Privacy Policy

Last updated: March 2026

1. Information We Collect

When you create an account, we collect your email address and hashed password. If you sign in via GitHub or Google OAuth, we receive your public profile information (name, email, avatar) from those services.

We collect basic usage data such as message counts and model usage to enforce plan limits and improve the service.

2. API Keys (BYOK)

When you provide your own API keys (Bring Your Own Key), they are stored locally on your machine using OS-level encryption (DPAPI on Windows, Keychain on macOS). Your API keys are never transmitted to or stored on our servers.

3. AI Conversations

Your conversation messages are sent to AI providers (Google Gemini, Anthropic, OpenAI, etc.) to generate responses. When using our provided models, messages pass through our cloud server for rate limiting and plan enforcement. We store conversation metadata (titles, timestamps) to enable conversation history.

4. Local MCP Server

The Cosindra desktop application runs a local MCP server on your machine. All tool executions (spawning actors, modifying blueprints, etc.) happen locally within your Unreal Engine editor. No project files or source code are transmitted to our servers.

5. Data Retention

You can delete your account and all associated data at any time from your account settings. Conversation history is deleted when you delete a conversation or your account.

6. Third-Party Services

We use the following third-party services:

  • Google Gemini API — for AI model inference
  • GitHub / Google — for OAuth authentication

Each of these services has their own privacy policy that governs their use of your data.

7. Security

We use industry-standard security measures including JWT authentication, rate limiting, and encrypted connections. API keys are stored using OS-level encryption. Passwords are hashed with bcrypt.

8. Cookies & Tracking

We do not use cookies or third-party tracking technologies. Authentication tokens are stored in your browser's localStorage, which is classified as strictly necessary storage and does not require consent. We do not use Google Analytics, Facebook Pixel, or any other analytics service.

9. Contact

For privacy-related questions, contact us at [email protected].