Privacy Policy
Last updated: April 11, 2026 · Effective: April 11, 2026
BigBoost AI LLC ("BigBoost," "we," "us," or "our") operates the Cosma platform at cosma.ad ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
1.1 Account information
When you create an account, we collect your name, email address, and organization name. Authentication is handled by Clerk, Inc., our identity provider — we do not store passwords.
1.2 Advertising platform data
When you connect your Google Ads, Meta Ads, or Microsoft Advertising accounts via OAuth, we access and store performance metrics, campaign structures, ad creatives, keywords, search terms, conversion data, and related advertising data. This data is synced periodically and stored in our data warehouse to power the Cosma dashboard, anomaly detection, and intelligence features.
1.3 OAuth tokens
We store encrypted OAuth refresh tokens to maintain your ad platform connections. Tokens are encrypted at rest using Fernet symmetric encryption and are never exposed in logs or API responses.
1.4 Usage data
We automatically collect browser type, IP address, pages visited, and interaction patterns to improve the Service. This data is processed by Vercel Analytics and Sentry for error monitoring.
2. How We Use Your Information
We use collected information to: provide and maintain the Service, including syncing advertising data across platforms; detect anomalies and generate performance intelligence; generate automated daily briefings and alerts; improve and optimize the Service; communicate with you about your account; and comply with legal obligations.
3. Data Storage & Processing
Your data is processed and stored across multiple infrastructure providers:
- Application server: Hostinger VPS, Mumbai, India — processes API requests and runs background sync tasks
- Data warehouse: Google BigQuery, United States — stores advertising performance data
- Application database: Supabase (AWS), US-East-1 — stores account settings, team data, and analysis results
- Authentication: Clerk, Inc., United States — manages user identity and sessions
- Frontend hosting: Vercel, Edge network — serves the web application
- Error monitoring: Sentry, United States — captures application errors for debugging
Data transmitted between these services is encrypted in transit using TLS 1.2 or higher. Advertising data synced from your ad platforms passes through our India-based application server for processing before being stored in US-based services.
4. Data Sharing & Disclosure
We do not sell your personal information. We share data only with: infrastructure subprocessors listed on our Subprocessors page, as necessary to provide the Service; advertising platform APIs (Google, Meta, Microsoft) to sync your data; law enforcement when required by law or valid legal process; and in connection with a merger, acquisition, or sale of assets, with notice to you.
5. Data Retention
Advertising performance data is retained for the duration of your subscription plus 30 days after account termination. OAuth tokens are deleted immediately upon disconnecting a platform or terminating your account. Account information is retained for 90 days after termination for legal and billing purposes, then permanently deleted.
6. Your Rights
6.1 All users
You may access, correct, or delete your account information at any time through Settings. You may disconnect ad platform connections, which immediately stops data syncing and deletes stored OAuth tokens. You may request a complete export of your data by contacting privacy@cosma.ad.
6.2 European Economic Area (GDPR)
If you are in the EEA, you have additional rights including: the right to data portability, the right to restrict processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority. Our legal bases for processing are: contract performance (providing the Service you subscribed to), legitimate interest (improving the Service), and consent (where applicable). To exercise these rights, contact privacy@cosma.ad.
6.3 California residents (CCPA)
California residents have the right to know what personal information is collected, request deletion, and opt out of sale (we do not sell personal information). Contact privacy@cosma.ad for requests.
7. Security
We implement industry-standard security measures including: AES-256 encryption for stored OAuth tokens (Fernet), TLS 1.2+ for all data in transit, parameterized database queries to prevent SQL injection, Row Level Security (RLS) on Supabase PostgreSQL, and role-based access controls within the application. See our Security page for details.
8. International Data Transfers
Data is processed in India (application server) and stored in the United States (BigQuery, Supabase, Clerk). For EEA users, these transfers are made under Standard Contractual Clauses (SCCs) as adopted by the European Commission. You can request copies of the applicable SCCs by contacting privacy@cosma.ad.
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance.
Contact
BigBoost AI LLC
30 N Gould St Ste R, Sheridan, WY 82801, United States
Privacy inquiries: privacy@cosma.ad
Legal inquiries: legal@cosma.ad