Privacy Policy

Last updated: March 2026

1. Who we are

Cosmy is a product of Laizy S.r.l., an AI-first product studio incorporated in Italy.

Data Controller: Laizy S.r.l.
Via Paolo da Cannobio 9, 20122 — Milan, Italy
VAT number: IT04138990926
Contact: privacy@cosmy.ai

As data controller, Laizy S.r.l. determines the purposes and means of processing your personal data in connection with the Cosmy platform.

2. What data we collect and why

2.1 Account and login data

What: Name, email address, company name, role, and password (hashed).

Why: To create and manage your Cosmy account and authenticate your access to the platform.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

2.2 ASIN inputs and listing data

What: Amazon Standard Identification Numbers (ASINs) and product URLs you submit to the platform, along with the Amazon listing content associated with them — titles, bullet points, descriptions, A+ content.

Why: To perform listing analysis, generate scores, and produce optimised content on your behalf.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

2.3 Scraped Amazon data

What: Publicly available data retrieved from Amazon in connection with ASINs you submit — including customer reviews, questions and answers surfaced by Rufus, and competitor listing content where requested by you.

Why: To power Cosmy's Rufus and CoSMo analysis and competitor benchmarking features.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). This data is publicly available on Amazon and is processed solely to deliver the service you have requested.

2.4 Payment data

What: Billing name, company name, billing address, and payment method details.

Why: To process payments for your usage of the platform.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

Note: Payment card data is processed directly by our payment processor and is never stored on Cosmy's servers.

2.5 Usage and analytics data

What: Log data, feature usage, session duration, browser type, operating system, IP address, and behavioural data collected via Google Analytics (GA4) and PostHog.

Why: To maintain platform security, monitor performance, fix bugs, and improve the product.

Legal basis: Consent (Art. 6(1)(a) GDPR) for analytics cookies and tracking; legitimate interests (Art. 6(1)(f) GDPR) for strictly necessary operational data.

2.6 Cookies

What: Essential cookies required for the platform to function, and — where you have consented — analytics cookies placed by Google Analytics and PostHog to understand how the platform is used.

Why: To deliver a functional and optimised experience.

Legal basis: Consent (Art. 6(1)(a) GDPR) for non-essential cookies; legitimate interests (Art. 6(1)(f) GDPR) for strictly necessary cookies.

For full details on cookies used, including names, durations, and purposes, see our Cookie Policy.

3. How long we keep your data

Data type: Retention period

Account and login data: Duration of account + 12 months after closure

ASIN inputs and listing data: Duration of account + 6 months after closure

Scraped Amazon data: Only for as long as necessary to deliver your analysis

Payment data: 10 years, as required by Italian and EU fiscal law

Usage and analytics data: 13 months on a rolling basis

Cookies: As specified in our Cookie Policy

4. Who we share your data with

Laizy S.r.l. does not sell your personal data. We share data only with the following sub-processors, strictly to deliver the Cosmy service:

Cloud infrastructure: Scaleway (Scaleway S.A.S., France) — hosting and data storage within the EU.

AI model provider: Anthropic (Anthropic, PBC, USA) — powering Cosmy's AI copywriting agent. Data transfers to the USA are governed by Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR and the EU–US Data Privacy Framework (DPF).

Product analytics: PostHog (PostHog Inc., USA) — product analytics and session tracking, deployed on PostHog Cloud EU with data stored on servers in Frankfurt, Germany. No personal data leaves the EU in connection with PostHog. A Data Processing Agreement is in place.

Web analytics: Google Analytics 4 (Google LLC, USA) — website and platform usage analytics. Google is certified under the EU–US Data Privacy Framework. Cosmy has implemented Google Consent Mode v2, IP anonymisation, and data minimisation settings. Analytics cookies are only activated following your explicit consent. A Data Processing Agreement is in place with Google.

Payment processor: A PCI-DSS compliant payment provider — processing billing transactions. Payment card data is handled exclusively by the payment processor and never stored by Laizy S.r.l.

All sub-processors are bound by Data Processing Agreements requiring them to process your data only on our instructions and in accordance with applicable data protection law.

5. International data transfers

Cosmy's primary infrastructure is hosted within the European Union. Where data is transferred outside the EU/EEA — specifically in connection with Anthropic's infrastructure and Google Analytics — such transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, and where applicable by the EU–US Data Privacy Framework adequacy decision of July 2023.

Please note that while the EU–US Data Privacy Framework currently provides a valid legal basis for transatlantic data transfers, its long-term legal status remains subject to ongoing judicial review. We monitor regulatory developments and will update our practices accordingly.

6. Your rights under GDPR

As a data subject, you have the following rights:

Right of access — You can request a copy of the personal data we hold about you.

Right to rectification — You can ask us to correct inaccurate or incomplete data.

Right to erasure — You can request that we delete your personal data, subject to any legal retention obligations.

Right to restriction of processing — You can ask us to restrict how we process your data in certain circumstances.

Right to data portability — You can request your data in a structured, machine-readable format.

Right to object — You can object to processing based on legitimate interests at any time.

Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing. Cookie preferences can be updated at any time via our cookie settings panel.

To exercise any of these rights, contact us at privacy@cosmy.ai. We will respond within 30 days. In complex cases, this may be extended by a further 60 days — we will inform you if this applies.

You also have the right to lodge a complaint with the Italian supervisory authority:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 — Rome, Italy
www.garanteprivacy.it

7. Data security

Cosmy implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. In the event of a data breach posing a risk to your rights, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay.

8. Children

Cosmy is a B2B platform intended for professional use. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us at privacy@cosmy.ai and we will delete it promptly.

9. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via a prominent notice on the platform before the changes take effect. The date at the top of this page always reflects the most recent version.

10. Contact

For any questions about this Privacy Policy or how we handle your personal data:

Laizy S.r.l.
Via Paolo da Cannobio 9, 20122 — Milan, Italy
privacy@cosmy.ai