Legal

Privacy Policy

Last updated: 14 May 2026 · Governed by UK GDPR and the Data Protection Act 2018

1. Who we are

Cosine is a product of Blackswan Strategy Partners Limited, a private limited company registered in England and Wales (company number 17158315). Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are the data controller for personal data processed through this website and the Cosine service.

Contact us at: privacy@getcosine.co.uk

2. What data we collect and why

2.1 Data you provide directly

Data | Purpose | Legal basis
Name, email address, password (account) | To create and authenticate your Cosine account via our identity provider, Clerk | Contract performance (Art. 6(1)(b))
Name, email, meeting details (call booking) | To schedule a call with us through Cal.com | Consent / contract performance (Art. 6(1)(a)/(b))
LinkedIn GDPR export file | To enrich your network and surface recommendations | Contract performance (Art. 6(1)(b))
Declared capability profile (gaps, sectors, levels) | To match your skills against company gaps | Contract performance (Art. 6(1)(b))
Feedback you submit via the in-app form (free-text message, your email address, your account identifier) | To triage bugs, ideas and product issues. We forward each submission to our issue tracker (JetBrains YouTrack) so the team can respond and follow up | Legitimate interests (Art. 6(1)(f)) — improving the product and supporting beta users

2.2 Data we enrich from third-party sources

When you upload a LinkedIn export, we query proprietary commercial databases to enrich the companies in your network with firmographic data (headcount, funding stage, sector, hiring signals). This data relates to companies and their publicly-known leadership, not to private individuals.

Where enrichment surfaces data about named individuals (e.g. “no CTO named”), the source is publicly available professional data. We do not store this data beyond the session unless you save a recommendation.

2.3 Analytics and advertising data

Subject to your consent (see “Cookies” below), we use:

  • PostHog (hosted in the EU by PostHog Inc.) — to measure how people use this website, including which pages and buttons they interact with. PostHog sets cookies and uses local storage to record a pseudonymous device identifier, your truncated IP address, device and browser information, referrer, pages viewed, and click events on individually identified buttons. We do not enable PostHog session replay, surveys, or AI features. Do-Not-Track signals are honoured.
  • LinkedIn Insight Tag — to measure the performance of our LinkedIn advertising and to build audiences for advertising on LinkedIn. LinkedIn collects cookies and pseudonymous identifiers, IP address, page URL, timestamp, and referrer.

These tools run only after you click “Accept” on the cookie banner. The legal basis is your consent (Art. 6(1)(a)) and, for the cookies themselves, regulation 6 of the Privacy and Electronic Communications Regulations (PECR). You can withdraw consent at any time using the “Manage cookies” link in the footer.

2.4 Server logs

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security and performance monitoring. These are essential for operating the service and are not used to track you across sites.

3. How long we keep your data

Data | Retention period
Account data (via Clerk) | For the lifetime of your account, then deleted within 30 days of account closure
Call booking data (via Cal.com) | For 24 months after the booking, unless you ask us to delete it sooner
LinkedIn export file | Deleted after processing (within 24 hours of upload)
Enriched network data | For the duration of your active subscription, then deleted within 30 days of cancellation
PostHog product analytics data | 12 months for raw events; aggregated metrics may be retained longer
LinkedIn Insight Tag data | Up to 180 days for direct identifiers; up to 365 days for ad event data, per LinkedIn's policy
Server logs | 90 days
Feedback submissions (in our issue tracker) | For the lifetime of the related issue. Closed issues are kept for up to 24 months for product history, then deleted on request

4. Who we share data with

We do not sell your data. We share it only with the following categories of processors and recipients:

  • Clerk, Inc. — identity, authentication and user management. Processes name, email, password hash, session and device metadata. Operates under a data processing agreement, with hosting in the US under appropriate transfer safeguards (Standard Contractual Clauses and the UK Addendum / EU–US Data Privacy Framework).
  • Cal.com, Inc. — meeting scheduling. Processes name, email, scheduled time, time zone and any details you enter when booking. Operates under a data processing agreement with appropriate transfer safeguards.
  • PostHog Inc. — product analytics (only with your consent). Processes the data described in section 2.3 under PostHog's data processing addendum. Data is stored on PostHog's EU infrastructure (Frankfurt); any transfer outside the EEA is covered by Standard Contractual Clauses with the UK Addendum.
  • LinkedIn Ireland Unlimited Company / LinkedIn Corporation — advertising measurement and audiences via the Insight Tag (only with your consent). LinkedIn acts as an independent controller for some of this processing; see LinkedIn's privacy policy for details.
  • Infrastructure providers — hosting, database and email services operating under data processing agreements.
  • Data enrichment providers — commercial databases queried to enrich company records. Queries contain company names and domains only; your personal details are not shared.
  • JetBrains s.r.o. (YouTrack) — our issue tracker. When you submit feedback through the in-app form we send the message you wrote, your email address and your Cosine account identifier so the team can triage and reply. Hosted in the EU under JetBrains' data processing agreement.
  • Legal or regulatory authorities — if required by law or to protect our legal rights.

Any transfer of personal data outside the UK is protected by UK adequacy regulations, the UK International Data Transfer Addendum, or Standard Contractual Clauses, together with appropriate supplementary measures.

5. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (“right to be forgotten”) where we have no overriding legitimate reason to retain it.
  • Restriction — ask us to pause processing your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
  • Withdraw consent — where processing is based on consent (including analytics and advertising cookies), you may withdraw it at any time without affecting prior lawful processing. Use the “Manage cookies” link in the footer.

To exercise any of these rights, email privacy@getcosine.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

6. Cookies

We use two categories of cookies and similar technologies.

6.1 Essential (always on)

Session and authentication cookies set by Clerk and by our own application are required to keep you signed in and to operate the service. They are exempt from consent under PECR because they are strictly necessary.

6.2 Analytics and advertising (opt-in)

We only load PostHog and the LinkedIn Insight Tag after you click “Accept” on the cookie banner. Until then, no analytics or advertising cookies are set. You can change your choice at any time using the “Manage cookies” link in the footer; this clears your stored preference, instructs PostHog to stop capturing, and re-displays the banner.

For more on the third parties involved, see PostHog's privacy policy and LinkedIn's privacy policy.

7. Security

We use TLS encryption for all data in transit. Data at rest is encrypted using AES-256. Access to personal data is restricted to authorised personnel on a need-to-know basis. We conduct periodic security reviews and maintain an incident response process. Clerk and Cal.com each maintain their own security programmes (including SOC 2) covering the data they process on our behalf.

If we become aware of a personal data breach that poses a risk to your rights, we will notify the ICO within 72 hours and affected individuals without undue delay where required by UK GDPR.

8. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated by email to active users at least 14 days before they take effect. The “last updated” date at the top of this page will always reflect the current version.