Privacy Policy
Last updated: March 5, 2026
This Privacy Policy describes how Portable Software, Corp. ("Cosyra," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Cosyra mobile application, website, cloud terminal infrastructure, and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
The short version: We collect only the data necessary to operate the Service. Your code remains private. We do not train AI models on your private code. All data is encrypted in transit. You may request deletion of your account and data at any time.
1. Information We Collect
1.1 Account Information
When you create a Cosyra account, we collect:
- Email address — Required to create your account, authenticate your identity, and communicate with you regarding the Service
- Name — Collected if you sign in via Google, Apple, or GitHub, or if you choose to provide it
- Authentication identifiers — User ID, OAuth tokens, and session tokens necessary to maintain your authenticated session
- Profile information — Profile photo URL if provided by your sign-in provider (Google, Apple, or GitHub)
1.2 Usage Data and Diagnostics
We automatically collect certain information to operate, maintain, and improve the Service:
- Device information — Device type, model, operating system version, screen resolution, and unique device identifier (UUID)
- App usage — Features accessed, session duration, screen views, and interaction events (collected with sampling to minimize data volume)
- Crash and performance data — Crash logs, stack traces, device state at time of error, and app performance metrics
- IP address — Used for security monitoring, fraud prevention, and approximate geographic location (country/region level)
1.3 Terminal and Cloud Session Data
When you use the Cosyra cloud terminal:
- Terminal commands — Commands you enter are transmitted to your cloud container via an encrypted WebSocket connection for execution
- Session data — Terminal output is streamed back to your device in real time; session data is isolated to your individual container
- Files — Files within your cloud container are accessible only to you and are stored on encrypted infrastructure
1.4 AI Interaction Data
When you use AI-powered features within the terminal:
- Prompts and context — Code snippets, commands, and questions you send to AI models via CLI tools (e.g., Claude Code, Gemini CLI, Codex)
- AI responses — Output generated by AI providers, streamed through your terminal session
AI interactions occur within your cloud terminal session. We do not independently log, store, or process the content of your AI conversations.
1.5 Voice Input Data
When you use the optional voice-to-text feature:
- Audio recording — Captured temporarily in device memory (maximum 30 seconds per recording)
- On-device processing — Audio is transcribed locally on your device using an on-device speech recognition model (Whisper). No audio data is transmitted to our servers or any third party
- Transcribed text — The resulting text is inserted into your terminal input. If you have enabled optional AI post-processing, the transcript may be sent to Anthropic's API for command normalization
1.6 Purchase and Subscription Data
When you subscribe to a paid plan:
- Subscription status — Plan type, entitlements, renewal dates, and transaction identifiers
- Purchase history — Managed by Apple (App Store), Google (Play Store), and our subscription infrastructure provider (RevenueCat)
We do not collect or store your payment card details, bank account information, or other financial instruments. All payment processing is handled by Apple, Google, or their authorized payment processors.
1.7 API Keys and Secrets
If you store API keys or environment variables in Cosyra:
- Secrets are encrypted using industry-standard encryption (AES-256)
- We use platform-native secure storage (iOS Keychain, Android EncryptedSharedPreferences)
- API keys are never transmitted to our servers unless required for a feature you explicitly enable
1.8 Biometric Data
If you enable biometric authentication (Face ID, Touch ID, or fingerprint):
- Biometric processing occurs entirely on your device using platform-native APIs
- We do not receive, transmit, or store any biometric data
- Only a success or failure result is returned to the application
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and operate the Service | Account info, authentication tokens, terminal session data | Contract performance |
| Manage subscriptions and billing | Purchase history, subscription status, user ID | Contract performance |
| Deliver push notifications | FCM token, device ID, notification preferences | Consent |
| Improve product quality and stability | Anonymized usage analytics, crash reports, performance data | Legitimate interest |
| Send product updates and communications | Email address | Consent |
| Prevent fraud, abuse, and unauthorized access | IP address, device info, authentication logs | Legitimate interest |
| Provide AI-powered terminal features | Code context, prompts (within your terminal session) | Contract performance |
| Legal and regulatory compliance | As required by applicable law | Legal obligation |
3. AI Features and Your Code
We do not train AI models on your private code.
When you use AI assistance features in Cosyra:
- Your code is not used for training - We never use your private code to train or improve AI models
- Bring your own API key - When you use your own API keys, data goes directly to your chosen provider
- Minimal context - We send only the code context necessary to generate helpful responses
- No persistent storage - AI interaction data is not stored beyond the current session unless you explicitly save it
Third-Party AI Providers
Cosyra supports multiple AI providers. When you use these services, your data is also subject to their privacy policies:
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only in the following circumstances and only to the extent necessary for the stated purpose.
4.1 Infrastructure and Hosting
| Provider | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, terminal containers, backend services | Encrypted application data, terminal session data, user files |
| Azure Static Web Apps | Website hosting (cosyra.com) | Static website assets only; no user data processed |
4.2 Authentication Providers
| Provider | Purpose | Data Processed |
|---|---|---|
| Firebase Authentication (Google) | Account creation, sign-in, identity management | Email address, name, authentication tokens, IP address |
| Google Sign-In | OAuth-based authentication | Google account name, email address, profile photo URL |
| Sign in with Apple | OAuth-based authentication | Apple ID, name (if provided), email address (may be relayed) |
| GitHub OAuth | OAuth-based authentication | GitHub username, email address, profile information, OAuth tokens |
4.3 Analytics, Diagnostics, and Notifications
| Provider | Purpose | Data Processed |
|---|---|---|
| Firebase Analytics (Google) | App usage analytics, feature adoption measurement | Device information, app events, screen views, anonymized user ID, advertising ID (for attribution only) |
| Firebase Crashlytics (Google) | Crash reporting and stability monitoring | Crash logs, stack traces, device state, operating system version |
| Firebase Cloud Messaging (Google) | Push notifications for terminal events | FCM device token, notification payload (e.g., "Command finished") |
| Google Analytics | Website analytics (cosyra.com only) | Anonymized page views and usage data |
4.4 Subscription and Payment Infrastructure
| Provider | Purpose | Data Processed |
|---|---|---|
| RevenueCat | Subscription management, entitlement verification, receipt validation | User ID, device ID, purchase history, subscription status, transaction identifiers |
| Apple App Store / Google Play Store | Payment processing, subscription billing | Managed entirely by Apple and Google; we do not receive payment card or bank details |
4.5 AI Providers
AI interactions occur within your cloud terminal session using CLI tools you install and configure (e.g., Claude Code, Gemini CLI, OpenAI Codex). These tools communicate directly with their respective provider APIs using your own API keys. Cosyra does not intermediate, log, or store the content of these interactions.
When you use these services, your data is subject to their respective privacy policies:
- Anthropic Privacy Policy (Claude)
- Google Privacy Policy (Gemini)
- OpenAI Privacy Policy (Codex, ChatGPT)
4.6 On-Device Processing
The following features process data entirely on your device. No data from these features is transmitted to our servers or to any third party:
- Voice-to-text (Whisper) — Audio is recorded, transcribed, and discarded on-device
- Biometric authentication — Face ID, Touch ID, and fingerprint data remain on-device via platform-native APIs
- Secure credential storage — API keys and secrets stored in iOS Keychain or Android EncryptedSharedPreferences
- Clipboard — URL copy/paste operations are handled locally by the operating system
4.7 Legal Requirements
We may disclose your information if required to do so by law, regulation, court order, subpoena, or government request. We will make reasonable efforts to notify you of such requests unless prohibited by law or court order.
4.8 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
5. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, and resolve disputes.
| Data Type | Retention Period |
|---|---|
| Account data (email, name, user ID) | Until account deletion + 30 days |
| Authentication tokens and sessions | Revoked immediately upon account deletion or sign-out |
| Terminal session data | Duration of active session + 7 days |
| Cloud container files | Until account deletion + 30 days |
| Usage analytics | 26 months (anonymized and aggregated) |
| Crash reports and diagnostics | 90 days (Firebase Crashlytics default) |
| Subscription and purchase records | As required by financial regulations (typically 7 years) |
| Push notification tokens | Revoked immediately upon account deletion |
| AI interaction data | Not retained by Cosyra (session-scoped; subject to AI provider policies) |
| Voice recordings | Not retained (processed on-device and immediately discarded) |
| Support requests | 3 years from resolution |
6. Your Rights
Depending on your location, you may have the following rights:
For All Users
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete information
- Deletion — Request deletion of your account and associated data. You may delete your account directly from the app or by visiting our account deletion page
- Opt-out — Unsubscribe from marketing communications at any time
For EU/EEA Users (GDPR)
In addition to the rights above, users in the European Economic Area are entitled to:
- Data portability — Export your data in a structured, machine-readable format
- Restrict processing — Request that we limit how we process your data
- Object to processing — Object to processing based on legitimate interest
- Withdraw consent — Withdraw consent at any time without affecting the lawfulness of prior processing
For California Users (CCPA/CPRA)
California residents have the following additional rights:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete — Request deletion of your personal information
- Right to opt-out of sale — We do not sell personal information
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at hello@portablesoftware.co or visit our contact page. We will acknowledge your request within 10 business days and respond substantively within 30 days.
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit - All data transmitted using TLS 1.3
- Encryption at rest - Stored data encrypted with AES-256
- Isolated sessions - Each terminal session runs in an isolated container
- Access controls - Role-based access for our team members
- Regular audits - Periodic security reviews and testing
8. International Data Transfers
Cosyra is based in the United States. If you are located outside the US, your data may be transferred to and processed in the US or other countries where our service providers operate.
For EU/EEA users, we ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where applicable.
9. Children's Privacy
Cosyra is a professional developer tool and is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe that a child under 16 has provided us with personal information, please contact us immediately at hello@portablesoftware.co and we will take steps to delete such information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page with an updated "Last updated" date
- Sending an email notification for material changes
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:
Portable Software, Corp.
169 Madison Avenue STE 66382
New York, NY 10016, United States
Email: hello@portablesoftware.co
You may also visit our contact page or our account deletion page for additional assistance.