Privacy Policy

Last updated: February 2026

Data Collection

We collect information you provide when creating an account and setting up your profile, including your name, email address, phone number, date of birth, and billing address. To verify your identity and enable card issuing, we collect identity verification data through Stripe Identity. We also collect transaction data processed through our platform, device tokens for push notifications, and agent configuration data such as spending limits and merchant restrictions. When your AI agent submits a purchase request, we also collect the merchant information, item details, and shipping address if provided. For recurring payments, we store subscription mandate details including billing amounts, frequencies, and service names. We also collect your notification preferences. We do not sell your personal data.

How We Use Your Data

Your data is used to provide and maintain the Cosign service, process purchase requests and issue virtual cards, enforce agent spending limits and merchant restrictions, manage subscription mandates and auto-approve recurring charges within your configured tolerances, send notifications about agent activity and account updates, and communicate with you about your account. Shipping addresses submitted with purchase requests are displayed to you during the approval process and stored as part of the transaction record.

Purchase Approval & Shipping Addresses

When an AI agent includes a shipping address in a purchase request, that address is shown to you for verification before you approve or deny the request. By approving a purchase request, you confirm that the shipping address and all other details are correct. Shipping addresses are stored as part of the purchase request record for dispute resolution and regulatory compliance. Cosign does not use shipping addresses for any purpose other than displaying them for your approval and retaining them in transaction records.

Third Parties

We share data with Stripe for payment processing, card issuing, identity verification, and treasury services. We use Firebase for authentication and push notifications, and Resend for transactional email delivery. All third parties are bound by data processing agreements. We do not share shipping addresses with any third parties beyond what is necessary to process the transaction.

Data Retention

We retain your account data for as long as your account is active. When you delete your account, your personal information is immediately scrubbed (name, email, phone, date of birth, and address are removed). Transaction records, purchase requests, and related data are retained for 2 years after account deletion to support dispute resolution and regulatory compliance, after which they are permanently deleted. You may request deletion of your account at any time.

Data Security

We take the security of your personal information seriously. Sensitive personal data — including date of birth, phone number, address, and shipping information — is encrypted at rest using AES-256-GCM encryption. Data is transmitted over TLS and access to production systems is restricted to authorized personnel.

Your Rights

You have the right to access, correct, or delete your personal data. You can view and update your profile information from your account settings, and delete your account at any time. To exercise additional rights or make requests regarding your data, contact us at privacy@cosign.dev.

Contact

If you have questions about this privacy policy, please contact us at privacy@cosign.dev.