privacy
Cosmos stores a graph of what you (and your authorized agents) have said about you. This page describes exactly what we collect, what we do with it, and how to get it out or delete it.
what we collect
- Account. Your email address (or your Apple Sign-In private-relay address). A hashed magic-code if you use email login. An RS256-verified Apple subject id if you use Apple.
- Your graph. Nodes and edges you write, including content text, source tags, timestamps, weights, and confidence. Conversations you have with cosmos in chat. Briefings cosmos generates for you. Sessions, inputs, observations, character snapshots.
- Connector activity. When you connect a client through MCP (claude code, cursor, obsidian, notion, waxfeed, others), that client writes observations into your graph. Each write is tagged with which client did it.
- iMessage sync (opt-in, local). If you run cosmos-mcp imessage sync on your mac, the CLI reads your local chat.db and your AddressBook on your machine, applies a slop filter (no-reply senders, short codes, low-volume contacts are dropped), and ships only the surviving conversational turns into your graph. The read happens locally; we never have access to your chat.db ourselves. What we receive and store are the extracted turns (sender handle, timestamp, message text, thread id) and the names you have for participants.
- Operational logs. Server-side request logs (IP address, user-agent, endpoint, status code, duration), retained for 14 days for security and debugging. We do not log request or response bodies.
- Vectorize embeddings. We compute embeddings of your node labels so cosmos can find semantic matches. Embeddings live in Cloudflare Vectorize indices scoped to your user id.
what we do not collect
- Browser fingerprints, third-party trackers, or cross-site cookies.
- Advertising identifiers.
- Your contacts, your photos, or anything on your device that cosmos was not handed. (The iMessage sync described above is the one exception, and it only runs when you start it.)
- Bodies of the requests and responses going through us, beyond what your graph stores.
where it lives
Cosmos runs on Cloudflare. Your graph is in Cloudflare D1 (SQLite at the edge). KV is used for cache. Vectorize is used for embeddings. Workers AI is used for reasoning. Cloudflare's privacy practices and SOC 2 posture apply to the underlying infrastructure. We do not export your graph to any other backend.
how access is limited
- You. Through the cosmos UI, the chat, and any client whose MCP key you have minted.
- Polarity Lab. We do not provide a routine staff interface for browsing private graphs. Operational access to raw account data is limited to security, incident response, debugging, account recovery, deletion, and legal compliance, and only when needed to handle that specific issue.
- External reasoners. The text needed to answer or process a request may be sent to Cloudflare Workers AI when you use cosmos. We do not send your full graph to external model providers as a general training dataset.
We do not sell your data. We do not share your data with advertisers. We do not feed your data into general-purpose training corpora.
research and product learning
Cosmos is research-stage software. We may study aggregated or de-identified patterns to understand what people use cosmos for, what kinds of things they like or do, which connectors matter, and where the product is wrong or confusing. That research is meant to operate at a high level: feature usage, broad content categories, graph shapes, and aggregate behavior. It is not a license for us to read through identifiable private graphs or publish personal contents without explicit consent.
data you push through connectors
When you connect Notion, Obsidian, WaxFeed, or a future first-party connector, that connector pushes content (pages, taste signals, edits) into cosmos. We store only what the connector sends. You can disconnect a connector and revoke its MCP key from /connectors at any time. Revoking a key does not delete what has already been written into your graph. To delete already-written content, see "deletion" below.
export and deletion
- Export. Call polarity_export through any MCP client you have authorized, or hit /api/polarity/export with your key. You get the full graph as JSON.
- Targeted deletion. Through cosmos chat or the API you can delete individual nodes or edges.
- Full deletion. Email [email protected] from the address on your account. We delete your graph, your sessions, your chat history, your character snapshots, and your MCP keys within 7 days. Backups age out within 30 days.
children
Cosmos is not intended for users under 13. If you believe a child has signed up, email [email protected] and we will delete the account.
security
Magic-code login secrets and Apple Sign-In tokens are verified server-side and never written to disk in plaintext. MCP keys are stored as SHA-256 hashes; the raw key is shown to you once at mint time. Sessions are JWTs signed with HS256 against a server secret. All traffic uses HTTPS. Report a vulnerability privately to [email protected].
jurisdiction
Polarity Lab operates from Rhode Island, USA. By using cosmos you consent to data being processed in the United States. If you are in the EU or UK and want to exercise GDPR / UK-GDPR rights (access, rectification, erasure, portability, restriction, objection), email us and we will act on your request within 30 days.
changes
Material changes to this policy are surfaced in-product before they take effect. The current version is always at cosmos.polarity-lab.com/privacy.
contact
Anything privacy-related: [email protected].