Last updated: 2026-05-10
Effective from: 2026-05-09
This Privacy Policy explains how CosmosPM Ltd (referred to as “we”, “us”, or “our” in this policy) collects, uses, and protects personal data when you visit our website, sign up for early access, or interact with our products and services.
1. Who we are
CosmosPM Ltd is a private limited company registered in England and Wales.
| Detail | Value |
|---|---|
| Registered company number | 16886156 |
| Registered office | 5th Floor, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom |
| ICO Data Protection registration | C1928514 |
| General contact | contact@cosmospm.com |
| Data protection contact | privacy@cosmospm.com |
We are the data controller for personal data we collect about you on this website and in our products.
2. The personal data we collect
We collect different categories of personal data depending on how you interact with us. The categories are:
a) Information you give us directly
- Name, email address, role, company when you sign up to our early-access list, fill in our Suggest a Feature form, or contact us by email.
- Account credentials and profile data if you register for a member account, including username and any optional profile fields you complete.
- Project schedule data that you upload during a paid pilot — files such as XER, MPP, Asta XML, or CSV exports from your scheduling tool. These files may incidentally contain names of individuals (project team members, resources). See section 7 for how we handle this.
b) Information collected automatically when you visit our website
- Technical data: IP address, browser type and version, operating system, time zone setting, language, the pages you view, the times of your visits, and the website that referred you.
- Cookies and similar technologies: see our Cookies Policy for the full list. Non-essential cookies are only set after you give consent.
- Security logs: requests to our site and login attempts, recorded by our security plugin, for the purpose of preventing abuse.
c) Information from third parties
- Anti-spam services may flag your form submissions if they look automated. The provider may share a score or classification with us.
- Authentication services may share basic identity claims if you sign in via a federated provider (we do not currently offer this; this clause applies if we add it).
We do not intentionally collect special-category personal data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation). If you submit such data to us inadvertently (for example, in a free-text feedback field), we will delete it.
3. How we use your personal data — and our lawful basis
UK GDPR requires us to identify a lawful basis for each purpose for which we use your personal data. The bases we rely on are:
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| Maintaining a list of people interested in early access | Name (optional), email | Consent — you opt in by submitting the form |
| Sending you product updates and early-access invitations | Email, prior engagement | Consent — withdraw any time via the unsubscribe link |
| Operating member accounts (login, profile, account recovery) | Username, email, profile data | Contract — to provide the service you requested |
| Replying to enquiries you send by email or contact form | Whatever you include in the message | Legitimate interest in responding to people who contact us |
| Running pilot projects on schedules you upload | Schedule data files | Contract — under the pilot agreement signed with your organisation |
| Securing our website against attack | IP address, request logs, login attempt logs | Legitimate interest in protecting our service |
| Improving our website (analytics) | Pseudonymous behavioural data | Consent — only after you accept analytics cookies |
| Complying with legal obligations (tax records, ICO requests) | Whatever the obligation requires | Legal obligation |
You have the right to object to processing carried out under “legitimate interest” — see section 9.
4. Marketing communications
We will only send you marketing emails if you have given us specific consent to do so (for example, by ticking a box on the early-access signup form). You can withdraw consent at any time by clicking the unsubscribe link in any email or by emailing privacy@cosmospm.com.
We do not sell your personal data to third parties for their own marketing purposes. We do not share your data with advertising networks.
5. Who we share your personal data with
We use a number of carefully selected third parties to operate our website and products. Each of these processes personal data on our behalf and is bound by a Data Processing Agreement (DPA). They are:
| Provider | Service | Location of processing | Personal data shared |
|---|---|---|---|
| Hostinger International Ltd (Cyprus) / Hostinger UK Limited | Website and email hosting, SSH | EU / UK data centres | All website data including this site’s contents, member data, security logs |
| WordPress.org | Software platform | N/A (software, not a service) | None |
| Wordfence | Website security plugin | UK / EU (data stays on our server) | IP addresses, login attempts, request logs |
| Google LLC (with Google Ireland Limited as the EU contracting entity) | Google Analytics 4, Site Kit | United States with EU/UK edge locations | Pseudonymous behavioural data, only after analytics consent |
| Anthropic PBC (with Anthropic Ireland Limited as the EU contracting entity) | AI features in our product (Claude API) | United States (workspace data) with global inference routing | Schedule descriptions, activity titles, and other content sent to the AI feature when you use it. Personal names are stripped before transmission where feasible. Anthropic retains API inputs and outputs for 30 days. |
| Microsoft Corporation (with Microsoft Ireland Operations Limited as the EU contracting entity) | Microsoft 365 / Outlook for outbound email and internal admin productivity | United Kingdom (Current and Committed Geography for Exchange Online, OneDrive, SharePoint, Teams, Microsoft 365 Copilot) | Email addresses, message content, internal admin documents |
| UpdraftPlus | Site backups (plugin) | Backups currently stored on our server (no remote destination) | Full database backups |
| Ultimate Member | Member account management (plugin) | On our server | Member account data |
| Stripe (when payment is enabled) | Payment processing | EU / United States | Name, billing address, payment method (card details handled by Stripe directly, never stored by us) |
International transfers (notably to the United States via Google and Anthropic, and to Microsoft’s UK / EU / global infrastructure as applicable) are protected by UK Standard Contractual Clauses (Addendum to EU SCCs Module Two and Three) and, where applicable, the EU-US Data Privacy Framework, UK Extension to EU-US Data Privacy Framework, and Swiss-US Data Privacy Framework certifications held by Google, Microsoft and others. Copies of the SCCs we rely on are available on request.
We may also disclose personal data to:
- Law enforcement, regulators, or courts where we are legally obliged to do so.
- Professional advisers such as our solicitors, accountants, or insurers, where necessary and bound by confidentiality.
- A successor entity in the event of a sale, merger, or restructuring of CosmosPM Ltd, in which case the recipient will be bound by this Privacy Policy or one substantially equivalent.
We will never sell your personal data to data brokers.
6. Cookies and similar technologies
Our website uses cookies. A small number are strictly necessary for the site to function (for example, your login session). The rest are only set after you give consent via the cookie banner. You can change or withdraw your consent at any time by clicking “Cookie settings” in the footer.
A full description of the cookies we set is in our Cookies Policy.
7. Schedule data uploaded during pilots
If your organisation enters a pilot agreement with us, you may upload project schedule files. These files may contain personal data — typically names of project team members, resource owners, or originators.
For this data:
- Your organisation is the data controller; CosmosPM Ltd is the data processor.
- A separate Data Processing Agreement (DPA) governs the processing.
- We will only use the data for the purposes set out in the pilot agreement.
- We will not share the data with anyone other than the sub-processors listed in section 5.
- We will delete the data within 90 days of pilot end, unless instructed otherwise in writing.
- Encryption in transit (TLS 1.2+) and at rest (full-disk encryption on our servers) applies.
We are happy to sign your organisation’s preferred DPA. We can also provide our standard one on request.
8. How long we keep your personal data
We keep your personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods are:
| Data category | Retention |
|---|---|
| Marketing waitlist email | 24 months from your last engagement |
| Member account data | While your account is active, plus 12 months after deletion (for audit and tax) |
| Pilot customer schedule data | Length of the pilot plus 90 days, then deleted |
| Security logs (Wordfence) | 90 days, rolling |
| Email correspondence | Up to 6 years (in line with HMRC retention rules) |
| Website backups (UpdraftPlus) | 30 days, rolling |
| Website analytics (Google Analytics 4) | 14 months for both User data and Event data |
| AI feature inputs/outputs (Anthropic API) | 30 days, retained by Anthropic per their published data retention policy |
| Financial and tax records | 6 years from the end of the relevant accounting period (HMRC requirement) |
When the retention period expires, we delete or fully anonymise the data.
9. Your rights under UK GDPR
You have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Right of access | Get a copy of the personal data we hold about you |
| Right to rectification | Have inaccurate data corrected |
| Right to erasure | Have your data deleted (“right to be forgotten”) |
| Right to restriction | Pause or limit how we process your data |
| Right to portability | Receive your data in a structured, machine-readable format |
| Right to object | Object to processing that relies on our legitimate interest |
| Right to withdraw consent | Withdraw consent at any time, where consent is the lawful basis |
| Right not to be subject to automated decisions | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects |
To exercise any of these rights, email us at privacy@cosmospm.com. We will respond within one calendar month, and may extend by a further two months for complex requests, in which case we’ll tell you why.
We may need to verify your identity before disclosing personal data. This is to protect your data from being released to someone impersonating you.
If you are unhappy with how we have handled your request, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Helpline: 0303 123 1113
https://ico.org.uk/make-a-complaint/
We would, of course, prefer the chance to resolve your concern first — please email us before going to the ICO if you can.
10. Security
We protect your personal data with appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+).
- Encryption at rest (full-disk encryption on our servers).
- Access controls (least-privilege principle; only authorised people can access personal data).
- Application-level firewalling (Wordfence on the website).
- Regular backups stored separately.
- Security patching of our software stack on a regular cadence.
- Strong password policies and multi-factor authentication for administrative access.
No system is perfectly secure. In the event of a personal data breach that creates a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform you directly if the risk is high.
11. International transfers
Some of our service providers (notably Google and Anthropic) process data outside the UK, primarily in the United States. UK GDPR allows such transfers only when adequate safeguards are in place. We rely on:
- UK Standard Contractual Clauses (Addendum to EU SCCs) signed with the relevant providers.
- Technical measures such as TLS encryption.
- Data minimisation — only the data that is strictly necessary leaves the UK.
For full details of any specific transfer, contact privacy@cosmospm.com.
12. Children’s data
Our products and website are designed for business users aged 18 and over. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us at privacy@cosmospm.com and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of the policy reflects the most recent change. If we make a material change that affects how we use your personal data, we will notify you directly (where we have your email) before the change takes effect.
A full version history of this policy is available on request.
14. Contact
For any questions about this Privacy Policy, your personal data, or to exercise any of your rights:
Email: privacy@cosmospm.com
Postal: CosmosPM Ltd, 5th Floor, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom
This policy is governed by the laws of England and Wales. Any disputes will be resolved in the courts of England and Wales.
