Privacy Policy

Last updated: March 10, 2026

1. Who We Are

Chief of Staff is operated by HKO Engineering OÜ, a company registered in Estonia (registry code 16587065). We are the data controller for the personal data processed through this Service.

Contact: hello@getcos.ai

2. Data We Collect

Account data

When you sign up, we collect your name, email address, and timezone. If you sign in with Google, we receive your name and email from Google's OAuth flow.

Channel data

When you connect communication channels (Gmail, Slack, Calendar), we access:

  • Email: sender, recipient, subject, body text, timestamps
  • Calendar: event titles, times, attendees, descriptions
  • Slack: messages in channels you authorize, sender names, timestamps

We process this data to classify items, generate summaries, and draft responses. We store AI-generated summaries and metadata. We do not store full email bodies or message content longer than necessary for processing (typically deleted within 24 hours of classification).

Usage data

We collect anonymized usage analytics: pages visited, features used, actions taken (approve/reject/rewrite counts). We do not track you across other websites.

Payment data

Payments are processed by Stripe. We do not store your credit card number. Stripe's privacy policy governs payment data handling.

3. How We Use Your Data

  • Provide the Service: classify messages, generate briefs, draft responses, manage your inbox
  • Improve AI quality: when you rewrite an AI draft, we store the before/after pair to improve future drafts for your account. This data is used only for your personalization and is never shared with other users or used to train third-party AI models
  • Send transactional emails: account confirmations, billing receipts, security alerts
  • Product updates: occasional emails about new features (you can unsubscribe at any time)

Legal basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): providing the Service, processing your messages, generating briefs and drafts
  • Legitimate interest (Art. 6(1)(f)): improving AI quality for your account, usage analytics, security measures
  • Legal obligation (Art. 6(1)(c)): retaining billing records as required by Estonian tax law
  • Consent (Art. 6(1)(a)): product update emails (you can withdraw consent at any time)

4. AI Processing

We use Anthropic's Claude AI models to process your messages. Anthropic is our sole AI sub-processor. When we send data to Anthropic for processing:

  • Data is transmitted over encrypted connections (TLS)
  • Anthropic does not use your data to train their models (per their commercial API terms)
  • We send only the minimum context needed for each classification or draft
  • No personally identifiable information is included in AI prompts when it is not necessary for the task
  • A Data Processing Agreement (DPA) is in place with Anthropic

If we add or change AI providers in the future, we will update this policy and notify you at least 14 days in advance (see Section 12).

5. Data Storage and Security

  • Data is stored on AWS infrastructure in the EU (Frankfurt, eu-central-1)
  • Database is encrypted at rest (AES-256) and in transit (TLS)
  • OAuth tokens for your connected channels are encrypted at rest using AES-256 with a per-deployment encryption key
  • Access to production systems is restricted to authorized personnel only
  • We do not sell your data to third parties

6. Data Sharing and Sub-processors

We share your data only with the following sub-processors:

  • Anthropic (San Francisco, USA): AI processing — message classification and draft generation (see Section 4)
  • Stripe (San Francisco, USA): payment processing and billing
  • Clerk (San Francisco, USA): authentication and account management
  • AWS (Frankfurt, Germany): infrastructure, database, and file storage

We do not sell, rent, or trade your personal data. We may disclose data if required by law or to protect our legal rights.

7. International Data Transfers

Your data is stored in the EU (AWS Frankfurt). However, some sub-processors (Anthropic, Stripe, Clerk) are based in the United States. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-U.S. Data Privacy Framework (DPF) where applicable
  • Data Processing Agreements (DPAs) with each sub-processor

8. Your Rights (GDPR)

As we are based in the EU (Estonia), the General Data Protection Regulation (GDPR) applies. You have the right to:

  • Access: request a copy of all personal data we hold about you
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your data ("right to be forgotten")
  • Portability: receive your data in a machine-readable format
  • Restriction: limit how we process your data
  • Objection: object to data processing based on legitimate interest
  • Withdraw consent: revoke consent at any time where processing is based on consent

To exercise any of these rights, email us at hello@getcos.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. As we are based in Estonia, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

9. Data Retention

  • Account data: retained while your account is active, deleted within 30 days of account closure
  • Channel data: AI summaries retained while your account is active. Raw message content deleted within 24 hours of processing
  • Voice examples: draft before/after pairs retained while your account is active for personalization
  • Billing records: retained for 7 years as required by Estonian tax law
  • Audit logs: retained for 90 days

10. Cookies

The marketing website (getcos.ai) does not set cookies. The web application (app.getcos.ai) uses strictly necessary session cookies for authentication. We do not use advertising cookies, third-party tracking pixels, or analytics cookies that require consent.

11. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The "last updated" date at the top of this page indicates the most recent revision.

13. Contact

For privacy-related questions or to exercise your data rights, contact us at:

HKO Engineering OÜ
Tallinn, Estonia
Registry code: 16587065
Email: hello@getcos.ai