Privacy Policy
Effective Date: March 4, 2026
Last Updated: May 16, 2026
Kosmatic Solutions Inc. ("Kosmatic," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at https://kosmatic.com (the "Site") or use our AI-powered customer analytics platform (the "Service").
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Site or use the Service.
1. Definitions
- "Merchant" or "Customer": A business that uses our Service to analyze their e-commerce store visitors.
- "End User" or "Visitor": An individual who visits a Merchant's e-commerce store where our tracking technology is deployed.
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Processing": Any operation performed on Personal Data, including collection, storage, use, and disclosure.
- "Data Controller": For Merchants, you are the Data Controller of your End Users' data. For your own account data, Kosmatic is the Data Controller.
- "Data Processor": Kosmatic acts as a Data Processor when processing End User data on behalf of Merchants.
- "Profiling": Any form of automated processing of Personal Data to evaluate, analyze, or predict aspects concerning a natural person's behavior, preferences, or economic situation.
- "Automated Decision-Making": A decision made solely by automated means, without meaningful human involvement, that produces legal or similarly significant effects.
- "AI Workflow": A scheduled or triggered automated process that uses artificial intelligence to analyze data, generate insights, or take actions within the Service.
- "MCP (Model Context Protocol)": An API protocol that allows authorized AI assistants and agents to interact with the Service on behalf of a Merchant.
2. Information We Collect
2.1 Information You Provide Directly
Merchant Account Information:
- Business name and contact information
- Email address and phone number
- Billing and payment information
- Shopify store domain and credentials
- Team member names and email addresses
- Third-party integration credentials (API keys for Klaviyo, HubSpot, Slack, Meta, Google Analytics)
Support Communications:
- Messages, feedback, and correspondence with our support team
2.2 Information We Collect Automatically (End User Data)
On-device classification (privacy by architecture). Where the visitor's browser supports WebGPU, the behavioral archetype classifier runs entirely inside the visitor's browser. Raw signals (scroll velocity, hover patterns, dwell times, etc.) are converted into a single archetype + confidence score on the device, and only the resulting classification is transmitted to Kosmatic's servers. Raw signal vectors do not leave the browser in that path. Visitors on browsers without WebGPU support fall through to a server-side classifier that processes the same signals, in which case the raw signals are transmitted under the consent model below.
When our technology is deployed on a Merchant's store, we collect data according to a three-tier consent model:
Tier 1 — Anonymous Data (collected without consent)
This data cannot identify you individually and is collected for aggregate analytics:
- Scroll velocity and maximum scroll depth
- Reading pattern classification (scanner, reader, deep reader)
- Rage clicks and dead clicks (interaction friction indicators)
- Form interaction patterns (errors, abandonment — no form content)
Tier 2 — Pseudonymous Data (collected via ephemeral fingerprint, 24-hour TTL)
This data is linked to a temporary identifier that expires within 24 hours:
- Decision latency (time from interest to action)
- Navigation backtracks
- Mouse hesitation patterns
- Pricing page attention metrics
- Call-to-action engagement signals
- Exit trajectory (mouse movement toward close/tab switch)
- Session depth and return visitor status
- Product attention data (hover duration, viewport time, scroll-backs, clicks per product)
Tier 3 — Identified Data (requires explicit consent)
This data is linked to a persistent visitor profile and collected only with consent:
- Email address and name (when provided via forms, quizzes, or checkout)
- Cart value and checkout progress
- Order history, lifetime spend, and average order value
- Email subscription and marketing consent status
- Phone number (if provided)
- UTM parameters and campaign attribution data (fbclid, gclid)
- Quiz/form responses (purchase timeline, budget authority, pain severity, decision style, price sensitivity)
2.3 Information from Third Parties
Shopify Integration:
- Store metadata and settings
- Order history and customer data (as authorized by Merchant)
- Product catalog information
- Customer marketing consent status
Authentication Providers:
- Google OAuth profile information (name, email) — used solely to authenticate your account and populate your profile. We do not use this information for advertising, profiling, or any purpose beyond account authentication.
- Shopify OAuth store information
Google API Services:
Kosmatic's use of information received from Google APIs (including Google Analytics Data API and Google Analytics Admin API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Read access (analytics.readonly scope): Google Analytics data accessed via our platform is used solely to display your own analytics data within your Kosmatic dashboard — including campaign performance, conversion funnels, archetype-level engagement metrics, and audience attribution.
- Write access (analytics.edit scope): We use this scope only to (a) register custom dimensions in your GA4 property that correspond to Auraflow's behavioral classifications (archetype, tier, predicted CLV, etc.), and (b) create audience definitions in your GA4 property based on dimensions you select. We do not modify your existing GA4 configuration, reports, conversion settings, or any data outside of Auraflow-namespaced custom dimensions and audiences you explicitly create through our interface.
- We do not use Google Analytics data to serve advertisements, build profiles for advertising, or share with third parties for advertising purposes. Audience membership and ad targeting are handled by your linked Google Ads account, not by Kosmatic.
- We do not allow humans to read Google user data unless you have given explicit permission, it is necessary for security purposes, or we are required to do so by law
- We do not transfer Google user data to others except as necessary to provide and improve our Service, as required by law, or as part of a merger or acquisition after explicit notice to you
- We do not use Google user data to develop, improve, or train generalized AI and/or ML models
2.4 Cookies and Similar Technologies
We use:
- Essential Cookies: Authentication and security (JWT tokens, session management)
- Functional Cookies: User preferences and consent status
- Analytics Cookies: Aggregate usage patterns (anonymized)
We employ cookieless tracking using browser fingerprinting for visitors who have not provided consent. This creates an ephemeral identifier that expires after 24 hours. See our Cookie Policy for full details.
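One way to implement the Tier 2 identifier and the tier split described in Sections 2.2 and 2.4, as an added illustration rather than Kosmatic's own code. It assumes the ephemeral identifier is an HMAC of the device fingerprint under a key derived per UTC day from a server-side master secret, that consent arrives as a boolean with the event, and that the field names below are illustrative stand-ins for the signals listed above.

```python
"""Tiered collection gate with a pseudonymous identifier that rotates daily.

Added example, not Kosmatic's code. Assumptions: per-day HMAC key derived from
a server-side master secret; consent is a boolean on the event; field names are
illustrative. Unknown fields are refused (fail closed) rather than passed through.
"""
import hashlib
import hmac

# Field sets mirror the three tiers in the policy; names are assumed, not Kosmatic's.
TIER1 = {"scroll_velocity", "max_scroll_depth", "reading_pattern",
         "rage_clicks", "dead_clicks", "form_errors"}
TIER2 = {"decision_latency", "backtracks", "mouse_hesitation", "pricing_attention",
         "cta_engagement", "exit_trajectory", "session_depth", "returning"}
TIER3 = {"email", "name", "phone", "cart_value", "utm", "quiz"}


def day_key(master_secret: bytes, ts: float) -> bytes:
    """Key for the UTC day containing ts.

    A fresh key per day means an identifier from yesterday cannot be recomputed
    or matched today, so stored Tier 2 rows are unlinkable across days even for
    someone holding the database. Yesterday's key is never needed again.
    """
    day = int(ts // 86400)
    return hmac.new(master_secret, f"tier2-day-key:{day}".encode(), hashlib.sha256).digest()


def ephemeral_id(fingerprint: dict, master_secret: bytes, ts: float) -> str:
    """HMAC of the canonicalized fingerprint under the current day's key."""
    canonical = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    mac = hmac.new(day_key(master_secret, ts), canonical.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def gate(event: dict, fingerprint: dict, consent: bool,
         master_secret: bytes, ts: float) -> dict:
    """Split one raw event into the records the server may store per tier.

    Tier 1 carries no identifier at all; Tier 2 is keyed by the ephemeral id;
    Tier 3 is emitted only when consent is present. A field that is not in any
    tier raises instead of leaking through under the most permissive tier.
    """
    unknown = set(event) - TIER1 - TIER2 - TIER3
    if unknown:
        raise ValueError(f"unclassified fields refused: {sorted(unknown)}")
    out = {
        "tier1": {k: v for k, v in event.items() if k in TIER1},
        "tier2": {"id": ephemeral_id(fingerprint, master_secret, ts),
                  **{k: v for k, v in event.items() if k in TIER2}},
    }
    if consent:
        out["tier3"] = {k: v for k, v in event.items() if k in TIER3}
    return out


if __name__ == "__main__":
    secret = b"master-secret-kept-in-kms"  # assumption: never shipped to the browser
    fp = {"ua": "Mozilla/5.0", "tz": "-8", "screen": "1440x900"}  # constructed
    ev = {"scroll_velocity": 2.1, "decision_latency": 4.2, "email": "a@example.com"}
    print(gate(ev, fp, consent=False, master_secret=secret, ts=1_700_000_000))
```

Two caveats a practitioner should note: a day-boundary key gives an identifier lifetime of at most 24 hours, not 24 hours from first sight, and the identifier is only pseudonymous if the server discards the raw fingerprint after computing the HMAC.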
3. How We Use Your Information
3.1 For Merchants (Our Customers)
- Provide AI-powered customer analytics and CLV predictions
- Classify visitors into behavioral archetypes (see Section 3.4)
- Generate actionable insights and playbook recommendations
- Execute AI Workflows for automated analysis and reporting (see Section 3.5)
- Provide MCP API access for authorized AI assistants (see Section 3.6)
- Run A/B tests to optimize engagement strategies (see Section 3.7)
- Sync data with integrated marketing platforms (Klaviyo, HubSpot, Meta, Google)
- Build and sync audience segments to advertising platforms
- Process payments and manage subscriptions
- Provide customer support and technical assistance
- Send product updates and service notifications
- Improve and develop new features
3.2 For End Users (Merchant's Customers)
- Analyze shopping behavior to improve user experience
- Personalize content and product recommendations
- Trigger timely interventions (discounts, support offers)
- Prevent cart abandonment through targeted engagement
- Classify visitors into behavioral archetypes for personalized experiences
- Predict customer lifetime value to optimize merchant marketing spend
3.3 Legal Bases for Processing (GDPR)
| Legal Basis | Processing Activity |
|-------------|---------------------|
| Contract | Processing necessary to provide the Service to Merchants |
| Consent | Tier 3 (Identified) data collection; marketing communications; quiz/form responses |
| Legitimate Interests | Tier 1 (Anonymous) and Tier 2 (Pseudonymous) data collection for aggregate analytics; fraud prevention; security; service improvement |
| Legal Obligation | Tax, accounting, regulatory compliance; GDPR/CCPA request fulfillment |
3.4 Automated Decision-Making and Profiling
We engage in automated profiling of End Users. In accordance with GDPR Article 22 and applicable laws, we disclose the following:
What We Do
| Automated Process | Description | Data Used |
|-------------------|-------------|-----------|
| Behavioral Archetype Classification | Visitors are automatically classified into one of five behavioral archetypes (e.g., Researcher, Impulse Buyer, Price Checker, Comparison Shopper, Hesitant Abandoner) based on browsing behavior. | Scroll patterns, click behavior, session depth, pricing attention, CTA engagement, exit signals |
| Customer Lifetime Value (CLV) Prediction | A Bayesian statistical model (BG/NBD) predicts the probability of future purchases and estimated lifetime monetary value. | Purchase history, visit frequency, recency, archetype, behavioral signals |
| Playbook Recommendation | The system recommends intervention strategies (e.g., discount popups, email flows, support offers) based on archetype, segment, and predicted value. | Archetype, CLV score, segment membership, engagement history |
| Segment Assignment | Visitors are automatically assigned to segments based on rules defined by the Merchant (e.g., "high intent," "cart abandoner"). | Any combination of behavioral and transactional data |
| A/B Test Variant Assignment | Visitors are deterministically assigned to test variants based on a hash of their visitor identifier. | Visitor identifier (hashed) |
| Purchase Probability Scoring | Daily purchase probability calculated per visitor, including peak conversion window prediction. | Visit patterns, archetype, CLV model parameters |
Significance and Consequences
These automated processes determine:
- Which marketing messages, offers, or interventions a visitor may see
- How marketing spend is allocated across visitor segments
- Which email flows or ad audiences a visitor is included in
- The timing and frequency of engagement attempts
Your Rights Regarding Automated Decisions
Under GDPR Article 22 and equivalent laws, you have the right to:
- Obtain an explanation of how automated decisions are made about you
- Contest an automated decision and request human review
- Express your point of view regarding automated processing
- Opt out of profiling for direct marketing purposes (see Section 6)
To exercise these rights, contact support@kosmatic.com or contact the Merchant whose store you visited.
3.5 AI Workflows
Merchants may configure AI Workflows — scheduled automated processes that use artificial intelligence to analyze visitor data, generate reports, create segments, or recommend actions. These workflows:
- Run on schedules set by the Merchant (hourly, daily, weekly, or monthly)
- May access visitor behavioral data, segment data, and analytics
- May create or modify segments, email flows, and audience lists
- May fetch data from external URLs approved by the Merchant
- Are logged with full audit trails (action type, parameters, timestamp, cost)
- Operate within the Merchant's existing data access permissions
AI Workflows do not make decisions with legal or similarly significant effects on End Users without Merchant review. Merchants are responsible for reviewing and approving workflow outputs that affect End User treatment.
3.6 MCP API (Model Context Protocol)
The Service provides an MCP API that allows authorized AI assistants (such as Claude, or custom AI agents) to interact with the platform on behalf of a Merchant. Through the MCP API:
- AI agents can query visitor analytics, create segments, manage flows, and export data
- All actions are scoped to the Merchant's own data and permissions
- All actions are logged in the AI action log with timestamps
- Access requires valid Merchant authentication
- AI agents cannot access data belonging to other Merchants
The MCP API does not expose End User data to third-party AI model training. Data accessed via MCP is processed under the same legal bases as direct dashboard access.
3.7 A/B Testing
The Service allows Merchants to run A/B tests comparing different engagement strategies (playbooks, email flows, content variants, timing). During A/B testing:
- Visitors are assigned to test variants using a deterministic hash of their visitor identifier
- Assignment is persistent within a test but visitors are not informed of variant assignment
- The system uses statistical analysis (Bayesian inference) to determine winning variants
- An epsilon-greedy exploration algorithm may assign some visitors to less-proven variants to gather performance data
- Merchants control test creation, parameters, and conclusion
A/B test participation does not produce legal or similarly significant effects on End Users. Tests affect only the presentation or timing of marketing content.
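The deterministic assignment described in Section 3.7 (and in the Section 3.4 table), shown as an added example that is not Kosmatic's code. It assumes a per-test secret key held server-side, HMAC-SHA256 as the hash, and integer percentage weights per variant; the epsilon-greedy exploration step the policy mentions is out of scope here.

```python
"""Deterministic A/B variant assignment from a keyed hash of the visitor identifier.

Added example, not Kosmatic's code. Assumptions: per-test secret key,
HMAC-SHA256, integer percentage weights that sum to 100.
"""
import hashlib
import hmac
from collections import Counter

BUCKETS = 10_000  # assignment resolution: each bucket is 0.01 % of traffic


def bucket_for(test_id: str, visitor_id: str, key: bytes) -> int:
    """Map (test, visitor) to a stable bucket in [0, BUCKETS).

    Keying the hash with a secret means a party who knows a visitor ID cannot
    compute that visitor's bucket, and mixing in test_id makes buckets
    independent across tests, so a visitor landing in "control" for one test
    is not systematically in "control" for every test.
    """
    msg = f"{test_id}\x00{visitor_id}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def assign_variant(test_id: str, visitor_id: str,
                   variants: dict[str, int], key: bytes) -> str:
    """Return the variant for this visitor.

    variants maps name -> percentage of traffic, e.g. {"control": 50, "offer": 50}.
    The same (test_id, visitor_id, key) always yields the same variant, which is
    the "persistent within a test" property. Changing weights mid-test moves the
    bucket boundaries and reshuffles visitors near them, so weights are fixed
    once a test starts.
    """
    if sum(variants.values()) != 100:
        raise ValueError("variant weights must sum to 100")
    b = bucket_for(test_id, visitor_id, key)
    upper = 0
    for name, pct in variants.items():  # insertion order defines the boundaries
        upper += pct * BUCKETS // 100
        if b < upper:
            return name
    return name  # not reached when weights sum to 100; last variant is the fallback


def split_counts(test_id: str, variants: dict[str, int], key: bytes, n: int) -> Counter:
    """Simulate n constructed visitors (IDs v0..v{n-1}) and count variant sizes."""
    return Counter(assign_variant(test_id, f"v{i}", variants, key) for i in range(n))


if __name__ == "__main__":
    key = b"per-test-secret-not-for-production"  # assumption: stored server-side
    print(split_counts("exit-intent-offer", {"control": 50, "offer_10pct": 50}, key, 10_000))
```

Running the simulation is the check a practitioner wants before trusting a split: with 10,000 synthetic visitors the observed shares should sit within a couple of percent of the configured weights, and re-running with the same key must reproduce every assignment exactly.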
4. How We Share Your Information
4.1 Service Providers
We share data with trusted third parties who provide services on our behalf:
| Provider | Purpose | Data Shared |
|----------|---------|-------------|
| Render | Cloud hosting (Node + Python + managed PostgreSQL + Redis) | All data (encrypted at rest) |
| Cloudinary | Image hosting + transforms (logos, product imagery, AI-generated assets) | Image binaries and metadata only — no behavioral signals or End User PII |
| Postmark | Transactional email delivery (verification, login codes, breach notices, billing) | Email address, message contents |
| Stripe | Card / SCA billing (non-Shopify-Billing path) | Merchant billing identifiers (no End User data) |
| Cloudflare | Edge proxy, DDoS mitigation, DNS (when enabled) | IP addresses and TLS metadata for proxied traffic |
| Shopify | E-commerce platform integration, Shopify Billing, theme app extension hosting | Store data, order information, billing identifiers |
| Klaviyo | Email marketing automation | Email, archetype, segment, confidence scores, CLV, suggested playbook |
| HubSpot | CRM integration | Email, visitor classifications, engagement data, CLV, suggested playbook |
| Meta (Facebook) | Advertising optimization | Hashed emails, conversion events via Conversions API (server-side only, no raw behavioral data) |
| Google | Analytics, authentication, advertising | Anonymized usage data, OAuth profiles, GA4 measurement events |
| Slack | Merchant notifications | High-intent visitor alerts (archetype, score — sent to Merchant's own Slack workspace) |
| Anthropic | AI model provider (Claude family) | Merchant-scoped generation prompts; no End User PII included in default routing |
| OpenAI | AI model provider (GPT family) | Merchant-scoped generation prompts; no End User PII included in default routing |
| Google (Gemini) | AI model provider (Gemini family) | Merchant-scoped generation prompts; no End User PII included in default routing |
| Moonshot AI (Kimi) | AI model provider (Kimi family) | Merchant-scoped generation prompts; no End User PII included in default routing |
The four AI model providers above are selectable by the Merchant. The Merchant's selection in Settings → AI Agent determines which provider receives generation requests originated from that Merchant's account. Generation requests carry only the prompt context the Merchant has configured for the relevant workflow or feature; raw End User behavioral signals are not routed to AI model providers by default.
For a complete and continuously-updated list of all Sub-Processors, including infrastructure providers, regions, transfer mechanisms, and audit rights, see our Sub-Processor List.
4.2 Audience Sync to Advertising Platforms
Merchants may sync audience segments to Meta (Facebook) and Google Ads for advertising purposes. When synced:
- Data shared: Hashed email addresses (SHA-256), hashed phone numbers (if available), external IDs
- Audience types: High-intent visitors, high-CLV visitors, cart abandoners, archetype-based segments
- How it works: Audiences are maintained dynamically; visitors are added/removed as their data changes
- Merchant responsibility: Merchants must ensure they have lawful basis to share End User data with advertising platforms and must comply with Meta and Google's advertising policies
We do not share raw behavioral signals, archetype labels, or CLV scores directly with advertising platforms. Only hashed identifiers are transmitted for audience matching.
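The audience-sync payload described in Section 4.2 together with the opt-out handling in Section 14.2, as an added example and not Kosmatic's own code. It assumes that the ad platforms expect emails lowercased and whitespace-trimmed and phone numbers as E.164 digits before SHA-256 hashing (Meta and Google both publish normalization rules; treat the specifics as an assumption here), that a GPC or opt-out signal is recorded as a flag on the visitor record, and that external IDs are passed through as the policy states.

```python
"""Audience-sync payload: normalized, SHA-256-hashed identifiers plus opt-out gating.

Added example, not Kosmatic's code. Assumptions: platform normalization rules
(lowercase/trim for email, digits-only E.164 for phone), GPC/opt-out as a flag,
external IDs passed through unhashed as the policy describes.
"""
import hashlib
import re
import unicodedata

# Fields that must never reach an ad platform per the policy (names assumed).
FORBIDDEN_KEYS = {"archetype", "clv", "net_score", "playbook", "confidence", "signals"}

SAMPLE_VISITORS = [  # constructed sample records
    {"external_id": "vis_001", "email": " Alice@Example.COM ", "phone": "+1 (604) 555-0100"},
    {"external_id": "vis_002", "email": "bob@example.org", "gpc": True},
    {"external_id": "vis_003", "email": "carol@example.net", "archetype": "Researcher"},
]


def normalize_email(email: str) -> str:
    """Lowercase and trim; without this, 'Alice@Example.COM' hashes to a value the platform cannot match."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def normalize_phone(phone: str) -> str:
    """Digits only: '+1 (604) 555-0100' -> '16045550100'."""
    return re.sub(r"\D", "", phone)


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_audience_payload(audience_id: str, visitors: list[dict]) -> dict:
    """Build the member list an ad platform would receive.

    Opted-out visitors are skipped entirely rather than sent with a flag: the
    platform must never learn the identifier at all. Only explicitly chosen
    keys are copied, so behavioral fields on the source record cannot leak.
    """
    members, skipped = [], 0
    for v in visitors:
        if v.get("gpc") or v.get("opted_out"):
            skipped += 1
            continue
        entry = {"external_id": v["external_id"]}
        if v.get("email"):
            entry["email_sha256"] = sha256_hex(normalize_email(v["email"]))
        if v.get("phone"):
            entry["phone_sha256"] = sha256_hex(normalize_phone(v["phone"]))
        members.append(entry)
    return {"audience_id": audience_id, "members": members, "skipped_opt_outs": skipped}


def check_minimized(payload: dict, raw_values: list[str]) -> bool:
    """Pre-send check: no forbidden keys and no raw identifier text anywhere in the payload."""
    if any(FORBIDDEN_KEYS & m.keys() for m in payload["members"]):
        return False
    blob = repr(payload).lower()
    return not any(raw.strip().lower() in blob for raw in raw_values if raw)


if __name__ == "__main__":
    payload = build_audience_payload("high_intent", SAMPLE_VISITORS)
    raw = [v.get("email", "") for v in SAMPLE_VISITORS]
    print(payload, check_minimized(payload, raw))
```

The check_minimized gate is the part worth keeping in a real pipeline: it fails the sync if a code change ever starts copying archetype or CLV fields into the payload, or if an un-hashed email slips through.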
4.3 Integration Hooks (Automatic Data Sharing)
When a Merchant configures integrations (Klaviyo, HubSpot, Slack, Meta, or a custom webhook), visitor data is automatically shared with those platforms when a visitor is classified. Specifically:
- Trigger: Visitor identification (email capture) or archetype classification
- Data sent: Email, name, archetype, confidence tier, net score, suggested playbook, top product, current segment
- Frequency: Once per classification event (not continuous)
- Merchant control: Merchants enable/disable each integration independently via dashboard settings
- Custom webhooks: Merchants may configure a custom webhook URL to receive classification payloads. Kosmatic is not responsible for data handling by custom webhook endpoints.
4.4 Data Sharing by Merchants
Merchants control how their End User data is shared. Through our platform, Merchants may:
- Export data to CSV or JSON (visitors, signals, segments, performance)
- Sync segments with their Klaviyo, HubSpot, or advertising accounts
- Access data via MCP API using authorized AI assistants
- Trigger Meta Pixel or GA4 events
Merchants are responsible for ensuring their data sharing complies with applicable laws.
4.5 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).
4.6 Business Transfers
If Kosmatic is involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different Privacy Policy.
5. Data Retention
5.1 Merchant Data
We retain your account information for as long as your account is active or as needed to provide you with the Service. After account termination:
- 30 days: Soft delete period (data recoverable; export available)
- 90 days: Permanent deletion of personal data
- Indefinite: Anonymized aggregate analytics (no PII)
5.2 End User Data
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Ephemeral fingerprints | 24 hours | Temporary visitor identification |
| Anonymous behavioral signals (Tier 1) | Configurable by Merchant (default 90 days) | Aggregate analytics |
| Pseudonymous behavioral signals (Tier 2) | Configurable by Merchant (default 90 days) | CLV model and analytics |
| Identified visitor profiles (Tier 3) | Configurable by Merchant (default 90 days) | Customer analytics |
| Consent records | 90 days from consent withdrawal | Legal compliance |
| Aggregate analytics | Indefinite | Business intelligence (fully anonymized, no PII) |
| AI action logs | 1 year | Audit trail and accountability |
| Authentication logs | 1 year | Security |
Merchants may configure custom retention periods through their dashboard settings. An automated daily process permanently deletes data that exceeds the configured retention period.
5.3 Data Deletion
Merchants can request deletion of their End User data through:
- Dashboard "Delete Profile" functionality
- GDPR webhook endpoints (for Shopify merchants)
- GDPR API endpoints (programmatic deletion)
- Email request to support@kosmatic.com
Upon deletion:
- All personally identifiable visitor data is permanently removed
- Consent records are retained for the legally required period
- Anonymized aggregate statistics are retained (not linked to any individual)
6. Your Privacy Rights
6.1 For All Individuals
Depending on your location, you may have the following rights:
| Right | Description | How to Exercise |
|-------|-------------|-----------------|
| Access | Request a copy of your personal data | Email support@kosmatic.com |
| Rectification | Correct inaccurate data | Contact the Merchant or email us |
| Erasure | Request deletion of your data | Email support@kosmatic.com with proof of identity |
| Restriction | Limit how we process your data | Email support@kosmatic.com |
| Portability | Receive data in a machine-readable format (JSON/CSV) | Email support@kosmatic.com |
| Objection | Object to processing based on legitimate interests | Email support@kosmatic.com |
| Withdraw Consent | Withdraw previously given consent at any time | Via consent banner, cookie settings, or email |
| Opt Out of Profiling | Opt out of automated profiling for direct marketing | Email support@kosmatic.com or contact the Merchant |
| Contest Automated Decisions | Request human review of automated decisions that significantly affect you | Email support@kosmatic.com |
| Explanation | Receive meaningful information about the logic of automated decision-making | Email support@kosmatic.com |
6.2 Response Time
We will respond to all privacy requests within 30 days. Complex requests may take up to 60 days (or 90 days under CCPA), with notification of the extension.
6.3 For Merchants (Data Controller Obligations)
As Data Controllers of End User data, Merchants must:
- Provide their own privacy policy to End Users that discloses use of Kosmatic's analytics
- Disclose the use of automated profiling and behavioral classification
- Obtain appropriate consent for Tier 3 (Identified) data collection
- Honor End User data subject requests (access, deletion, portability, objection to profiling)
- Ensure lawful basis for processing and for sharing data with integrated platforms
- Conduct Data Protection Impact Assessments where required (see Section 6.4)
6.4 Data Protection Impact Assessment (DPIA)
The Service involves high-risk processing activities including automated profiling and behavioral scoring. Under GDPR Article 35, Merchants operating in the EEA should conduct a DPIA before deploying the Service. Kosmatic provides:
- Documentation of processing activities and data flows
- Technical details of automated decision-making logic
- Assistance with DPIA completion upon request (email support@kosmatic.com)
7. International Data Transfers
Kosmatic is based in British Columbia, Canada. Our servers are hosted in the United States (Render cloud infrastructure).
7.1 Transfer Mechanisms
| Data Origin | Transfer Destination | Mechanism |
|-------------|---------------------|-----------|
| EEA/UK | Canada | EU adequacy decision for Canada (limited to organizations subject to PIPEDA) |
| EEA/UK | United States | Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) per Commission Decision 2021/914 |
| UK | United States | UK International Data Transfer Addendum to SCCs |
| Switzerland | United States | Swiss-specific SCC addendum |
| Canada | United States | PIPEDA accountability principle (contractual safeguards for transfers for processing) |
7.2 Additional Safeguards
Where required, we implement supplementary measures including:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorized personnel
- Data minimization (processing only what is necessary)
- Regular review of transfer impact assessments
By using our Service, you acknowledge that your data may be transferred to countries outside your country of residence, including the United States and Canada, subject to the protections described above.
8. Security Measures
We implement appropriate technical and organizational measures to protect your data:
| Measure | Implementation |
|---------|----------------|
| Encryption at rest | Render-managed disk encryption for database storage |
| Encryption in transit | TLS for all data transmission (PostgreSQL SSL, HTTPS endpoints) |
| Access controls | Role-based access, MFA recommended |
| Authentication | Argon2id password hashing; JWT with 15-minute expiry; account lockout after 5 failed attempts |
| API security | Merchant-scoped access; rate limiting on all endpoints |
| Regular audits | Quarterly security assessments |
| Incident response | 24-hour breach notification protocol |
| Data minimization | Three-tier consent model; collect only what's necessary per tier |
| Automated deletion | Daily cron job enforces retention periods |
Despite our efforts, no security system is impenetrable. We cannot guarantee the security of our databases or that information you supply won't be intercepted while being transmitted to us over the Internet.
8.1 Personal Data Breach Notification
In the event of a Personal Data Breach, we follow the procedure described in our Personal Data Breach Response Procedure. This includes:
- Notification to the relevant Supervisory Authority within 72 hours where required by GDPR / UK GDPR
- Notification to affected Customers without undue delay
- Notification to affected End Users where the breach is likely to result in a high risk to their rights and freedoms
- A documented assessment and post-incident review for every breach, retained for at least 3 years
To report a suspected breach, contact support@kosmatic.com with subject line "Security Incident — Auraflow."
9. Children's Privacy
Our Service is not intended for individuals under the age of 16 (or 13 in jurisdictions where a lower age of consent applies under COPPA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@kosmatic.com. We will promptly delete such information.
10. Cookie Policy
For full details on cookies, browser fingerprinting, and tracking technologies, see our dedicated Cookie Policy.
11. Third-Party Links
Our Site may contain links to third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification for material changes (including changes to automated decision-making practices)
Continued use of the Service after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions about this Privacy Policy, please contact us:
Kosmatic Solutions Inc.
Email: support@kosmatic.com
Address: Vancouver, British Columbia, Canada
Data Protection Contact: Kosmatic Solutions Inc.
Email: support@kosmatic.com
14. Jurisdiction-Specific Information
14.1 European Economic Area and United Kingdom (GDPR / UK GDPR)
If you are in the EEA or UK, you have specific rights under the General Data Protection Regulation:
- Legal basis: See Section 3.3
- Automated decision-making: See Section 3.4. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our automated processing (archetype classification, CLV prediction) is used to personalize marketing content and does not produce legal effects. You may still object under Article 21.
- Right to lodge a complaint: You may lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)
- Data transfers: See Section 7.1. We use SCCs for transfers to the US.
- Data Protection Impact Assessment: See Section 6.4
- Representative: For EEA inquiries, contact support@kosmatic.com. We are evaluating the appointment of an EU representative under Article 27.
14.2 California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Categories of Personal Information Collected:
| Category | Examples | Sold? | Shared for Cross-Context Behavioral Advertising? |
|----------|----------|-------|--------------------------------------------------|
| Identifiers | Email address, name, visitor ID | No | Yes (hashed, to Meta/Google for ad matching) |
| Internet activity | Browsing behavior, scroll patterns, click data | No | No |
| Commercial information | Products viewed, purchase history, cart contents | No | No |
| Inferences | Behavioral archetype, CLV prediction, purchase probability | No | Yes (segment membership synced to ad platforms) |
| Geolocation | Approximate location (from IP, not precise GPS) | No | No |
Your CCPA/CPRA Rights:
- Right to Know: Request the categories and specific pieces of personal information collected
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sharing: Opt out of sharing for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive PI as defined by CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Do Not Sell or Share: We do not sell personal information. We share hashed identifiers with advertising platforms (Meta, Google) for audience matching when a Merchant has configured these integrations. You may opt out by:
- Enabling Global Privacy Control (GPC) in your browser
- Contacting the Merchant whose store you visited
- Emailing support@kosmatic.com
Automated Decision-Making Technology (CPRA §1798.185(a)(16)): We use automated decision-making technology for behavioral profiling and customer value prediction. See Section 3.4 for details. You have the right to opt out of this processing and to request access to information about the logic involved.
14.3 Canadian Residents (PIPEDA / Quebec Law 25)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25):
- Consent: We obtain meaningful consent for collection, use, and disclosure of personal information
- Purpose limitation: Personal information is used only for the purposes disclosed in this Policy
- Automated decision-making (Law 25): Quebec residents have the right to be informed when a decision is made exclusively by automated processing. See Section 3.4. You may request that the decision be reviewed by a person.
- Transparency: We provide access to our personal information handling practices upon request
- Privacy Impact Assessment: Available upon request for Quebec Law 25 compliance
- Complaints: Contact the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec
14.4 Brazilian Residents (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados provides you with rights similar to those under GDPR, including the right to confirmation of processing, access, correction, anonymization, portability, deletion, and information about automated decision-making. Contact support@kosmatic.com to exercise these rights.
14.5 Australian Residents (Privacy Act 1988)
We comply with the Australian Privacy Principles (APPs). You have the right to access your personal information and request correction. If you believe we have breached the APPs, you may complain to the Office of the Australian Information Commissioner (OAIC).
END OF PRIVACY POLICY