Privacy
Summary:
This summary has no legal effect. The numbered text below is what governs.
This page explains how Cosmos handles personal data, the website's cookies, and how Cosmos uses artificial intelligence.
We collect data you give us, data your corporate client gives us about you, data from public registers, and data from verification providers. We use it to provide corporate services, run onboarding, meet our legal duties, keep the website secure, and tell you about our services where the law allows. We may share data with our group, providers, advisers, and authorities where the law requires it, and we use approved safeguards for cross-border transfers.
The website places cookies on your device. Some are essential. We ask for your consent before placing non-essential cookies, give an equally prominent option to reject them, and let you change your preferences at any time.
Cosmos uses AI to help draft documents, check compliance data, and answer questions. When you use the AI-assisted features your inputs are processed by third-party model providers, currently OpenAI, Anthropic, and Mistral AI, and may be used by those providers to train or improve their models. Cosmos does not itself train AI models. Do not enter confidential information, or special category personal data, into those features.
You have rights over your data, including access, correction, deletion, and objection, which vary by the law that applies to you, and you can complain to a regulator. We do not knowingly collect data about under-18s. To exercise a right, write to privacy@cosmos.global.
1. Introduction and scope
1.1 Purpose of this page
1.1.1 This privacy page (the Policy) explains how the Cosmos Group collects, uses, discloses, transfers, retains, and otherwise processes Personal Data in connection with the Website, the cookies and similar technologies the Website uses, the way Cosmos uses artificial intelligence, and the rights that you have in relation to that Personal Data.
1.1.2 Sirius Consulting FZCO is a free zone company established in the United Arab Emirates and trading as Cosmos (trade licence number 43190, registered office The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates). In this Policy, Cosmos, the Cosmos Group, we, us, and our mean Sirius Consulting FZCO together with its Affiliates. An Affiliate of any entity means any other entity that directly or indirectly Controls, is Controlled by, or is under common Control with, that entity, where Control means the ownership of more than fifty per cent of the voting securities or the power to direct the management and policies of an entity whether through ownership of voting securities, by contract, or otherwise.
1.1.3 This Policy applies to the Website at https://cosmos.global and any associated pages operated by Cosmos, including the Onboarding Flow and the on-site payment functionality. It does not apply to the Platform, which is the separate AI-powered software-as-a-service platform made available by Cosmos on a subdomain and governed by the Master Services Agreement. Where you access the Platform, the privacy terms applicable to the Platform, and not this Policy, govern the Processing of Personal Data carried out through it.
1.1.4 In this Policy, Personal Data, Processing, Controller, Processor, Sub-processor, Data Subject, and Personal Data Breach bear the meanings given to them in the Applicable Data Protection Law, construed consistently across the regimes described in section 2. The terms Website, Platform, Onboarding Flow, Onboarding Submission, Services, User, you, and your, where capitalised, bear the meanings given to them in this Policy or in the Terms of use.
1.2 Who this Policy is for
1.2.1 This Policy is written for the natural persons whose Personal Data the Cosmos Group processes in connection with the Website. Those persons include the following.
1.2.1.1 Prospective clients and their representatives who use the Onboarding Flow.
1.2.1.2 Individuals connected to a corporate client, including directors, shareholders, ultimate beneficial owners, authorised signatories, officers, and employees, whose Personal Data is submitted to Cosmos in the course of corporate services work.
1.2.1.3 Visitors to the Website who browse Content, complete forms, subscribe to communications, or otherwise interact with the Website.
1.2.1.4 Individuals who contact Cosmos through the Website, by email, or by telephone.
1.2.1.5 Suppliers, advisers, business partners, and their representatives, to the extent their Personal Data is processed in connection with the Website.
1.2.2 Where a corporate client provides Cosmos with Personal Data about an individual connected to it, the relationship between that client and that individual is a matter between them. Cosmos relies on the corporate client to provide this Policy, or equivalent information, to the individuals concerned, and to have a lawful basis for the disclosure to Cosmos. Cosmos remains responsible for the Personal Data it processes once it is received.
1.3 Relationship with other documents
1.3.1 This Policy consolidates the privacy policy, the cookie policy, and the responsible AI notice into a single page. The cookies content sits in section 23 and the following sections, and the responsible AI content sits in section 30 and the following sections. This Policy should also be read together with the following documents, each of which forms part of the Cosmos Group's privacy framework.
1.3.1.1 The Data Processing Addendum, which governs the Processing of Personal Data by Cosmos as Processor on behalf of a corporate client where Cosmos acts in that capacity. The Sub-processor List, which identifies the Sub-processors engaged by Cosmos and the Processing each performs, sits with the Data Processing Addendum.
1.3.1.2 The Terms of use, which govern access to and use of the Website.
1.3.1.3 The complaints procedure on the Legal and compliance page, which describes how to make a complaint to Cosmos and how Cosmos handles complaints.
1.3.2 Where this Policy conflicts with the Data Processing Addendum in respect of Processing carried out by Cosmos as Processor, the Data Processing Addendum prevails for that Processing.
1.4 Controller and Processor roles
1.4.1 In relation to the Personal Data described in this Policy, Cosmos generally acts as a Controller. It determines the purposes and means of the Processing of that Personal Data, including Personal Data collected through the Onboarding Flow, Personal Data collected for marketing, and Personal Data collected to operate and secure the Website.
1.4.2 In relation to certain Processing carried out for or on behalf of a corporate client under a separate engagement, Cosmos may act as a Processor. Where Cosmos acts as a Processor, the Data Processing Addendum governs that Processing, and the corporate client is the Controller. This Policy describes Cosmos's own Processing as a Controller and does not displace the Data Processing Addendum.
1.4.3 Where two or more entities within the Cosmos Group jointly determine the purposes and means of Processing, those entities act as joint Controllers. The lead entity for the purposes of this Policy, and the entity that you should contact in the first instance, is Sirius Consulting FZCO.
2. The data protection laws that apply
2.1 A multi-regime Policy
2.1.1 Cosmos is headquartered in the United Arab Emirates and serves clients in the United Arab Emirates and, increasingly, in other jurisdictions. The Processing described in this Policy may be governed by more than one data protection regime at the same time, depending on where you are, where the relevant Cosmos entity is established, and the nature of the Processing.
2.1.2 Applicable Data Protection Law means all data protection and privacy laws applicable to the Processing of Personal Data under this Policy, including those described in this section 2. Where a provision of this Policy refers to a specific regime, that provision applies to the extent the regime governs the relevant Processing.
2.2 United Arab Emirates
2.2.1 The UAE PDPL means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, together with its Executive Regulations once issued. The UAE PDPL establishes a federal framework for the Processing of Personal Data in the United Arab Emirates, supervised by the UAE Data Office. Where the Executive Regulations to the UAE PDPL are issued after the effective date of this Policy, Cosmos will construe this Policy consistently with those Regulations and will update this Policy where required.
2.2.2 The United Arab Emirates also contains financial free zones with their own data protection laws, namely the ADGM DP Regulations, meaning the ADGM Data Protection Regulations 2021 administered by the Office of Data Protection of the Abu Dhabi Global Market, and the DIFC Data Protection Law No. 5 of 2020, administered by the Commissioner of Data Protection of the Dubai International Financial Centre. Sirius Consulting FZCO is not established in either free zone, so the UAE PDPL, and not the law of either free zone, is the UAE data protection regime applicable to Cosmos's own Processing described in this Policy. The ADGM DP Regulations or the DIFC Data Protection Law may govern the Processing carried out by a regulated partner of Cosmos that is established in the relevant free zone, and a partner of that kind processes Personal Data under its own terms and regulatory permissions.
2.2.3 The governing law of this Policy is the law of the Abu Dhabi Global Market, as set out in section 39. The choice of governing law does not displace the application of the UAE PDPL, or any other Applicable Data Protection Law, where that law applies of its own force to the Processing described in this Policy.
2.3 European Union
2.3.1 The EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The EU GDPR applies to the Processing of Personal Data of Data Subjects who are in the European Union where that Processing relates to the offering of goods or services to those Data Subjects or to the monitoring of their behaviour within the European Union, and to the Processing carried out in the context of the activities of an establishment of a Controller or Processor in the European Union.
2.3.2 The ePrivacy Directive means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended, together with the national laws that implement it in each Member State of the European Union. The ePrivacy Directive and its national implementations govern, among other matters, the storing of information on, and the gaining of access to information stored on, a User's device, and the sending of unsolicited electronic marketing communications.
2.3.3 Where this Policy refers to the EU GDPR, that reference includes the national data protection laws of the Member States of the European Union and the European Economic Area to the extent those laws supplement or implement the EU GDPR or the ePrivacy Directive.
2.4 United Kingdom
2.4.1 The UK GDPR means the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and as amended by regulations made under that Act. The DPA 2018 means the UK Data Protection Act 2018, which supplements the UK GDPR and contains the United Kingdom's data protection framework. The UK GDPR applies to the Processing of Personal Data of Data Subjects who are in the United Kingdom in circumstances corresponding to those described in clause 2.3.1, and to the Processing carried out in the context of the activities of an establishment of a Controller or Processor in the United Kingdom.
2.4.2 PECR means the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended. PECR governs the use of cookies and similar technologies on devices in the United Kingdom and the sending of electronic marketing communications to Users in the United Kingdom. PECR sits alongside the UK GDPR and the DPA 2018.
2.5 Singapore
2.5.1 The PDPA means the Singapore Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020. The PDPA governs the collection, use, and disclosure of personal data by organisations in Singapore, and applies to the Processing of personal data of individuals in Singapore in the circumstances for which the PDPA provides. The PDPA is administered by the Personal Data Protection Commission of Singapore, the PDPC.
2.5.2 The PDPA contains a data breach notification regime under Part VIA, which requires the notification of certain data breaches to the PDPC and to affected individuals. The PDPA also contains the Do Not Call provisions in Part IX, which restrict the sending of specified messages to Singapore telephone numbers registered on the Do Not Call Register. Cosmos applies these provisions as described in sections 18 and 20 of this Policy.
2.6 Interaction between regimes
2.6.1 Where more than one regime described in this section 2 applies to a single Processing operation, Cosmos applies the standard that gives the strongest protection to the Data Subject in respect of that operation, save where doing so would conflict with a mandatory requirement of a regime that applies of its own force, in which case Cosmos complies with that mandatory requirement.
2.6.2 This Policy treats each regime substantively. Where a section of this Policy addresses a topic such as legal bases, international transfers, or Data Subject rights, it sets out the position under each applicable regime in turn rather than by cross-reference to another regime.
3. Controller identity and how to contact us
3.1 The operator and Controller
3.1.1 The Website is operated by Sirius Consulting FZCO, a free zone company established in the United Arab Emirates and trading as Cosmos, together with its Affiliates, comprising the Cosmos Group. Sirius Consulting FZCO is the operator of the Website and acts as the data Controller in respect of the Processing described in this Policy.
3.1.2 The registered office of Sirius Consulting FZCO is at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates. Its trade licence number is 43190.
3.1.3 The Cosmos Group operates through a number of entities. Where an Affiliate of Sirius Consulting FZCO processes Personal Data described in this Policy, that Affiliate does so as a Controller or joint Controller in respect of its own Processing, and as a Sub-processor or Processor where it processes Personal Data on behalf of Sirius Consulting FZCO or a corporate client. The internal allocation of Controller responsibility within the Cosmos Group does not reduce the rights available to you, and you may exercise your rights against Sirius Consulting FZCO as the lead Controller and contact point.
3.2 Privacy queries
3.2.1 Questions about this Policy, and requests to exercise the rights described in section 16, should be sent to privacy@cosmos.global.
3.2.2 You may also write to the privacy point of contact at dpo@cosmos.global, or by post to Sirius Consulting FZCO at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates, marked for the attention of the privacy point of contact. That address is the postal address for all data protection correspondence.
3.2.3 Cosmos asks that requests to exercise Data Subject rights are made in writing so that they can be recorded, verified, and handled within the timelines set out in section 16.
4. The Data Controller and privacy contacts
4.1 The Data Controller and the data protection officer position
4.1.1 The Data Controller for the Processing described in this Policy is Sirius Consulting FZCO. Cosmos has not appointed a data protection officer. Cosmos keeps under review whether it is required to appoint a data protection officer under each Applicable Data Protection Law, and whether it is appropriate to appoint one as a matter of good practice. The position under each regime is set out in this clause 4.1.
4.1.2 Under the EU GDPR and the UK GDPR, a Controller or Processor must appoint a data protection officer where its core activities consist of Processing operations that, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of Data Subjects on a large scale, or where its core activities consist of Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences. Cosmos keeps the application of these thresholds to its activities under regular review as the Cosmos Group scales.
4.1.3 Under the UAE PDPL, a Controller or Processor must appoint a data protection officer where the Processing would create a high risk to the confidentiality and privacy of the Personal Data of Data Subjects as a result of the adoption of new technologies or the volume of data processed, where the Processing involves the systematic and comprehensive evaluation of sensitive Personal Data, including profiling and automated Processing, or where the Processing is carried out on a large volume of sensitive Personal Data, in each case as elaborated by the Executive Regulations to the UAE PDPL.
4.1.4 Under the PDPA, an organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. The individual so designated is commonly described as a data protection officer.
4.1.5 Cosmos has not appointed a statutory data protection officer, having assessed that the thresholds described in this clause 4.1 are not met by its current Processing activities. Cosmos maintains a privacy point of contact within the Data Controller, contactable at dpo@cosmos.global, who is responsible for handling privacy queries and Data Subject rights requests and for coordinating the Cosmos Group's data protection compliance. Cosmos keeps this position under review as the Cosmos Group scales.
4.1.6 You may contact the Data Controller at dpo@cosmos.global, or at privacy@cosmos.global, with any matter relating to the Processing of your Personal Data or the exercise of your rights.
4.2 EU and UK Article 27 representatives
4.2.1 Article 27 of the EU GDPR requires a Controller or Processor that is not established in the European Union, but whose Processing is subject to the EU GDPR by virtue of Article 3(2), to designate in writing a representative in the European Union, unless an exemption applies. Article 27 of the UK GDPR imposes a corresponding requirement, in respect of a representative in the United Kingdom, on a Controller or Processor that is not established in the United Kingdom but whose Processing is subject to the UK GDPR by virtue of Article 3(2) of the UK GDPR.
4.2.2 Cosmos has no establishment in the European Union or the United Kingdom, and has not currently appointed a representative under Article 27 of the EU GDPR or the UK GDPR. A representative under Article 27 may be required where Cosmos offers Services to, or monitors the behaviour of, Data Subjects in the European Union or the United Kingdom such that the relevant regime applies and no exemption is available. Cosmos keeps this position under review and will designate a representative, and update this Policy with its name and address, where it concludes that one is required.
4.2.3 Until any representative is appointed, Data Subjects in the European Union or the United Kingdom may contact the Data Controller on any matter relating to the Processing of their Personal Data at dpo@cosmos.global or at privacy@cosmos.global.
4.3 Singapore business contact under the PDPA
4.3.1 Section 11 of the PDPA requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA, and to make available the business contact information of at least one such individual.
4.3.2 For the purposes of the PDPA, the Data Controller performs the role of the business contact and may be contacted at dpo@cosmos.global. Individuals in Singapore may contact the Data Controller on any matter relating to the Processing of their personal data under the PDPA, in addition to contacting Cosmos at privacy@cosmos.global.
5. Categories of personal data we collect
5.1 Overview
5.1.1 The categories of Personal Data that Cosmos collects depend on how you interact with the Website and the nature of any Services for which you, or a corporate client connected to you, engage Cosmos. Not every category is collected from every individual.
5.1.2 The categories described in this section 5 are set out at the level of Personal Data items. The purposes for which each category is processed, and the legal bases relied upon, are set out in section 7.
5.2 Identity data
5.2.1 Identity data means data that identifies you as a natural person. It includes your full legal name, any former or alternative names, your title, your date and place of birth, your nationality and any second or further nationality, your gender where you provide it, your photograph or other likeness where you provide it, and identifiers issued by a government or other authority, including passport number, national identity number, residency or visa identifier, tax identification number, and Emirates ID number.
5.2.2 Identity data also includes your role or position in relation to a corporate client, including your status as a director, shareholder, ultimate beneficial owner, authorised signatory, officer, or employee, and your specimen signature where it is provided for the purpose of corporate services work.
5.3 Contact data
5.3.1 Contact data means data that allows Cosmos to communicate with you. It includes your postal address, your email address, your telephone and mobile numbers, and any messaging or professional networking identifier that you provide for the purpose of contact.
5.4 Financial data
5.4.1 Financial data means data relating to your financial position and to the financial aspects of any engagement. It includes bank account details, payment card details to the extent these are handled, source of funds and source of wealth information, information about your financial standing where this is relevant to a corporate services engagement, and information about the financial position of an entity connected to you where you provide it.
5.5 Transactional data
5.5.1 Transactional data means data about payments made through the Website and about Services purchased or enquired about. It includes the amount, date, and currency of a payment, the description of the Service to which a payment relates, payment references and transaction identifiers, invoices and receipts, and the status of a payment.
5.6 Technical data
5.6.1 Technical data means data collected automatically when you interact with the Website. It includes your internet protocol address, the type and version of your browser, your device type and operating system, device identifiers, time zone setting and location inferred from your internet protocol address, the pages of the Website you visit, the date and time of your visit, referring and exit pages, and information collected through cookies and similar technologies as described in the cookies section, section 23 and the following sections.
5.7 Usage data
5.7.1 Usage data means data about how you use the Website. It includes the actions you take on the Website, the features and Content you interact with, the searches you run, the forms you start and complete, the time spent on pages, and patterns of navigation through the Website.
5.8 Marketing and communications data
5.8.1 Marketing and communications data means data about your marketing preferences and your communications with Cosmos. It includes your preferences for receiving marketing from Cosmos and your consent or objection in relation to particular channels, your subscription status for newsletters and updates, your responses to marketing communications, and a record of communications between you and Cosmos, including emails, messages submitted through Website forms, and notes of telephone calls.
5.9 Know-your-customer and anti-money-laundering data
5.9.1 Know-your-customer data and anti-money-laundering data, together KYC and AML Data, means data collected and processed to allow Cosmos and the Cosmos Group to meet customer due diligence, identification, verification, and ongoing monitoring obligations under applicable anti-money-laundering, counter-terrorist-financing, and corporate services regulation. It includes the identity data and financial data described above where collected for that purpose, copies of identity documents, proof of address documents, the results of identity verification and document authentication checks, the results of screening against sanctions lists, politically exposed person lists, and adverse media sources, risk ratings assigned to you or to an entity connected to you, and the supporting records of the due diligence carried out.
5.9.2 KYC and AML Data may include data revealing or capable of revealing a criminal conviction or offence, or an allegation of one, where this is identified through screening or disclosed in the course of due diligence. The Processing of such data is subject to the additional controls described in section 8.
5.10 Beneficial ownership information
5.10.1 Beneficial ownership information means data about the natural persons who ultimately own or control an entity for which corporate services are provided or enquired about. It includes the identity data and contact data of ultimate beneficial owners, the nature and extent of their ownership or control, ownership percentages and chains of ownership, the identity of nominee arrangements where these exist, and the supporting documents that evidence ownership and control.
5.11 Document content submitted during the Onboarding Flow
5.11.1 During the Onboarding Flow you, or a representative of a corporate client, may submit documents and free-text information to Cosmos. The content of an Onboarding Submission may include any of the categories of Personal Data described in this section 5, and may also include Personal Data about third parties, including family members, business associates, and other individuals connected to a proposed corporate structure.
5.11.2 Where an Onboarding Submission contains Personal Data about a third party, the individual who makes the submission is responsible for ensuring that they are entitled to provide that Personal Data to Cosmos and that the third party has been given the information required by the Applicable Data Protection Law. Cosmos processes the Personal Data in an Onboarding Submission as a Controller for the purposes described in section 7, and asks that submissions are limited to Personal Data that is relevant and necessary for the Service enquired about.
5.12 Aggregated and anonymised data
5.12.1 Cosmos may create aggregated or anonymised data from the categories described in this section 5, for example statistical data about Website usage. Aggregated or anonymised data that does not identify, and cannot reasonably be used to identify, a natural person is not Personal Data and is not subject to this Policy. Where Cosmos combines anonymised data with Personal Data so that the combination identifies you, the combined data is treated as Personal Data.
6. Sources of personal data
6.1 Data collected directly from you
6.1.1 Cosmos collects most of the Personal Data it processes about you directly from you. This includes Personal Data you provide when you complete a form on the Website, use the Onboarding Flow, make a payment, subscribe to a communication, contact Cosmos by email or telephone, or otherwise interact with the Website.
6.1.2 Cosmos also collects Technical data and Usage data automatically when you interact with the Website, through cookies and similar technologies as described in section 21 and in the cookies section, section 23 and the following sections, and through server logs.
6.2 Data received from corporate clients
6.2.1 Where you are an individual connected to a corporate client, Cosmos may receive your Personal Data from that corporate client, or from a representative or adviser acting for it. This commonly occurs where a corporate client engages Cosmos for corporate services and provides Personal Data about its directors, shareholders, ultimate beneficial owners, authorised signatories, officers, and employees so that Cosmos can carry out the engagement.
6.2.2 Where Cosmos receives your Personal Data from a corporate client, it relies on that client to have a lawful basis for the disclosure and to have provided you with the information required by the Applicable Data Protection Law. Cosmos processes the Personal Data it receives in accordance with this Policy.
6.3 Data from public registers and public sources
6.3.1 Cosmos may collect Personal Data about you from public registers and other public sources, where this is necessary for due diligence, verification, or the provision of corporate services. Public sources include company registries and registers of beneficial ownership, registers maintained by free zone and onshore corporate registries, professional and regulatory registers, registers of sanctioned persons, registers of politically exposed persons where these are publicly maintained, court and insolvency records where publicly available, and information published on official and reputable websites and in the news media.
6.4 Data from third party verification providers
6.4.1 Cosmos engages third party providers to verify identity, authenticate documents, and screen individuals and entities against sanctions, politically exposed person, and adverse media data. These providers supply Cosmos with the results of the checks they carry out, which may include Personal Data about you that you did not provide directly to Cosmos. Cosmos selects these providers with care and subjects them to the due diligence described in section 15.
6.5 Data from other sources
6.5.1 Cosmos may also receive Personal Data about you from Stripe and other payment service providers in connection with payments made through the Website, from advisers and intermediaries who refer you to Cosmos, from Affiliates within the Cosmos Group, and from analytics and advertising providers in the form of Technical data and Usage data, subject to the consent and cookie controls described in section 21 and in the cookies section, section 23 and the following sections.
7. Purposes of Processing and legal bases
7.1 How to read this section
7.1.1 This section 7 sets out the purposes for which Cosmos processes Personal Data and the legal basis relied upon for each purpose under each applicable regime. Where more than one purpose or legal basis applies to a Processing operation, Cosmos may rely on each that applies.
7.1.2 The legal basis framework under each regime is summarised as follows.
7.1.2.1 Under the EU GDPR and the UK GDPR, Article 6(1) provides that Processing is lawful only where at least one of the following applies: the Data Subject has given consent under Article 6(1)(a); Processing is necessary for the performance of a contract with the Data Subject or to take steps at the Data Subject's request before entering into a contract under Article 6(1)(b); Processing is necessary for compliance with a legal obligation to which the Controller is subject under Article 6(1)(c); Processing is necessary to protect the vital interests of a natural person under Article 6(1)(d); Processing is necessary for the performance of a task carried out in the public interest under Article 6(1)(e); or Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, under Article 6(1)(f).
7.1.2.2 Under the UAE PDPL, Article 4 provides that Personal Data may not be processed without the consent of the Data Subject, save in the cases prescribed by Article 4 itself. Those prescribed cases, which operate as legal bases in addition to consent, include Processing necessary to protect the public interest, Processing necessary to carry out legal procedures and claims and to defend rights, Processing necessary to protect the interests or the safety of the Data Subject, Processing necessary to perform obligations and exercise legally established rights of the Controller or the Data Subject in the field of employment and social security law, Processing necessary for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject for entering into a contract, Processing necessary for the legitimate interests of the Controller or any other party provided this does not prejudice the rights and interests of the Data Subject, and Processing necessary to comply with other laws of the State to which the Controller is subject. Article 5 of the UAE PDPL sets out the controls on the lawful Processing of Personal Data, including that Processing must be carried out fairly, transparently, and lawfully, and limited to the purpose for which it is collected.
7.1.2.3 Under the PDPA, an organisation may collect, use, or disclose personal data only where the individual has given, or is deemed to have given, consent, or where collection, use, or disclosure without consent is required or authorised under the PDPA or any other written law. Consent under the PDPA may be expressed consent, given by the individual; deemed consent, which arises where the individual voluntarily provides personal data for a purpose and it is reasonable that the individual would do so, where consent is deemed by contractual necessity, or where consent is deemed by notification in the manner the PDPA permits; and consent following notification of the purpose. The PDPA also permits collection, use, and disclosure without consent under exceptions in the First Schedule and Second Schedule, including the legitimate interests exception, the business improvement exception, and exceptions relating to legal and regulatory compliance, the prevention of fraud and unlawful activity, and the conduct of investigations and proceedings.
7.2 To respond to enquiries and operate the Onboarding Flow
7.2.1 Cosmos processes identity data, contact data, communications data, and the content of any Onboarding Submission to respond to your enquiries, to operate the Onboarding Flow, and to assess and scope a potential engagement.
7.2.2 The legal bases for this purpose are as follows.
7.2.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(b), Processing necessary to take steps at your request before entering into a contract, where you are a prospective client, and on Article 6(1)(f), the legitimate interests of Cosmos in responding to enquiries and developing its client relationships, where you are an individual connected to a prospective corporate client.
7.2.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the performance of a contract to which you are a party or to take steps at your request for entering into a contract, and on Processing necessary for the legitimate interests of Cosmos in responding to enquiries, provided this does not prejudice your rights and interests.
7.2.2.3 Under the PDPA, Cosmos relies on your consent, which may be expressed consent where you submit an enquiry or an Onboarding Submission, deemed consent by virtue of your voluntary provision of personal data for the purpose of the enquiry, and the legitimate interests exception.
7.3 To provide and administer the Services
7.3.1 Where you, or a corporate client connected to you, engage Cosmos, Cosmos processes identity data, contact data, financial data, transactional data, KYC and AML Data, beneficial ownership information, and the content of Onboarding Submissions and other documents to provide and administer the Services, including corporate structuring support, compliance calendaring, document management, and entity administration.
7.3.2 The legal bases for this purpose are as follows.
7.3.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(b), Processing necessary for the performance of a contract with you, where you are a party to the engagement, and on Article 6(1)(f), the legitimate interests of Cosmos in providing the Services and of the corporate client in receiving them, where you are an individual connected to a corporate client and not personally a party to the engagement.
7.3.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the performance of a contract to which you are a party, and on Processing necessary for the legitimate interests of Cosmos and the corporate client, provided this does not prejudice your rights and interests.
7.3.2.3 Under the PDPA, Cosmos relies on consent, including deemed consent by contractual necessity, and on the legitimate interests exception.
7.4 To take payments and manage billing
7.4.1 Cosmos processes financial data, transactional data, identity data, and contact data to take payments made through the Website, to issue invoices and receipts, to manage billing and credit control, and to detect and prevent payment fraud.
7.4.2 The legal bases for this purpose are as follows.
7.4.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(b) where the payment relates to a contract to which you are a party, on Article 6(1)(c), compliance with a legal obligation, in respect of tax, accounting, and record-keeping obligations, and on Article 6(1)(f), the legitimate interests of Cosmos in being paid for its Services and in preventing payment fraud.
7.4.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the performance of a contract, on Processing necessary to comply with other laws of the State to which Cosmos is subject, and on Processing necessary for the legitimate interests of Cosmos.
7.4.2.3 Under the PDPA, Cosmos relies on consent, including deemed consent by contractual necessity, on the legitimate interests exception, and on the exception for collection, use, and disclosure required or authorised by law in respect of tax and record-keeping obligations.
7.5 To carry out customer due diligence and meet anti-money-laundering obligations
7.5.1 Cosmos and the Cosmos Group are subject to customer due diligence, identification, verification, screening, ongoing monitoring, and reporting obligations under applicable anti-money-laundering, counter-terrorist-financing, sanctions, and corporate services regulation. To meet these obligations, Cosmos processes identity data, contact data, financial data, KYC and AML Data, and beneficial ownership information, including by screening against sanctions, politically exposed person, and adverse media data and by assessing and recording risk.
7.5.2 The legal bases for this purpose are as follows.
7.5.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(c), compliance with a legal obligation to which Cosmos is subject, and, where a legal obligation under the law of a third country applies to a Cosmos Group entity but does not constitute a legal obligation for the purposes of Article 6(1)(c), on Article 6(1)(f), the legitimate interests of Cosmos in meeting its regulatory obligations across the jurisdictions in which it operates and in preventing financial crime. Where the Processing involves data revealing a criminal conviction or offence, Cosmos additionally relies on a condition described in section 8.
7.5.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary to comply with other laws of the State to which Cosmos is subject, on Processing necessary to carry out legal procedures and to defend rights, and on Processing necessary to protect the public interest.
7.5.2.3 Under the PDPA, Cosmos relies on the exceptions for collection, use, and disclosure required or authorised by law, for the prevention, detection, or suppression of an offence or unlawful activity, and for the conduct of investigations and proceedings, together with consent where applicable.
7.6 To meet our own legal and regulatory obligations
7.6.1 Cosmos processes Personal Data to meet its own legal and regulatory obligations beyond those described in clause 7.5, including tax and accounting obligations, corporate registry and filing obligations, the obligation to respond to lawful requests from authorities and courts, the obligation to establish, exercise, or defend legal claims, and obligations under the Applicable Data Protection Law.
7.6.2 The legal bases for this purpose are as follows.
7.6.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(c), compliance with a legal obligation, and on Article 6(1)(f), the legitimate interests of Cosmos in managing its affairs and protecting its legal position.
7.6.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary to comply with other laws of the State to which Cosmos is subject, on Processing necessary to carry out legal procedures and claims and to defend rights, and on Processing necessary for the legitimate interests of Cosmos.
7.6.2.3 Under the PDPA, Cosmos relies on the exception for collection, use, and disclosure required or authorised by law, on the exception for the conduct of investigations and proceedings, and on the legitimate interests exception.
7.7 To operate, secure, and improve the Website
7.7.1 Cosmos processes technical data and usage data to operate the Website, to keep it available and performing, to keep it secure and to protect it against fraud and abuse, to diagnose and resolve technical problems, and to understand and improve how the Website is used.
7.7.2 The legal bases for this purpose are as follows.
7.7.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(f), the legitimate interests of Cosmos in operating a secure and effective Website and in improving its services. Where the Processing involves the storing of information on, or the gaining of access to information stored on, your device through non-essential cookies and similar technologies, Cosmos additionally relies on your consent under Article 6(1)(a), obtained in the manner described in section 21 and in the cookies section, section 23 and the following sections, consistently with the ePrivacy Directive and PECR.
7.7.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the legitimate interests of Cosmos, provided this does not prejudice your rights and interests, and on consent where the Processing requires it.
7.7.2.3 Under the PDPA, Cosmos relies on the legitimate interests exception, the business improvement exception in respect of the improvement of the Website and the Services, and consent, including deemed consent, in respect of cookies and similar technologies.
7.8 To send marketing and service communications
7.8.1 Cosmos processes contact data, marketing and communications data, identity data, and usage data to send you communications about Cosmos, its Services, and matters Cosmos considers may be of interest to you, and to send you service communications relating to an enquiry, a payment, or an engagement.
7.8.2 The legal bases for this purpose are as follows.
7.8.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(a), your consent, for electronic marketing communications where consent is required by the ePrivacy Directive or PECR, and on Article 6(1)(f), the legitimate interests of Cosmos in marketing its Services, where Cosmos sends marketing in reliance on the limited circumstances in which the ePrivacy Directive and PECR permit marketing without prior consent, as described in section 18. Service communications that are necessary to administer an enquiry, payment, or engagement are sent in reliance on Article 6(1)(b) or Article 6(1)(c) as applicable, and are not marketing.
7.8.2.2 Under the UAE PDPL, Cosmos relies on your consent for marketing communications, which you may withdraw at any time, and on Processing necessary for the performance of a contract or for the legitimate interests of Cosmos in respect of service communications.
7.8.2.3 Under the PDPA, Cosmos relies on your consent for marketing communications, and complies with the Do Not Call provisions of the PDPA as described in section 18 in respect of specified messages sent to Singapore telephone numbers. Service communications are sent in reliance on consent, including deemed consent by contractual necessity.
7.9 To manage relationships with suppliers, advisers, and partners
7.9.1 Cosmos processes identity data, contact data, financial data, and communications data of individuals connected to its suppliers, advisers, and business partners to manage those relationships, to receive and pay for goods and services, and to coordinate referrals and joint activity.
7.9.2 The legal bases for this purpose are as follows.
7.9.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(b) where an individual is personally a party to the relevant arrangement, on Article 6(1)(c) in respect of tax and record-keeping obligations, and on Article 6(1)(f), the legitimate interests of Cosmos in managing its supplier, adviser, and partner relationships.
7.9.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the performance of a contract, on Processing necessary to comply with other laws of the State, and on Processing necessary for the legitimate interests of Cosmos.
7.9.2.3 Under the PDPA, Cosmos relies on consent, including deemed consent by contractual necessity, on the legitimate interests exception, and on exceptions relating to the management or termination of an employment, contractual, or other relationship.
7.10 To carry out corporate transactions
7.10.1 Cosmos may process Personal Data in connection with a proposed or actual corporate transaction affecting the Cosmos Group, including a merger, acquisition, reorganisation, financing, or sale of business or assets. Cosmos may disclose Personal Data to a counterparty and its advisers for the purpose of due diligence, and to a successor entity on completion.
7.10.2 The legal bases for this purpose are as follows.
7.10.2.1 Under the EU GDPR and the UK GDPR, Cosmos relies on Article 6(1)(f), the legitimate interests of Cosmos and any counterparty in evaluating and carrying out the transaction, and on Article 6(1)(c) where disclosure is required by law.
7.10.2.2 Under the UAE PDPL, Cosmos relies on Processing necessary for the legitimate interests of Cosmos and any counterparty, and on Processing necessary to comply with other laws of the State.
7.10.2.3 Under the PDPA, Cosmos relies on the exception in the PDPA for the collection, use, and disclosure of personal data for the purposes of a business asset transaction, and on the legitimate interests exception.
7.11 Change of purpose
7.11.1 Cosmos processes your Personal Data only for the purposes for which it was collected, as described in this section 7, unless it reasonably considers that it needs to use it for another purpose that is compatible with the original purpose. Where Cosmos needs to use your Personal Data for an unrelated purpose, it will notify you and explain the legal basis that allows it to do so, save where the Applicable Data Protection Law permits or requires Processing for the new purpose without notification.
7.11.2 Where Cosmos relies on legitimate interests as a legal basis under the EU GDPR or the UK GDPR, it carries out a balancing assessment to confirm that its interests, or those of a third party, are not overridden by your interests or fundamental rights and freedoms. You may obtain information about that assessment by writing to privacy@cosmos.global.
8. Special category data and data on criminal matters
8.1 Special category data under the EU GDPR and the UK GDPR
8.1.1 Article 9 of the EU GDPR and of the UK GDPR identifies special categories of Personal Data, the Processing of which is prohibited unless a condition in Article 9(2) applies. The special categories are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
8.1.2 Cosmos does not seek to collect special category data through the Website and asks that you do not include special category data in an Onboarding Submission unless Cosmos has asked for it. Special category data may nonetheless be processed in limited circumstances, as follows.
8.1.2.1 Nationality data and place of birth data, which Cosmos collects as identity data and as KYC and AML Data, are not in themselves special category data. Where, in combination with other data, such data reveals or is capable of revealing the racial or ethnic origin of a Data Subject, Cosmos treats the Processing as Processing of special category data and applies the conditions and safeguards described in this section 8.
8.1.2.2 An identity document submitted for verification may disclose data concerning health, for example where the document records a disability, or may disclose other special category data. Cosmos processes such data only to the extent necessary to verify identity and to meet its regulatory obligations.
8.1.3 Where Cosmos processes special category data, it relies on one or more of the following conditions in Article 9(2): that the Data Subject has given explicit consent under Article 9(2)(a); that Processing is necessary for the establishment, exercise, or defence of legal claims under Article 9(2)(f); and that Processing is necessary for reasons of substantial public interest, on the basis of a law that is proportionate to the aim pursued, under Article 9(2)(g), including the substantial public interest in the prevention and detection of money laundering, terrorist financing, and other financial crime, read with the conditions set out in the DPA 2018 for the United Kingdom.
8.1.4 Where Cosmos relies on a condition in Article 9(2) read with the DPA 2018, it maintains an appropriate policy document and the additional records required by the DPA 2018, and applies additional safeguards, including restricted access on a need-to-know basis, additional access logging, and a shorter review cycle for retention.
8.2 Data on criminal convictions and offences
8.2.1 Personal Data relating to criminal convictions and offences, or to related security measures, including allegations of offences, may be processed by Cosmos where it is identified through sanctions, politically exposed person, or adverse media screening, or disclosed in the course of due diligence. Under the EU GDPR and the UK GDPR, the Processing of such data is subject to Article 10, which requires that it be carried out only under the control of official authority or where authorised by law providing appropriate safeguards.
8.2.2 Under the UK GDPR, Cosmos processes data relating to criminal convictions and offences in reliance on conditions in the DPA 2018, including the condition relating to the prevention and detection of unlawful acts and the condition relating to the prevention of fraud, and maintains the appropriate policy document and records that the DPA 2018 requires.
8.3 Sensitive data under the other regimes
8.3.1 The UAE PDPL defines Sensitive Personal Data as Personal Data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of that person. The UAE PDPL applies additional controls to the Processing of Sensitive Personal Data. Where Cosmos processes Sensitive Personal Data within the meaning of the UAE PDPL, it does so only where a lawful basis under the UAE PDPL is available, and it applies the additional safeguards described in clause 8.1.4.
8.3.2 The PDPA does not use the concept of special category data, but the PDPC treats certain personal data, including data about an individual's health, finances, and identity documents, as warranting a higher standard of protection. Cosmos applies a correspondingly higher standard of protection to such data.
9. Sharing personal data with third parties
9.1 General position
9.1.1 Cosmos does not sell your Personal Data. Cosmos shares Personal Data only where it is necessary for a purpose described in section 7, where you have consented, or where the Applicable Data Protection Law otherwise permits or requires it.
9.1.2 This section 9 describes the categories of recipient with whom Cosmos may share Personal Data. The Processors and Sub-processors engaged by Cosmos are described at a high level in this section and identified at an operational level in the Sub-processor List, which sits with the Data Processing Addendum. Where Cosmos engages a Processor, it does so under a written contract that imposes the obligations required by the Applicable Data Protection Law, as described in the Data Processing Addendum.
9.2 Categories of recipient
9.2.1 Cosmos may share Personal Data with the following categories of recipients.
9.2.1.1 Affiliates within the Cosmos Group, where the sharing is necessary for a purpose described in section 7, including the provision of the Services, the operation and security of the Website, and the management of the Cosmos Group's compliance, regulatory, and administrative functions.
9.2.1.2 Service providers engaged as Processors to perform functions on behalf of Cosmos, including hosting and cloud infrastructure providers, payment service providers including Stripe, identity verification and document authentication providers, sanctions, politically exposed person, and adverse media screening providers, communications and email delivery providers, customer relationship management providers, analytics providers, providers of information technology support and security services, and the third party model providers that support the Website's AI-assisted features, currently OpenAI, Anthropic, and Mistral AI. These Processors process Personal Data only on the documented instructions of Cosmos and for no other purpose. The position on the use of inputs by third party model providers is described in section 20 and in the responsible AI section, section 32, and the Processing carried out by each Sub-processor is identified in the Sub-processor List.
9.2.1.3 Professional advisers acting as Controllers in their own right, including lawyers, accountants, auditors, tax advisers, and insurers, where the sharing is necessary for the purpose of obtaining advice or services or for the establishment, exercise, or defence of legal claims.
9.2.1.4 Corporate registries, regulators, supervisory authorities, tax authorities, law enforcement agencies, courts, and other public authorities, where the sharing is required or permitted by law or is necessary for the provision of corporate services.
9.2.1.5 Banks, financial institutions, and corporate services providers, where the sharing is necessary to open accounts, establish entities, or otherwise carry out an engagement.
9.2.1.6 A counterparty and its advisers in connection with a corporate transaction, as described in clause 7.10, and a successor entity on completion of such a transaction.
9.2.1.7 Any person to whom Cosmos is required to disclose Personal Data by an order of a court or tribunal of competent jurisdiction or by a binding request of a regulator or other authority.
9.2.2 Cosmos provides operational detail about the Processors and Sub-processors it engages, including the name of each Sub-processor, the Processing it carries out, and the location of its Processing, in the Sub-processor List. The terms on which Cosmos engages Processors, where Cosmos acts as Processor for a corporate client, are set out in the Data Processing Addendum.
9.3 Disclosures required by law
9.3.1 Cosmos may disclose Personal Data where it is required to do so by law, by an order of a court or tribunal, or by a binding request of a regulator, tax authority, or law enforcement agency. Where the law permits, and it is reasonable to do so, Cosmos will assess the lawfulness of a request before responding and will limit the disclosure to what the request requires.
10. International transfers of personal data
10.1 Why transfers occur
10.1.1 The Cosmos Group operates across borders, and the Processors and Sub-processors it engages may be located in, or may process Personal Data in, jurisdictions other than the one in which you are located. The recipients of Personal Data include the third party model providers that support the Website's AI-assisted features, currently OpenAI, Anthropic, and Mistral AI, which are identified in the Sub-processor List. As a result, your Personal Data may be transferred to, stored in, or accessed from, a jurisdiction other than your own.
10.1.2 Where Cosmos transfers Personal Data across borders, it does so only where a transfer mechanism recognised by the Applicable Data Protection Law is in place, as described in this section 10. This section addresses the transfer rules of each applicable regime in turn. The international transfers that occur in respect of the third-party cookies on the Website are described in section 28.
10.2 Transfers under the EU GDPR
10.2.1 Chapter V of the EU GDPR governs the transfer of Personal Data to a third country or an international organisation. A transfer is permitted only where one of the mechanisms described in this clause 10.2 applies.
10.2.2 Cosmos transfers Personal Data subject to the EU GDPR to a third country on the basis of an adequacy decision adopted by the European Commission under Article 45, where the European Commission has decided that the third country, a territory or sector within it, or an international organisation, ensures an adequate level of protection.
10.2.3 Where no adequacy decision applies, Cosmos transfers Personal Data subject to the EU GDPR on the basis of appropriate safeguards under Article 46, principally the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, the EU SCCs. Where Cosmos relies on the EU SCCs, it carries out a transfer impact assessment, taking account of the circumstances of the transfer and the law and practice of the destination country, and adopts supplementary measures where the assessment shows them to be necessary to ensure a level of protection essentially equivalent to that guaranteed within the European Union.
10.2.4 Where neither an adequacy decision nor appropriate safeguards apply, Cosmos transfers Personal Data subject to the EU GDPR only in reliance on a derogation for a specific situation under Article 49, including where the transfer is necessary for the performance of a contract between you and Cosmos or the implementation of pre-contractual measures taken at your request, where the transfer is necessary for the conclusion or performance of a contract concluded in your interest between Cosmos and another natural or legal person, where the transfer is necessary for the establishment, exercise, or defence of legal claims, and where you have explicitly consented to the proposed transfer after having been informed of the possible risks of the transfer in the absence of an adequacy decision and appropriate safeguards. Cosmos relies on the Article 49 derogations only for transfers that are occasional and not repetitive, save where the derogation by its terms permits otherwise.
10.3 Transfers under the UK GDPR
10.3.1 The UK GDPR contains transfer rules corresponding to Chapter V of the EU GDPR. A transfer of Personal Data subject to the UK GDPR to a country outside the United Kingdom is permitted only where one of the mechanisms described in this clause 10.3 applies.
10.3.2 Cosmos transfers Personal Data subject to the UK GDPR to a country covered by United Kingdom adequacy regulations made by the Secretary of State, under which the country, a territory or sector within it, or an international organisation, is treated as ensuring an adequate level of protection.
10.3.3 Where no United Kingdom adequacy regulations apply, Cosmos transfers Personal Data subject to the UK GDPR on the basis of appropriate safeguards, principally the UK IDTA, meaning the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the DPA 2018, or the UK Addendum, meaning the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the DPA 2018, used together with the EU SCCs. Where Cosmos relies on the UK IDTA or the UK Addendum, it carries out a transfer risk assessment, taking account of the circumstances of the transfer and the law and practice of the destination country, and adopts supplementary measures where the assessment shows them to be necessary.
10.3.4 Where neither United Kingdom adequacy regulations nor appropriate safeguards apply, Cosmos transfers Personal Data subject to the UK GDPR only in reliance on a derogation corresponding to those in Article 49 of the EU GDPR, on the basis described in clause 10.2.4.
10.4 Transfers under the PDPA
10.4.1 Section 26 of the PDPA restricts the transfer of personal data outside Singapore. An organisation may not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data is afforded a standard of protection comparable to that under the PDPA.
10.4.2 Cosmos transfers personal data subject to the PDPA outside Singapore on the basis of one or more of the following, in accordance with the Personal Data Protection Regulations made under the PDPA: prescribed contractual protections that require the recipient to provide a standard of protection comparable to that under the PDPA and that are legally enforceable; binding corporate rules, where the transfer is to a recipient within the Cosmos Group and the binding corporate rules require every recipient to provide a standard of protection comparable to that under the PDPA and are legally binding throughout the Cosmos Group; the consent of the individual to the transfer, given after the individual has been informed of how the transferred data will be protected to a comparable standard; and the other bases for which the Personal Data Protection Regulations provide, including where the transfer is necessary for the performance of a contract between the individual and Cosmos or is necessary for the conclusion or performance of a contract concluded in the individual's interest.
10.4.3 Cosmos remains responsible for personal data transferred outside Singapore under this clause 10.4 and takes appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide the transferred data with a comparable standard of protection.
10.5 Transfers under the UAE PDPL
10.5.1 The UAE PDPL governs the transfer of Personal Data outside the United Arab Emirates. Such a transfer is permitted in the cases for which the UAE PDPL and its Executive Regulations provide.
10.5.2 Cosmos transfers Personal Data subject to the UAE PDPL outside the United Arab Emirates on the basis of one or more of the following. First, a transfer to a country or territory that has in place an adequate level of protection for Personal Data, as determined through an adequacy assessment by the UAE Data Office, including a country that has a special law concerning the protection of Personal Data. Second, where no such adequacy determination applies, a transfer made under contractual safeguards that bind the recipient to provide an adequate level of protection for the transferred Personal Data, including standard contractual provisions and binding obligations approved or recognised in accordance with the UAE PDPL and its Executive Regulations. Third, the explicit consent of the Data Subject to the transfer, where consent is required and the transfer does not conflict with the public and security interests of the United Arab Emirates. Fourth, the other cases for which the UAE PDPL and its Executive Regulations provide, including where the transfer is necessary for the performance of a contract between Cosmos and the Data Subject or between Cosmos and a third party in the interest of the Data Subject, where the transfer is necessary for the conclusion or performance of a procedure related to international judicial cooperation, and where the transfer is necessary to protect the public interest.
10.6 Obtaining information about transfers
10.6.1 You may obtain further information about the transfers of Personal Data that affect you, and a copy of, or information about, the safeguards in place for a transfer, by writing to privacy@cosmos.global. Cosmos may redact a copy of a transfer mechanism to protect commercial confidentiality and the Personal Data of other Data Subjects.
11. Retention of personal data
11.1 Retention principles
11.1.1 Cosmos retains Personal Data only for as long as is necessary for the purposes for which it was collected, as described in section 7, including for the purposes of satisfying any legal, accounting, regulatory, or reporting requirement, and for the establishment, exercise, or defence of legal claims.
11.1.2 In determining the appropriate retention period for Personal Data, Cosmos considers the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, the purposes for which the Personal Data is processed and whether those purposes can be achieved by other means, and the legal, regulatory, accounting, and tax requirements that apply.
11.1.3 Where Personal Data is no longer required, Cosmos deletes it, anonymises it so that it can no longer be associated with a Data Subject, or places it beyond use pending secure deletion. Where Cosmos anonymises Personal Data, it may retain and use the anonymised data without further notice to you.
11.1.4 Retention periods may be extended where Personal Data is relevant to an actual or anticipated legal claim, regulatory investigation, or audit, in which case the Personal Data is retained until the matter is resolved and any applicable limitation period has expired.
11.2 Retention schedule
11.2.1 The following table sets out the retention periods that Cosmos applies to the principal categories of Personal Data. Where a category is subject to more than one retention driver, the longer period applies.
11.2.2 The retention periods in the table above are general periods and may be varied in a particular case where a longer or shorter period is required by law, by a regulator, or by the circumstances of an actual or anticipated legal claim, regulatory investigation, or audit.
12. Security of personal data
12.1 Security commitment
12.1.1 Cosmos implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, and against all other unlawful forms of Processing. The measures take account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of Data Subjects.
12.2 Technical measures
12.2.1 The technical measures applied by Cosmos include the following.
12.2.1.1 Encryption of Personal Data in transit, using current transport-layer security protocols, and encryption of Personal Data at rest in the systems and storage operated by or for Cosmos.
12.2.1.2 Network security measures, including firewalls, segregation of networks, and monitoring for unauthorised access and anomalous activity.
12.2.1.3 Logging and monitoring of access to systems that hold Personal Data, and the retention of logs to support the detection and investigation of security incidents.
12.2.1.4 Secure development practices, vulnerability management, and the timely application of security patches.
12.2.1.5 Backup of Personal Data and tested procedures for restoring availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
12.3 Organisational measures
12.3.1 The organisational measures applied by Cosmos include the following.
12.3.1.1 Access controls that restrict access to Personal Data to those personnel who need it to perform their roles, applied on the principle of least privilege, with access reviewed periodically and removed promptly when no longer required.
12.3.1.2 Authentication controls, including multi-factor authentication for access to systems that hold Personal Data.
12.3.1.3 Confidentiality obligations binding on personnel and contractors who have access to Personal Data.
12.3.1.4 Training and awareness for personnel on data protection and information security.
12.3.1.5 Policies and procedures governing the handling of Personal Data, the use of devices, the management of access, and the response to security incidents.
12.3.1.6 Physical security measures for premises and equipment used to process Personal Data.
12.4 Vendor due diligence
12.4.1 Before engaging a Processor or Sub-processor that will process Personal Data, Cosmos carries out due diligence proportionate to the risk of the Processing, to satisfy itself that the Processor or Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.
12.4.2 Cosmos engages Processors under a written contract that imposes the obligations required by the Applicable Data Protection Law, including obligations of confidentiality, security, assistance, and the deletion or return of Personal Data, and obligations relating to the engagement of further Sub-processors and to international transfers. Cosmos monitors the performance of Processors and reviews its vendor relationships periodically.
12.5 Incident response
12.5.1 Cosmos maintains an incident response procedure for the identification, containment, investigation, and remediation of security incidents, including Personal Data Breaches.
12.5.2 Where Cosmos becomes aware of a Personal Data Breach, it assesses the breach, takes steps to contain and remediate it, and assesses the risk to affected Data Subjects.
12.5.3 Cosmos notifies a Personal Data Breach to the relevant supervisory authority and to affected Data Subjects where and to the extent the Applicable Data Protection Law requires, as follows.
12.5.3.1 Under the EU GDPR and the UK GDPR, Cosmos notifies a Personal Data Breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and communicates the breach to affected Data Subjects without undue delay where it is likely to result in a high risk to their rights and freedoms.
12.5.3.2 Under the PDPA, Cosmos assesses whether a data breach is a notifiable data breach within the meaning of Part VIA of the PDPA, being a breach that results in, or is likely to result in, significant harm to affected individuals, or that is of a significant scale. Where a breach is notifiable, Cosmos notifies the PDPC as soon as practicable and in any event within three calendar days, and notifies affected individuals where the breach is likely to result in significant harm to them, in each case in accordance with the PDPA.
12.5.3.3 Under the UAE PDPL, Cosmos notifies the UAE Data Office of a Personal Data Breach that would prejudice the privacy, confidentiality, and security of the Personal Data of a Data Subject, upon becoming aware of it, and notifies the affected Data Subject where the breach would prejudice their privacy, confidentiality, or security, in each case in accordance with the UAE PDPL and its Executive Regulations.
12.5.4 Where Cosmos acts as a Processor for a corporate client, it notifies the corporate client as Controller of a Personal Data Breach affecting that client's Personal Data without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with the Data Processing Addendum.
12.5.5 No method of transmission over the internet, and no method of electronic storage, is completely secure. While Cosmos applies the measures described in this section 12, it cannot guarantee absolute security, and you transmit Personal Data to Cosmos at your own risk to that extent.
13. Privacy by design and by default
13.1 Cosmos applies the principles of data protection by design and by default. It integrates data protection considerations into the design of the Website, the Onboarding Flow, and its internal processes, and it implements appropriate technical and organisational measures designed to give effect to the data protection principles in an effective manner.
13.2 Cosmos applies data protection by default by ensuring that, by default, only Personal Data that is necessary for each specific purpose of the Processing is processed. This applies to the amount of Personal Data collected, the extent of its Processing, the period of its storage, and its accessibility.
13.3 When Cosmos designs a new feature of the Website, a new processing activity, or a material change to an existing one, it assesses the data protection implications at the design stage, applies the principle of data minimisation, and considers whether a data protection impact assessment is required under section 14.
14. Data protection impact assessments
14.1 Where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular where it uses new technologies, Cosmos carries out a data protection impact assessment before the Processing begins, as required by the EU GDPR, the UK GDPR, and, in corresponding terms, the UAE PDPL.
14.2 A data protection impact assessment carried out by Cosmos contains a systematic description of the envisaged Processing operations and the purposes of the Processing, an assessment of the necessity and proportionality of the Processing in relation to the purposes, an assessment of the risks to the rights and freedoms of Data Subjects, and the measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data.
14.3 Where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures to mitigate the risk, Cosmos consults the relevant supervisory authority before the Processing begins, where the Applicable Data Protection Law requires.
15. Vendor and Processor management
15.1 The due diligence, contracting, and monitoring measures that Cosmos applies to its Processors and Sub-processors are described in clause 12.4. Cosmos identifies its Sub-processors and the Processing each carries out in the Sub-processor List, and governs Processing carried out on behalf of corporate clients through the Data Processing Addendum.
16. Your rights as a Data Subject
16.1 Overview of rights
16.1.1 You have rights in relation to your Personal Data. The rights available to you, and their scope, depend on the Applicable Data Protection Law that governs the relevant Processing. This section 16 describes the rights under each regime in turn and then explains how to exercise them.
16.2 Rights under the EU GDPR and the UK GDPR
16.2.1 Where the EU GDPR or the UK GDPR governs the Processing of your Personal Data, you have the following rights.
16.2.1.1 The right of access under Article 15, to obtain confirmation of whether Cosmos processes your Personal Data and, where it does, access to that Personal Data and to the information specified in Article 15.
16.2.1.2 The right to rectification under Article 16, to obtain the correction of inaccurate Personal Data and the completion of incomplete Personal Data.
16.2.1.3 The right to erasure under Article 17, also known as the right to be forgotten, to obtain the deletion of your Personal Data where one of the grounds in Article 17 applies, subject to the exceptions in that Article, including where Processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
16.2.1.4 The right to restriction of Processing under Article 18, to obtain the restriction of the Processing of your Personal Data where one of the grounds in Article 18 applies.
16.2.1.5 The right to data portability under Article 20, to receive the Personal Data you have provided to Cosmos in a structured, commonly used, and machine-readable format, and to transmit that data to another Controller, where the Processing is based on consent or on a contract and is carried out by automated means.
16.2.1.6 The right to object under Article 21, to object on grounds relating to your particular situation to Processing based on legitimate interests or on the performance of a task carried out in the public interest, and an unconditional right to object to Processing for direct marketing purposes.
16.2.1.7 The right not to be subject to a decision based solely on automated Processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, under Article 22, subject to the exceptions in that Article.
16.2.1.8 The right to withdraw consent under Article 7(3), where Processing is based on consent, at any time, without affecting the lawfulness of Processing carried out before the withdrawal.
16.2.1.9 The right to lodge a complaint with a supervisory authority, as described in section 17.
16.3 Rights under the UAE PDPL
16.3.1 Where the UAE PDPL governs the Processing of your Personal Data, you have the following rights under Articles 13 to 19 of the UAE PDPL.
16.3.1.1 The right to obtain information, under Article 13, including the right to request information about the Personal Data processed, the purposes of Processing, the recipients of the Personal Data, the controls and standards for the period of storage, the procedures for correcting, erasing, or restricting Processing, and the cross-border transfer of Personal Data.
16.3.1.2 The right to request the transfer of Personal Data, under Article 14, to obtain your Personal Data that you have provided to Cosmos for Processing in a structured, machine-readable format, and to request its transfer to another Controller where technically feasible, where Processing is based on consent or on a contract and is carried out by automated means.
16.3.1.3 The right to correction or erasure of Personal Data, under Article 15, to request the correction of inaccurate Personal Data and the erasure of Personal Data, subject to the conditions and exceptions in the UAE PDPL.
16.3.1.4 The right to restrict Processing, under Article 16, to request the restriction or limitation of the Processing of your Personal Data in the cases for which the UAE PDPL provides.
16.3.1.5 The right to stop Processing, under Article 17, to object to and request that Cosmos stop the Processing of your Personal Data in the cases for which the UAE PDPL provides, including Processing for the purposes of direct marketing.
16.3.1.6 Rights in relation to automated Processing, under Article 18, including the right not to be subject to decisions based on automated Processing that have legal consequences or that seriously affect the Data Subject, subject to the exceptions in the UAE PDPL.
16.3.1.7 The right to communicate with the UAE Data Office and to file a complaint, under Article 19, where you consider that the Processing of your Personal Data violates the UAE PDPL.
16.4 Rights under the PDPA
16.4.1 Where the PDPA governs the Processing of your personal data, you have the following rights under Part IV of the PDPA and under the related provisions of the PDPA.
16.4.1.1 The right of access, under section 21, to request information about your personal data that is in the possession or under the control of Cosmos and about the ways in which that personal data has been or may have been used or disclosed within a year before the date of the request, subject to the exceptions in the PDPA.
16.4.1.2 The right of correction, under section 22, to request the correction of an error or omission in your personal data that is in the possession or under the control of Cosmos, subject to the exceptions in the PDPA.
16.4.1.3 The right to withdraw consent, under section 16, to withdraw any consent given, or deemed to have been given, in respect of the collection, use, or disclosure of your personal data, on giving reasonable notice, without affecting the lawfulness of collection, use, or disclosure carried out before the withdrawal. Cosmos will inform you of the likely consequences of withdrawing consent.
16.4.1.4 The right to be informed, on request, of the business contact information of the data protection officer designated under section 11 of the PDPA.
16.5 Comparative table of rights
16.5.1 The following table compares the principal Data Subject rights across the regimes covered by this Policy. It is a guide and does not displace the detailed provisions of each regime described above.
16.6 How to exercise your rights
16.6.1 You may exercise a right described in this section 16 by writing to privacy@cosmos.global, or to dpo@cosmos.global, or by post to Sirius Consulting FZCO at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates, marked for the attention of the privacy point of contact. To help Cosmos handle your request, please identify the right you wish to exercise and provide enough detail to allow Cosmos to locate the relevant Personal Data.
16.6.2 You do not have to pay a fee to exercise a right, save that Cosmos may charge a reasonable fee, or refuse to act on a request, where the request is manifestly unfounded or excessive, in particular because of its repetitive character, where the Applicable Data Protection Law permits. Where Cosmos charges a fee or refuses to act, it will explain its decision and inform you of your right to complain to a supervisory authority.
16.7 Identity verification
16.7.1 To protect your Personal Data, Cosmos verifies the identity of the person making a request before acting on it. Cosmos may ask you for information to confirm your identity, and may decline to act on a request, or delay acting on it, until your identity is confirmed. Where a request is made by a person acting on your behalf, Cosmos may ask for evidence of that person's authority to act for you.
16.8 Response timelines
16.8.1 Cosmos responds to a request to exercise a right within the timelines set by the Applicable Data Protection Law, as follows.
16.8.1.1 Under the EU GDPR and the UK GDPR, Cosmos responds without undue delay and in any event within one month of receipt of the request. Cosmos may extend that period by two further months where necessary, taking into account the complexity and number of requests, and will inform you of any extension and the reasons for it within one month of receipt of the request.
16.8.1.2 Under the PDPA, Cosmos responds to an access or correction request as soon as practicable and, where it cannot respond within 30 days of receiving the request, informs you in writing within that time of the time by which it will respond.
16.8.1.3 Under the UAE PDPL, Cosmos responds to a request within the period prescribed by the UAE PDPL and its Executive Regulations, which Cosmos applies as 30 days from receipt of the request, subject to any extension for which the UAE PDPL and its Executive Regulations provide.
16.8.2 Where a response timeline differs as between the regimes that apply to a single request, Cosmos applies the shortest applicable timeline.
17. Complaints to supervisory authorities
17.1 Your right to complain
17.1.1 Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority where you consider that the Processing of your Personal Data infringes the Applicable Data Protection Law. Cosmos asks that you raise a concern with it first, by contacting privacy@cosmos.global or by using the complaints procedure on the Legal and compliance page, so that it has the opportunity to address your concern, but you are not obliged to do so.
17.2 The relevant supervisory authorities
17.2.1 The supervisory authorities relevant to the Processing described in this Policy are the following.
17.2.1.1 The UAE Data Office, established under the UAE PDPL, which supervises the Processing of Personal Data subject to the UAE PDPL. The UAE Data Office may be contacted through its official channels.
17.2.1.2 The Information Commissioner's Office, the ICO, which supervises the Processing of Personal Data subject to the UK GDPR, the DPA 2018, and PECR. The ICO may be contacted at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom, or through its website at ico.org.uk.
17.2.1.3 The relevant EU lead supervisory authority and, where applicable, other concerned supervisory authorities in the European Union and the European Economic Area, which supervise the Processing of Personal Data subject to the EU GDPR. The one-stop-shop mechanism is described in clause 17.3.
17.2.1.4 The Personal Data Protection Commission, the PDPC, which supervises the Processing of personal data subject to the PDPA. The PDPC may be contacted through its website at pdpc.gov.sg.
17.2.1.5 Where the Processing of a regulated partner of Cosmos is governed by the ADGM Data Protection Regulations 2021, the Office of Data Protection of the Abu Dhabi Global Market, and where it is governed by the DIFC Data Protection Law No. 5 of 2020, the Commissioner of Data Protection of the Dubai International Financial Centre.
17.2.2 Where a complaint touches the regulated services of a regulated partner of Cosmos, the financial services regulator of that partner, including in the Abu Dhabi Global Market the ADGM Financial Services Regulatory Authority, may also be a relevant authority. Cosmos itself is not authorised or regulated by any financial services regulator.
17.3 The one-stop-shop mechanism under the EU GDPR
17.3.1 The EU GDPR provides a one-stop-shop mechanism for cross-border Processing. Under that mechanism, where a Controller carries out cross-border Processing, the supervisory authority of the main establishment of the Controller in the European Union acts as the lead supervisory authority for that Processing and is the principal point of contact for the Controller.
17.3.2 A Data Subject may lodge a complaint with the supervisory authority of the Member State of the Data Subject's habitual residence, place of work, or the place of the alleged infringement. That supervisory authority, where it is not the lead supervisory authority, acts as a concerned supervisory authority and cooperates with the lead supervisory authority under the cooperation and consistency procedures of the EU GDPR. The effect of the mechanism is that you may complain to the supervisory authority that is most convenient for you, and the supervisory authorities concerned coordinate the handling of the complaint.
17.3.3 Cosmos has no establishment in the European Union, with the result that the one-stop-shop mechanism does not designate a lead supervisory authority, and a Data Subject may complain to the supervisory authority of the Member State in which the Data Subject is located. Where Cosmos appoints a representative under Article 27 of the EU GDPR, as described in clause 4.2, that representative is also a point of contact.
17.4 The complaints procedure
17.4.1 The complaints procedure on the Legal and compliance page describes how to make a complaint directly to Cosmos, the timelines within which Cosmos acknowledges and responds to complaints, and the records Cosmos keeps. A complaint about the Processing of Personal Data may be made under that complaints procedure, and this section 17 does not limit your right to complain directly to a supervisory authority.
18. Marketing and consent management
18.1 Marketing communications
18.1.1 Cosmos may send you marketing communications about Cosmos, its Services, and matters Cosmos considers may be of interest to you, by email and by other channels, where it is permitted to do so under the Applicable Data Protection Law and the rules described in this section 18.
18.2 Electronic marketing in the United Kingdom under PECR
18.2.1 PECR governs the sending of electronic marketing communications to Users in the United Kingdom. Cosmos sends electronic marketing communications to an individual subscriber in the United Kingdom only where that subscriber has consented to receive them, or where the limited exception in PECR for existing customers applies.
18.2.2 The existing customer exception under PECR permits Cosmos to send electronic marketing about its own similar Services to a person whose contact details Cosmos obtained in the course of a sale or negotiations for a sale to that person, provided that person was given a simple means of refusing the use of their contact details for marketing at the time the details were collected and is given a simple means of refusing in every subsequent communication, and provided that person has not refused.
18.2.3 Every electronic marketing communication sent by Cosmos identifies Cosmos as the sender and provides a simple, cost-free means of opting out of further marketing. Cosmos acts on an opt-out without undue delay.
18.3 Electronic marketing in the European Union under the ePrivacy Directive
18.3.1 The national laws implementing the ePrivacy Directive govern the sending of electronic marketing communications to Users in the European Union. Cosmos sends such communications on the basis of consent, or in reliance on the existing customer exception corresponding to that described in clause 18.2.2 where the national law concerned provides for it, and on the same opt-out terms.
18.4 Marketing under the UAE PDPL
18.4.1 Where the UAE PDPL governs the Processing, Cosmos processes Personal Data for direct marketing on the basis of your consent, and you may withdraw that consent and object to Processing for direct marketing at any time. Cosmos acts on a withdrawal or objection without undue delay.
18.5 The Do Not Call provisions under the PDPA
18.5.1 Part IX of the PDPA contains the Do Not Call provisions, which restrict the sending of a specified message to a Singapore telephone number. A specified message includes a message the purpose, or one of the purposes, of which is to offer, advertise, or promote goods, services, land, or a business or investment opportunity, and includes a voice call, a text message, and a fax message.
18.5.2 Before sending a specified message to a Singapore telephone number, Cosmos checks the relevant Do Not Call Register maintained under the PDPA, and does not send the message to a number listed on the applicable register unless an exception under the PDPA applies, including where the individual has given clear and unambiguous consent in evidential form to the sending of the message to that number, or where the ongoing relationship exemption applies in respect of a text or fax message about similar goods or services.
18.5.3 A specified message sent by Cosmos includes the information required by the PDPA, including information identifying the sender and contact information at which the sender can be readily contacted.
18.6 Consent management and double opt-in
18.6.1 Where Cosmos relies on consent for marketing, it obtains consent through a clear affirmative action, keeps a record of the consent given, and provides a simple means of withdrawing consent at any time.
18.6.2 As a matter of good practice, Cosmos applies a double opt-in process for email marketing subscriptions, under which a person who submits a subscription request is sent a confirmation message and is added to the marketing list only after confirming the request. The double opt-in process confirms that the subscriber controls the email address and provides a clear record of consent.
18.6.3 You may withdraw your consent to marketing, or object to marketing, at any time, by using the opt-out mechanism in a marketing communication or by writing to privacy@cosmos.global. A withdrawal or objection in respect of marketing does not affect Processing for other purposes, and Cosmos may continue to send you service communications that are necessary to administer an enquiry, a payment, or an engagement.
19. Automated decision-making and profiling
19.1 Automated decision-making means a decision based solely on automated Processing, including profiling, that is made without meaningful human involvement. Profiling means any form of automated Processing of Personal Data to evaluate certain personal aspects relating to a natural person.
19.2 Cosmos does not make decisions that produce legal effects concerning you, or that similarly significantly affect you, based solely on automated Processing of your Personal Data through the Website. Where Cosmos uses automated tools, including screening tools, as part of customer due diligence, the output of those tools is reviewed by a member of Cosmos's personnel before any decision that significantly affects you is taken, so that the decision involves meaningful human involvement.
19.3 If Cosmos were to carry out automated decision-making within the meaning of Article 22 of the EU GDPR or the UK GDPR, it would do so only where the decision is necessary for entering into or performing a contract, is authorised by law, or is based on your explicit consent, and would implement suitable measures to safeguard your rights, including the right to obtain human intervention, to express your point of view, and to contest the decision. Where Cosmos carries out profiling that does not result in automated decision-making, it does so for the purposes described in section 7, principally the operation, security, and improvement of the Website and the conduct of due diligence.
19.4 The position on automated decision-making under the UAE PDPL is addressed in clause 16.3.1.6. Cosmos applies a corresponding standard, ensuring that decisions which have legal consequences or which seriously affect a Data Subject are not based solely on automated Processing without the safeguards the UAE PDPL requires.
20. Use of artificial intelligence and the position on model training
20.1 Cosmos uses artificial-intelligence technologies in the operation of its Services and in connection with the Website. The way in which Cosmos uses those technologies, the safeguards it applies, and the limits it observes, are described in the responsible AI section, section 30 and the following sections.
20.2 Cosmos does not itself train, develop, or fine-tune any artificial-intelligence model, and does not use the inputs it receives from Users, including the content of Onboarding Submissions and other User Content, to train any model that Cosmos controls. Cosmos delivers AI-assisted features using third party model providers, currently OpenAI, Anthropic, and Mistral AI, identified in the Sub-processor List.
20.3 Inputs sent to a third-party model provider may be used by that provider to train or improve its own models. You should not submit confidential information or special category Personal Data into AI-assisted features. Cosmos keeps this position under review and expects to publish more specific commitments once it has confirmed the data-use terms applicable to each provider. The responsible AI section, section 30 and the following sections, and the Sub-processor List describe the relevant providers.
21. Cookies and similar technologies overview
21.1 The Website uses cookies and similar technologies, including pixels, tags, software development kits, and local storage, to operate the Website, to keep it secure, to remember your preferences, to measure and analyse usage, and, where you consent, for marketing and advertising purposes.
21.2 The cookies content in section 23 and the following sections describes the cookies and similar technologies used on the Website, the purpose and lifespan of each, whether each is a first-party or a third-party technology, and how you may accept or reject non-essential cookies and manage your preferences.
21.3 Where the law of the United Kingdom or of a Member State of the European Union applies, Cosmos stores non-essential cookies on, or gains access to non-essential information stored on, your device only with your consent, obtained through the Website's cookie banner, consistently with PECR and the national laws implementing the ePrivacy Directive. Strictly necessary cookies, which are required for the Website to function, do not require consent.
22. Children's data
22.1 The Website is intended for, and directed at, persons aged 18 years or over. The Website is not intended for, and is not directed at, children, and Cosmos does not offer Services to children.
22.2 Cosmos does not knowingly collect Personal Data from a person under the age of 18. Where Cosmos becomes aware that it has collected Personal Data from a person under the age of 18 other than in the course of corporate services work where the data of a minor is properly relevant, for example as a member of a shareholding family, it will delete that Personal Data without undue delay.
22.3 Where you provide Personal Data about a third party who is under the age of 18 in the course of corporate services work, you confirm that you are entitled to do so. Cosmos processes such Personal Data only to the extent necessary for the relevant purpose described in section 7 and applies appropriate safeguards to it.
22.4 If you believe that Cosmos holds Personal Data about a person under the age of 18 that it should not hold, please contact privacy@cosmos.global.
23. What cookies and similar technologies are
23.1 Cookies
23.1.1 A cookie is a small text file that a website places on your device, being a computer, tablet, or smartphone, when you visit it. Cookies are returned to the originating website on each subsequent visit, or to any other website that recognises that cookie, enabling the website to recognise your device and remember certain information about your preferences or actions over time.
23.1.2 Cookies set by the website operator are called first-party cookies. Cookies set by parties other than the website operator are called third-party cookies. Third-party cookies are governed by the privacy policies of the respective third-party providers, and the relevant details are set out in the table in section 26.
23.1.3 Cookies may be session cookies, which are deleted when you close your browser, or persistent cookies, which remain on your device until they expire or you delete them.
23.2 Similar technologies
23.2.1 In addition to cookies, Cosmos and its third-party partners may use the following technologies, which this Policy covers on the same terms.
23.2.1.1 Pixel tags, also known as web beacons or clear GIFs, being tiny, typically one-pixel images embedded in web pages or emails that, when loaded, allow the placing party to record that a page or email has been viewed and to collect device and browsing data.
23.2.1.2 Local storage and session storage, being browser-side key-value stores that persist data beyond a single request without expiry in the case of local storage, or only for the duration of a browser session in the case of session storage.
23.2.1.3 Fingerprinting, being the derivation of a probabilistic identifier from device attributes such as browser type and version, operating system, installed fonts, screen resolution, and time zone, used where cookies are blocked or unavailable.
23.2.2 Where any such technology involves the Processing of Personal Data, the same legal bases, safeguards, and rights described in this Policy apply as they do to cookies.
24. Categories of cookies we use
24.1 Strictly necessary cookies
24.1.1 Strictly necessary cookies are essential to the operation of the Website and cannot be disabled through the preference centre. They include cookies that enable navigation, load balancing, security functions, and fraud prevention. They do not require consent under PECR because they are required for the provision of an information society service explicitly requested by the user, but Cosmos records their presence in its cookie disclosure in the interests of full transparency.
24.1.2 Cosmos does not use strictly necessary cookies to track users for advertising purposes or to build behavioural profiles.
24.2 Functional cookies
24.2.1 Functional cookies enable enhanced features and personalisation, such as remembering your language preference, your cookie consent choices, or information you entered in a form. Disabling these cookies may affect the quality or availability of certain features.
24.2.2 Where functional cookies involve the Processing of Personal Data, Cosmos relies on legitimate interests under Article 6(1)(f) of the EU GDPR and Article 6(1)(f) of the UK GDPR where the personalisation benefit is clearly in your interests, and on consent where the Processing goes beyond what you would reasonably expect.
24.3 Analytics cookies
24.3.1 Analytics cookies collect information about how visitors use the Website, including which pages are visited most often, how users navigate between pages, and whether error messages are encountered. This information is used to improve the Website and the Services.
24.3.2 Cosmos relies on consent as the legal basis for analytics cookies that involve the Processing of Personal Data about individual users. Where analytics data is genuinely aggregated and anonymised such that no individual can reasonably be identified, it does not constitute Personal Data and falls outside the scope of data protection law, although Cosmos nonetheless discloses its use here.
24.4 Advertising and targeting cookies
24.4.1 Advertising cookies are set by Cosmos or by its advertising partners to build a profile of your interests and show you relevant advertisements on other websites. They work by uniquely identifying your browser and internet device.
24.4.2 Cosmos relies on consent as the legal basis for advertising and targeting cookies in all jurisdictions covered by this Policy. Advertising cookies are never placed before you have given your affirmative consent.
24.4.3 Not consenting to advertising cookies will not prevent you from accessing the Website but means you may see generic rather than interest-based advertising when you browse other sites.
25. Consent management for cookies
25.1 How we obtain consent
25.1.1 On your first visit to the Website, or following a reset of your consent record, you will be presented with a cookie consent banner. The banner provides a clear explanation of the categories of cookies used; individual toggle controls for each non-essential category, being functional, analytics, and advertising; an "Accept all" button that consents to all categories; and a "Reject all" button, or equivalent, that is displayed with equal prominence and accessibility to the "Accept all" button and that rejects all non-essential cookies.
25.1.2 No toggle is pre-ticked or pre-set to "on". Strictly necessary cookies are listed but cannot be disabled.
25.1.3 Closing or dismissing the banner without making a selection is not treated as consent. Cosmos does not infer consent from continued browsing or scrolling.
25.1.4 Cosmos does not bundle consent for cookies with consent for any other Processing activity. Consent for non-essential cookies is freely given, specific, informed, and unambiguous.
25.2 Consent records and audit trail
25.2.1 When you interact with the consent banner, Cosmos logs a consent record containing a unique identifier tied to your consent record and not to your identity; a timestamp and the version of this Policy in force at the time; the categories you accepted and the categories you rejected; and the method by which consent was given, being banner interaction, preference centre, or application programming interface.
25.2.2 Cosmos retains consent records for as long as necessary to demonstrate compliance, and in any event for at least three years from the date of the consent or last renewal, whichever is later.
25.3 Consent renewal
25.3.1 Consent is refreshed at least once every twelve months. If twelve months have elapsed since you last made a consent choice, you will be presented with the consent banner again on your next visit. Any cookies for which renewed consent is not given will be removed.
25.3.2 Cosmos will also seek renewed consent if the cookies content of this Policy is materially updated in a way that affects the Processing for which consent was originally given.
25.4 GDPR and PECR
25.4.1 For users in the European Economic Area and the United Kingdom, Cosmos applies the requirements of the EU GDPR and the UK GDPR, as applicable, and of PECR.
25.4.1.1 Consent for cookies that access or store information on a device is obtained in accordance with Regulation 6 of PECR, which requires that the subscriber or user is provided with clear and comprehensive information about the purposes of the storage or access, and gives their consent.
25.4.1.2 That consent also satisfies Article 6(1)(a) of the applicable GDPR where the cookie involves the Processing of Personal Data.
25.4.1.3 The right to withdraw consent is explained in section 27, and withdrawal can be effected at any time without detriment.
25.4.2 The position on EU and UK Article 27 representatives is set out in clause 4.2. Cosmos has no establishment in the European Union or the United Kingdom and has not currently appointed a representative under Article 27 of the EU GDPR or the UK GDPR. Until any representative is appointed, individuals in the European Union or the United Kingdom may contact the Data Controller at dpo@cosmos.global.
25.5 PDPA in Singapore
25.5.1 For users accessing the Website from Singapore, Cosmos complies with the PDPA. Where cookies involve the collection of personal data from Singapore-resident individuals, Cosmos notifies you of the purposes for which personal data is collected, used, or disclosed at or before the point of collection, by means of this Policy and the consent banner; obtains your consent before placing non-functional cookies that involve the collection of personal data; and honours your withdrawal of consent within a reasonable time, consistent with section 27.
25.5.2 Singapore-resident users may contact the Data Controller regarding cookie-related personal data matters at dpo@cosmos.global or at privacy@cosmos.global.
25.6 UAE PDPL
25.6.1 For users in the United Arab Emirates, Cosmos applies the requirements of the UAE PDPL. Where cookies involve the Processing of personal data relating to UAE residents, Cosmos provides notification of the purposes of collection through this Policy and the consent banner, in accordance with the transparency requirements of the UAE PDPL; obtains consent where required by the UAE PDPL before placing non-functional cookies that involve the Processing of personal data of UAE residents; and recognises the rights of UAE residents to withdraw consent and to request information about their personal data, as further described in section 16.
25.6.2 UAE PDPL queries may be directed to privacy@cosmos.global.
26. Cookie table
The table below sets out the specific cookies and similar technologies Cosmos uses, or permits its partners to use, on the Website as at the effective date. Cosmos reviews and updates this table at least every six months. Cookie names and durations are set by the relevant providers and may change from time to time, and Cosmos reconciles this table against the live deployment at each review.
26.1 Strictly necessary
26.2 Functional
26.3 Analytics
26.4 Advertising and targeting
27. How to change your preferences and withdraw consent
27.1 Cookie preference centre
27.1.1 You can change your consent choices at any time by accessing the cookie preference centre, which is available via the "Cookie settings" link in the footer of every page of the Website.
27.1.2 To withdraw consent for a category of cookies, toggle the relevant category to "off" in the preference centre and save your selection. Any cookies for which you withdraw consent will be removed from your device within a reasonable time and in any event promptly following the next page load.
27.1.3 Withdrawal of consent does not affect the lawfulness of Processing carried out on the basis of consent before its withdrawal.
27.2 Browser controls
27.2.1 All major web browsers provide controls that allow you to manage, delete, and block cookies. The exact steps vary by browser, and you can find guidance at the following locations.
27.2.1.1 Google Chrome: Settings, then Privacy and security, then Cookies and other site data.
27.2.1.2 Mozilla Firefox: Options, then Privacy and Security, then Cookies and Site Data.
27.2.1.3 Apple Safari: Preferences, then Privacy, then Manage Website Data.
27.2.1.4 Microsoft Edge: Settings, then Cookies and site permissions, then Cookies and site data.
27.2.2 Please note that blocking all cookies through browser settings may prevent parts of the Website from functioning correctly, including the Onboarding Flow and certain security features.
27.2.3 For information about managing cookies on mobile devices, refer to the documentation provided by your device manufacturer or operating system provider.
27.3 Third-party opt-out mechanisms
27.3.1 Many of Cosmos's advertising and analytics partners participate in industry opt-out programmes. You can opt out of interest-based advertising from participating companies through the following mechanisms, the links being accurate as at the effective date, and you should verify their currency.
27.3.1.1 Your Online Choices, for the EU and EEA, at http://www.youronlinechoices.com.
27.3.1.2 Network Advertising Initiative, for the USA, at https://www.networkadvertising.org/choices.
27.3.1.3 Digital Advertising Alliance, for the USA, at https://www.aboutads.info/choices.
27.3.1.4 Google Ads Settings, at https://adssettings.google.com.
27.3.1.5 Meta Ad Preferences, available through your Facebook account settings.
27.3.2 Using these opt-out mechanisms does not necessarily prevent all data collection; it limits the use of the data collected for interest-based advertising.
27.4 Global Privacy Control and Do Not Track
27.4.1 Global Privacy Control, the GPC, is a browser-level signal that communicates a user's privacy preference to websites. Where Cosmos detects a valid GPC signal from your browser, it treats it as a request to opt out of the sale or sharing of personal data for cross-context behavioural advertising, consistent with applicable law, including, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act, which Cosmos applies as a floor for users in California even though it is not the primary governing law for this Website. Cosmos will not place advertising or targeting cookies in response to a valid GPC signal unless you subsequently give affirmative consent through the preference centre.
27.4.2 Do Not Track, the DNT, is a browser signal indicating a preference not to be tracked across websites. There is no universal legal obligation to honour DNT signals and no agreed technical standard for implementing them. Cosmos does not currently treat a DNT signal as equivalent to withdrawal of consent for cookies. Cosmos encourages users who wish to limit tracking to use the preference centre or GPC instead.
28. International transfers in respect of cookies
28.1 Several of the third-party cookies listed in section 26 involve the transfer of personal data to the United States or to other countries outside the European Economic Area, the United Kingdom, Singapore, and the UAE. Where such transfers occur, Cosmos takes the following steps to ensure an adequate level of protection.
28.1.1 For transfers to the USA by Google LLC and Meta Platforms, Inc., Cosmos relies on the EU-US Data Privacy Framework where the recipient is certified, and on the EU SCCs in the controller-to-controller module and, for UK-resident users, on the UK Addendum or UK IDTA as applicable.
28.1.2 For transfers to the USA by LinkedIn Ireland Unlimited Company, Cosmos relies on the EU SCCs and, for UK-resident users, on the UK Addendum or UK IDTA as applicable.
28.1.3 For transfers by Cloudflare, Inc., Cosmos relies on the EU SCCs and the UK Addendum or UK IDTA as applicable.
28.1.4 For transfers from the UAE, Cosmos relies on consent and on such supplementary safeguards as are required or permitted by the UAE PDPL and its Executive Regulations.
28.2 You may request a copy of the relevant transfer mechanism by contacting privacy@cosmos.global. The general transfer rules that Cosmos applies under each regime are set out in section 10.
29. Retention of cookie data
29.1 Cookies expire on the dates set out in section 26. Session cookies are deleted automatically when you close your browser.
29.2 Where cookie data is processed as Personal Data on Cosmos's servers or in its analytics platforms, it is retained for no longer than is necessary for the purposes described in this Policy, and in any event for the periods set out in the retention schedule in section 11.
29.3 Consent records are retained for at least three years from the date of consent or last renewal, as described in clause 25.2.2.
30. Responsible AI: purpose and scope
30.1 Who this content applies to
30.1.1 The responsible AI content in this section 30 and the following sections applies to all Users who access the Website, including through the Onboarding Flow, and to any person who receives outputs generated by AI systems operated by or on behalf of Cosmos in connection with the Website.
30.1.2 This content supplements, and should be read alongside, the rest of this Policy and the Disclaimer and No Advice Notice. In the event of conflict, the more specific provision prevails on its subject matter.
30.1.3 This content does not apply to the Platform, which is governed by the Master Services Agreement and any AI-specific addendum agreed under it. Users of the Platform should refer to those documents.
30.2 What this content covers
30.2.1 This section 30 and the following sections describe the AI systems and model providers that Cosmos uses in connection with the Website and its associated Services; the purposes for which AI is used; Cosmos's commitments in respect of model training, data use, accuracy, human oversight, bias, and fairness; the responsibilities of Users when interacting with or relying upon AI-generated outputs; Cosmos's forward-looking regulatory positioning; and how to contact Cosmos with AI-related concerns.
31. How Cosmos uses AI
31.1 Overview
31.1.1 Cosmos is an AI-powered corporate services and compliance technology platform. AI systems are central to how the Services are delivered, and Users should expect to encounter AI-generated content when using the Website.
31.1.2 The AI capabilities accessible through or in connection with the Website include the following.
31.1.2.1 Document drafting assistance: AI systems generate, or assist in generating, drafts of corporate documents, including incorporation documents, board resolutions, and compliance filings, based on parameters provided by the User through the Onboarding Flow.
31.1.2.2 Compliance information and guidance: AI systems surface information about regulatory requirements, filing deadlines, and corporate governance obligations in the jurisdictions in which Cosmos operates, drawing on curated regulatory data sources maintained by Cosmos.
31.1.2.3 Onboarding and intake: AI systems process information submitted through the Onboarding Flow to identify the appropriate Services and to pre-populate or structure engagement documents.
31.1.2.4 Search and information retrieval: AI systems assist Users in locating relevant regulatory provisions, official guidance, and Cosmos-curated content.
31.1.2.5 Communication assistance: AI systems may assist in drafting communications or summaries that are then reviewed by Cosmos professionals before being sent to Users.
31.1.3 The specific AI capabilities available to a User at any given time depend on the Services engaged, the jurisdiction involved, and the configuration of the Website in force at that date. Cosmos may add, modify, or discontinue AI capabilities, and this Policy is updated to reflect material changes.
31.2 Model providers
31.2.1 Cosmos sources the AI capabilities described in clause 31.1 from third-party foundation model providers. As at the effective date, the model providers engaged are OpenAI, Anthropic, and Mistral AI.
31.2.2 Cosmos undertakes to keep this list current. Users may request an up-to-date list of model providers by contacting privacy@cosmos.global. Material changes to the model provider list will be reflected in an updated version of this Policy.
31.2.3 Each model provider processes data on Cosmos's behalf as a Processor or, where the provider operates its own infrastructure for its own purposes, as a Controller. The data processing arrangements for each provider are set out in or referenced from this Policy and, for Platform users, in the Sub-processor List maintained under the Master Services Agreement.
32. Training data and use of user inputs
32.1 Cosmos's position
32.1.1 Cosmos does not itself train, develop, or fine-tune any AI model. Cosmos does not use any inputs provided by Users through the Website or the Onboarding Flow to train, fine-tune, evaluate, or otherwise improve any AI model that Cosmos controls.
32.1.2 This position applies to the text, documents, and data you submit through the Website, including any Onboarding Submission.
32.1.3 Cosmos delivers its AI features using the third-party model providers named in clause 31.2.1. Whether inputs sent to a provider are used by that provider to train or improve its own models depends on that provider's terms and the configuration of Cosmos's account with that provider. Cosmos does not control, and does not warrant, the training practices of a third-party model provider.
32.2 Position on provider training
32.2.1 When you use the Website's AI-assisted features, your inputs are processed by the third-party model providers named in clause 31.2.1. Those inputs may be used by those providers to train or improve their models. Cosmos does not control, and does not warrant, the training practices of any third-party model provider.
32.2.2 You should not enter confidential information, or any special category personal data, into the AI-assisted features. Cosmos keeps this position under review and expects to publish more specific commitments once it has confirmed the data-use terms applicable to each provider.
33. Accuracy and hallucination disclaimer
33.1 Inherent limitations
33.1.1 Large language models and other generative AI systems can produce outputs that are factually incorrect, inconsistent, incomplete, out of date, or misleading. This phenomenon is commonly referred to as hallucination. It arises because these systems generate statistically probable text rather than retrieving verified facts, and they cannot reliably distinguish between what they know to be true and what they have inferred or invented.
33.1.2 Cosmos takes steps to reduce the risk of inaccurate AI outputs, including grounding AI systems in curated, jurisdiction-specific regulatory data sources maintained by Cosmos; applying retrieval-augmented generation or equivalent techniques to anchor outputs to identified source documents where practicable; human review of AI outputs in the workflows described in section 34; and ongoing monitoring and evaluation of output quality.
33.1.3 Notwithstanding those steps, Cosmos cannot guarantee that any AI-generated output is accurate, complete, current, or fit for any particular purpose. All AI outputs are provided on that basis.
33.2 No reliance without verification
33.2.1 Users must not rely on AI-generated outputs without independent verification, particularly in respect of the current text or status of any law, regulation, or official guidance; the requirements of any specific regulatory filing or corporate process; deadlines, fees, or procedural requirements imposed by a government authority or free zone; and the appropriateness of any document, structure, or course of action for the User's specific circumstances.
33.2.2 Nothing in this Policy or in any AI-generated output constitutes legal, tax, financial, accounting, or professional advice of any kind. Please refer to the Disclaimer and No Advice Notice for a full statement of the limitations of Cosmos's Services.
34. Human oversight
34.1 Reviewed workflows
34.1.1 The following workflows involve AI-generated output that is reviewed by a qualified Cosmos professional before it is delivered to, or relied upon by, the User: finalised corporate document drafts delivered as part of an engagement; compliance calendars and regulatory filing schedules generated during onboarding; entity structuring recommendations generated during the Onboarding Flow and confirmed to a User as a formal proposal; and any AI-generated communication that is sent from a named Cosmos professional or from an official Cosmos email address.
34.1.2 In each of the reviewed workflows listed in clause 34.1.1, the reviewing professional is responsible for verifying the accuracy and appropriateness of the AI-generated content before it is delivered. The review does not necessarily mean that every line has been independently researched from scratch. It means that a suitably qualified person has applied professional judgement to the output and is satisfied that it is materially accurate and appropriate for delivery.
34.2 Unreviewed workflows
34.2.1 The following workflows involve AI-generated output that is delivered directly to the User without prior review by a Cosmos professional: real-time responses generated by any AI chat or assistant interface on the Website; automated search results and information-retrieval responses; and preliminary document structures or summaries generated during the Onboarding Flow before a Cosmos professional has reviewed the engagement.
34.2.2 Cosmos identifies unreviewed AI outputs by displaying one or more of the following indicators: a visible label stating "AI-generated" or equivalent; an inline disclaimer; or a notice in the interface through which the output is delivered. Users must not treat unreviewed AI outputs as verified information.
34.2.3 Cosmos is committed to expanding the scope of human oversight as its operations scale. The allocation of workflows between reviewed and unreviewed categories will be updated in this Policy as material changes occur.
34.3 Escalation
34.3.1 If a Cosmos professional, in the course of reviewing an AI-generated output, identifies a material error or a concern that the output may not be reliable for the User's circumstances, they will correct the output before delivery; notify the User of the issue where relevant to the User's reliance; and escalate the matter internally for a review of the underlying AI system or data source.
35. Bias, fairness, and non-discrimination
35.1 Cosmos's commitment
35.1.1 Cosmos acknowledges that AI systems can produce outputs that reflect, amplify, or perpetuate biases present in the data on which they were trained, in the prompts used to query them, or in the design of the systems themselves. Biased AI outputs can lead to unfair treatment of individuals or groups, including on the basis of national or ethnic origin, political opinions, religion, disability, age, sex, or other protected characteristics.
35.1.2 Cosmos takes the following steps to identify and mitigate bias in its AI-powered Services: selecting and configuring model providers whose published model cards and responsible AI documentation demonstrate attention to bias identification and mitigation; reviewing AI-generated outputs for evidence of systematic bias as part of ongoing quality monitoring; maintaining a mechanism through which Users and Cosmos professionals can report suspected bias, as described in section 38; and publishing an updated assessment of known bias risks and mitigation measures at reasonable intervals, and notifying Users of material findings through updates to this Policy.
35.1.3 Cosmos does not use AI systems to make automated decisions that produce legal or similarly significant effects in respect of individual Users without human oversight. Where AI is used to inform a decision that affects a User's legal or financial position, a Cosmos professional reviews the AI output as described in clause 34.1.
35.2 Limitations of bias mitigation
35.2.1 Cosmos's bias mitigation measures reduce but cannot eliminate the risk of biased outputs. Users who believe they have received an output that unfairly discriminates against them or reflects inappropriate assumptions should contact Cosmos at legal@cosmos.global as described in section 38.
36. User responsibilities
36.1 Personal data
36.1.1 Users must not submit personal data, and in particular special category personal data as defined in Article 9 of the EU GDPR and its equivalents under other Applicable Data Protection Laws, through any AI interface on the Website unless such submission is expressly required by the relevant workflow and has been authorised by all relevant data subjects, and the User has reviewed this Policy and is satisfied that the submission is lawful.
36.1.2 Special category personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning a person's sex life or sexual orientation. The Onboarding Flow is not designed to receive special category data except where a specific workflow expressly requires it.
36.1.3 Users must not submit the personal data of any third party through the Website without a lawful basis for doing so and, where required, the informed consent of that third party.
36.2 Verification of outputs
36.2.1 Users are responsible for verifying all AI-generated outputs before relying on them for any purpose, in accordance with clause 33.2. This responsibility applies regardless of whether the output has been reviewed by a Cosmos professional, because the scope of review described in clause 34.1 is limited to the professional's assessment at the time of review and does not constitute a warranty of accuracy.
36.2.2 In particular, Users must seek independent professional advice before relying on any AI-generated document, filing, or recommendation for the purposes of corporate incorporation, restructuring, or dissolution; regulatory filing or compliance certification; any transaction, investment, or financial commitment; and any matter that may give rise to legal rights or obligations.
36.3 Prohibited inputs
36.3.1 Users must not input into any AI interface on the Website content that is unlawful, harmful, threatening, abusive, defamatory, or in violation of any applicable law; content that infringes the intellectual property rights of any person; classified, confidential, or trade secret information belonging to a third party that the User is not authorised to disclose; content designed to manipulate, jailbreak, or circumvent the safety or operational constraints of any AI system; or content that violates the Acceptable Use Policy.
36.3.2 Cosmos reserves the right to suspend or terminate access to AI-powered features where a User breaches clause 36.3.1, without prejudice to any other remedy available to Cosmos.
37. Regulatory positioning
37.1 ADGM and DIFC
37.1.1 Cosmos's primary regulatory environment is the Abu Dhabi Global Market. The ADGM Financial Services Regulatory Authority, the FSRA, has published guidance relevant to the use of AI and automated systems in financial services and technology businesses operating in the ADGM. Cosmos monitors FSRA guidance and updates its AI governance practices to remain consistent with applicable regulatory expectations as they develop.
37.1.2 To the extent that Cosmos or an Affiliate operates within the Dubai International Financial Centre, Cosmos monitors relevant guidance from the DIFC Authority and the Dubai Financial Services Authority, the DFSA, in respect of AI and technology risk, and applies those standards where applicable.
37.1.3 Neither the ADGM nor the DIFC had, as at the effective date of this Policy, enacted primary AI-specific legislation applicable to Cosmos's operations. This section will be updated as the regulatory landscape develops.
37.2 EU AI Act
37.2.1 Regulation (EU) 2024/1689 of the European Parliament and of the Council, the EU AI Act, entered into force on 1 August 2024, with phased application of its provisions through to August 2027. The EU AI Act establishes a risk-based framework for AI systems placed on the market in the European Union.
37.2.2 Cosmos is actively assessing which of its AI-powered services, insofar as they are used by persons in the EU, fall within the scope of the EU AI Act and what classification, being prohibited, high-risk, limited-risk, or minimal-risk, applies to each. Cosmos's forward-looking compliance programme addresses risk classification of AI systems used in connection with the Website and the Platform; transparency obligations applicable to limited-risk AI systems, including obligations to inform users when they are interacting with an AI system; documentation and record-keeping obligations as they enter into force; and conformity assessment requirements for any system that may be classified as high-risk.
37.2.3 Cosmos does not currently assess any AI capability deployed on the Website as falling within a prohibited use case under Article 5 of the EU AI Act.
37.2.4 This section represents Cosmos's good-faith assessment of its regulatory position as at the effective date and is subject to revision as the EU AI Act's implementing measures, guidance from the European AI Office, and any applicable national implementing legislation develop.
37.3 Other jurisdictions
37.3.1 Cosmos monitors AI regulatory developments in the United Kingdom, including guidance from the Information Commissioner's Office and the AI Security Institute (formerly the AI Safety Institute), in Singapore, including guidance from the Infocomm Media Development Authority and the Personal Data Protection Commission, and in other jurisdictions in which it operates. Where binding AI-specific requirements become applicable to Cosmos's Services in those jurisdictions, Cosmos will update its practices and this Policy accordingly.
38. Contact for AI-related concerns
38.1 If you have a concern about the accuracy, fairness, bias, or conduct of any AI-generated output you have received from Cosmos, or if you believe that your personal data may have been used in a way inconsistent with this Policy, please contact Cosmos by email (legal@cosmos.global for AI-related concerns, privacy@cosmos.global for privacy and data matters, or dpo@cosmos.global, the privacy point of contact) or by post to Sirius Consulting FZCO at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates.
38.2 Please include in your communication a description of the concern, the date and nature of the interaction or output in question, and any supporting information. Cosmos will acknowledge your contact within five business days and provide a substantive response within thirty calendar days.
38.3 If you believe an AI output has affected you in a manner that engages your rights under applicable data protection law, you may also lodge a complaint with the relevant supervisory authority. The applicable supervisory authorities are set out in section 17.
39. Governing law, jurisdiction, and general provisions
39.1 Contact details
39.1.1 Questions about this Policy, and requests to exercise the rights described in section 16, should be sent to privacy@cosmos.global or to dpo@cosmos.global, or by post to Sirius Consulting FZCO at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates. AI-related concerns may also be sent to legal@cosmos.global as described in section 38.
39.2 Governing law and jurisdiction
39.2.1 This Policy and any non-contractual obligations arising out of or in connection with it are governed by the law of the Abu Dhabi Global Market (ADGM). The ADGM Courts have non-exclusive jurisdiction to settle any dispute arising out of or in connection with it. Nothing in this clause deprives a consumer resident in the European Union, the European Economic Area, the United Kingdom, or Singapore of the protection of mandatory provisions of the law of their country of residence, and such a consumer may also bring proceedings in, and benefit from the mandatory consumer protection laws of, that country where local law so requires.
39.2.2 The choice of governing law in clause 39.2.1 does not displace the application of the UAE PDPL, the EU GDPR, the UK GDPR, the DPA 2018, PECR, the PDPA, or any other Applicable Data Protection Law to the extent that law applies of its own force to the Processing described in this Policy.
39.3 Variation and changes
39.3.1 Cosmos may amend this Policy from time to time to reflect changes in its Processing activities, in its cookie usage, in its AI capabilities or model provider arrangements, in the Applicable Data Protection Law, or in good practice, including to reflect the issuing of the Executive Regulations to the UAE PDPL.
39.3.2 Where Cosmos amends this Policy, it will update the version number and the effective date in the header block, and will publish the amended Policy on the Website. Where a change is material, Cosmos will give you additional notice by a means appropriate to the change, which may include a notice on the Website, the presentation of the cookie consent banner again on your next visit where the change affects cookie Processing, reasonable steps to draw the change to the attention of Users currently accessing AI-powered features where the change affects those features, or, where Cosmos holds your contact details and it is appropriate to do so, a direct communication to you.
39.3.3 Where an amendment requires your consent under the Applicable Data Protection Law, Cosmos will obtain that consent before the amendment takes effect in relation to the Processing concerned. Your continued use of the Website after the effective date of an amended Policy that does not require consent indicates that you have read the amended Policy, but does not constitute consent to any new categories of cookies for which consent is required.
39.3.4 No variation of this Policy is effective unless made by Cosmos in accordance with this clause 39.3.
39.4 Version control
39.4.1 Cosmos keeps prior versions of this Policy and can provide a copy of a prior version on request to privacy@cosmos.global. The version in force at the time of your visit governs your use of the Website. This Policy is published at https://cosmos.global.
39.5 Severability
39.5.1 If any provision of this Policy is or becomes invalid, illegal, or unenforceable, it is to be treated as modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is not possible, the relevant provision is to be treated as deleted. Any modification to or deletion of a provision under this clause does not affect the validity and enforceability of the rest of this Policy.
39.6 No waiver
39.6.1 No failure or delay by Cosmos in exercising a right or remedy provided under this Policy or by law constitutes a waiver of that or any other right or remedy, and no single or partial exercise of such a right or remedy precludes or restricts the further exercise of that or any other right or remedy.
39.7 Notices
39.7.1 A notice to Cosmos under this Policy is to be sent to privacy@cosmos.global or by post to Sirius Consulting FZCO at The Bureau, Opera Grand, Downtown, Dubai, United Arab Emirates. A notice from Cosmos to you may be given by email to the most recent email address Cosmos holds for you, by a notice on the Website, or by post to the most recent postal address Cosmos holds for you.
39.8 Entire statement
39.8.1 This Policy, together with the documents it cross-refers to, namely the Terms of use, the Data Processing Addendum, the Sub-processor List, and the complaints procedure on the Legal and compliance page, sets out the entirety of how Cosmos handles Personal Data, cookies, and artificial intelligence in connection with the Website.
40. Definitions appendix
40.1 The following defined terms are used in this Policy. Where a term is defined in the body of this Policy, the body definition governs and this appendix is a guide.
40.1.1 ADGM means the Abu Dhabi Global Market.
40.1.2 ADGM DP Regulations means the ADGM Data Protection Regulations 2021 administered by the Office of Data Protection of the Abu Dhabi Global Market.
40.1.3 Affiliate has the meaning given in clause 1.1.2.
40.1.4 Applicable Data Protection Law means all data protection and privacy laws applicable to the Processing of Personal Data under this Policy, including the UAE PDPL, the EU GDPR, the UK GDPR, the DPA 2018, PECR, and the PDPA.
40.1.5 Controller bears the meaning given in the Applicable Data Protection Law.
40.1.6 Cosmos, the Cosmos Group, we, us, and our mean Sirius Consulting FZCO together with its Affiliates.
40.1.7 Data Controller means Sirius Consulting FZCO, as the Controller for the Processing described in this Policy.
40.1.8 Data Processing Addendum means the Cosmos Data Processing Addendum, which governs Processing carried out by Cosmos as Processor on behalf of a corporate client.
40.1.9 Data Subject bears the meaning given in the Applicable Data Protection Law.
40.1.10 DPA 2018 means the UK Data Protection Act 2018.
40.1.11 ePrivacy Directive means Directive 2002/58/EC, together with the national laws that implement it in each Member State of the European Union.
40.1.12 EU AI Act means Regulation (EU) 2024/1689 of the European Parliament and of the Council.
40.1.13 EU GDPR means Regulation (EU) 2016/679.
40.1.14 EU SCCs means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
40.1.15 KYC and AML Data has the meaning given in clause 5.9.1.
40.1.16 Master Services Agreement or MSA means the separate agreement governing access to and use of the Platform.
40.1.17 Onboarding Flow means the guided intake process on the Website through which a prospective client submits information to Cosmos.
40.1.18 Onboarding Submission means any information, document, or material submitted by a User through the Onboarding Flow.
40.1.19 PDPA means the Singapore Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020.
40.1.20 PECR means the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.
40.1.21 Personal Data, Processing, Personal Data Breach, Processor, and Sub-processor bear the meanings given in the Applicable Data Protection Law.
40.1.22 Platform means the separate AI-powered software-as-a-service platform made available by Cosmos on a subdomain and governed by the Master Services Agreement.
40.1.23 Policy means this privacy page, comprising the privacy, cookies, and responsible AI content consolidated here.
40.1.24 Sensitive Personal Data has the meaning given in clause 8.3.1.
40.1.25 Sirius Consulting FZCO means the company that operates the Website, a free zone company established in the United Arab Emirates and trading as Cosmos.
40.1.26 Sub-processor List means the list, sitting with the Data Processing Addendum, that identifies the Sub-processors engaged by Cosmos and the Processing each performs.
40.1.27 UAE PDPL means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its Executive Regulations once issued.
40.1.28 UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the DPA 2018.
40.1.29 UK GDPR means the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
40.1.30 UK IDTA means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the DPA 2018.
40.1.31 User, you, and your mean any person who accesses or uses the Website.
40.1.32 Website means the website at https://cosmos.global and any associated pages operated by Cosmos, including the Onboarding Flow and on-site payment functionality, but excluding the Platform.
Version: v1.0.
Effective date: 24 May 2026.
Operator: Sirius Consulting FZCO, a free zone company established in the United Arab Emirates, trading as Cosmos.
This Policy is published at https://cosmos.global. Prior versions are available on request to privacy@cosmos.global.