Privacy Policy
Last updated: April 17, 2026
1. Who we are
Kosa is operated by Aligned Agent Inc. ("Kosa," "we," "us," or "our"), a company incorporated in Delaware. Kosa provides a system of record for venture capital firms that automatically structures data from emails, meetings, and documents.
If you have questions about this policy, contact us at [email protected].
2. What data we collect
When you use Kosa, we may collect:
- Account information: your name, email address, and organization, provided through your identity provider (WorkOS/Google).
- Google Workspace data: with your explicit consent, we access your Gmail messages, Google Calendar events, Google Drive files shared in email conversations, Google Contacts (saved and auto-saved), and your Google Workspace directory through the Google API. We request the minimum scopes necessary to operate Kosa as your firm's system of record:
  - gmail.modify (read, draft, and send email on your behalf; we do not permanently delete email)
  - drive.readonly (read pitch decks, term sheets, and data room files shared via Drive links in email)
  - drive.file (create Kosa-authored files in your Drive, such as investment memos, only at your direction; we cannot access any file in your Drive that Kosa did not create or that you did not explicitly open in Kosa)
  - contacts.readonly (your saved Google Contacts)
  - contacts.other.readonly (auto-saved contacts from your Gmail interactions)
  - directory.readonly (your Google Workspace directory, if applicable)
  - calendar.events (read meeting context and create meeting prep or follow-up events)
  Kosa's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- Usage data: basic analytics about how you interact with Kosa (pages visited, features used) to improve the product.
3. How we use your data
We use the data we collect to:
- Build your system of record: We read your Gmail messages, calendar events, Google Drive files shared in email conversations, Google Contacts (saved and auto-saved), and your Google Workspace directory (if applicable) to extract and structure information about people, companies, deals, and portfolio updates relevant to your venture capital firm.
- Prepare meeting context: We use your calendar and historical email data to assemble relevant context before your meetings.
- Draft and send communications on your behalf: When you choose to use Kosa to reply to an email, send a follow-up, create a calendar event, or create an investment memo in your Drive, we draft and send or create those messages, events, or documents through your Google account at your direction. We do not send email, create calendar events, or create Drive files without an explicit action from you.
- Keep your records current: We continuously process new emails and calendar events to update your system of record without manual data entry.
- Improve Kosa: We use aggregated, non-identifiable usage patterns to improve product functionality.
4. Google API Services: Limited Use disclosure
Kosa's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve user-facing features that are prominent in Kosa's interface (extracting and structuring your firm's information from emails, calendar events, Drive files shared in email, Contacts, and Workspace directory; and drafting or sending emails, creating calendar events, and creating Kosa-authored Drive files at your explicit direction).
- We do not transfer Google user data to third parties, except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or asset sale with your prior consent.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not use Google user data to determine creditworthiness or for lending purposes.
- We do not allow humans to read your Google user data unless: (a) you have given us affirmative consent to view specific data, (b) it is necessary for security purposes (such as investigating a bug or abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
5. How we store and protect your data
Your data is stored in secure, encrypted databases hosted on infrastructure providers with SOC 2 compliance (Neon for database, Vercel for application hosting, Railway for background workers). All data is encrypted in transit (TLS 1.2+) and at rest.
OAuth tokens used to access your Google account are stored encrypted and are never exposed to other users or external services. We use the principle of least privilege: our application database role cannot delete data, and read-only roles are used for all analytics and reporting.
6. Data sharing and third parties
We do not sell, rent, or trade your personal data or Google user data to anyone. We share data only in these limited circumstances:
- Infrastructure providers: to host and operate Kosa (Vercel, Neon, Railway). These providers process data on our behalf under strict contractual obligations.
- Analytics: we use PostHog (US region) to measure product usage — pageviews, click events, and error rates. Your email address and name are associated with your usage data for support and debugging purposes. Session recordings are collected with sensitive business content masked. We do not send email body content, extracted entities, or deal data to PostHog. PostHog processes this data on our behalf under a data processing agreement.
- AI processing: email and document content may be processed by Anthropic's Claude models to extract structured data. Under Anthropic's commercial terms, this content is not used for model training by default and is typically deleted within 30 days.
- Legal compliance: if required by law, regulation, or legal process.
7. Data retention and deletion
We retain your data for as long as your account is active. You may request deletion of your data at any time by contacting [email protected].
When you disconnect your Google account from Kosa, we stop accessing your Gmail and Calendar data. You may also revoke Kosa's access at any time through your Google Account permissions.
Upon account deletion or request, we will delete all of your data, including any data derived from Google APIs, within 30 days.
8. Multi-tenancy and data isolation
Kosa is a multi-tenant application. Each organization's data is strictly isolated. Users in one organization cannot access data belonging to another organization. All database queries are scoped to your organization.
9. Your rights
You have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Revoke Kosa's access to your Google account at any time
- Export your data in a standard format
To exercise any of these rights, contact [email protected].
10. Changes to this policy
We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice in the application or sending you an email. Your continued use of Kosa after changes take effect constitutes acceptance of the updated policy.