Privacy Policy

COSGN INC. PRIVACY POLICY

Effective Date: December 7, 2025

Document Version: 1.2

Applies to: All Cosgn Services operated by Cosgn Inc. (Ontario, Canada), including all current and future Cosgn brands, divisions, and product lines (collectively, the “Services”).

0. Definitions and Policy Priority

This Privacy Policy (the “Policy”) explains how Cosgn Inc. (“Cosgn,” “we,” “us,” or “our”) collects, uses, discloses, retains, secures, and otherwise processes personal information and personal data in accordance with:

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Applicable provincial privacy laws, including Québec’s Act respecting the protection of personal information in the private sector, as amended by Law 25

Applicable U.S. state privacy laws

Applicable EU/UK data protection laws where relevant

Other applicable privacy and data protection laws based on user location

Terms vs. Privacy. If any term of this Policy conflicts with the Terms of Service (the “Terms”), the Terms govern the use of the Services; privacy processing remains governed by this Policy and any applicable DPA.

Brand Privacy Policies. Certain Cosgn brands may publish a brand-specific privacy policy or notice for clarity (a “Brand Policy”). Brand Policies may provide additional detail about a specific Service. Unless a Brand Policy expressly states otherwise for that specific Service and processing activity, this Policy remains the controlling master privacy policy for Cosgn’s processing across the Services.

Definitions.

“Personal information” / “personal data”: means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) to an individual, as defined under applicable law.

“Customer Data”: means personal information you submit to the Services about your own customers, clients, end users, or third parties in enterprise, agency, or client-directed use cases.

“Processing”: means collection, use, disclosure, storage, retention, transfer, organization, modification, deletion, or any other handling of personal information.

“Governing Language”: In the event of any inconsistency between translations of this Policy, the English version controls to the extent permitted by law.

1. Cosgn Group Companies and Controller Designation

1.1 Cosgn Group Companies

All references to “Cosgn,” “we,” or “our” include Cosgn Inc. and all current and future brands, divisions, and product lines operated under the Cosgn Group (including, where applicable, Launch In Ten, Lvabl, Cosgn Credit™, and other Cosgn-branded or Cosgn-operated Services).

1.2 Controller Model

For purposes of applicable data protection laws, Cosgn Inc. is the data controller for personal information processed in connection with the Services, unless an executed Data Processing Addendum (“DPA”) or written agreement explicitly states that Cosgn is acting as a processor/service provider for your data.

1.3 Enterprise / Client-Directed Processing

If you upload, provide, or direct Cosgn to process Customer Data, you are the controller/business for that Customer Data and Cosgn acts as your processor/service provider under an applicable DPA where required or offered.

For Customer Data, you represent and warrant that you have provided all required notices and obtained all required consents or lawful bases to disclose Customer Data to Cosgn for processing, and that you have authority to instruct Cosgn to process such data.

2. Internal Segmentation, Firewalls, and Purpose Limitation

Cosgn operates multiple Services under unified corporate governance while applying internal segmentation to reduce privacy risk. We apply safeguards such as:

purpose limitation and data minimization

role-based access controls and least-privilege access

logical and operational separation of environments and systems where appropriate

internal audit logging, monitoring, and access review

Shared infrastructure, personnel, or centralized functions (security, compliance, finance, customer support, fraud prevention, legal, and operations) do not imply pooled databases or unrestricted access.

Where cross-Service processing occurs (for example, account security, fraud prevention, billing reconciliation, customer support, compliance, or internal reporting), Cosgn limits access and use to what is reasonably necessary to perform those functions consistent with this Policy and applicable law.

3. Categories of Personal Information We Collect

Depending on how you interact with Cosgn and the Services, we may collect the following categories of personal information.

3.1 Identity and Contact Information

legal name, business name, and authorized user details

email address, phone number, mailing and billing address

account identifiers and profile details you choose to provide

3.2 Account, Usage, and Technical Information

login credentials (stored in hashed form where appropriate), authentication tokens, and security artifacts

device identifiers, browser type, operating system, app version

IP address, approximate location inferred from IP (coarse)

service logs, telemetry, diagnostics, performance data, crash reports

session metadata and interactions with features

customer support requests, communications, and related records (which may be recorded where permitted by law)

3.3 Project, Delivery, and Content Information

Where applicable to a Service, Cosgn may process:

project specifications, structured inputs, and delivery requirements

files, assets, text, images, and other content you submit

repositories, configuration files, deployment metadata, and environment variables (as provided)

domain configuration, DNS records, and hosting-related technical information

3.4 Billing, Transaction, and Financial Metadata

invoices, payment status, transaction records, refunds, and reconciliation records

tax and VAT identifiers (where applicable)

pre-authorized debit (PAD) authorization logs (where applicable)

No storage of full payment credentials. Cosgn does not store full payment card numbers or full bank account numbers. Payments are processed by third-party payment processors that handle sensitive financial data. Cosgn receives only limited transaction metadata necessary for billing, reconciliation, fraud prevention, and compliance.

3.5 Verification, Compliance, and Risk Information

business registrations, proof of incorporation, beneficial ownership attestations (where applicable)

domain control proofs and account ownership validations

fraud, abuse, and security risk indicators

sanctions screening results where legally required and applicable

identity verification materials (such as government ID) where required for compliance, risk controls, or program rules (subject to additional safeguards)

3.6 Communications and Preference Information

marketing consent records, unsubscribe records, and CASL compliance logs

communication preferences (email/SMS/push)

engagement metrics (such as opens/clicks) where permitted by law and configuration

3.7 Cookies and Similar Technologies

See Section 10 and the Cookies & Tracking Policy below for details on cookies, local storage, SDKs, pixels, tags, and similar technologies.

Accuracy and Lawful Source of Data

Cosgn relies on information provided by users and customers. You represent that personal information you submit is accurate, up-to-date, lawfully obtained, and provided in compliance with applicable law. Cosgn does not independently verify the substantive accuracy or lawful origin of personal information except where required for security, fraud prevention, compliance, or service delivery.

Cosgn is not responsible for inaccuracies in personal information provided by users, customers, or third parties, except where required by applicable law to correct or update such information upon verified request.

3.8 Public or Shared Content

Some Services may allow you to publish or share content publicly or with third parties at your direction (for example, publishing a landing page, directory listing, testimonial, or shareable link). Information you choose to make public or share may be collected and used by others and may not be subject to the same access, deletion, or control mechanisms once shared outside Cosgn’s systems.

3.9 Aggregated and De-Identified Data

Cosgn may create aggregated, anonymized, or de-identified data from personal information. Such data is not treated as personal information where permitted by law. Cosgn may use and disclose such data for business purposes, including analytics, benchmarking, security improvement, and service optimization. Cosgn does not attempt to re-identify de-identified data except where necessary for security, fraud prevention, legal compliance, or service integrity.

3.10 Children and Age Restrictions

Cosgn does not knowingly collect personal information from children. The Services are intended for individuals who are at least 18 years old or the age of majority in their jurisdiction. If we learn we collected personal information from a minor in a manner inconsistent with applicable law, we will take reasonable steps to delete it, subject to legal retention requirements.

3.11 AI-Assisted Outputs and User-Provided Inputs

Some Services may use automated or AI-assisted systems to generate, transform, or deploy content based on information you provide. You remain responsible for the accuracy, legality, and appropriateness of inputs you submit and for reviewing outputs before use or publication.

Cosgn does not independently verify the factual accuracy, legal compliance, or suitability of generated outputs for your specific use case and does not guarantee that outputs will be error-free, complete, or compliant with all laws or third-party requirements.

3.12 Sources of Personal Information

Cosgn may collect personal information from the following sources:

directly from you (for example, when you create an account, submit content, or contact support)

automatically through your use of the Services (for example, logs, device data, cookies/SDKs)

from service providers processing on our behalf (for example, payment processors and communications providers)

from your organization or an authorized administrator (in enterprise or client-directed use cases)

from public or third-party sources where permitted by law (for example, domain registry data, fraud-prevention signals, or compliance screening sources)

4. Sensitive and Special Categories of Data

Where legally permitted and only where necessary, Cosgn may process limited sensitive or special-category data, including:

government-issued identifiers and verification documents

authentication credentials and security artifacts

precise geolocation only if a Service explicitly requires it (for example, security features or location-dependent functionality)

biometric identifiers only if a Service explicitly requires it (for example, identity verification or fraud prevention), and only with any consent required by law

behavioral and device-fingerprinting signals used for security, fraud prevention, and abuse detection

accessibility-related information you voluntarily provide

minors’ data only where legally permitted and with required consent mechanisms

High-risk consent. Where processing of sensitive data requires express consent under applicable law, Cosgn will obtain it prior to collection or use.

Cosgn does not process genetic data or regulated health data unless a Service explicitly requires it, applicable law permits it, and Cosgn provides additional notice and safeguards.

Where permitted by law and where used, biometric identifiers (if any) are used only for the specific verification or security purpose described and are not used to infer characteristics or for marketing.

5. Purposes of Processing (Why We Use Personal Information)

Cosgn processes personal information for the following purposes:

Service provisioning and administration (account creation, authentication, feature delivery)

project delivery and operations (implementation, deployment, hosting operations, and support)

billing, accounting, reconciliation, and collections

security (identity verification, authentication, access control, incident response)

fraud prevention and abuse detection (rate limiting, anomaly detection, risk scoring)

program administration for memberships and internal programs (where applicable)

communications (transactional notices, security alerts, service updates, billing notices)

marketing and promotional communications where permitted by law and based on consent where required

analytics and product improvement (performance, reliability, quality assurance, capacity planning)

legal and regulatory compliance (tax, record keeping, audits, lawful requests)

No sale of personal information. Cosgn does not sell personal information.

No cross-context behavioral advertising. Cosgn does not share personal information for cross-context behavioral advertising as those terms are defined in applicable U.S. state privacy laws.

6. Lawful Bases and Consent

Where required by law (including in the EU/EEA/UK and certain U.S. states), Cosgn relies on one or more lawful bases, including:

Consent (for example, certain marketing communications, optional verification checks, and non-essential cookies where required)

Contract (processing necessary to provide the Services you request, to perform statements of work, or to administer memberships/programs)

Legitimate interests (security, fraud prevention, analytics, service improvement, internal reporting), balanced against your rights and expectations

Legal obligations (tax, accounting, record retention, regulatory reporting, and responses to lawful requests)

Withdrawal of Consent

Where processing is based on your consent, you may withdraw consent at any time by contacting [email protected] or using available controls (such as unsubscribe links). Withdrawal does not affect the lawfulness of processing performed before withdrawal and may limit access to certain features.

Transactional Communications

Unsubscribing from marketing communications does not affect Cosgn’s ability to send transactional or service-related communications, such as security alerts, billing notices, legal notices, or important service updates.

7. Sharing and Disclosure

Cosgn may disclose personal information to the following categories of recipients:

7.1 Service Providers (Vendors)

Cosgn uses trusted vendors to operate the Services, including:

cloud infrastructure and hosting providers

analytics, monitoring, and error-tracking providers

payment processors and billing tools

domain registrars, DNS providers, and related technical providers

email, push, and SMS communications providers

security and anti-fraud vendors

support and ticketing platforms

Service providers are contractually obligated to process data only on Cosgn’s instructions and to implement appropriate confidentiality and security controls.

7.2 Regulators and Law Enforcement

Cosgn may disclose information if required by law, regulation, subpoena, or court order, or when reasonably necessary to:

protect users or the public

enforce the Terms and investigate policy violations

detect, prevent, or address fraud, abuse, or security incidents

respond to lawful requests by authorities

7.3 Corporate Transactions

If Cosgn undergoes a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to confidentiality and data-protection safeguards and any required notices.

7.4 User-Directed Disclosures

Cosgn may share data when you instruct us to do so, including to deploy assets to third-party accounts or integrations under your control.

7.5 Sub-Processor Transparency

Upon written request to [email protected], Cosgn will provide a current list of material sub-processors, subject to reasonable confidentiality and security limitations.

7.6 Data Processing Addendum (DPA)

Where Cosgn processes personal information on your behalf as a processor/service provider, a DPA (including SCCs/UK Addendum where applicable) is available on request and, when executed, forms part of the applicable agreement.

8. International Transfers

Cosgn may process and store personal information inside or outside Canada, including in the United States, the United Kingdom, and the European Union.

When transferring or making data accessible outside your jurisdiction, Cosgn uses safeguards such as contractual protections, access controls, and encryption where appropriate.

Québec (Law 25)

Before communicating personal information outside Québec, Cosgn conducts the required assessments and applies safeguards consistent with Law 25.

EU and UK

Where applicable, Cosgn relies on Standard Contractual Clauses and the UK ICO International Data Transfer Addendum, or successor mechanisms.

Sub-Processor Updates and Objection

Where commercially reasonable, Cosgn will provide notice before adding or replacing a material sub-processor. If you object on reasonable data-protection grounds within the notice period and no alternative is feasible, you may terminate the affected service without penalty where required by law or contract.

9. Retention and Litigation Holds

Cosgn retains personal information only as long as reasonably necessary for the purposes described in this Policy and to meet legal, regulatory, contractual, security, and operational requirements.

Illustrative retention ranges may include:

account and billing records: commonly up to 7 years after closure (subject to tax/accounting rules)

project artifacts and backups: commonly 90–365 days after termination (unless extended by agreement or legal hold)

security logs: commonly 12–24 months (longer where associated with an incident)

marketing consent and unsubscribe records: commonly 3–5 years

Litigation Holds

Cosgn may retain relevant information longer where necessary to preserve evidence, enforce agreements, respond to claims, audits, investigations, or regulatory inquiries.

Backup and Deletion Reality

Even after deletion from active systems, certain data may persist in encrypted backups or logs for limited periods until rotation, subject to security controls and legal retention requirements.

10. Cookies, Tracking, and Similar Technologies (Integrated Summary)

Cosgn uses cookies, pixels, SDKs, local storage, tags, and similar technologies to:

operate and secure the Services

remember preferences and accessibility settings

measure performance and reliability

conduct limited contextual campaign measurement (where applicable)

Where required by law, Cosgn obtains consent for non-essential technologies via a banner or preferences center and honors withdrawal choices. Where legally binding, Cosgn honors Global Privacy Control (GPC) signals.

Full details are provided in the Cookies & Tracking Policy below.

11. Your Rights

Subject to applicable law and certain limitations, you may have rights to:

access your personal information

request correction

request deletion or anonymization where feasible and lawful

request data portability where required

receive information about automated processing where applicable

manage marketing preferences and consents

Identity Verification and Authorized Agents

Cosgn may require verification of identity and/or account ownership before processing a request, and may require additional information where necessary to protect against fraud, unauthorized access, or impersonation. Where permitted by applicable law, you may use an authorized agent to submit a request on your behalf. Cosgn may require proof of the agent’s authority and verification of your identity directly.

Response Timing

Where permitted by applicable law, Cosgn may extend response timelines for complex or high-volume requests and will notify you of any extension and the reason for it.

Deletion Limitations

Deletion may be implemented by anonymization, de-identification, suppression, or removal from active systems, and may not immediately remove data from backups, logs, or systems retained for legal, security, fraud-prevention, or compliance purposes.

Appeals (Where Applicable)

If your request is denied and your jurisdiction provides an appeal right, you may appeal by emailing [email protected] with the subject line “Privacy Request Appeal.”

Québec Residents (Law 25)

Québec residents may request de-indexation or cessation of dissemination in certain circumstances, subject to legal limits and applicable defenses, and may file complaints with the Commission d’accès à l’information (CAI).

For the avoidance of doubt, deletion rights do not require Cosgn to immediately delete information that is subject to legal obligations, dispute-resolution needs, security controls, fraud-prevention requirements, or technical constraints such as backup retention cycles.

Non-Discrimination

Cosgn will not discriminate against you for exercising your privacy rights. However, certain features or Services may be unavailable where personal information is required to provide them.

Abusive or Excessive Requests

Cosgn may deny, charge a reasonable fee for, or limit requests that are manifestly unfounded, excessive, repetitive, abusive, or made in bad faith, as permitted by applicable law.

12. Automated Processing and AI-Assisted Systems

Cosgn may use automated systems and AI-assisted tools for fraud screening, abuse detection, reliability, scaling, and content moderation.

Cosgn does not make decisions producing legal or similarly significant effects solely by automated means where prohibited by law. Where required, you may request human review.

Cosgn does not knowingly profile minors for marketing, advertising, or automated decision-making purposes.

13. Security

Cosgn implements safeguards proportionate to risk, including:

encryption in transit and at rest where appropriate

access controls and role-based permissions

audit logging and monitoring

vulnerability management and patching

incident response procedures

No method of transmission or storage is completely secure; however, Cosgn applies commercially reasonable measures designed to protect personal information.

User Responsibilities

You are responsible for safeguarding credentials and devices and for notifying Cosgn promptly of suspected unauthorized access.

14. Breach Notification

Where legally required, Cosgn will notify affected individuals and regulators of breaches posing a real risk of significant harm and will maintain incident records consistent with applicable law.

15. Third-Party Links and Integrations

The Services may include links to third-party sites and integrations. Those third parties have their own terms and privacy policies. Cosgn is not responsible for third-party practices or content.

16. Changes to This Policy

Cosgn may update this Policy from time to time. Material changes will be notified in advance where required by law (for example, by email or in-product notice), unless earlier implementation is necessary for compliance, security, or fraud prevention.

Cosgn may implement changes immediately where required to address security risks, prevent abuse, comply with law, or respond to urgent regulatory guidance.

17. Contact

Privacy Officer — Head of Privacy and Compliance

Cosgn Inc.

Unit 4800, 1 King Street West

Toronto, ON M5H 1A1, Canada

Email: [email protected]

Complaints may be directed to the Office of the Privacy Commissioner of Canada, applicable provincial regulators (including Québec’s CAI), or other competent authorities.

Cosgn cooperates with applicable data protection authorities and supervisory bodies in matters relating to personal information processing and privacy compliance, consistent with applicable law.

18. No Third-Party Beneficiaries; No Reliance; No Waiver

This Policy does not create any third-party beneficiary rights, fiduciary duties, guarantees, warranties, or enforceable obligations beyond those expressly required by applicable law.

Cosgn’s privacy, security, and compliance programs are implemented for internal governance and regulatory alignment and do not constitute representations, warranties, or commitments that personal information will never be accessed, disclosed, altered, or destroyed.

Cosgn’s failure to enforce any provision of this Policy does not constitute a waiver of its right to do so later.

18.1 No Fiduciary / No Confidential Relationship

The submission of personal information, verification materials, or documents to Cosgn does not create a fiduciary, trustee, escrow, solicitor-client, or other special confidential relationship beyond the obligations imposed by applicable privacy law.

18.2 No Private Right of Action Created

This Policy is intended to comply with applicable privacy and data protection laws and does not create a private right of action, contractual obligation, or independent cause of action beyond those expressly provided by applicable law.

19. U.S. State Privacy Disclosures (California and Similar Laws)

19.1 Scope and Purpose

This Section 19 applies to individuals who reside in U.S. states with comprehensive consumer privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, and any other U.S. state with similar consumer privacy requirements (collectively, “U.S. State Privacy Laws”), to the extent such laws apply to Cosgn’s processing activities.

This Section 19 supplements the rest of this Policy. If there is a conflict between this Section 19 and another section of this Policy, this Section 19 controls only for individuals and processing covered by applicable U.S. State Privacy Laws.

19.2 Definitions (U.S. State Privacy Laws)

For purposes of this Section 19:

“Personal information” / “personal data” has the meaning provided under applicable U.S. State Privacy Laws and generally includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an individual or household.

“Sensitive personal information” / “sensitive data” has the meaning provided under applicable U.S. State Privacy Laws.

“Sell,” “Share,” and “Targeted Advertising” have the meanings defined under applicable U.S. State Privacy Laws. For California, “Share” generally includes sharing personal information for cross-context behavioral advertising.

19.3 Notice at Collection — Categories of Personal Information

Cosgn collects the categories of personal information described in Section 3 of this Policy, depending on how you interact with the Services.

19.4 Purposes for Collection and Use

Cosgn collects and uses personal information for the purposes described in Section 5 of this Policy.

19.5 Categories of Personal Information Disclosed for Business Purposes

In the preceding 12 months (or other period required by applicable law), Cosgn may have disclosed the following categories of personal information for business purposes only, to the categories of recipients described in Section 7 of this Policy:

Identifiers and contact details

Commercial and transaction metadata

Internet or other electronic network activity and technical data

Customer support communications

Verification, compliance, and fraud-prevention information

Content and project information submitted at your direction

Disclosures are limited to what is reasonably necessary to operate, secure, support, and improve the Services.

19.6 No Sale / No Share / No Targeted Advertising

Cosgn does not sell personal information.

Cosgn does not share personal information for cross-context behavioral advertising.

Cosgn does not engage in targeted advertising as defined under applicable U.S. State Privacy Laws, except where explicitly disclosed by a specific Service and enabled with legally required notices and choices.

19.7 Sensitive Personal Information

Cosgn may process limited categories of sensitive personal information as described in Section 4, solely for purposes permitted by law, such as security, fraud prevention, identity verification, compliance, and providing Services you request.

Cosgn does not use sensitive personal information to infer characteristics about individuals and does not use it for purposes requiring opt-out or opt-in rights under U.S. State Privacy Laws, except where expressly disclosed and legally permitted.

19.8 Consumer Rights (U.S. State Privacy Laws)

Subject to applicable law, you may have the right to:

Access or receive information about Cosgn’s processing of your personal information

Request correction of inaccurate personal information

Request deletion of personal information, subject to lawful exceptions

Request a portable copy of certain personal information

Opt out of certain processing, where applicable

Not be discriminated against for exercising privacy rights

These rights are subject to limitations and exceptions under applicable law.

Cosgn does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects as defined under applicable U.S. State Privacy Laws, except where expressly disclosed and legally permitted.

19.9 How to Submit Requests

Privacy requests may be submitted by emailing [email protected] or through other request mechanisms Cosgn may make available for a specific Service.

Cosgn may take reasonable steps to verify identity and/or account ownership before processing requests.

19.10 Authorized Agents

Where permitted by law, you may designate an authorized agent to submit a request on your behalf. Cosgn may require proof of the agent’s authority and may require you to verify your identity directly.

19.11 Appeals

If your request is denied and applicable law provides an appeal right, you may appeal by emailing [email protected] with the subject line “Privacy Request Appeal.”

19.12 Global Privacy Control (GPC)

Where legally binding, Cosgn honors Global Privacy Control (GPC) signals for applicable processing.

19.13 California-Specific Disclosures (If Applicable)

To the extent California law applies:

Rights to Know, Access, Delete, Correct, and Portability: See Sections 19.8–19.9

Sale/Sharing: Cosgn does not sell or share personal information for cross-context behavioral advertising

Sensitive Personal Information: See Section 19.7

Financial Incentives: Cosgn does not offer financial incentives in exchange for personal information unless explicitly disclosed for a specific Service with legally required terms

19.14 Future Changes

If Cosgn’s practices materially change in a way that triggers new obligations under U.S. State Privacy Laws, Cosgn will provide any required notices and legally required opt-out mechanisms before or at the time such processing begins.

Any Service that materially differs from these practices will provide service-specific disclosures and choices prior to or at the time of collection, as required by applicable law.