Privacy Policy
Last updated: April 20, 2026
1. Who we are
Kosmo ("we", "us", "our") is a social network operated by Quentin Artaud, Paris, France.
For any privacy-related questions, contact us at: qtn.lab+kosmo@gmail.com
As the operator of this service, we act as the data controller for your personal data within the meaning of the EU General Data Protection Regulation (GDPR).
2. Data we collect
We collect the following categories of personal data:
Account data
- Email address (required to create an account)
- Display name and username (optional, set by you)
- Profile picture URL (optional, set by you)
- Bio (optional, set by you)
Authentication & session data
- IP address — collected when you sign in and stored with your session
- User agent (browser / device information) — collected at sign-in
- Session tokens — used to keep you signed in
- Magic link tokens — short-lived (5 minutes), deleted after use
Content & activity
- Posts, comments, and votes you create
- Communities you create or join
- Accounts you follow
- Feedback you submit
- Privacy and appearance preferences
Technical data
- Rate-limit counters — to prevent abuse; keyed by IP address and stored temporarily
We do not use analytics trackers, advertising networks, or fingerprinting tools. We do not sell your data.
3. How we use your data & legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Kosmo service | Contract — Art. 6(1)(b) |
| Sending magic link sign-in emails | Contract — Art. 6(1)(b) |
| Storing IP address & user agent with sessions (security, abuse prevention) | Legitimate interests — Art. 6(1)(f) |
| Rate limiting to prevent abuse | Legitimate interests — Art. 6(1)(f) |
| Storing user preferences | Contract — Art. 6(1)(b) |
4. Data retention
- Account data: retained for as long as your account is active. Deleted upon account deletion.
- Sessions: active sessions are deleted when you sign out or when they expire. Expired sessions are purged automatically.
- Magic link tokens: deleted immediately after use or after 5 minutes, whichever comes first.
- Rate-limit counters: expire automatically after the rate limit window (typically 30–60 seconds).
- Content (posts, comments): retained until you delete it or delete your account.
5. Third-party processors
We use a limited number of sub-processors. By using Kosmo, you acknowledge that your data may be processed by these providers under their own privacy policies and our data processing agreements with them.
| Provider | Purpose | Data location |
|---|---|---|
| Neon (via AWS eu-central-1) | Database hosting | Frankfurt, Germany (EU) |
| Vercel Inc. | Application hosting & edge delivery | EU & USA (see Vercel DPA) |
| Resend Inc. | Transactional email (magic links) | USA (SCCs apply) |
Resend is located in the United States. The transfer is governed by Standard Contractual Clauses (SCCs) as provided under GDPR Article 46. Your email address is transmitted to Resend solely for the purpose of delivering sign-in links.
6. Cookies & local storage
Kosmo uses a single session cookie to keep you signed in. This cookie is:
- Strictly necessary — the service cannot function without it
- Set only after you sign in
- Deleted when you sign out
- Not used for tracking or advertising
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. No cookie consent banner is shown because the only cookie we set is strictly necessary.
7. Your rights under GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the data we hold about you
- Right to rectification (Art. 16): correct inaccurate data — you can do this directly in your account settings
- Right to erasure (Art. 17): request deletion of your account and all associated data
- Right to portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests (e.g., IP logging)
- Right to restriction (Art. 18): request that we limit processing of your data
To exercise any of these rights, contact us at qtn.lab+kosmo@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In France, this is the CNIL.
8. Data security
We take reasonable technical and organisational measures to protect your personal data, including:
- HTTPS-only communication
- Passwordless authentication (no passwords stored)
- Short-lived magic link tokens (5-minute expiry)
- Database hosted in an ISO 27001-certified AWS region (eu-central-1, Frankfurt)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
9. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
For significant changes, we will notify you by email if you have an account.
10. Contact
Questions or requests regarding your personal data: qtn.lab+kosmo@gmail.com