Privacy Policy

Learn how we collect, use, and protect your personal information in compliance with UK law

Last Updated: May 15, 2025

This Privacy Policy has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK privacy laws. It outlines how we collect, use, store, and protect your personal information.

1. Introduction

COSA ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our AI-powered call compliance services.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

For the purposes of UK data protection laws, COSA (Skynet Solutions LTD) is the data controller of your personal information. Our company registration number is 12345678.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Register for an account
  • Sign up for our newsletter
  • Request a demo
  • Submit a contact form
  • Participate in surveys or promotions

This information may include:

  • Name
  • Email address
  • Phone number
  • Company name and position
  • Mailing address

2.2 Call Data

When you use our AI-powered call compliance services, we process call recordings and transcripts. This data may contain personal information about your customers, including:

  • Names
  • Contact information
  • Financial information
  • Health information
  • Other personal details shared during calls

Some of this information may constitute "special category data" under UK data protection law, which requires additional protections. We only process such data with explicit consent or where another legal basis applies under the UK GDPR.

2.3 Automatically Collected Information

When you visit our website, we automatically collect certain information about your device, including:

  • IP address
  • Browser type and version
  • Operating system
  • Time zone setting
  • Pages visited and time spent on those pages
  • Referral sources
  • Device information

This information is collected using cookies and similar technologies. For more information about our use of cookies, please see our Cookie Policy.

3. Legal Basis for Processing

Under UK data protection law, we must have a valid legal basis for processing your personal information. The legal bases we rely on include:

  • Consent - Where you have given clear consent for us to process your personal data for a specific purpose
  • Contract - Where processing is necessary for the performance of a contract with you
  • Legal Obligation - Where processing is necessary for compliance with a legal obligation
  • Legitimate Interests - Where processing is necessary for our legitimate interests or those of a third party

Where we rely on legitimate interests, we have carried out a legitimate interests assessment to ensure that our processing is necessary and that your fundamental rights do not override these interests.

4. How We Use Your Information

We may use the information we collect for various purposes, including to:

  • Provide Services - Operate and maintain our services
  • Improve Experience - Personalize and expand our services
  • Analyze Usage - Understand how you use our services
  • Develop Features - Create new products and functionality
  • Communication - Send updates and other information
  • Process Transactions - Handle payments and related information
  • Prevent Fraud - Find and prevent fraudulent activities
  • Legal Compliance - Meet our legal obligations

4.1 Call Data Processing

We process call recordings and transcripts to provide our AI-powered compliance services, including:

  • Analyzing calls for compliance with FCA regulations
  • Detecting potential vulnerabilities in customers
  • Identifying areas for improvement in call handling
  • Generating compliance reports and analytics

We act as a data processor for this information, and you remain the data controller. We process this data in accordance with our Data Processing Agreement and in compliance with UK GDPR requirements for data processors.

5. Data Retention

We will retain your personal information only for as long as is necessary for the purposes set out in this privacy policy. We will retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.

For call data, we retain information according to the terms specified in our Data Processing Agreement with you, or as required by applicable regulations.

In accordance with UK data protection law, we maintain a documented retention schedule that sets out the specific retention periods for different categories of data. You may request information about our retention periods for specific types of information by contacting our Data Protection Officer.

6. Data Security

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure.

Our security measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Staff training on data protection and security
  • Physical security measures for our facilities
  • Regular data protection impact assessments
  • Incident response procedures
  • Regular security audits and compliance checks

We have procedures in place to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office (ICO) of a breach where we are legally required to do so, within the timeframes required by the UK GDPR.

7. Your Data Protection Rights

Under UK data protection law, you have significant rights regarding your personal information. These include:

  • Right to Access - Request copies of your personal information
  • Right to Rectification - Request correction of inaccurate information
  • Right to Erasure - Request deletion of your personal information (the 'right to be forgotten')
  • Right to Restrict Processing - Request limits on how we use your data
  • Right to Object - Object to our processing of your information
  • Right to Data Portability - Request transfer of your data in a machine-readable format
  • Rights Related to Automated Decision Making - Rights regarding decisions made without human involvement
  • Right to Withdraw Consent - Withdraw consent where processing is based on consent

If you would like to exercise any of these rights, please contact our Data Protection Officer using the information provided in the "Contact Us" section below. We will respond to your request within one month.

You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

8. Third-Party Disclosure

We may share your information with third parties in the following situations:

  • Service Providers - We may share your information with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf.
  • Business Transfers - If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.
  • Legal Requirements - We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
  • To Protect Rights - We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We maintain a register of all third parties with whom we share personal data and ensure appropriate data processing agreements are in place in accordance with UK GDPR requirements.

9. International Data Transfers

We may transfer, store, and process your information in countries other than your own. Our servers are located in the United Kingdom and the European Economic Area (EEA).

Following the UK's exit from the European Union, the UK has established its own international data transfer mechanisms. Where we transfer your personal data outside the UK, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

  • Transferring to countries that have been deemed to provide an adequate level of protection for personal data by the UK government.
  • Using specific contracts approved by the UK government (known as the "International Data Transfer Agreement" or "UK Addendum to the EU SCCs") which give personal data the same protection it has in the UK.
  • Where we use providers based in the US, we may transfer data to them if they are part of a framework that ensures they provide similar protection to personal data shared between the UK and other countries.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

10. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we can take necessary actions.

In the UK, the Age Appropriate Design Code (or Children's Code) sets out additional protections for children's personal data. Although our services are not directed at children, we are committed to complying with these principles where applicable.

11. Automated Decision Making and Profiling

Our AI-powered call compliance services involve automated processing, including profiling, which may produce legal effects concerning individuals or similarly significantly affect them. This processing is used to analyze call recordings for compliance with FCA regulations and to identify potential vulnerabilities in customers.

Under UK data protection law, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where:

  • It is necessary for entering into, or performance of, a contract between you and us;
  • It is authorized by UK law; or
  • It is based on your explicit consent.

Where we use automated decision-making, we implement suitable safeguards, including:

  • Human oversight and intervention in the decision-making process;
  • Regular testing and auditing of our algorithms;
  • Clear explanations of decisions made; and
  • A process for contesting automated decisions.

12. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

Data Protection Officer

Email: dpo@cosa.com

Phone: +44 20 1234 5679

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this page. You are advised to review this Privacy Policy periodically for any changes.

For significant changes, we will provide a more prominent notice, which may include an email notification to the email address we have on file for you.

14. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

  • Email: privacy@cosa.com
  • Phone: +44 20 1234 5678