Privacy Policy
Last updated: April 29, 2026
Version 2026-04-29 · Effective April 29, 2026
This Privacy Policy explains how Costa Security Inc. (“Costa,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use the Costa Platform, our website at costa.app, and related services (collectively, the “Services”).
What Costa is: Costa is an AI gateway and observability platform — an intermediary between your AI coding agents and third-party AI model providers. Costa does not generate AI content, train AI models, or operate as an AI model provider. Under Article 3 of the EU AI Act (Regulation 2024/1689), Costa operates as an intermediary, not an AI Provider or Deployer.
Our core data commitment: We never train on your data. Not on the free tier. Not on Enterprise. Not ever. See our full data commitments in our Cloud Service Agreement.
1. Data Controller
Costa Security Inc. 3790 El Camino Real #1090, Palo Alto, CA 94306 privacy@costa.app
For customers using eu.costa.app: all Customer data is processed and stored exclusively within the EEA. See our Cloud Service Agreement §18.
2. Data We Collect
2.1 Data You Provide
| Data Type | What it includes |
|---|---|
| Account Data | Name, email address, organization name and details |
| Payment Data | Payment information processed by Stripe. Costa does not store full credit card numbers. |
| Support Data | Information you provide when contacting support |
| Provider Tokens | Third-party API keys you choose to store with Costa for proxy routing. Stored encrypted at rest (AES-256). |
2.2 Data Collected Through the Proxy
When your AI agents route requests through Costa:
| Data Type | What it includes | Purpose |
|---|---|---|
| Interaction Metadata | Timestamps, token counts, model identifiers, tool call names, latency, agent identifiers, app labels | Observability, security analysis, analytics, billing |
| Thread Content | Prompts and responses passing through the proxy | Thread viewing, security analysis |
| Security Scan Results | Tool Defender analysis outputs, flagged patterns | Security monitoring |
2.3 Data Collected Automatically
| Data Type | What it includes |
|---|---|
| Technical Data | IP address, browser type, device information, OS, referring URLs |
| Usage Data | Pages viewed, features used, access timestamps |
| Cookies | Essential cookies only. See our Cookie Policy. |
3. How We Use Your Data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing the Services | All data types | Performance of contract |
| Security and observability | Interaction metadata, thread content, security scan results | Legitimate interests |
| Billing and payment | Account data, payment data, interaction metadata | Performance of contract; legal obligation |
| Product improvement | Aggregated, de-identified usage data only | Legitimate interests |
| Support communications | Account data, support data | Performance of contract |
| Marketing communications | Account data, email | Consent |
| Legal and compliance | All data types as required | Legal obligation |
What we never do with your data:
- Train, fine-tune, or improve any AI/ML model using your prompts, responses, or thread content
- Sell personal data
- Share personal data for cross-context behavioral advertising
See Cloud Service Agreement §13 for our complete and legally binding no-training commitment.
4. How We Share Your Data
We share personal data only in the following circumstances:
AI Model Providers. When your agents route requests through Costa, we forward those requests to the model provider you specify. Costa acts as a technical conduit — see Cloud Service Agreement Additional Term 1. Those providers process data under their own privacy policies:
Costa is not responsible for upstream providers’ privacy practices.
Subprocessors. We use the subprocessors listed at trust.costa.app for infrastructure, payments, and communications.
Legal Requirements. When required by law, regulation, legal process, or governmental request.
Business Transfers. In connection with a merger, acquisition, or sale of assets, with notice to affected users.
With Your Consent. When you explicitly direct us to share data.
5. Data Retention
| Data Type | Default Retention | Notes |
|---|---|---|
| Interaction Metadata | Subscription Period + 60 days | Enterprise: configurable per Order Form |
| Thread Content | 30 days | Configurable in Costa settings |
| Account Data | Duration of account + 30 days | 30-day export window on termination |
| Billing Data | 6 years | Tax and audit requirements |
| Security Scan Results | Same as Interaction Metadata | Tied to metadata lifecycle |
| Provider Tokens | Until revoked by customer | Encrypted at rest (AES-256) |
After the applicable retention period, data is permanently deleted or irreversibly de-identified.
6. Your Rights
6.1 Rights for All Users
Regardless of location, you may:
- Access the personal data we hold about you
- Export your data in machine-readable format (JSON)
- Delete your account and associated data
- Update your account information in the Costa dashboard
6.2 Account Deletion
To request deletion, access, export, or correction of your data, submit a data request. You can also contact privacy@costa.app or use account settings. Every request is logged and tracked through to resolution.
| Step | Timeline |
|---|---|
| Acknowledge request | Within 5 business days |
| Disable account access | Within 5 business days |
| Provide data export (if requested) | 30-day export window |
| Delete account data, metadata, thread content | Within 30 days after export window closes |
| Delete provider tokens | Immediately on account disable |
Retained after deletion: billing data (6 years, tax/audit); legally required data; aggregated de-identified data that cannot identify you.
6.3 Additional Rights — EEA, Switzerland, and UK (GDPR)
- Rectification of inaccurate personal data
- Restriction of processing in certain circumstances
- Objection to processing based on legitimate interests
- Portability of your data to another service
- Withdrawal of consent at any time
- Lodge a complaint with your local supervisory authority: edpb.europa.eu
6.4 Additional Rights — California (CCPA/CPRA)
- Know what personal data we collect and how it is used
- Delete personal data we hold about you
- Opt out of sale or sharing of personal data (we do not sell or share)
- Non-discrimination for exercising your rights
6.5 Response Timelines
| Request Type | Initial Response | Completion |
|---|---|---|
| GDPR rights (access, rectification, erasure, portability) | Within 30 days | May extend 60 days for complex requests (with notice) |
| CCPA rights (know, delete, opt-out) | Within 45 days | May extend 45 days (with notice) |
| Account deletion | Within 5 business days | See §6.2 |
To exercise any rights: privacy@costa.app
7. Data Transfers
Costa is headquartered in the United States. For transfers from the EEA, Switzerland, or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and adequacy decisions where applicable.
For customers using eu.costa.app: all Customer data is processed and stored exclusively within the EEA.
8. Security
We implement administrative, technical, and organizational measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based least-privilege access controls
- Multi-factor authentication for internal systems
- Regular security assessments
For details: costa.app/security
9. Cookies
Costa uses only essential cookies for authentication and session management. We do not use tracking, advertising, or third-party analytics cookies.
For full details see our Cookie Policy.
10. Global Privacy Control and Do Not Track
Costa honors Global Privacy Control (GPC) signals as a valid opt-out request under applicable laws including CCPA/CPRA. Costa does not respond to browser Do Not Track (DNT) signals as there is no industry-wide standard for DNT.
11. Data Protection Officer
Costa has not yet appointed a formal Data Protection Officer. For all data protection inquiries, contact privacy@costa.app. A DPO will be appointed when required under GDPR Article 37.
12. Data Processing Addendum
Enterprise customers requiring GDPR-compliant data processing terms can find our Data Processing Addendum at costa.app/legal/dpa.
13. Children
Costa is not directed to individuals under 18. We do not knowingly collect personal data from children. Contact privacy@costa.app if you believe a child has provided us personal data.
14. Changes to This Policy
We will provide at least 30 days notice before making material changes. The effective date at the top of this page reflects the last update.
15. Contact
Email: privacy@costa.app Mail: Costa Security Inc., 3790 El Camino Real #1090, Palo Alto, CA 94306
Changelog
| Version | Date | Summary |
|---|---|---|
| 2026-04-29 | April 29, 2026 | Full rewrite. Added EU AI Act Article 3 statement; published DPA link; separated cookie section to Cookie Policy; consolidated GDPR legal bases into data use table; improved structure and scannability throughout. |
| 2026-03-17 | March 17, 2026 | Initial version. |