Privacy Policy
Effective Date: January 19, 2026
Last Updated: March 21, 2026
Cosplai ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App").
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, password (encrypted), display name, and profile avatar when you create an account.
- OAuth Data: If you sign in with Google or Apple, we receive your email and name from those providers. We do not receive or store your Google/Apple passwords.
- Project Data: Cosplay project details including character names, series names, budgets, deadlines, tasks, and notes.
- Images:
  - Profile photos and avatars
  - Reference images you upload for costume planning
  - Completed cosplay photos you add to your projects
- Social Data: Friends list, event attendance, and shared project visibility preferences.
- Payment Information: Subscription and purchase data is processed by Apple (App Store), Google (Play Store), and RevenueCat. We do not store your credit card details.
1.2 Information Collected Automatically
- Device Information: Device type, operating system version, unique device identifiers.
- Usage Data: App features used, timestamps, crash logs, and performance metrics.
1.3 Location & Event Data
When you search for conventions and events, the App uses Google Places API to find venues. Search queries are sent to Google but are not linked to your identity.
When you use the AI-powered Discover Events feature (Pro subscribers), your approximate location (coordinates and city name) is sent to our server, which queries Perplexity AI to find nearby conventions and events. Your identity is not shared with Perplexity — only the geographic area and search parameters are transmitted. Search results are cached and shared across users in the same region to minimize data sent to third parties.
The App does not continuously track or store your physical location. Location data is used only at the moment you initiate a search.
1.4 Push Notifications & Analytics
- Push Notifications: If you enable notifications, we store your device push token to deliver task reminders, friend requests, and event updates. Push tokens are sent to Expo (Expo, Inc.) for delivery.
- Analytics: We use PostHog to collect anonymous usage analytics (features used, screen views, subscription events). PostHog does not receive your name, email, or other personal identifiers. You can opt out of analytics in your device settings.
2. How We Use Your Information
We use your information to:
- Provide and maintain the App
- Manage your account and subscriptions
- Send you notifications about your tasks and deadlines (if enabled)
- Respond to your support requests
- Improve the App and develop new features
- Detect and prevent fraud or abuse
3. Data Storage and Security
3.1 Where Your Data Is Stored
- All Authenticated Users: Your data is synced to our cloud servers (Supabase, hosted on AWS) to enable cross-device access and social features.
- Images: Stored in secure cloud storage buckets with access controls.
3.2 Security Measures
We implement industry-standard security measures including:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Row-Level Security (RLS) ensuring you can only access your own data
- Secure authentication via Supabase Auth
4. Data Sharing
We do not sell your personal information. We share data only with:
4.1 Service Providers
- Supabase (Supabase, Inc.): Database, authentication, and cloud storage. Stores your account data, project data, and uploaded images. Hosted on AWS in the United States.
- Google (Google LLC): Google Places API for event/venue search. Search queries are sent to Google but are not linked to your identity.
- Perplexity AI (Perplexity AI, Inc.): AI-powered event discovery for Pro subscribers. Receives approximate location and search parameters to find nearby conventions. Does not receive your identity or personal information.
- RevenueCat (RevenueCat, Inc.): Subscription and payment management. Receives transaction data from Apple/Google to manage your subscription status.
- PostHog (PostHog, Inc.): Anonymous product analytics. Receives usage events (feature usage, screen views) without personal identifiers. Hosted in the United States.
- Expo (Expo, Inc.): Push notification delivery. Receives device push tokens to deliver notifications.
- Resend (Resend, Inc.): Transactional email delivery. Used to send data retention warning emails to inactive accounts.
- Apple/Google: App distribution and in-app purchase processing.
4.2 Legal Requirements
We may disclose information if required by law, court order, or government request.
5. Your Rights and Choices
5.1 Access and Export
Your project data is synced to the cloud when you create an account. You can view all your data within the App.
5.2 Deletion
- You can delete individual projects, tasks, and images at any time. Deletion is permanent and removes data from both the database and cloud storage.
- You can delete your account from Settings → Delete Account. All data will be permanently wiped within 30 days.
- Use the Backup feature in Settings to download a personal copy before deletion.
5.3 Notifications
You can disable notifications in your device settings or within the App.
6. Data Retention
- Active Accounts: Data is retained while your account is active.
- Images: Stored in your cloud account until you delete them or delete your account. You can delete individual images at any time.
- Community Submissions: Events and resources you submit for community review are stored until published, rejected, or removed by you or an administrator.
- Inactive Free Accounts: Free tier accounts inactive for 1+ years may have images and media files removed to manage server costs. Project text data (names, tasks, notes, budgets) and social connections are preserved indefinitely. Users receive email warnings at 90, 30, and 7 days before any removal.
- Deleted Accounts: All associated data is permanently deleted within 30 days of the scheduled deletion date, including all cloud storage files and database records.
- Backup Responsibility: Users are encouraged to use the in-app Backup feature to maintain personal copies of their data.
7. Children's Privacy
Cosplai is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, please contact us.
8. International Data Transfers
Your data may be transferred to and processed in the United States where our service providers operate. By using the App, you consent to this transfer.
9. Third-Party Links
The App may contain links to third-party websites (e.g., costume retailers). We are not responsible for their privacy practices.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via the App or email. Continued use after changes constitutes acceptance.
11. Contact Us
For privacy-related questions or requests:
- Email: support@cosplai.me
- Website: https://cosplai.me
Additional Disclosures
California Residents (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (we do not sell personal information)
- Right to non-discrimination for exercising privacy rights
European Users (GDPR)
If you are in the European Economic Area:
- Legal Basis: We process data based on consent, contract performance, and legitimate interests.
- Data Controller: Cosplai
- Rights: Access, rectification, erasure, data portability, restriction, and objection.
- Complaints: You may lodge a complaint with your local data protection authority.
This privacy policy was last reviewed on March 21, 2026.