privacy
Privacy Policy
How Cosmic Stack collects, uses, and protects data across our website and products. Local-first by default; minimum-necessary collection; clear retention windows; no dark patterns.
1. What this policy covers
This Privacy Policy explains how Cosmic Stack ("we", "us", "our") collects, uses, discloses, and safeguards your data when you visit cosmicstack.ai or use any of our products, including Mercury Agent (the open-source CLI and the managed cloud service) and Sav.ink. This policy is the overall privacy notice for all Cosmic Stack surfaces.
Where a product has specific data practices that differ from or add to what's described here, those details are noted in the product-specific sections below. In the event of a conflict between this policy and a product-specific notice, the product-specific notice governs for that product's data flows.
We are a Delaware-based entity. Where applicable, this policy is designed to comply with the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and other jurisdictional privacy frameworks. Your statutory rights under those frameworks are not reduced by anything in this policy.
2. Data we collect
2.1 This website (cosmicstack.ai)
- Server access logs. Standard request metadata (IP address, user agent, requested path, status code, timestamp) is logged at the edge by Cloudflare for security, debugging, and abuse prevention. Retained for 30 days.
- Contact & form submissions. When you submit a form (contact, careers, waitlist), we store the submitted fields plus your email address in our transactional email provider (Resend) and, for persistence, in a Cloudflare KV namespace under our control. We use these to respond to you.
- Aggregated, privacy-preserving analytics. We use a self-hosted, cookieless Plausible analytics instance that records anonymous, aggregated page views. No fingerprints, no cross-site tracking, no advertising identifiers, no cookies. The analytics endpoint is under our control at
analytics.cosmicstack.org. - Theme preference. Your light/dark theme choice is stored in
localStorageon your device and never transmitted to our servers.
2.2 Mercury Agent — open-source CLI
The MIT-licensed Mercury Agent CLI runs entirely on your machine. It does not phone home, does not collect telemetry, and does not transmit your code, prompts, or model responses to Cosmic Stack.
- Model API keys you configure are stored in your operating system keychain and never sent to us.
- Prompts, tool outputs, and Second Brain memory are stored locally in your project directory. They are yours; we never see them.
- If you route tools to a third-party provider (OpenAI, Anthropic, xAI, Mistral, Cohere, OpenRouter), your requests go directly to that provider under your own API key and subject to that provider's privacy policy.
2.3 Mercury Agent — managed cloud service
When you subscribe to a Mercury Agent cloud plan (Standard or Advanced), we additionally process:
- Account data. Email address, password hash (bcrypt), organization membership, and role assignments.
- Billing data. Name, billing email, payment method metadata (last four digits, brand, expiry — never the full card number; we use a PCI-compliant payment processor and never touch raw card data), invoices, and transaction history.
- Usage & run metadata. Which models were invoked, token counts, tool calls, duration, and error rates. This powers your usage dashboards and our cost analytics. We do not store the contents of your prompts or model responses on the cloud service unless you explicitly enable run logging for your own audit trail.
- Collaborative knowledge. Second Brain entries shared within a workspace are stored encrypted at rest and visible only to workspace members.
2.4 Sav.ink
Sav.ink-specific data practices are described in the Sav.ink product-specific privacy notice, linked from the Sav.ink product page. Where that notice is silent, this overall policy applies.
3. How we use data
- To operate, maintain, and improve the website and our products.
- To provision and authenticate cloud accounts and manage subscription billing.
- To respond to your inquiries submitted through contact, careers, or waitlist forms.
- To detect, prevent, and respond to security incidents, fraud, and abuse.
- To provide aggregated, anonymized usage analytics that help us understand product direction — never to profile individuals.
- To comply with legal obligations.
We do not use your data to train machine learning models without explicit, specific, opt-in consent. We do not sell data to anyone, under any condition. We do not run third-party ad pixels or marketing trackers.
4. Data sharing & subprocessors
We share data only with vendors who provide infrastructure we rely on to operate, and only under written agreements that require them to protect it at least to the standard of this policy. Current subprocessors include:
- Cloudflare — edge delivery, DDoS protection, Workers runtime, KV storage, and bot/abuse management. Processes request metadata and, for cloud products, application state.
- Resend — transactional email delivery for contact, careers, and billing notifications. Processes the email address and message body.
- Cloudflare Turnstile — bot detection on public forms. Processes a browser challenge token; no personal data is submitted beyond what the form already collects.
- Payment processor — subscription billing for Mercury Agent cloud plans. We never receive or store full card numbers; the processor handles PCI-DSS-scoped data directly.
- Model providers — when you use the managed gateway, your inference requests are routed to OpenAI, Anthropic, xAI, Mistral, Cohere, or OpenRouter subject to those providers' own privacy policies. If you bring your own keys, requests go directly to the provider and we never see the contents.
We will disclose data to law enforcement only where required by valid legal process and only the minimum necessary to comply. We will challenge overbroad requests where appropriate.
5. Cookies & local storage
This website uses no cookies for tracking, marketing, or personalization. The only client-side state we set:
cs:theme— your light/dark theme preference, stored inlocalStorage, never transmitted.__turnstile— a Cloudflare Turnstile anti-bot token, set only when you submit a public form, and scoped to the form submission.
The managed cloud product uses a first-party session cookie (HTTP-only, Secure, SameSite=Lax) to keep you logged in. No third-party cookies are set on any Cosmic Stack surface.
6. Data retention
- Server access logs: 30 days.
- Contact & form submissions: retained for as long as needed to respond, plus up to 12 months for record-keeping, unless you request earlier deletion.
- Cloud account & billing data: retained for the life of your account plus 7 years for tax / accounting compliance. You can request deletion of your account at any time; billing records required by law are kept anonymized.
- Usage metadata: 13 months rolling, aggregated and anonymized thereafter.
- Collaborative knowledge: retained for the life of the workspace. On cancellation, the workspace is deactivated for 30 days, then deleted.
7. Your rights
Wherever you are in the world, you can email hello@cosmicstack.ai and ask us to:
- Tell you what personal data we hold about you (access).
- Delete it (erasure / right to be forgotten).
- Correct inaccurate or incomplete data.
- Export it in a portable, machine-readable format (portability).
- Restrict or object to certain processing.
- Withdraw consent for any processing based on consent.
We will respond within 30 days. If we refuse a request (for example where we are legally required to keep the data), we will tell you why and how to appeal.
California residents: you have additional rights under the CCPA, including the right to know what categories of personal information we collect, the right to opt out of the "sale" or "sharing" of your data (we do neither), and the right not to be discriminated against for exercising your rights.
8. International transfers
Cosmic Stack is based in the United States. When we process data from users in the EU, UK, or other jurisdictions, we rely on the European Commission's adequacy determinations, Standard Contractual Clauses, or another lawful transfer mechanism where required. Our subprocessors are contractually bound to use equivalent protections.
9. Children's privacy
Our website and products are not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email hello@cosmicstack.ai and we will delete it.
10. Security
- All traffic is served over HTTPS. HSTS is enforced at the edge.
- Passwords are hashed with bcrypt; we never store plaintext passwords.
- Payment card data is handled exclusively by a PCI-DSS-compliant processor — we never receive or store full card numbers.
- Cloud account data and collaborative knowledge are encrypted at rest.
- Access to production systems is restricted, logged, and reviewed.
No system is perfectly secure. If we become aware of a data breach that is likely to result in a risk to your rights or freedoms, we will notify affected users and the relevant supervisory authority without undue delay, in line with applicable law.
11. Changes to this policy
We will note material changes here and update the "Last updated" date at the top. Substantive changes that affect data handling will be communicated by email to affected customers at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the revised policy.
12. Contact
Privacy questions, data subject requests, and breach reports: hello@cosmicstack.ai.
Legal and privacy counsel correspondence: legal@cosmicstack.ai.
Billing and account deletion requests: billing@cosmicstack.ai.