Privacy Policy

Last updated: March 2026

1. Information We Collect

When you create an account, we collect your email address and hashed password. If you sign in via GitHub or Google OAuth, we receive your public profile information (name, email, avatar) from those services.

We collect basic usage data such as message counts and model usage to enforce plan limits and improve the service.

2. API Keys (BYOK)

When you provide your own API keys (Bring Your Own Key), they are stored locally on your machine using OS-level encryption (DPAPI on Windows, Keychain on macOS). Your API keys are never transmitted to or stored on our servers.

3. AI Conversations

Your conversation messages are sent to AI providers (Google Gemini, Anthropic, OpenAI, etc.) to generate responses. When using our provided models, messages pass through our cloud server for rate limiting and plan enforcement. We store conversation metadata (titles, timestamps) to enable conversation history.

4. Local MCP Server

The Cosindra desktop application runs a local MCP server on your machine. All tool executions (spawning actors, modifying blueprints, etc.) happen locally within your Unreal Engine editor. No project files or source code are transmitted to our servers.

5. Data Retention

You can delete your account and all associated data at any time from your account settings. Conversation history is deleted when you delete a conversation or your account.

6. Third-Party Services

We use the following third-party services:

  • Google Gemini API — for AI model inference
  • GitHub / Google — for OAuth authentication

Each of these services has their own privacy policy that governs their use of your data.

7. Security

We use industry-standard security measures including JWT authentication, rate limiting, and encrypted connections. API keys are stored using OS-level encryption. Passwords are hashed with bcrypt.

8. Cookies & Tracking

We do not use Google Analytics, Microsoft Clarity, Facebook Pixel, or any third-party tracking service. Authentication tokens are stored in your browser's localStorage, which is classified as strictly necessary storage and does not require consent.

We run a small, first-party analytics system on our own servers. For each page you visit on cosindra.ai we record: the page path, the referring URL and any UTM campaign parameters, your browser user agent, your country (derived from your IP), your IP address, and an anonymous session identifier stored in a first-party cookie (cosindra_session_id, 2-year lifetime, used only to count unique visitors — not for advertising).

Page-view records are automatically deleted after 90 days. Within that window we retain your raw IP address (until the record is deleted) so we can investigate abuse and respond to data subject access requests; on request we will only disclose a one-way SHA-256 hash of your IP, never the raw value. We respect the browser Do Not Track (DNT) signal — when it is enabled we record nothing at all.

9. Contact

For privacy-related questions, contact us at [email protected].