Privacy Policy
Effective Date: March 4, 2026 · Last Updated: March 26, 2026
Kosmatic Solutions Inc. ("Kosmatic," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered customer analytics platform (the "Service").
1. Definitions
- "Merchant" or "Customer": A business that uses our Service to analyze their e-commerce store visitors.
- "End User" or "Visitor": An individual who visits a Merchant's e-commerce store where our tracking technology is deployed.
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Data Controller": For Merchants, you are the Data Controller of your End Users' data. For your own account data, Kosmatic is the Data Controller.
- "Data Processor": Kosmatic acts as a Data Processor when processing End User data on behalf of Merchants.
2. Information We Collect
2.1 Information You Provide Directly
Merchant Account Information: Business name and contact information, email address and phone number, billing and payment information, Shopify store domain and credentials, team member names and email addresses.
2.2 Information We Collect Automatically (End User Data)
Device and Browser Information: Browser type, version, and language; operating system and device type; screen resolution and viewport size; time zone and language settings.
Behavioral Signals (50+ data points): Scroll velocity and patterns; mouse movements, hovers, and clicks; time spent on page elements; navigation patterns and backtracking; decision latency; exit trajectory; session depth and return visitor status.
Product Engagement Data: Products viewed and time spent on each, pricing page attention metrics, add-to-cart actions, price tier preferences.
Identification Data (with consent): Email address (when provided via forms), browser fingerprint (ephemeral, 24-hour TTL).
2.3 Information from Third Parties
Shopify store metadata and settings, order history and customer data (as authorized by Merchant), Google OAuth profile information.
3. How We Use Your Information
For Merchants: Provide AI-powered customer analytics and CLV predictions, classify visitors into behavioral archetypes, generate actionable insights and playbook recommendations, sync data with marketing platforms, process payments, provide support.
For End Users: Analyze shopping behavior to improve user experience, personalize content and product recommendations, trigger timely interventions, prevent cart abandonment.
Legal Bases (GDPR): Contract, Consent, Legitimate Interests, Legal Obligation.
3.1 Automated Decision-Making
Our Service uses automated processing to classify visitors into behavioral segments and predict purchase likelihood. These outputs may trigger personalized content or offers. Merchants may override automated classifications manually. Visitors may request human review by contacting the Merchant or emailing privacy@kosmatic.com.
4. How We Share Your Information
| Provider | Purpose | Data Shared |
|---|---|---|
| Render | Cloud hosting | All data (encrypted at rest) |
| Shopify | E-commerce integration | Store data, order information |
| Klaviyo | Email marketing | Archetype, segment, confidence scores |
| HubSpot | CRM integration | Visitor classifications |
| Meta | Ad optimization | Conversion events via CAPI (server-side only) |
| | Analytics & auth | Anonymized usage data, OAuth profiles |
| Slack | Notifications | High-intent visitor alerts |
5. Data Retention
| Data Type | Retention | Rationale |
|---|---|---|
| Ephemeral fingerprints | 24 hours | Temporary visitor identification |
| Behavioral signals (with consent) | 90 days | CLV model training and analytics |
| Merchant account (after termination) | 30 days soft delete, 90 days permanent | Recovery period + legal compliance |
| Aggregate analytics | Indefinite | Anonymized business intelligence |
6. Your Privacy Rights
Depending on your location, you may have the right to: Access your data, Rectify inaccurate data, request Erasure, Restrict processing, Portability, Object to processing, and Withdraw Consent.
Contact privacy@kosmatic.com to exercise any right. We respond within 30 days.
6.1 Rights Related to Automated Decision-Making
Under GDPR Article 22 and similar regulations, you have the right to: (a) be informed about automated decision-making, (b) request human intervention and contest decisions, and (c) object to profiling based on legitimate interests. Contact privacy@kosmatic.com to exercise these rights.
7. International Data Transfers
Kosmatic is based in British Columbia, Canada. Our servers are hosted in the United States (Render cloud infrastructure). We use Standard Contractual Clauses (SCCs) for EU data transfers.
8. Security Measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.3 |
| Access controls | Role-based access, MFA |
| Audits | Quarterly security assessments |
| Incident response | 24-hour breach notification |
9. Children's Privacy
Our Service is not intended for individuals under 16. We do not knowingly collect personal information from children.
10. Cookies
We use essential cookies for authentication, functional cookies for preferences, and analytics cookies (anonymized). We employ cookieless tracking using browser fingerprinting for visitors who have not provided consent. See our Cookie Policy for details.
11. Jurisdiction-Specific Information
California (CCPA): We do not sell your personal information. Contact us for CCPA-specific rights.
European (GDPR): Legal basis outlined in Section 3. You may lodge complaints with your local data protection authority.
Canada (PIPEDA): We comply with PIPEDA. Contact privacy@kosmatic.com.
12. Contact Us
Kosmatic Solutions Inc.
Email: privacy@kosmatic.com
Address: Vancouver, British Columbia, Canada
Data Protection Officer: Ciaran Nugent, privacy@kosmatic.com