Privacy Policy

Last updated: April 29, 2026

Version 2026-04-29 · Effective April 29, 2026

This Privacy Policy explains how Costa Security Inc. (“Costa,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use the Costa Platform, our website at costa.app, and related services (collectively, the “Services”).

What Costa is: Costa is an AI gateway and observability platform — an intermediary between your AI coding agents and third-party AI model providers. Costa does not generate AI content, train AI models, or operate as an AI model provider. Under Article 3 of the EU AI Act (Regulation 2024/1689), Costa operates as an intermediary, not an AI Provider or Deployer.

Our core data commitment: We never train on your data. Not on the free tier. Not on Enterprise. Not ever. See our full data commitments in our Cloud Service Agreement.


1. Data Controller

Costa Security Inc. 3790 El Camino Real #1090, Palo Alto, CA 94306 privacy@costa.app

For customers using eu.costa.app: all Customer data is processed and stored exclusively within the EEA. See our Cloud Service Agreement §18.


2. Data We Collect

2.1 Data You Provide

Data Type What it includes
Account Data Name, email address, organization name and details
Payment Data Payment information processed by Stripe. Costa does not store full credit card numbers.
Support Data Information you provide when contacting support
Provider Tokens Third-party API keys you choose to store with Costa for proxy routing. Stored encrypted at rest (AES-256).

2.2 Data Collected Through the Proxy

When your AI agents route requests through Costa:

Data Type What it includes Purpose
Interaction Metadata Timestamps, token counts, model identifiers, tool call names, latency, agent identifiers, app labels Observability, security analysis, analytics, billing
Thread Content Prompts and responses passing through the proxy Thread viewing, security analysis
Security Scan Results Tool Defender analysis outputs, flagged patterns Security monitoring

2.3 Data Collected Automatically

Data Type What it includes
Technical Data IP address, browser type, device information, OS, referring URLs
Usage Data Pages viewed, features used, access timestamps
Cookies Essential cookies only. See our Cookie Policy.

3. How We Use Your Data

Purpose Data used Legal basis (GDPR)
Providing the Services All data types Performance of contract
Security and observability Interaction metadata, thread content, security scan results Legitimate interests
Billing and payment Account data, payment data, interaction metadata Performance of contract; legal obligation
Product improvement Aggregated, de-identified usage data only Legitimate interests
Support communications Account data, support data Performance of contract
Marketing communications Account data, email Consent
Legal and compliance All data types as required Legal obligation

What we never do with your data:

See Cloud Service Agreement §13 for our complete and legally binding no-training commitment.


4. How We Share Your Data

We share personal data only in the following circumstances:

AI Model Providers. When your agents route requests through Costa, we forward those requests to the model provider you specify. Costa acts as a technical conduit — see Cloud Service Agreement Additional Term 1. Those providers process data under their own privacy policies:

Costa is not responsible for upstream providers’ privacy practices.

Subprocessors. We use the subprocessors listed at trust.costa.app for infrastructure, payments, and communications.

Legal Requirements. When required by law, regulation, legal process, or governmental request.

Business Transfers. In connection with a merger, acquisition, or sale of assets, with notice to affected users.

With Your Consent. When you explicitly direct us to share data.


5. Data Retention

Data Type Default Retention Notes
Interaction Metadata Subscription Period + 60 days Enterprise: configurable per Order Form
Thread Content 30 days Configurable in Costa settings
Account Data Duration of account + 30 days 30-day export window on termination
Billing Data 6 years Tax and audit requirements
Security Scan Results Same as Interaction Metadata Tied to metadata lifecycle
Provider Tokens Until revoked by customer Encrypted at rest (AES-256)

After the applicable retention period, data is permanently deleted or irreversibly de-identified.


6. Your Rights

6.1 Rights for All Users

Regardless of location, you may:

6.2 Account Deletion

To request deletion, access, export, or correction of your data, submit a data request. You can also contact privacy@costa.app or use account settings. Every request is logged and tracked through to resolution.

Step Timeline
Acknowledge request Within 5 business days
Disable account access Within 5 business days
Provide data export (if requested) 30-day export window
Delete account data, metadata, thread content Within 30 days after export window closes
Delete provider tokens Immediately on account disable

Retained after deletion: billing data (6 years, tax/audit); legally required data; aggregated de-identified data that cannot identify you.

6.3 Additional Rights — EEA, Switzerland, and UK (GDPR)

6.4 Additional Rights — California (CCPA/CPRA)

6.5 Response Timelines

Request Type Initial Response Completion
GDPR rights (access, rectification, erasure, portability) Within 30 days May extend 60 days for complex requests (with notice)
CCPA rights (know, delete, opt-out) Within 45 days May extend 45 days (with notice)
Account deletion Within 5 business days See §6.2

To exercise any rights: privacy@costa.app


7. Data Transfers

Costa is headquartered in the United States. For transfers from the EEA, Switzerland, or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and adequacy decisions where applicable.

For customers using eu.costa.app: all Customer data is processed and stored exclusively within the EEA.


8. Security

We implement administrative, technical, and organizational measures including:

For details: costa.app/security


9. Cookies

Costa uses only essential cookies for authentication and session management. We do not use tracking, advertising, or third-party analytics cookies.

For full details see our Cookie Policy.


10. Global Privacy Control and Do Not Track

Costa honors Global Privacy Control (GPC) signals as a valid opt-out request under applicable laws including CCPA/CPRA. Costa does not respond to browser Do Not Track (DNT) signals as there is no industry-wide standard for DNT.


11. Data Protection Officer

Costa has not yet appointed a formal Data Protection Officer. For all data protection inquiries, contact privacy@costa.app. A DPO will be appointed when required under GDPR Article 37.


12. Data Processing Addendum

Enterprise customers requiring GDPR-compliant data processing terms can find our Data Processing Addendum at costa.app/legal/dpa.


13. Children

Costa is not directed to individuals under 18. We do not knowingly collect personal data from children. Contact privacy@costa.app if you believe a child has provided us personal data.


14. Changes to This Policy

We will provide at least 30 days notice before making material changes. The effective date at the top of this page reflects the last update.


15. Contact

Email: privacy@costa.app Mail: Costa Security Inc., 3790 El Camino Real #1090, Palo Alto, CA 94306


Changelog

Version Date Summary
2026-04-29 April 29, 2026 Full rewrite. Added EU AI Act Article 3 statement; published DPA link; separated cookie section to Cookie Policy; consolidated GDPR legal bases into data use table; improved structure and scannability throughout.
2026-03-17 March 17, 2026 Initial version.