Privacy Policy

Last Updated: 27 October 2025

1. INTRODUCTION

Welcome to CosmosTune ("we", "us", "our", "the App", "the Service"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our mobile application and services.

This Privacy Policy applies to all users of the CosmosTune mobile application, regardless of location. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MUST NOT USE THE SERVICE.

1.1 Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), the data controller is:

CosmosTune
Email: privacy@cosmostune.com
Data Protection Officer: dpo@cosmostune.com

2. INFORMATION WE COLLECT

We collect several types of information from and about users of our Service. The information we collect depends on how you interact with the Service and the permissions you grant.

2.1 Personal Information You Provide

Account Information:

  • Email address
  • Username
  • Password (encrypted)
  • Profile information (name)
  • Profile picture (if uploaded)
  • Account preferences and settings

User-Generated Content:

  • Personal voice recordings (affirmations recorded in your own voice)
  • Custom playlists and playlist names
  • Favourited tracks and content
  • Notes or journal entries (if feature is used)
  • Progress tracking data and goal settings

Mental State and Wellness Data:

  • Mental state selections (Sleep, Focus, Meditate, Play, Connect, Learn, Relax)
  • Wellness preferences and mood indicators
  • Progress tracking related to mindset goals
  • IMPORTANT: We treat this data as potentially sensitive information and apply enhanced protections

2.2 Information Collected Automatically

Usage Data:

  • App usage patterns and session data
  • Features accessed and time spent on each feature
  • Affirmation tracks listened to and listening history
  • Mental state selections and frequency
  • Progress metrics (listening hours, session counts, streak data)
  • Audio playback behaviour (play, pause, skip, repeat)

Device Information:

  • Device type and model (iPhone, iPad)
  • Operating system and version (iOS version)
  • Device identifier (IDFA/IDFV, where permitted)
  • Mobile network information
  • Time zone and language settings
  • Screen resolution and device specifications

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

3.1 To Provide and Maintain the Service

  • Create and manage your account
  • Authenticate your identity and provide secure access
  • Process and manage your subscription
  • Deliver personalised content and recommendations
  • Store and sync your preferences, playlists, and progress across devices
  • Process your voice recordings for personalised affirmations
  • Track your progress and display analytics
  • Provide customer support and respond to your enquiries

3.2 To Improve and Optimise the Service

  • Analyse usage patterns to understand how users interact with the Service
  • Identify and fix technical issues, bugs, and errors
  • Test new features and conduct A/B testing
  • Improve app performance, speed, and reliability
  • Develop new features and enhance existing functionality
  • Conduct research and analytics on user behaviour

4. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:

CRITICAL: We do not sell, rent, trade, or share your personal information to third parties for their marketing or advertising purposes.

4.1 FTC Health Breach Notification Rule Compliance

NO UNAUTHORIZED HEALTH DATA SHARING FOR ADVERTISING:

We comply with the U.S. Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318), which prohibits unauthorized disclosure of health information for advertising purposes.

OUR COMMITMENTS:

  • We do NOT share mental state selections, wellness data, or usage patterns with Facebook, Google, TikTok, or other advertising platforms for targeted advertising
  • We do NOT sell or share health-related information with third-party advertisers or data brokers
  • We do NOT use your wellness data to create advertising profiles
  • Any data shared with service providers is limited to operational purposes only and is protected by strict contractual agreements

5. DATA RETENTION

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

5.1 Retention Periods

Account Data:

  • Retained whilst your account is active
  • Retained for 30 days after account deletion to allow for account recovery
  • Permanently deleted after 30 days unless legal obligations require longer retention

Voice Recordings:

  • Retained whilst your account is active
  • Deleted within 30 days of account deletion
  • You may delete individual voice recordings at any time through the App

6. YOUR RIGHTS AND CHOICES

You have certain rights regarding your personal information under applicable data protection laws, including the UK GDPR, EU GDPR, and other privacy laws.

6.1 Rights Under GDPR (UK and EU Users)

Right to Access (Art. 15 GDPR):

  • You have the right to request access to your personal data
  • You can request a copy of the personal information we hold about you
  • You can request information about how we process your data

Right to Rectification (Art. 16 GDPR):

  • You have the right to request correction of inaccurate or incomplete personal data
  • You can update your account information directly in the App

Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR):

  • You have the right to request deletion of your personal data in certain circumstances
  • You can delete your account and data through the App settings
  • Note: We may retain certain information where legally required

7. CHILDREN'S PRIVACY AND COPPA COMPLIANCE

IMPORTANT: The Service is not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages without verifiable parental consent.

7.1 Age Restrictions

  • Minimum Age (United States): 13 years
  • Minimum Age (European Economic Area/UK): 16 years
  • Users Under 18: Require parental or legal guardian consent and supervision
  • COPPA 2.0 Compliance: We comply with enhanced protections for minors under 17 (effective June 23, 2025)

8. DATA SECURITY

We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.

8.1 Security Measures

Our security measures include:

Encryption:

  • All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols
  • Sensitive data stored on our servers is encrypted at rest using AES-256 encryption
  • Passwords are hashed and salted using bcrypt or similar secure algorithms

9. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

CosmosTune Privacy Team

Email: privacy@cosmostune.com
Data Protection Officer: dpo@cosmostune.com
General Support: support@cosmostune.com
Website: www.cosmostune.com

Response Time: We aim to respond to all privacy enquiries within 48 hours for general enquiries and within 30 days for formal data subject requests.

By using the Service, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You consent to the collection, use, and disclosure of your personal information as described
  • You understand your rights and how to exercise them
  • You agree to the transfer of your data to countries outside your country of residence

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MUST IMMEDIATELY DISCONTINUE USE OF THE SERVICE AND DELETE YOUR ACCOUNT.

10. THIRD-PARTY SERVICES AND LINKS

The Service may contain links to third-party websites, applications, or services that are not operated or controlled by us.

10.1 Third-Party Privacy Policies

We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party service before providing your personal information.

Key Third-Party Services:

  • Apple App Store: https://www.apple.com/legal/privacy/
  • RevenueCat: https://www.revenuecat.com/privacy
  • Analytics Providers: Refer to individual provider privacy policies

10.2 Social Media Integration

If you choose to connect your account to social media platforms (Facebook, Instagram, etc.):

  • You authorise us to access certain information from your social media account
  • The data we access is governed by the privacy settings you have set on those platforms
  • You can disconnect social media integrations at any time through App Settings

10.3 No Endorsement

The inclusion of any third-party link does not imply endorsement of that service's privacy practices.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

11.1 Notification of Changes

When we make changes to this Privacy Policy:

  • We will update the "Last Updated" date at the top of this document
  • For material changes, we will notify you by:
    • Displaying a prominent notice in the App
    • Sending an email to the address associated with your account
    • Push notification (if enabled)

11.2 Your Acceptance

Your continued use of the Service after we post changes to this Privacy Policy constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Service and may delete your account.

11.3 Review Regularly

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

12. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with applicable laws.

Contact Our DPO:

  • Email: dpo@cosmostune.com
  • Subject: "Data Protection Enquiry"

Our DPO is available to answer questions about this Privacy Policy, our data processing activities, and your rights.

13. SUPERVISORY AUTHORITY CONTACT

If you are located in the UK or European Economic Area and have concerns about our data processing activities, you have the right to lodge a complaint with your local supervisory authority.

United Kingdom:

  • Information Commissioner's Office (ICO)
  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

European Union:

  • European Data Protection Board (EDPB)
  • Website: https://edpb.europa.eu
  • Find your local Data Protection Authority: https://edpb.europa.eu/about-edpb/board/members_en

United States (California):

  • California Attorney General's Office
  • Website: https://oag.ca.gov/privacy
  • Telephone: (916) 210-6276

14. SPECIFIC DISCLOSURES FOR JURISDICTIONS

14.1 United Kingdom

Under UK GDPR, the lawful bases for processing your personal data are set out in Section 3.7 of this Privacy Policy. You have the rights outlined in Section 8.1.

14.2 European Union

Under EU GDPR, the lawful bases for processing your personal data are set out in Section 3.7 of this Privacy Policy. You have the rights outlined in Section 8.1.

14.3 California, United States

Under CCPA and CPRA, California residents have the rights outlined in Section 8.2. We do not "sell" or "share" personal information as defined by the CCPA.

California "Shine the Light" Law: California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. As we do not share personal information with third parties for their direct marketing purposes, we are exempt from this requirement.

14.4 Brazil (LGPD)

For users in Brazil, we process personal data in accordance with the Lei Geral de Proteção de Dados (LGPD). You have rights similar to those outlined in Section 8.1, including rights to access, correction, deletion, portability, and to withdraw consent.

14.5 Australia (Privacy Act)

For users in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. You have rights to access and correct your personal information and to make complaints to the Office of the Australian Information Commissioner (OAIC).

15. ADDITIONAL INFORMATION

15.1 Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.

We may use algorithms and machine learning to:

  • Recommend affirmations and content based on your listening history
  • Personalise your app experience based on usage patterns
  • Optimise app performance

These processes do not produce legal or similarly significant effects and do not require human intervention for override.

15.2 Sensitive Personal Data

We generally do not collect "sensitive personal data" (also known as "special categories of personal data" under GDPR), which includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data for identification purposes
  • Health data (with limited exceptions as noted below)
  • Sex life or sexual orientation

Mental State Data: While the mental state selections you make in the App (e.g., "Sleep", "Focus", "Relax") could potentially be used to infer wellness preferences, we treat this data with heightened protections and do not use it to infer health conditions or make health-related decisions.

Voice Recordings: Your personal voice recordings are stored securely and used only to provide the Service to you. We do not use voice recordings for biometric identification.

15.3 Data Minimisation

We adhere to the principle of data minimisation and collect only the personal data that is necessary to provide and improve the Service. We regularly review the data we collect to ensure it remains relevant and limited to what is necessary.

15.4 Anonymisation and Pseudonymisation

Where possible, we anonymise or pseudonymise personal data to reduce privacy risks. Anonymised data cannot be traced back to you and is not subject to data protection laws.

16. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

CosmosTune Privacy Team

Email: privacy@cosmostune.com
Data Protection Officer: dpo@cosmostune.com
General Support: support@cosmostune.com
Website: www.cosmostune.com

Mailing Address: CosmosTune - XPRESS CODERS LTD, 27 Old Gloucester Street, London, WC1N 3AX United Kingdom

Response Time: We aim to respond to all privacy enquiries within 48 hours for general enquiries and within 30 days for formal data subject requests.

17. ACKNOWLEDGEMENTS

By using the Service, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You consent to the collection, use, and disclosure of your personal information as described
  • You understand your rights and how to exercise them
  • You agree to the transfer of your data to countries outside your country of residence

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MUST IMMEDIATELY DISCONTINUE USE OF THE SERVICE AND DELETE YOUR ACCOUNT.

APPENDIX A: CATEGORIES OF PERSONAL DATA COLLECTED

For transparency, here is a summary of the personal data we collect:

| Category | Examples | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|
| Account Information | Email, username, password, profile details | Performance of contract | Active account + 30 days |
| Payment Information | Subscription status, transaction IDs (via Apple/RevenueCat) | Performance of contract | 7 years (financial regulations) |
| Usage Data | Listening history, session data, progress tracking | Legitimate interests | 2 years |
| Device Information | Device type, OS version, IDFA/IDFV | Legitimate interests | 2 years |
| Voice Recordings | Personal affirmations in your voice | Performance of contract | Active account + 30 days |
| Communications | Support enquiries, feedback | Legitimate interests | 3 years |
| Location Data | Country/region (inferred from IP) | Legitimate interests | 2 years |
| Analytics Data | Crash reports, performance metrics | Legitimate interests | 2 years |

APPENDIX B: THIRD-PARTY SERVICE PROVIDERS

| Provider | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Apple Inc. | App distribution, payment processing | Subscription data, device info | United States | apple.com/legal/privacy |
| RevenueCat | Subscription management, analytics | Subscription events, user identifiers | United States | revenuecat.com/privacy |
| Analytics Provider | App performance monitoring | Usage data, crash reports | Various | See provider policy |

APPENDIX C: YOUR PRIVACY RIGHTS AT A GLANCE

| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Get a copy of your data | Email privacy@cosmostune.com or use App Settings |
| Rectification | Correct inaccurate data | Update via App Settings or email privacy@cosmostune.com |
| Erasure | Delete your data | Delete account via App Settings |
| Portability | Receive data in portable format | Request via App Settings > Download My Data |
| Object | Stop certain processing | Contact privacy@cosmostune.com |
| Restrict | Limit how we use your data | Contact privacy@cosmostune.com |
| Withdraw Consent | Stop consented processing | Adjust preferences in App Settings |
| Complain | Lodge a complaint | Contact ICO (UK) or local authority |

This Privacy Policy was last updated on 27 October 2025 and is effective immediately for all users.

CosmosTune © 2025. All Rights Reserved.