Cosgn

Privacy Policy

Effective Date: December 11, 2025

Document Version: 1.0

Applies to: Cosgn Services operated by Cosgn Inc.

This Policy explains how we collect, use, disclose, retain, and protect personal information under PIPEDA and applicable provincial privacy laws (including Québec Law 25), as well as other applicable privacy and data protection laws where our users are located.

If any term here conflicts with the Terms of Service (the “Terms”), the Terms control your use of the Services; privacy processing remains governed by this Policy.

Cosgn Group Companies; Unified Privacy Processing

All references to “Cosgn,” “we,” or “our” include Cosgn Inc. and all current and future brand divisions, including Launch In Ten, Lvabl, Cosgn Pay, Cosgn Cloud, Cosgn Hi, Cosgn Credit™, and any other product lines operated under the Cosgn Group.

All personal information collected across any Cosgn brand is controlled and processed centrally by Cosgn Inc. as a unified entity. No Cosgn brand operates as a separate data controller. All privacy rights and obligations described in this Policy apply identically across all Cosgn products and services.

Aggregated and De-Identified Data

We may create aggregated, anonymized, or de-identified data from personal information. Such data does not identify you and is not treated as personal information under this Policy. We may use and disclose aggregated or de-identified data for our business purposes, including analytics, benchmarking, and improving the Services.

1. Information We Collect

Depending on how you interact with us, we may collect the following categories of information:

  1. Identity and Business Details:
  2. Legal name, company name, registration numbers, role/title. For plan eligibility we may request ID for authorized signers or beneficial owners where required by law or program rules.
  3. Contact Information:
  4. Email address, phone number, billing and mailing address, and similar contact data.
  5. Account and Usage Data:
  6. Logins, authentication and security data, account settings, in-product actions and feature usage, device/browser/OS information, IP address, session metadata, error reports, and support interactions (which may be recorded where permitted by law).
  7. Project and Delivery Data:
  8. Project specifications, assets, content, repositories, configuration files, environment variables (as provided), deployment metadata, and related technical records.
  9. Billing and Transactions:
  10. Invoices, payment status, transaction records, tax/VAT numbers, pre-authorized debit (PAD) consent logs (where applicable), and related accounting data.
  11. Verification and Fraud Prevention:
  12. Domain control proofs, business registrations, proof of incorporation, beneficial ownership attestations, and optional enhanced checks (such as government ID) where required for risk or compliance.
  13. Communications and Marketing:
  14. CASL consent/unsubscribe records, email engagement data (opens, clicks where permitted), and preferences for newsletters or product updates.
  15. Technical Data:
  16. Cookies and similar technologies, SDKs, logs, diagnostics, and security telemetry.
  17. End-Customer Content (Enterprise):
  18. If you upload or direct us to process personal data about your own customers, clients, or end users, you are the controller or business for that data and Cosgn acts as your service provider/processor under the applicable Data Processing Addendum.

We do not knowingly collect personal information from children. Users must be 18 years or older, or the age of majority in their province, state, or country.

No Storage of Full Financial Information

Cosgn does not store full payment card numbers, full bank account numbers, or comparable financial-instrument details. Payments are processed through regulated payment processors (such as Stripe, PayPal, or Wise) that handle sensitive financial data on Cosgn’s behalf. Cosgn receives only limited transaction metadata necessary for billing, reconciliation, fraud prevention, and compliance.

2. Purposes (Why We Use Data)

We use personal information for the following purposes:

  1. Provisioning and maintaining accounts and memberships
  2. Project delivery, implementation, launches, and ongoing support
  3. Billing, collections, and payment reconciliation
  4. Fraud prevention, abuse detection, and security (including rate-limiting and anomaly detection)
  5. Program administration for Cosgn Credit™ and related membership programs
  6. Communications, including:
  7. Transactional notices (service updates, security alerts, billing notices)
  8. Marketing and promotional communications where you have provided consent or where permitted by law
  9. Analytics, product improvement, capacity planning, and quality assurance
  10. Compliance with legal obligations, including tax, bookkeeping, audits, and responses to lawful requests by regulators or law enforcement

We do not sell personal information.

No “Sale” or “Sharing” for Cross-Context Behavioural Advertising (U.S. States)

For residents of U.S. states with specific privacy laws, Cosgn does not “sell” or “share” personal information for cross-context behavioural advertising, as those terms are defined in applicable state laws. If this ever changes, we will update this Policy and provide any required opt-out mechanisms before expanding such activities.

Profiling and Automated Evaluation (Law 25; PIPEDA Legitimate Interests)

We may use limited automated evaluation systems, such as fraud scoring, anomaly detection, usage analysis, or risk-flagging, to protect account security, detect abuse, and maintain service integrity. These systems do not make decisions that produce legal or similarly significant effects without human review. You may request human review or object to profiling where required by law (see §7 “Your Rights”).

3. Lawful Bases and Consent

Where required by law (for example in the EU/EEA, UK, or certain U.S. states), we rely on the following lawful bases for processing:

  1. Consent:
  2. For example, certain marketing communications, some optional verification checks, and non-essential cookies in the EU/EEA/UK.
  3. Contract:
  4. Processing necessary to provide the Services you request, perform Statements of Work (SOWs), or administer memberships and Cosgn Credit™ projects.
  5. Legitimate Interests:
  6. Security, fraud prevention, analytics, service improvement, internal reporting, and product development, balanced against your rights and expectations.
  7. Legal Obligations:
  8. Tax, accounting, record retention, regulatory reporting, anti-fraud/anti-money-laundering controls where applicable, and responses to lawful requests.

Where enhanced checks (such as government ID) are used, we request explicit consent where required by law.

Withdrawal of Consent

Where processing is based on your consent, you may withdraw that consent at any time by contacting [email protected] or using the tools provided (such as unsubscribe links). Withdrawal does not affect the lawfulness of processing performed before withdrawal and may limit access to certain features or Services.

4. Sharing and Disclosures

Service Providers

We share limited personal or service data with trusted vendors that help us operate the Services, including:

  1. Cloud and hosting providers
  2. Analytics and monitoring tools
  3. Billing and payment processors
  4. Domain registrars and DNS providers
  5. App-store and repository platforms
  6. Email, push, and SMS providers
  7. Security and anti-fraud vendors
  8. Customer-support and ticketing platforms

All such service providers are contractually bound to process data only on Cosgn’s documented instructions and to maintain appropriate confidentiality and security controls.

Regulators and Law Enforcement

We may disclose information if required by law, regulation, subpoena, or court order, or when we believe it is reasonably necessary to:

  1. Protect users or the public
  2. Enforce our Terms
  3. Investigate or prevent fraud, abuse, or security incidents
  4. Respond to lawful requests from regulators or law enforcement authorities

Corporate Transactions

If Cosgn undergoes a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction, subject to equivalent confidentiality and data-protection safeguards.

User-Directed Disclosures

We share data when you instruct us to do so — for example, to deploy assets to your domain registrar, app-store account, repository host, payment account, or third-party integration under your control.

Sub-Processor Transparency

Upon written request to [email protected], Cosgn will provide a current list of material sub-processors, subject to reasonable confidentiality.

Data Processing Addendum (DPA)

Where Cosgn processes personal information on your behalf as a processor or service provider, a Data Processing Addendum — including Standard Contractual Clauses (SCCs) or UK Addendum where applicable — is available on request at [email protected] and, when executed, forms part of the Terms or your applicable Statement of Work (SOW). Standard forms and the current list of authorized sub-processors are available on request at [email protected].

Cross-Brand Administrative Processing

To operate integrated features (including hosting, domain management, project delivery, verification, and Cosgn Credit™ administration), personal information may be processed across internal Cosgn departments and brand divisions. All intra-group disclosures occur under the same privacy safeguards and do not constitute “sales,” “sharing,” or transfers to external third parties.

5. International Transfers

We may process and store data inside or outside Canada, including in the United States, the United Kingdom, and the European Union.

When we transfer or make data accessible outside your jurisdiction, we apply contractual, organizational, and technical safeguards, such as confidentiality obligations, role-based access, encryption in transit and at rest, and data processing agreements with third parties.

Canada and Québec (Law 25)

Before communicating personal information outside Québec, Cosgn conducts transfer impact assessments and applies appropriate safeguards in accordance with Law 25.

EU and UK Visitors

Where applicable, Cosgn relies on the European Commission’s Standard Contractual Clauses (SCCs) and the UK ICO International Data Transfer Addendum, or any successor adequacy mechanism, for international transfers.

U.S. and Other Regions

Cosgn complies with applicable privacy and data transfer laws in the jurisdictions where it operates or serves customers. For U.S. residents in states with specific privacy rights (such as California, Colorado, Virginia, Connecticut, Utah, or others), Cosgn honours applicable access, deletion, correction, and opt-out rights consistent with the relevant legislation.

Cross-border transfers are performed only to jurisdictions that provide comparable levels of data protection or with contractual safeguards ensuring equivalent protection.

For details about your privacy rights or to exercise them, contact [email protected] (see §7 “Your Rights”).

Transfer Justification and Residual Risk (Law 25)

When transferring personal information outside Québec, Cosgn evaluates:

(a) the sensitivity of the data;

(b) the purpose of the transfer;

(c) the safeguards applied by the foreign service provider;

(d) the laws of the receiving jurisdiction; and

(e) potential residual risks.

Cosgn proceeds only where protections are comparable and appropriate contractual, technical, and organizational safeguards are in place.

EU/UK Representative

If and when Cosgn is required to appoint an EU or UK representative, we will publish their contact details in this Policy and on cosgn.com/legal, and route EU/UK privacy inquiries to that representative. Until then, EU/UK residents may contact [email protected].

Sub-Processor Updates and Objection

We will provide at least 30 days’ advance notice (email or in-app) before adding or replacing a material sub-processor. If you reasonably object on data-protection grounds within that period, we will work in good faith to propose an alternative, or you may terminate the affected service without penalty.

Data Residency Preference (When Supported)

Upon request and subject to technical limitations, Cosgn may provide options for regional data hosting (for example, Canada-only environments). These options may affect performance or cost and are not guaranteed for all Services.

6. Retention

We retain personal information only as long as necessary for the purposes described in this Policy and to meet legal, regulatory, and contractual obligations.

Illustrative ranges include:

  1. Account and billing records: typically 7 years after closure
  2. Project artifacts and backups: approximately 90–365 days after termination, unless longer retention is required by agreement or legal hold
  3. Security logs: typically 12–24 months (longer where associated with an incident)
  4. Marketing consent and unsubscribe records: typically 3–5 years

Actual periods may vary by system, data type, and applicable law. For a detailed retention schedule and examples, see our Help Centre → Data Retention section.

Retention Rationale

Retention periods are determined according to:

  1. statutory or regulatory requirements;
  2. the purpose for which the information was collected;
  3. contractual obligations;
  4. dispute-resolution and fraud-prevention requirements;
  5. technical feasibility of secure deletion; and
  6. business continuity considerations (including backups and archives).

Cosgn deletes or anonymizes personal information when it is no longer required for these purposes.

7. Your Rights

Subject to applicable law and certain limits, you may have the right to:

  1. access your personal information;
  2. request correction of inaccurate or incomplete data;
  3. request deletion or anonymization of personal information (where feasible and lawful);
  4. request data portability (where required by law);
  5. receive information about automated decision-making where applicable; and
  6. manage your marketing preferences and consents.

We will verify your identity before responding and aim to respond within 30 days or any shorter or longer period required by law.

  1. Québec residents: You may seek review or file a complaint with the Commission d’accès à l’information (CAI).
  2. Other Canadian provinces: You may contact your provincial privacy commissioner or the Office of the Privacy Commissioner of Canada (OPC).

Right to De-Indexation (Québec Law 25)

If you are a Québec resident, you may request de-indexation or cessation of dissemination of personal information that is inaccurate, outdated, unlawful, or prejudicial, subject to legal limits and applicable defences.

International Visitors

Cosgn Inc. is headquartered in Canada and primarily governed by PIPEDA and applicable provincial privacy laws. We recognize that individuals outside Canada — including those located in the United States, United Kingdom, European Union, and other jurisdictions — may have additional privacy rights (such as access, deletion, correction, objection, portability, or appeal). Where required by applicable law, Cosgn will honour those rights and provide mechanisms to exercise them by contacting [email protected].

For international data transfers, Cosgn relies on safeguards such as SCCs, the UK Addendum, and other adequacy or equivalent mechanisms as required. Cosgn has designated a data-protection contact reachable at [email protected] for privacy requests from EU and UK residents.

Appeals (U.S. States Where Applicable)

If we deny your privacy request and you are in a jurisdiction that provides an appeal right, you may appeal by emailing [email protected] with the subject line “Privacy Request Appeal.” We will respond with our final decision and reasons within 45 days (or the period required by law).

7.1 Submitting Privacy Requests

You may submit privacy requests by emailing [email protected] and providing enough information for Cosgn to verify your identity and understand the nature of the request. Cosgn may introduce a dedicated online request form in the future, which will be linked from this Policy when available. If introduced, the form will operate in addition to, not in replacement of, the [email protected] address unless otherwise stated.

8. Automated Systems

We use automated systems (and may use AI-assisted tooling) for fraud screening, abuse detection, performance scaling, reliability, and content moderation. We do not make decisions producing legal or similarly significant effects solely by automated means.

You may request human review where automation materially influences an outcome, subject to applicable law.

No Profiling of Minors

Cosgn does not knowingly collect, use, or profile personal information of minors under the age of majority for marketing, advertising, or automated decision-making purposes.

9. Security

We implement safeguards proportionate to risk, including:

  1. encryption in transit and at rest where appropriate;
  2. access controls and role-based permissions;
  3. audit logging and monitoring;
  4. vulnerability management and patching;
  5. incident response and escalation procedures.

No method of transmission or storage is entirely secure, but we apply commercially reasonable measures designed to protect information against unauthorized access, use, alteration, or destruction.

Internal Privacy Governance (Law 25; PIPEDA)

Cosgn maintains an internal privacy management program that includes:

  1. documented policies and procedures;
  2. employee training and awareness;
  3. role-based access controls and least-privilege principles;
  4. vendor due-diligence and ongoing monitoring;
  5. data-mapping and classification;
  6. incident-response protocols; and
  7. periodic audits and reviews of compliance.

The Privacy Officer oversees adherence to this program and reports directly to senior leadership.

10. Breach Notification

Where legally required, we will notify you and relevant authorities of a breach posing a real risk of significant harm. We maintain incident registers (including Law 25 requirements) and notify regulators where mandated.

Timeliness Standard

Where a breach creates a real risk of significant harm, Cosgn will notify affected individuals and regulators as soon as feasible after confirmation, consistent with PIPEDA, Law 25, and other applicable laws.

11. Cookies and Similar Technologies

We use cookies, pixels, SDKs, local storage, and similar technologies for essential operations, preferences, analytics, and limited advertising measurement. Details are provided in the Cookies & Tracking Policy below.

Where required (for example in Québec or the EU/EEA/UK), we obtain consent for non-essential cookies via a banner or preferences centre and honour your selections.

Where supported and legally binding, we honour Global Privacy Control (GPC) or equivalent signals in applicable jurisdictions to the extent required by law.

12. Third-Party Links and Integrations

The Services may contain links to external sites and integrations with third-party platforms. Those third parties have their own terms and privacy policies. Your use of registrars, app stores, payment processors, analytics providers, or other third parties is governed by their policies, not ours. Cosgn is not responsible for the privacy practices or content of those third parties.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified at least 30 days in advance (for example, by email or in-app notice), unless earlier implementation is required for compliance, security, or fraud prevention.

Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact

Privacy Officer — Head of Privacy and Compliance

Cosgn Inc.

Unit 4800, 1 King Street West

Toronto, ON M5H 1A1, Canada

Email: [email protected]

Complaints may be directed to the Office of the Privacy Commissioner of Canada, your provincial commissioner (including the Québec CAI), or any other competent authority in your jurisdiction.