Privacy Policy
This policy explains what personal data Cosignet processes, why, on what legal basis, who we share it with, and the rights you have. We keep it plain and honest.
Last updated: 18 June 2026.
Who we are
Cosignet (“we”, “us”) provides a hosted service that pauses high-risk actions and requires an explicit, payload-bound passkey approval. We are the data controller for the personal data described here. For any privacy matter, contact privacy@cosignet.com.
What we collect
- Account & contact data — the email address you submit to the waitlist or that is linked to your customer account; optional name/company/use-case from the waitlist form.
- Approval data — the action label and the payload you send for each confirmation. We store the payload because the approver must see exactly what they are signing and we hash it to bind the signature. Keep secrets out of payloads — pass references (IDs) instead of raw sensitive data.
- Authentication data — WebAuthn/passkey public credentials and the raw assertion produced on approval (our audit trail). The passkey private key is generated and stored in your device hardware; we never receive or store it.
- Optional notification identifiers — a Telegram chat ID, only if you link Telegram notifications.
- API keys — stored only as a SHA-256 hash plus a short prefix; the full key is shown once at creation and never again.
- Technical/security data — your IP address and a bot-protection token are processed by Cloudflare Turnstile on our public forms (waitlist, registration) to prevent abuse. We do not run analytics, advertising, or cross-site tracking.
Why we use it & legal bases
- Provide the service (create and display approvals, authenticate you, keep an audit trail) — performance of a contract.
- Security & abuse prevention (Turnstile, rate limiting, fail-closed logging) — our legitimate interest in protecting the service and users.
- Service communication (invites, magic links, approval and usage notifications you enable) — performance of a contract / your request.
Sub-processors
We use a small set of providers to run the service:
- Cloudflare — hosting (Workers), database (D1), email routing, and Turnstile bot protection.
- Resend — delivery of transactional email (invites, magic links, notifications).
- Telegram — only if you link Telegram notifications; the action label and approval link are sent to your linked chat.
Some providers may process data outside your country; where required we rely on appropriate safeguards (e.g. Standard Contractual Clauses).
Retention
Confirmations (action, payload, hash, status, and the raw assertion once approved) are kept until you request removal. Ephemeral records — login/registration challenges, magic links, and short-lived sessions — expire automatically. We do not yet run automatic deletion of confirmations; configurable retention is on the roadmap.
Your rights
Subject to applicable law (including the GDPR), you may request access, rectification, erasure, restriction, or portability, or object to processing. To exercise any of these, or to ask about deletion, export, or data residency, contact privacy@cosignet.com. You also have the right to lodge a complaint with your local data-protection authority.
Cookies & security
We use only strictly necessary cookies and run no tracking; details are in the Cookie Policy. For how we secure data and bind approvals, see Security.
We may update this policy; material changes will be reflected by the “last updated” date above.