1. About this policy
Cos24, Inc., a Delaware corporation (“Cos24,” “we,” “us,” or “our”) operates the CreditOS platform and the cos24.ai marketing website. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit cos24.ai, when you use the CreditOS platform as an employee of a lender or partner, or when your data is processed by the platform because a lender has chosen to evaluate your SBA loan submission with CreditOS.
Different relationships create different responsibilities. When you visit our marketing site or contact us directly, we act as the controller of your information. When a lender uses CreditOS to evaluate loan files, the lender is the controller of applicant information and Cos24 acts as a processor on their behalf, under a written Data Processing Agreement (“DPA”). This policy describes both relationships and points out which is which.
If anything in this policy conflicts with a written agreement between Cos24 and a lender or partner organization, the written agreement governs as to that organization's data.
2. Scope and definitions
“Personal Information” means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable U.S. state privacy laws (including the California Consumer Privacy Act, as amended by the CPRA, and equivalent laws in Colorado, Connecticut, Utah, Virginia, and other states).
“Nonpublic Personal Information” or “NPI” means personally identifiable financial information as defined under the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P. SBA loan applicant data is NPI. We treat NPI according to the GLBA Safeguards Rule and the security commitments described in Section 7.
“Platform” means the CreditOS workbench, partner portal, agent runtime, deterministic credit services, APIs, integrations, and supporting infrastructure operated by Cos24.
“Marketing Site” means cos24.ai and any subdomain we use to describe Cos24 or CreditOS publicly (excluding *.demo-uat.cos24.io and other operational subdomains, which are governed by the Platform terms).
3. Information we collect
We collect information in four contexts. Each is described below.
3.1 Marketing Site visitors. When you browse cos24.ai, we collect basic technical information (IP address, user agent, referrer URL, page path, timestamp, approximate geographic region derived from IP) for analytics, abuse prevention, and site reliability. We use a privacy-first analytics provider that does not set persistent cross-site tracking cookies.
3.2 Inquiry and contact form submissions. When you fill out a contact form (e.g., the "Talk to the Founder" form on /contact/), we collect the fields you provide: name, work email, company, role, lender type, monthly SBA submission volume, and the free-text description of your intake challenge. We store this in our internal CRM solely to respond to your inquiry, qualify you for a pilot or commercial conversation, and send you follow-up materials if you have requested them.
3.3 Platform users (lender and partner employees). When an authorized user of a lender or partner organization signs in to the CreditOS workbench or partner portal, we process their identity profile (name, work email, role, tenant assignment), authentication metadata (Cognito user ID, MFA enrollment status, last sign-in timestamp), and platform-activity telemetry (actions taken, deals viewed, API calls made) for the purpose of operating the service, enforcing role-based access controls, billing, and producing the audit trail that lenders rely on for examination readiness.
3.4 Loan applicants and related parties. When a lender uses CreditOS to evaluate an SBA loan submission, the platform processes information about the applicant, guarantors, affiliates, and related business entities. This may include, depending on the loan and the lender's intake configuration: name, address, SSN or ITIN, date of birth, government ID, contact information, employment and income data, business financials, bank statements, tax returns, credit-bureau output supplied by the lender, and other documents the borrower or broker uploads to the file. Cos24 processes this information solely on the lender's behalf as a processor under a signed DPA. The lender — not Cos24 — is the controller of this data and is responsible for the legal basis of collection, the notices given to applicants, and applicant-facing rights requests.
4. How we use information
We use Marketing Site visitor and inquiry data to operate cos24.ai, respond to inquiries, prepare and send marketing communications you have requested, measure and improve our content, and prevent fraud or abuse.
We use Platform user data to authenticate users, authorize actions inside their tenant, log actions for audit, bill the lender or partner organization, troubleshoot product issues, communicate operationally about the service, and improve product reliability and quality.
We use applicant and related-party data only to provide the contracted CreditOS service to the lender — that is, to ingest, classify, structure, OCR, normalize, score for readiness, evaluate against the lender's policy, and surface stipulations and findings to the lender's underwriting team. Applicant data is not used for advertising, is not used to train or improve any general-purpose AI model, and is not combined across lender tenants. Each lender's tenant is isolated at the application and database layer.
When CreditOS uses AI agents to assist with file evaluation, those calls are made to subprocessor models (currently AWS Bedrock-hosted Anthropic models) under enterprise agreements that prohibit training on customer inputs and enforce zero-data-retention semantics. Outputs are governed by deterministic services and human-in-the-loop review; CreditOS does not autonomously decide credit. This is described in our public Compliance and Security pages.
5. How we share information
We share information only as described below.
- With the lender (controller): When applicant or related-party data flows through CreditOS, the lender is the controller. We share platform outputs (extracted facts, readiness scores, stipulation lists, policy findings, audit-ledger entries) back to the lender's authorized users in their tenant. Lenders may, in turn, disclose data to brokers, BDOs, or downstream LOS systems per their own agreements with the applicant.
- With service providers and subprocessors: We rely on a small set of vetted subprocessors to operate the service. The current list is in Section 12. Each subprocessor is bound by written terms consistent with this policy and applicable laws (DPAs, GLBA flow-down clauses where applicable, no-training commitments where applicable to AI providers).
- For legal and safety reasons: We may disclose information when we have a good-faith belief that disclosure is required by law, regulation, legal process, or a binding government request; necessary to enforce our terms or protect our rights or the rights of a lender, partner, or applicant; or necessary to investigate fraud or a material security incident. Where permitted, we will give the lender prior notice of any compelled disclosure of their data.
- In a corporate transaction: If Cos24 is involved in a merger, acquisition, asset sale, financing, or insolvency proceeding, information may be transferred to the successor or acquirer subject to confidentiality protections. We will provide notice (and where required by law, opt-out rights) before any such transfer materially changes how data is used.
- We do not sell personal information: We do not sell personal information for monetary or other valuable consideration as defined under applicable state privacy laws, and we do not “share” personal information for cross-context behavioral advertising. We do not engage in profiling that produces legal or similarly significant effects on consumers without human review.
6. Data retention
Marketing Site analytics are retained for up to 24 months in aggregated form. Inquiry-form submissions are retained for up to 36 months from the date of last contact, after which we delete or de-identify them unless the inquiry has converted into a customer relationship.
Platform user identity records are retained for the duration of the lender's subscription plus a wind-down period defined in the lender's MSA (typically 30–90 days after termination, during which the lender can export their data).
Applicant and loan-file data is retained according to the retention schedule defined in the lender's DPA. Lenders typically configure CreditOS to retain loan files for the period required by SBA SOP 50 10 7 and applicable state recordkeeping rules; that period commonly runs 6–10 years from loan close or denial. After the retention period expires, files are deleted or returned to the lender per the DPA.
Audit-ledger entries for credit-critical actions are retained for the longer of the lender's contractual retention period or the regulatory retention period applicable to that action.
7. How we protect information
Cos24 maintains a written information security program designed to comply with the GLBA Safeguards Rule and to support our public commitments to SOC 2 Type II and HIPAA-ready controls. The program is reviewed annually and on the occurrence of material change.
- Encryption in transit using TLS 1.2 or higher for all external traffic and inter-service traffic.
- Encryption at rest using AES-256 with keys managed by AWS Key Management Service (KMS).
- Tenant isolation at the application layer (RBAC) and at the database layer (row-level isolation), so that one lender's data is never accessible to another lender's authorized users.
- Multi-factor authentication for all production access by Cos24 personnel.
- Least-privilege access controls reviewed on a recurring schedule.
- Centralized audit logging of credit-critical and security-relevant actions.
- Vulnerability scanning, dependency monitoring, and a documented patch-management cadence.
- Background checks for personnel with production access where permitted by law.
- Annual security and privacy training for all employees and long-term contractors.
- An incident-response plan with defined notification timelines for affected lenders.
No system can be guaranteed to be perfectly secure. We commit to notify affected lenders without undue delay (and within the timeline required by their DPA and applicable law) of any confirmed security incident that materially affects their data, and to work with them in good faith on remediation, root-cause analysis, and any onward applicant notification they choose or are required to make.
8. Your privacy rights
8.1 Marketing Site visitors and inquiry submitters. If you have submitted a contact form on cos24.ai or otherwise provided personal information directly to Cos24 in the operation of our marketing or sales activities, you may have the following rights, depending on where you live: the right to know what personal information we have about you; the right to access and obtain a copy of that information; the right to correct inaccuracies; the right to delete it (subject to limited exceptions, such as records we must retain for tax, legal-defense, or fraud-prevention purposes); the right to opt out of marketing communications; and, in California, the rights described under the CCPA/CPRA including the right to limit our use of sensitive personal information (we do not collect sensitive personal information from marketing-site visitors in normal operation).
To exercise these rights, email arnav@cos24.ai with the subject line "Privacy request" and describe the right you are exercising. We will respond within the timeline required by applicable law (45 days under CCPA/CPRA, with one 45-day extension where reasonably necessary). We may need to verify your identity before fulfilling certain requests.
If we deny your request, you may appeal the decision by replying to our denial within 60 days. We will respond to the appeal within 60 days. If you are still unsatisfied, you may contact your state attorney general or the California Privacy Protection Agency (if you are a California resident).
We will not retaliate against you for exercising any privacy right.
8.2 Loan applicants and related parties. If your information was supplied to CreditOS by a lender for the purpose of evaluating an SBA loan submission, the lender — not Cos24 — is the controller of that data. Direct any access, correction, deletion, opt-out, or other privacy request to the lender that is evaluating your loan. The lender's privacy notice will describe the procedure. We will assist any lender that receives such a request from an applicant, as required by our DPA with the lender.
8.3 Platform users (lender or partner employees). Your employer is the controller of your platform identity record for tenant administration purposes. Direct routine requests (e.g., update my email) to your administrator. For requests that fall outside what your employer can fulfill (e.g., access to platform-activity logs that your employer cannot administer), you may contact arnav@cos24.ai, and we will route your request consistent with your employer's DPA with us.
9. Cookies and tracking technologies
The Marketing Site uses a small number of strictly necessary cookies (e.g., a theme preference cookie that remembers your light/dark mode choice) and privacy-first analytics that do not set persistent cross-site identifiers. We do not use third-party advertising cookies and we do not participate in cross-context behavioral advertising. The Platform uses session and authentication cookies necessary to operate the service.
You can configure your browser to block or alert you to cookies. Blocking strictly necessary cookies may impair the Marketing Site or prevent you from signing in to the Platform.
10. Children's privacy
CreditOS is a B2B service intended for use by lenders, partners, and SBA-eligible business borrowers. The Marketing Site and the Platform are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact arnav@cos24.ai and we will delete it.
11. International users
CreditOS currently serves U.S. lenders making SBA-eligible loans, and our infrastructure is hosted in the United States (AWS US-East-1 region). The Marketing Site is accessible internationally for informational purposes, but we are not currently set up to provide the Platform to lenders outside the United States, and we do not target the Marketing Site at residents of the European Economic Area, the United Kingdom, or Switzerland. If you visit the Marketing Site from outside the United States, your information will be transferred to and processed in the United States.
12. Subprocessors
We rely on the following subprocessors to operate the Platform and the Marketing Site. The list is current as of the effective date of this policy.
- Amazon Web Services, Inc.: Compute, storage, networking, identity (Cognito), and key management (KMS). Hosted in US-East-1.
- Anthropic, PBC (via AWS Bedrock): AI model inference for governed agentic workflows. Enterprise terms prohibit training on customer inputs and enforce zero-retention semantics.
- Stripe, Inc.: Subscription billing and invoicing for paying lender and partner accounts.
- Google Workspace: Email and collaboration for Cos24 staff (no applicant data routed through Workspace).
- Plausible Insights OÜ: Privacy-first analytics for the Marketing Site (no cookies, no cross-site tracking).
- GitHub, Inc.: Source-code hosting and CI/CD (no production applicant data routed through GitHub).
We update this list when we add or remove subprocessors. Lenders and partners who have signed a DPA receive advance notice of new subprocessors that materially affect their data, with a window to object as defined in the DPA.
13. Changes to this policy
We may update this Privacy Policy as the Platform, our subprocessors, or applicable law evolves. The effective date below is updated whenever we make a change. For non-cosmetic changes, we will notify lenders and partners through the channel defined in their DPA (typically email and a notice in the workbench). For Marketing Site visitors, the updated policy takes effect on the date posted; continuing to use the Marketing Site after the effective date constitutes your acceptance of the updated policy.
14. How to contact us
For privacy questions, requests, or appeals, email arnav@cos24.ai with the subject line "Privacy request." For all other inquiries, email arnav@cos24.ai or use the contact form at /contact/.
Cos24, Inc., a Delaware corporation.
EFFECTIVE MAY 10, 2026 · VERSION 1.0