Legal

Privacy Policy

Last updated: July 2026

1. Who We Are

Cossmic operates an applicant tracking, recruiting and onboarding platform for employers in India. This policy explains what personal data we handle, why, and the rights you have over it. It is written to align with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000.

For any privacy question or to exercise your rights, contact privacy@cossmic.in. Cossmic is being incorporated as a private limited company registered in Maharashtra; our registered entity details and named Grievance Officer will be published here once incorporation completes.

2. Roles — Who Controls the Data

When an employer uses Cossmic to hire, the employer decides what candidate data is collected and why — they are the Data Fiduciary. Cossmicprocesses that data on the employer's behalf, under their instructions — we are the Data Processor. For our own account, billing and website data, Cossmic is the Data Fiduciary.

3. Data We Collect

  • Account data: name, work email, organization name, billing contact.
  • Candidate data: résumés, contact details, interview notes, offer and onboarding documents — submitted by the employer or by candidates applying to posted jobs.
  • Onboarding / HR data: where an employer onboards a hire, employment records and government identifiers. Sensitive identifiers such as PAN are encrypted at rest.
  • Usage data: pages visited, actions taken, timestamps — for security, support and product improvement.
  • Website data: if you contact us or book a demo, the details you submit plus your IP address and referral source. See our Cookie Policy.
  • Billing data: processed exclusively by Razorpay. We never store card details.

4. How We Use Your Data

  • Provide and operate the Cossmic platform for the employer that engaged us.
  • Send transactional email (interview invites, offer notifications, onboarding).
  • Process payments via Razorpay.
  • Respond to support requests and secure the service.
  • Meet our legal obligations under Indian law, including the DPDP Act, 2023.

We do not sell personal data, and we do not use candidate data to train any machine-learning model.

5. Data Storage, Security & Residency

Data is stored on cloud-hosted PostgreSQL with row-level security, encrypted connections (TLS 1.2+) and encryption at rest. Tenant isolation is enforced at the database level — one organization cannot access another's data. Access to production data by Cossmic staff is role-restricted, logged, time-boxed and attributable; see our Security Overview.

Where your data lives. Cossmic's infrastructure is India-resident:

LayerProviderRegion
DatabaseSupabase (AWS ap-south-1, Mumbai)India
Application computeVercel (bom1, Mumbai)India
Transactional emailZeptoMail — Zoho (India region)India
Error monitoringSentry — PII-scrubbed, fingerprints onlyNo personal data leaves region

6. Data Retention

We keep personal data only as long as needed for the purpose it was collected:

  • Candidate & applicant data: up to 2 years, or until consent is withdrawn — after which it is deleted or anonymised.
  • Account data: for the duration of your subscription plus 90 days after cancellation.
  • Employee / HR records: retained for the applicable Indian statutory retention period (typically up to 8 years for payroll, PF and tax records), then erased.

Full details are in our Data Retention Policy. You can request deletion at any time — see section 8.

7. Subprocessors

We use a small set of vetted service providers to run Cossmic. Each processes data only to provide its service to us:

  • SupabaseDatabase, authentication & file storage (India (AWS ap-south-1)).
  • VercelApplication hosting & compute (India (bom1)).
  • ZeptoMail (Zoho)Transactional & notification email (India).
  • RazorpayPayment processing (PCI-DSS; no card data stored by Cossmic) (India).
  • SentryError monitoring (PII-scrubbed — fingerprints only) (PII-scrubbed).
  • Google (optional)Calendar & Gmail sync — only if the customer connects it (Global).

The maintained list, and how we notify customers before adding a subprocessor, is on our Subprocessors page.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Erase your personal data (the right to be forgotten).
  • Withdraw consent where processing is based on consent — as easily as it was given.
  • Nominate someone to exercise these rights on your behalf.
  • Raise a grievance about how your data is handled.

Candidates can submit a request directly from any Cossmic careers or application page. You can also email privacy@cossmic.in. We verify the identity of the requester before acting, and respond within 30 days.

9. If You Are Outside India

Cossmic is built for the Indian market and data is processed in India. If you apply to an employer from outside India — including the EU/UK — your data is handled under this policy and the DPDP Act, 2023. Where the GDPR applies to a specific processing activity, we honour the equivalent access, correction, erasure and objection rights; contact privacy@cossmic.in.

10. Grievances & Contact

Privacy questions, rights requests and grievances: privacy@cossmic.in. A named Grievance Officer (as required under DPDP Act, 2023 §13) will be published here on incorporation; until then this inbox is the grievance route.