Cosmico

Privacy Policy

Last updated: February 2026 — Cosmico Bank (Sandbox / Demo)

1. Who We Are

Cosmico Bank (“we”, “us”, “our”) is a demo financial services platform operated by Cosmico Ltd, registered in England and Wales. We are committed to protecting your privacy and handling your data responsibly in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

When you register for an account, we collect:
  • Personal details: name, date of birth, nationality
  • Contact information: email address, postal address
  • Identity verification: NI number / SSN (last 4 digits) / SIN — for demo purposes only
  • Account credentials: hashed passwords (never stored in plain text)
  • Usage data: pages visited, features used, login timestamps

Sandbox notice: This is a demo environment. Please do not submit real identity documents, real financial credentials, or sensitive personal data.

3. How We Use Your Information

We use your information to:
  • Create and manage your account
  • Provide secure authentication (including two-factor verification via email OTP)
  • Display personalised account dashboards and transaction data
  • Send account-related notifications and security alerts
  • Comply with legal and regulatory obligations
  • Improve the platform through aggregated, anonymised analytics

4. Third-Party Services

We use the following third-party providers who may process your data:
  • Appwrite — user authentication and database storage
  • Plaid — bank account linking (sandbox mode, no real bank access)
  • Resend — transactional email delivery (OTP codes)
  • Sentry — error monitoring and performance tracking (anonymised)
Each provider operates under its own privacy policy and data processing agreements.

5. Data Retention

We retain your account data for as long as your account is active. You may request deletion of your account and associated data at any time by contacting privacy@cosmico.co.uk. Upon deletion, your personal data will be permanently removed within 30 days, except where retention is required by law.

6. Data Security

We implement industry-standard security measures including:
  • Passwords hashed using bcrypt before storage
  • OTP codes hashed with HMAC-SHA256, never stored in plain text
  • Sessions transmitted over HTTPS with secure, HttpOnly cookies
  • Two-factor authentication (email OTP) on every sign-in

7. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:
  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your personal data
  • Portability — receive your data in a machine-readable format
  • Object — opt out of processing based on legitimate interests
To exercise these rights, contact privacy@cosmico.co.uk.

8. Cookies

We use strictly necessary cookies only:
  • appwrite-session — maintains your authenticated session
We do not use tracking or advertising cookies.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email. Continued use of the Service after changes are published constitutes acceptance of the updated policy.

10. Contact & Complaints

For privacy enquiries, contact our Data Protection Officer at privacy@cosmico.co.uk. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.