PERSONAL INFORMATION: We collect information you provide directly, including your name, email address, phone number, payment information, and professional credentials when you create an account.
ACCOUNT DATA: Your account profile information including role (client, chemist, or manufacturer), subscription status, wallet balance, and transaction history.
FORMULATION DATA: Any formulations you create, purchase, or upload to the platform, including associated metadata and documentation.
USAGE DATA: We automatically collect information about how you interact with our platform, including pages visited, features used, and time spent on the app.
DEVICE INFORMATION: We collect device identifiers, operating system version, app version, and general device information for technical support and analytics.
LOCATION DATA: With your permission, we may collect general location information to provide region-specific features and comply with local regulations.
PROVIDING SERVICES: To operate and maintain the platform, process transactions, facilitate communication between users, and deliver the features you request.
ACCOUNT MANAGEMENT: To create and manage your account, verify your identity, and process subscription payments.
COMMUNICATION: To send you important updates about your account, transactions, and platform changes. Marketing communications are optional and can be disabled.
SECURITY: To detect, prevent, and address fraud, security issues, and technical problems.
ANALYTICS: To understand how users interact with our platform and improve our services. All analytics data is anonymized and aggregated.
LEGAL COMPLIANCE: To comply with applicable laws, regulations, and legal processes.
PERSONALIZATION: To customize your experience and show you relevant content based on your preferences and usage patterns.
WITH OTHER USERS: Depending on your role, certain profile information may be visible to other users (e.g., chemist profiles are visible to clients seeking formulations).
LIVE SALES BANNER: When a chemist completes a sale, limited activity data (product type, price, chemist name, and time of sale) may be displayed in the live sales banner visible to all logged-in users on the home screen. This feature exists to provide social proof and platform activity. Chemists may opt out of this banner at any time via Profile > Privacy Settings. Buyer identity is never disclosed.
SERVICE PROVIDERS: We share data with third-party service providers who assist in operating our platform, including payment processors (Stripe, RevenueCat), cloud hosting (AWS), and analytics services.
PAYMENT PROCESSORS: Transaction data is shared with Apple App Store, Google Play Store, and Stripe for payment processing. These providers have their own privacy policies.
LEGAL REQUIREMENTS: We may disclose your information if required by law, court order, or government request, or to protect the rights, property, or safety of AJ Cosmo Labs LLC or others.
BUSINESS TRANSFERS: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
WITH YOUR CONSENT: We may share your information in other ways if you give us specific consent to do so.
CAMERA: The App requests camera access to capture profile photos and scan documents for verification purposes. Camera data is only accessed when you explicitly initiate these actions.
PHOTO LIBRARY: Access to your photo library is required to upload profile images, documents, and formula attachments. We only access photos you specifically select.
FILES/DOCUMENTS: The App may access your device storage to upload formula documents, certificates, and supporting materials. Only files you explicitly select will be accessed.
NETWORK: Internet connectivity is required for all platform functionality including API communication, real-time updates, and data synchronization.
NOTIFICATIONS: With your permission, we send push notifications for important updates about your transactions, messages, and account activity.
You may revoke any permission at any time through your device settings, though this may limit app functionality.
ENCRYPTION: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols.
SECURE STORAGE: Your personal information is stored on secure servers with restricted access controls and regular security audits.
AUTHENTICATION: We use secure authentication methods including multi-factor authentication (MFA) and biometric verification to protect your account.
PAYMENT SECURITY: Payment information is handled by PCI-compliant payment processors. We do not store your full credit card numbers on our servers.
ACCESS CONTROLS: Employee access to user data is limited to those who need it to perform their job functions and is subject to strict confidentiality agreements.
INCIDENT RESPONSE: We maintain incident response procedures to address any potential security breaches promptly and in accordance with applicable laws.
While we implement strong security measures, no system is completely secure. We encourage you to use strong passwords and protect your account credentials.
ACTIVE ACCOUNTS: We retain your personal information for as long as your account is active or as needed to provide you with our services.
TRANSACTION RECORDS: Financial transaction records are retained for 7 years to comply with tax and accounting requirements.
FORMULATION DATA: Purchased formulations and associated data are retained indefinitely to ensure you maintain access to your purchases.
DELETED ACCOUNTS: When you delete your account, we will delete or anonymize your personal information within 90 days, except where retention is required by law.
BACKUP DATA: Backup copies of data may be retained for up to 6 months after deletion for disaster recovery purposes.
LEGAL HOLDS: Data may be retained longer if necessary to comply with legal obligations or resolve disputes.
LEGAL BASIS: We process your data under the following legal bases: contract performance for active services, legal obligation for tax/accounting records (7 years), legitimate interest for security and platform operations, and your consent where specifically obtained.
AUDIT TRAILS: Administrative action logs and security audit trails are retained for 3 years to ensure platform integrity and regulatory compliance.
NDA RECORDS: Non-disclosure agreement acceptance records are retained for 5 years from the date of acceptance, in accordance with the NDA terms.
COMPLIANCE FRAMEWORKS: Our data handling practices comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA).
ACCESS: You have the right to request a copy of the personal information we hold about you.
CORRECTION: You can request that we correct any inaccurate or incomplete personal information.
DELETION: You can request that we delete your personal information at any time. Deletion may be paused (not refused) while we have open financial obligations to or from you — specifically: (a) escrow transactions in 'held' or 'partially_released' status; (b) a non-zero wallet balance that has not yet been withdrawn; (c) pending wire-transfer or bank-transfer requests awaiting admin review; (d) chemist payouts in 'pending' or 'processing' status; or (e) chargeback ledger entries or disputed payment failures inside the 180-day card-network dispute window. The pause clears automatically the moment the last open item settles, or you may resolve each item directly (withdraw funds, complete or cancel the transaction, etc.). This carve-out is permitted under CCPA §1798.105(d)(1), GDPR Art. 17(3), and required by Bank Secrecy Act / FinCEN financial-record retention rules. Once all open items clear we delete or anonymize your personal data within 90 days, except for the tokenized financial records we are legally required to retain.
PORTABILITY: You can request a machine-readable copy of your data to transfer to another service.
MARKETING OPT-OUT: You can opt out of marketing communications at any time through your account settings or by contacting us.
WITHDRAW CONSENT: Where we rely on your consent to process your information, you can withdraw that consent at any time.
To exercise any of these rights, please contact us at support@ajcosmolabs.com. We will respond to your request within 30 days.
DATA RIGHTS REQUESTS: You may receive data rights requests from our administrators regarding your account data. These requests are processed in accordance with applicable data protection laws (GDPR, CCPA/CPRA). You can view and respond to these requests in your Profile under "Data Rights Requests".
REQUEST PROCESSING: We process all data rights requests within 30 days of receipt. Complex requests may be extended to 60 days with notification. You will be informed of the outcome of any request.
CONTRACT PERFORMANCE (Art. 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including providing platform services, managing your account, processing transactions, and facilitating communications between users.
LEGAL OBLIGATION (Art. 6(1)(c) GDPR): Processing necessary to comply with legal requirements, including maintaining financial records for 7 years for tax and accounting compliance, responding to lawful government requests, and export control regulations for chemical data.
LEGITIMATE INTEREST (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, including platform security, fraud prevention, service improvement, and maintaining audit trails. We balance these interests against your rights and freedoms.
CONSENT (Art. 6(1)(a) GDPR): Where we rely on your consent for processing (such as optional marketing communications or location data), you may withdraw consent at any time through your account settings without affecting the lawfulness of prior processing.
DATA PROTECTION IMPACT: We conduct regular assessments of our data processing activities to ensure compliance with applicable regulations and to identify and mitigate potential risks to your privacy.
Our platform is not intended for users under 18 years of age.
We do not knowingly collect personal information from children under 18.
If we discover that we have collected information from a child under 18, we will delete that information immediately.
If you believe a child under 18 has provided us with personal information, please contact us at support@ajcosmolabs.com.
HOW AI PROCESSES FORMULATION DATA: When you use the platform's AI formulation features, your input data (such as product requirements, ingredient preferences, target properties, and domain specifications) is processed algorithmically to generate formulation suggestions. The AI system analyzes your inputs against publicly available ingredient data, regulatory databases, and formulation logic to produce outputs tailored to your specifications.
AI OUTPUTS AND DATA PERSISTENCE: AI-generated formulations and analysis outputs are generated algorithmically in response to your specific requests and are not permanently stored on our servers unless you explicitly choose to save them to your account (e.g., by saving a formulation to your library, adding it to a project, or listing it on the marketplace). Unsaved AI outputs may be temporarily cached for session continuity but are purged after your session ends.
NO THIRD-PARTY AI MODEL TRAINING WITHOUT CONSENT: Your formulation data, ingredient selections, product specifications, and other proprietary inputs are NOT used to train third-party AI models or shared with third-party AI providers for model improvement purposes without your explicit, informed consent. We may use anonymized and aggregated usage patterns to improve our own AI algorithms and platform performance.
AI PROCESSING LOG RETENTION: AI processing logs — including request metadata, processing timestamps, error logs, and system performance data — are retained for a period of ninety (90) days for quality assurance, debugging, and system improvement purposes. These logs do not contain complete formulation data but may contain partial input/output references necessary for troubleshooting. Processing logs are automatically deleted after the 90-day retention period.
USER RIGHT TO DELETION OF AI-GENERATED DATA: Users may request the deletion of all AI-generated formulation data associated with their account at any time by contacting support@ajcosmolabs.com or through the account settings within the app. Upon receiving a valid deletion request, we will delete all saved AI-generated formulations, associated metadata, and processing logs within 30 days, except where retention is required by law or necessary for legitimate business purposes (such as transaction records for purchased formulations).
AUTOMATED DECISION-MAKING DISCLOSURE (GDPR ART. 22): The platform uses automated processing, including AI algorithms, to generate formulation suggestions and analysis outputs. These automated processes do not produce decisions that have legal or similarly significant effects on users. Formulation outputs are suggestions only and require human evaluation, testing, and decision-making before any commercial use. Users retain full control over whether to use, modify, or discard any AI-generated output. If you believe an automated decision has significantly affected you, you may contact us to request human review.
DATA SENSITIVITY BY PRODUCT DOMAIN: The platform recognizes that different product domains may involve different levels of data sensitivity and regulatory requirements. Formulation data for highly regulated product categories — including food and beverage, dietary supplements, pharmaceutical-adjacent products, pet care products with health claims, and agricultural chemicals — receives enhanced protection and handling procedures commensurate with the regulatory sensitivity of those domains.
NO CROSS-CONTAMINATION OF CONFIDENTIAL DATA: The platform maintains strict data segregation practices to prevent cross-contamination of confidential formulation data between users. One user's proprietary formulation data, trade secrets, and confidential business information are never accessible to, shared with, or visible to other users unless explicitly authorized through a platform transaction (such as a validated sale, a manufacturing bid acceptance, or a collaboration invitation).
MULTI-TENANT DATA SEGREGATION: AJ Cosmo Labs LLC operates as a multi-tenant platform where multiple users share the same underlying infrastructure. We implement logical data segregation through access controls, encryption, and database-level isolation to ensure that each user's data remains private and inaccessible to other users. While we employ commercially reasonable security measures for data segregation, no multi-tenant system can guarantee absolute isolation, and users acknowledge this inherent limitation.
INDUSTRY-SPECIFIC DATA HANDLING REQUIREMENTS: Certain product domains may be subject to industry-specific data handling and record-keeping requirements. For example, food safety regulations may require specific record-keeping practices for traceability purposes, and chemical safety regulations may require retention of Safety Data Sheet information. Users are responsible for ensuring that their own data handling and record-keeping practices comply with all applicable industry-specific requirements. The platform's data handling practices are designed to support, but not replace, users' own compliance obligations.
DATA ACCESS AUDITING: The platform maintains audit logs of all data access events, including which users accessed which formulation data and when. These audit logs support both security monitoring and regulatory compliance needs and are retained for three (3) years in accordance with our data retention policy.
CATEGORIES OF THIRD-PARTY SERVICES: The AJ Cosmo Labs LLC platform integrates with the following categories of third-party services to provide and improve our services: (a) Payment Processors — including Stripe, Apple App Store In-App Purchases, and Google Play Billing — for processing transactions, managing subscriptions, and handling wallet deposits; (b) Cloud Hosting and Infrastructure — including Amazon Web Services (AWS) — for hosting the platform, storing data, and ensuring availability; (c) AI and Machine Learning Providers — for powering formulation analysis and generation capabilities; (d) Analytics and Performance Monitoring — for understanding platform usage, identifying technical issues, and improving service quality; (e) Communication Services — for sending transactional emails, push notifications, and account notifications.
DATA SHARED WITH THIRD PARTIES: The types of data shared with each category of third-party service include: Payment Processors receive transaction amounts, payment method details, and billing information necessary to process payments; Cloud Hosting providers host encrypted user data as part of platform infrastructure; AI Providers receive anonymized or pseudonymized formulation inputs necessary to generate outputs; Analytics services receive anonymized usage data and device information; Communication services receive email addresses and notification preferences necessary to deliver messages.
RIGHT TO REQUEST THIRD-PARTY LIST: Users may request a detailed list of the specific third-party sub-processors currently processing their personal data by contacting support@ajcosmolabs.com. We will provide this information within 30 days of receiving a valid request.
SUB-PROCESSOR NOTIFICATION FOR GDPR COMPLIANCE: In accordance with GDPR Article 28, AJ Cosmo Labs LLC maintains a list of sub-processors and will notify users of any intended additions or changes to sub-processors that process personal data. Users who object to a new sub-processor may contact us within 30 days of notification to discuss their concerns and, if the objection cannot be resolved, may terminate their account.
NO SALE OF PERSONAL DATA: AJ Cosmo Labs LLC does not sell personal data to third parties. In accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we affirm that we do not sell or share (as defined by CCPA/CPRA) consumers' personal information for cross-context behavioral advertising. Users may submit a 'Do Not Sell or Share My Personal Information' request at any time, although we do not currently engage in any activities that would constitute a sale or sharing of personal information under applicable law.
ON-DEVICE BIOMETRIC PROCESSING: When you enable biometric authentication (Face ID, Touch ID, or equivalent device biometric features) for the AJ Cosmo Labs LLC application, all biometric data processing occurs entirely on your device. The platform uses the device's native biometric authentication APIs, which process and store biometric data in the device's secure enclave or trusted execution environment. Biometric data never leaves your device and is never transmitted to AJ Cosmo Labs LLC servers.
NO STORAGE OF BIOMETRIC TEMPLATES: AJ Cosmo Labs LLC does not store, collect, receive, or possess any biometric templates, biometric identifiers, facial geometry data, fingerprint data, or any other biometric information. The platform receives only a cryptographic confirmation (success or failure) from the device's biometric authentication system. We have no ability to access, reconstruct, or reverse-engineer any biometric data from this confirmation.
COMPLIANCE WITH BIOMETRIC PRIVACY LAWS: AJ Cosmo Labs LLC's biometric authentication implementation is designed to comply with the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code 503.001), the Washington Biometric Identifier statute (RCW 19.375), and similar state biometric privacy laws. Because all biometric processing occurs on-device and we do not collect, store, or possess biometric data, our implementation is consistent with the requirements of these laws. If you have questions or concerns about biometric data handling, please contact support@ajcosmolabs.com.
DEVICE-LEVEL SECURITY RECOMMENDATIONS: To protect your account and formulation data, AJ Cosmo Labs LLC strongly recommends: (a) enabling biometric authentication (Face ID/Touch ID) for app access; (b) keeping your device operating system and the AJ Cosmo Labs LLC app updated to the latest versions; (c) using a strong device passcode as a backup to biometric authentication; (d) enabling device encryption (enabled by default on modern iOS and Android devices); (e) avoiding the use of jailbroken or rooted devices, which may compromise security protections; and (f) enabling remote wipe capabilities in case of device loss or theft.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.
We will notify you of any material changes by posting the updated policy in the app and updating the "Last Updated" date.
For significant changes, we may also send you a notification through the app or via email.
Your continued use of the platform after any changes indicates your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically for the latest information.