no longer.

Account information is kept while your account is active. After you close your account or request closure, we remove it from active systems within 30 days.
Customer Data is kept for as long as you keep it. You can delete it at any time through the Service. After deletion, some derived data and backups may persist for up to 90 days before being purged.
Technical logs are typically retained for up to 90 days for security and debugging purposes.
Billing records, once paid plans launch, will be retained for the period required by applicable tax and accounting law.

We may retain information longer where required by law, to resolve disputes, or to enforce our agreements.

10. Security

We protect information using industry-standard safeguards. These include encryption of data in transit (TLS) and at rest, strict tenant isolation so that one customer's data is not accessible to another, role-based access controls within our team, audit logging, and continuous monitoring for unusual activity.

No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify you and applicable regulators where required by law.

11. Your rights

Subject to applicable law, you have the right to:

Access the personal data we hold about you.
Request that we correct inaccurate personal data.
Request that we delete your personal data.
Receive your personal data in a portable format.
Object to or restrict certain processing.
Withdraw consent where processing is based on consent.

To exercise these rights, email support@crosmos.dev. We will respond within 30 days. During beta, full data export is best-effort and we may take the full 30 days to fulfill an export request.

We will not retaliate against you for exercising any of these rights.

12. International transfers

We and our service providers may process information in regions outside the country where you live. When we do, we use appropriate safeguards required by applicable law. Customers requiring specific transfer mechanisms (for example Standard Contractual Clauses) can contact support@crosmos.dev.

13. Children

The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact support@crosmos.dev and we will delete it.

14. Region-specific notes

We process personal data on the legal bases of performance of a contract with you, our legitimate interests in operating and improving the Service, your consent where required, and compliance with legal obligations. You have the right to lodge a complaint with your local supervisory authority.

14.2 California (CCPA / CPRA)

We collect the categories of information described in section 3. We do not sell or share personal information for cross-context behavioral advertising. California residents may exercise the rights described in section 11.

14.3 India (Digital Personal Data Protection Act, 2023)

We process personal data on the basis of consent and applicable legitimate uses. Data Principals may contact our grievance officer at support@crosmos.dev with any complaint regarding the processing of their personal data, and we will respond within 30 days.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the dates at the top of this page. For material changes, we will provide reasonable advance notice — for example by email or an in-product notice — before the changes take effect.

16. Contact

For any matter relating to this Privacy Policy or your personal data — including data-rights requests — email support@crosmos.dev.