Cozzy Cookie Policy

Version 11 · Effective 14 June 2026

Last Updated: June 14, 2026

This Cookie Policy explains how Cozzy uses cookies and similar technologies in our mobile application (iOS and Android), our web dashboard at web.cozzy.io, and our public website at cozzy.io.

This policy is maintained by Cozzy Finance Limited (CRO 812498), Venture Hub, 136 Capel Street, Dublin 1, D01 T2C9, Ireland.

Cozzy is intended for users aged 16 and over. We do not knowingly collect cookie or similar-technology data from children under 16.

---

What Are Cookies and Similar Technologies?

Cookies are small text files stored on your device. In a mobile-app context we use "cookies and similar technologies" to refer to: mobile SDKs that store identifiers on your device; local storage (SharedPreferences, UserDefaults, Hive, browser localStorage); device identifiers used for analytics, crash diagnostics, or push delivery; web cookies (HTTP cookies) on our web dashboard and public website; and push-notification tokens (FCM) where you have enabled push.

Under the ePrivacy Directive (Article 5(3)), the Irish ePrivacy Regulations (S.I. No. 336/2011), and (for users in the United Kingdom) PECR 2003, each of the above is treated the same way: storing or accessing information on your device requires either (a) the strictly-necessary exemption or (b) your prior consent.

---

Types of Technologies We Use

Strictly Necessary — no consent required

| Technology | Purpose | Data Stored | Retention |
| --- | --- | --- | --- |
| Authentication Tokens (mobile + web) | Keep you signed in (Supabase) | Encrypted session token | Until logout or session expiry |
| User Preferences (mobile) | Remember your display settings | Currency, theme, notification preferences | Until account deletion or app data cleared |
| Cookie / Consent Record (mobile) | Remember your privacy choices | Consent status, version, timestamp (app local storage) | 6 months, then re-prompt |
| Offline Cache (mobile) | Allow the App to work offline | Encrypted financial data | Until cleared |
| Crash & Error Diagnostics (mobile) | Detect and report crashes and errors so we can keep the App secure and stable (Sentry EU, `de.sentry.io`). Initialised at startup; not used for advertising or profiling | Local diagnostics SDK state; events contain stack traces, device model/OS, app version, and a pseudonymised user ID (attached only after sign-in). `sendDefaultPii` disabled — no IP address | Events retained 90 days |
| Waitlist Confirmation (marketing site) | The sole signal we use to suppress the sign-up form for visitors who have already joined the waitlist; set only after you submit the form | `cozzy_waitlist_joined` | 365 days |

Crash and error diagnostics are treated as strictly necessary because they are essential to detect, diagnose, and fix faults that threaten the security and stability of a service you have requested. We minimise the data involved (`sendDefaultPii` disabled, no IP, pseudonymised user ID only after sign-in) and you may object to this processing under GDPR Article 21 by contacting privacy@cozzy.io.

Functional — used to deliver UI conveniences you have chosen

| Technology | Purpose | Data Stored | Retention |
| --- | --- | --- | --- |
| Theme Preference (web dashboard) | Remember your light/dark theme for the current browsing session | Theme choice (`cozzy_theme`) | Session cookie — cleared when the browser closes |

Firebase services — initialised only after you opt in

We do not initialise the Firebase SDK on your device until you have made an affirmative consent choice (or enabled push) that authorises a Firebase-backed feature. Until that point, no Firebase Installation ID and no FCM token exist on your device.

Once you have opted in to one or more Firebase-backed features, the following technologies are written:

| Technology | Triggered By | Purpose | Data Stored | Retention |
| --- | --- | --- | --- | --- |
| Firebase Installation ID (FID) | Any Firebase-backed feature consented to or push opt-in | Pseudonymous per-installation identifier required by the Firebase SDK to operate the feature(s) you have enabled. Not used for advertising. | Pseudonymous installation identifier | Local app storage; cleared on uninstall or full revocation of all Firebase-backed features |
| Firebase Cloud Messaging (FCM) Token | Push opt-in | Route push notifications you have requested | FCM device token linked to your account | Local app storage and Cozzy backend; rotated by the OS; deleted on push opt-out or uninstall |
| Firebase Analytics | Consent to analytics | Product analytics | Pseudonymised usage events, screen views, feature engagement | 14 months |
| Firebase Performance Monitoring | Consent to analytics | App-performance and network-latency diagnostics | Automatic traces (app start, foreground/background, screen rendering) and HTTP/S network-request traces — request URLs, response codes, payload sizes and timings for calls to our API — plus custom timing traces, device model/OS, app version, and approximate location from IP. Transmitted to Google. | 90 days |

Granting OS-level notification permission is treated as your consent to register and store the FCM token. Firebase Analytics and Firebase Performance Monitoring are non-essential and run only after you opt in via the cookie consent flow; both share the single Analytics consent toggle.

First-Party Server Analytics — legitimate interest

We collect pseudonymised usage events (screen views, feature engagement, error counts) via our own server-side analytics service. This data is buffered locally on your device (Hive, up to 1,000 events) before being synced to our backend.

  • Data collected: Event type, timestamp, screen name, pseudonymous session identifier. No directly identifying information.
  • Legal basis (server-side): Legitimate interest (GDPR Art. 6(1)(f)).
  • Local buffer basis: Strictly necessary under ePrivacy as a technical pre-requisite to delivering the Service reliably.
  • Retention: 90 days on our servers.

---

Content Moderation Classifier (Education Hub)

If you submit a comment in the in-App Education Hub, the text of your comment is sent to Google Perspective API (operated by Google LLC in the United States) for automated harm classification. This is not strictly a cookie or device-storage technology, but we disclose it here for transparency. An inline notice next to the comment box ("Comments are screened by an automated classifier.") informs you of this at the point of interaction, in accordance with EU AI Act Article 50(2). Transfers to the US rely on the Standard Contractual Clauses, with additional reliance on the EU-US Data Privacy Framework where the recipient remains certified.

---

Device-Integrity Signals (Talsec freeRASP)

The mobile App uses Talsec freeRASP to detect runtime threats (root, jailbreak, debugger, hooking framework, emulator). Detection results — threat type, device model, OS, timestamp — are transmitted by the SDK to Talsec's EU backend; high-severity events are forwarded to our security team by email. This is not strictly a cookie technology but we disclose it here in line with our security-section commitments in the Privacy Policy.

---

Managing Your Preferences

Mobile App (iOS and Android)

When you first open Cozzy you see a consent prompt with three options:

  • Accept all — initialises the Firebase SDK and enables Firebase Analytics and Firebase Performance Monitoring in addition to essential storage.
  • Customise — opens a granular settings view with a single Analytics toggle. Switching it on initialises Firebase and enables both Firebase Analytics and Firebase Performance Monitoring; switching it off (or leaving it off) keeps both uninitialised.
  • Essential only — only strictly-necessary and functional technologies are enabled. This includes crash and error diagnostics, which are strictly necessary for the security and stability of the Service; Firebase Analytics and Firebase Performance Monitoring remain uninitialised until you change your mind.

You can change your choice at any time at Settings > Data & Privacy > Cookie Preferences. Your full acceptance history (policy version accepted, timestamp, choice) is viewable at Settings > Data & Privacy > Legal & Acceptance History. Following DPC guidance we re-prompt every 6 months.

Web Dashboard (web.cozzy.io) and Public Website (cozzy.io)

Our web surfaces use only strictly-necessary or functional cookies. The web dashboard sets one session-only theme cookie that disappears when you close your browser; the public website sets a 365-day waitlist confirmation cookie (`cozzy_waitlist_joined`) only after you actively submit the waitlist form, and uses it solely to suppress the sign-up form for returning visitors who have already joined. Because no consent-based cookies or trackers are loaded, we do not display a consent banner on these surfaces. If you wish to clear the small number of essential or functional cookies set by these surfaces, you can do so from your browser's settings.

---

What Happens If You Reject Analytics?

  • The App and dashboard work normally — all core features remain available.
  • The Firebase SDK is not initialised — no FID is written to your device.
  • Firebase Performance Monitoring is not initialised — no app-performance or network-request traces are collected, and no request URLs are shared with Google. If you previously consented and then withdraw consent, performance collection is switched off.
  • We cannot improve the product based on your usage patterns.
  • Crash and error diagnostics still run, as a strictly-necessary measure to keep the Service secure and stable, with `sendDefaultPii` disabled and no advertising use. You may object under Article 21.

---

Third-Party Sub-Processors Referenced

| Partner | When Used | Their Policy |
| --- | --- | --- |
| Google (Firebase) | Analytics, Performance Monitoring, Cloud Messaging | Google Privacy Policy |
| Sentry (Functional Software, Inc., EU) | Crash and error diagnostics (`de.sentry.io`, Frankfurt) | Sentry Privacy Policy |
| Google (Vertex AI / Gemini) | Olivia AI assistant; AI Auto Categorisation for Expert-tier users | Google Privacy Policy |
| Google (Perspective API) | Comment moderation in the Education Hub | Google Privacy Policy |
| Yapily | Bank account connection | Yapily Privacy Policy |
| Supabase | Authentication and database; issues the auth session cookie | Supabase Privacy Policy |
| Railway | Backend hosting that issues the session cookie | Railway Privacy Policy |
| Resend | Transactional email delivery (no cookies; listed for completeness given the cross-reference from our Privacy Policy) | Resend Privacy Policy |
| RevenueCat | Subscription management | RevenueCat Privacy Policy |
| Talsec (freeRASP) | Mobile runtime threat detection | Talsec Privacy Policy |

We respect your choices through our in-app consent mechanism and Apple's App Tracking Transparency (ATT) framework on iOS. Cozzy does not collect IDFA or Google Advertising ID and does not show third-party advertising.

---

Do Not Track

Mobile apps do not support the "Do Not Track" browser signal. We respect your choices through our in-app consent mechanism (granular: Essential / Analytics) and Apple's App Tracking Transparency (ATT) framework on iOS.

---

Updates to This Cookie Policy

We will update this Cookie Policy when our practices change or when required by law. If we make significant changes we will notify you through the App and request your consent again where required by the ePrivacy Directive.

---

Questions?

  • Email: privacy@cozzy.io
  • Support: support@cozzy.io
  • Entity: Cozzy Finance Limited (CRO 812498), Venture Hub, 136 Capel Street, Dublin 1, D01 T2C9, Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission. If you are based in the United Kingdom, you may also contact the Information Commissioner's Office.

This Cookie Policy is part of our Privacy Policy.

© 2026 Cozzy. All rights reserved.