Cosmos Chat

Privacy Policy

Last Updated: March 31, 2026 Effective Date: March 31, 2026

1. Introduction

Cosmos Chat ("we", "our", or "the App"), operated by Cosmos One, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use Cosmos Chat.

By using Cosmos Chat, you agree to the practices described in this Privacy Policy.

2. Overview

Cosmos Chat is an AI chat application that runs entirely on your device. All AI processing happens locally using downloaded models, ensuring your conversations remain private.

Key Points:

All AI inference runs locally on your device — conversations are never sent to external servers
Chat history is stored only on your device in a local database (protected by Android's file-based encryption)
Internet is used to download AI models (one-time) and to serve ads (if consented)
Optional Hugging Face sign-in for accessing gated models
Ads are shown with your consent via Google AdMob; you can purchase "Remove Ads" to disable them
No analytics or user tracking
You control all your data

3. Information We Collect

3.1 Information You Provide

Chat Conversations

Messages: Your chat messages and AI responses are stored locally in a Room database (protected by Android's file-based encryption)
Conversation metadata: Titles, creation dates, and message counts
AI personas: Custom persona definitions including names, descriptions, and system prompts
Storage: Entirely on your device — never transmitted to us or any third party

Hugging Face Account (Optional)

OAuth tokens: Stored securely in EncryptedSharedPreferences (AES-256-GCM encryption)
Username and avatar: Displayed in the app when signed in
Scopes requested: openid, profile, read-repos
Purpose: Only used to download gated AI models from Hugging Face
Security: OAuth 2.0 with PKCE (Proof Key for Code Exchange) via the AppAuth library

Audio Input (Optional)

Voice recordings: Processed in real-time for speech-to-text conversion
Processing: Entirely on-device using Sherpa-ONNX models — never transmitted
Storage: Audio is immediately discarded after transcription; only the resulting text is kept

3.2 Automatically Collected Information

App theme preference (light/dark/system)
Chat engine preference (MediaPipe/llama.cpp)
Speech language preference
STT model preference
Listening mode preference (single shot/continuous)
Debug logging preference (disabled by default, auto-expires after 24 hours)
Ad-free purchase status

3.3 Advertising Data (Google AdMob)

If you consent to personalised ads (via the Google-managed consent dialog):

Google AdMob may collect device advertising identifiers and limited device information to serve ads
What we control: We display banner ads only; we do not select or target ads ourselves
Opt-out: You may decline the consent dialog, and no ad-related data will be collected
Remove Ads: You can purchase "Remove Ads" via Google Play to permanently disable all advertising
No ads data stored by us: We do not store, access, or process any advertising data — this is handled entirely by Google AdMob

3.4 Diagnostic Logs (User-Initiated Only)

App logs are stored locally and only shared when you explicitly use "Share Logs" in Settings
Logs contain technical debugging information, timestamps, and device metadata
Logs do NOT contain your chat messages or personal conversations
Debug logging auto-expires after 24 hours if enabled
Logs are automatically rotated (512 KB per file, max 5 files) and pruned after 30 days

3.5 Information We Do NOT Collect

Passwords or authentication credentials (OAuth tokens are managed securely by AppAuth)
Payment or billing information (handled entirely by Google Play)
Location data
Contact or calendar data
Device identifiers (except as collected by AdMob with your consent)
Usage analytics or behavioural data
Crash reports (no dedicated crash reporting SDK such as Crashlytics or Sentry is integrated; Google AdMob may collect app stability signals as described in the Advertising section above, subject to your consent)

4. Permissions We Request

Permission	Purpose	Required
Internet	Download AI models; serve ads (with consent); Hugging Face OAuth	Yes
Network State	Check network connectivity before downloads	Yes
Advertising ID	Required by Google AdMob on Android 13+ for ad personalisation (with consent)	Yes
Microphone	Voice input for speech-to-text (if voice features used)	No
Notifications	Show AI service status and download progress in notification bar	No
Foreground Service	Base permission for running foreground services	Yes
Foreground Service (Special Use)	Keep on-device AI inference running reliably (subtype: `ai_inference`)	Yes
Foreground Service (Data Sync)	Download large AI model files in the background with progress notification	Yes

Foreground Services

Service	Type	Purpose
CosmosAiService	`specialUse` (`ai_inference`)	On-device AI inference for chat responses
ModelDownloadService	`dataSync`	Background download of AI model files with progress notification

5. How We Use Your Information

5.1 Core Functionality

Chat: Generate AI responses using on-device models
History: Save and display your conversation history locally
Personas: Customise AI behaviour with persona definitions
Voice Input: Convert speech to text for hands-free chatting (on-device)
Voice Output: Read AI responses aloud using Android's built-in text-to-speech engine or downloadable Sherpa-ONNX TTS models
Model Downloads: Fetch AI model files from Hugging Face (one-time)
Preferences: Remember your theme, language, and engine choices

5.2 Advertising (With Consent)

Display banner ads via Google AdMob to support free access to the app
Ads are only shown after you provide consent through the Google-managed consent dialog (UMP SDK)
You can remove ads permanently with a one-time in-app purchase

5.3 We Do NOT Use Your Information For

Training AI models
User profiling or behavioural analysis
Selling to third parties
Marketing communications
Cross-app tracking

6. Advertising and Your Choices

6.1 About Advertising

Cosmos Chat displays banner ads via Google AdMob to support free access to the app. Ads appear in designated banner placements within the app.

6.2 What Ad Partners May Collect

When you consent to personalised advertising, Google AdMob may collect:

Device advertising identifier (Google Advertising ID)
Device information (model, OS version)
IP address (approximate location)
Ad interaction data (impressions, clicks)

6.3 Your Choices

Remove Ads: Purchase "Remove Ads" as a one-time in-app purchase via Google Play to permanently disable all advertising and stop all ad-related data collection
GDPR/UMP Consent: You can decline personalised ads through the consent dialog — no ad-related data will be collected
Reset Advertising ID: Go to Android Settings > Google > Ads > Reset advertising ID
Opt out of personalisation: Go to Android Settings > Google > Ads > Opt out of Ads Personalisation

6.4 GDPR Compliance

The Google User Messaging Platform (UMP SDK) manages consent for users in the EU/EEA and other regions where required by law
Consent preferences are stored and managed by the UMP SDK
You can change your consent preferences at any time in the app's Settings
If you decline consent, ads may still be shown but will not be personalised, and no ad-related data will be collected by Google

7. Data Storage and Security

7.1 Storage Architecture

Cosmos Chat does NOT transmit your conversations, chat history, or persona data to external servers. All user-generated content remains on your device.

The app connects to the internet only for: model downloads (one-time), ads (with consent), optional Hugging Face OAuth, and Google Play Billing.

Component	Location	Protection
Chat messages	Room database (app internal storage)	Android file-based encryption
AI personas	Room database (app internal storage)	Android file-based encryption
App preferences	DataStore (app internal storage)	Android file-based encryption
OAuth tokens	EncryptedSharedPreferences	AES-256-GCM (keys: AES-256-SIV)
AI models	App internal storage	None (public model weights)
Debug logs	App files directory	None (30-day retention, auto-pruned)
Ad consent	Managed by Google UMP SDK	Google-managed
Purchase status	Google Play / local DataStore	Google Play managed

7.2 On-Device AI Processing

All AI inference happens locally on your device:

Chat models: Gemma 3 1B (MediaPipe) or Llama 3.2 3B (llama.cpp)
Embedding model: Nomic Embed Text v1.5 for semantic search
Speech-to-text: Whisper Tiny (English) or SenseVoice (Multilingual) via Sherpa-ONNX
Text-to-speech: Android's built-in TextToSpeech engine (default); optional downloadable TTS models via Sherpa-ONNX (Piper TTS for English, MeloTTS for Chinese/English, Mimic3 for Korean)

Your prompts and conversations are NEVER sent to external servers for AI processing.

7.3 Security Measures

Encryption at rest: OAuth tokens encrypted with AES-256-GCM (key encryption: AES-256-SIV via Android Keystore); app data protected by Android file-based encryption
Encryption in transit: All network requests use HTTPS/TLS
OAuth security: PKCE flow with state validation to prevent redirect attacks
Token storage: If hardware-backed encryption is unavailable (rare), tokens may fall back to standard Android SharedPreferences (filesystem-isolated via MODE_PRIVATE but not encrypted at the application level)
Service isolation: AI service access protected by signature-level Android permission (com.cosmos.permission.USE_AI_SERVICE)
Code protection: ProGuard/R8 obfuscation in release builds
No hardcoded secrets: Only a public OAuth client ID is included in the app

8. Data Sharing and Disclosure

8.1 Data NOT Shared

Cosmos Chat DOES NOT:

Share your chat history with any third party
Sell your personal information
Transmit your conversations to external servers
Use analytics or user tracking services
Share data with data brokers or advertisers (ads are served by Google AdMob directly; we have no access to ad-related data)

8.2 Network Requests

The app connects to the internet for:

Model downloads: One-time download of AI models from Hugging Face (https://huggingface.co)
Hugging Face OAuth: Only if you choose to sign in for gated model access (https://huggingface.co/oauth/)
Google AdMob: To serve banner ads (only with your consent, or disabled if you purchase "Remove Ads")
Google Play Billing: To verify and process in-app purchases

8.3 User-Initiated Sharing

Diagnostic logs: You may choose to share logs via the "Share Logs" feature in Settings — this uses the Android share sheet and is entirely under your control
No other export: The app does not provide any other mechanism for data to leave your device

8.4 Legal Disclosure

We may disclose information if required by law, legal process, or governmental request. However, since all user data is stored locally on your device and we have no access to it, there is effectively no data we can disclose.

We do NOT sell your personal information. We do NOT share data with data brokers. We do NOT share data with advertisers. We do NOT share data with any unlisted parties.

9. Third-Party Services

Google AdMob

Purpose: Display banner ads to support free access to the app
Data accessed: Device advertising identifier, limited device info (managed by Google)
Your control: Consent dialog before any ad data collection; "Remove Ads" purchase to disable entirely
Privacy Policy: https://policies.google.com/privacy
Ad Settings: https://adssettings.google.com

Google User Messaging Platform (UMP SDK)

Purpose: Collect GDPR/consent for ad personalisation (EU users and others as required by law)
Data accessed: Consent preferences
Privacy Policy: https://policies.google.com/privacy

Google Play Billing

Purpose: Process "Remove Ads" in-app purchase
Data accessed: Purchase status and transaction ID (managed entirely by Google Play)
We do NOT receive: Payment details, credit card numbers, or billing addresses
Privacy Policy: https://policies.google.com/privacy

Hugging Face (Optional)

Purpose: OAuth authentication for downloading gated AI models
Data shared: Username and profile information (only during OAuth flow)
Scopes: openid, profile, read-repos
We do NOT access: Your Hugging Face repositories, datasets, or other account data beyond profile info
Privacy Policy: https://huggingface.co/privacy

Model Hosting (Hugging Face)

Purpose: Hosts AI model files for download
Data exposed: Standard HTTP request metadata (IP address, user agent) during model downloads
User agent: CosmosChat/2.0 (offline model fetch; +https://github.com/cosmosone/cosmos-chat)
One-time only: Models are downloaded once and stored locally

On-Device Libraries (No Data Transmission)

These libraries run entirely on your device and do not transmit any data:

MediaPipe LLM Inference (Google): On-device chat inference
llama.cpp: Open-source local LLM inference
Sherpa-ONNX: On-device speech-to-text and text-to-speech processing
Android TextToSpeech: Built-in text-to-speech engine
AppAuth: OAuth 2.0 library for Hugging Face sign-in (network traffic limited to OAuth endpoints)

10. Data Retention and Deletion

10.1 Retention Periods

Data	Retention	How to Delete
Chat conversations	Until you delete them	Delete within app or clear app data
AI personas	Until you delete them	Delete within app or clear app data
App preferences	Until you clear app data	Android Settings > Apps > Cosmos Chat > Clear Data
OAuth tokens	Until you sign out or clear data	Sign out in app, or clear app data
AI models	Until you delete them or uninstall	Delete via app's model management, or uninstall
Debug logs	30 days (auto-pruned); stored in app files	Clear app data, or they are removed automatically
Ad consent	Managed by Google UMP	Reset via Android ad settings
Purchase status	Permanent (tied to Google account)	Managed via Google Play

10.2 Advertising Data

Advertising data is collected and retained by Google AdMob in accordance with Google's privacy policy. You can:

Reset your advertising ID via Android Settings > Google > Ads
Purchase "Remove Ads" to stop all ad-related data collection within the app

10.3 Deleting Your Data

Since Cosmos Chat operates entirely on-device with no user accounts managed by us:

Delete individual conversations: Use the delete function within the app
Delete all app data: Go to Android Settings > Apps > Cosmos Chat > Storage > Clear Data
Sign out of Hugging Face: Use the sign-out option in the app to remove OAuth tokens
Revoke Hugging Face access: Visit https://huggingface.co/settings/connected-applications
Reset ad consent: Go to Android Settings > Google > Ads > Reset advertising ID
Uninstall the app: Removes ALL local data including conversations, preferences, tokens, logs, and AI models

Nothing is retained after uninstallation. There is no cloud backup or external storage of your data.

11. AI Model Licences

The App uses AI models from third parties. These models run entirely on your device:

Model	Provider	Licence	Terms
Gemma 3 1B	Google	Gemma Terms of Use	View Terms
Llama 3.2 3B	Meta	Llama 3.2 Community Licence	View Terms
Nomic Embed v1.5	Nomic AI	Apache 2.0	View Terms
Whisper Tiny	OpenAI	MIT	View Terms
SenseVoice	FunAudioLLM	FunASR Licence	View Terms
Piper TTS	Rhasspy	MIT Licence	View Terms
MeloTTS	MyShell.ai	MIT Licence	View Terms
Mimic3	Mycroft AI	MIT Licence	View Terms

Prohibited uses of these models include generating content that violates laws, promotes violence or harm, is deceptive or fraudulent, infringes intellectual property, or involves surveillance of individuals. Refer to each model's licence terms for the full list of restrictions.

12. Your Privacy Rights

You have complete control over your data:

Access: View all conversations within the app
Correction: Edit or delete messages and conversations
Deletion: Remove all data by clearing app data or uninstalling (see §10)
Portability: Your data stays on your device under your control
Withdraw consent: Revoke permissions at any time in Android Settings
Ad consent: Change or withdraw ad consent through the consent dialog (accessible via app settings or by clearing app data)

Since all data is stored locally, most rights are exercisable directly through the app and Android system settings without needing to contact us.

12.1 For EU/EEA Residents (GDPR)

Under the General Data Protection Regulation, you have additional rights including:

Right to access your personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing

Cosmos Chat does not process personal information on any server. The GDPR consent banner (UMP SDK) relates to ePrivacy compliance for advertising. You can exercise all data rights directly through the app and Android system settings. For any GDPR-related inquiries, contact us at support@cosmosone.cloud.

12.2 For California Residents (CCPA)

Under the California Consumer Privacy Act:

Right to Know: We collect minimal data as described in this policy — no personal information is collected or stored on our servers
Right to Delete: All data can be deleted as described in §10
Right to Opt-Out of Sale: We do NOT sell your personal information
Non-Discrimination: We do not discriminate against users who exercise their privacy rights

13. Children's Privacy

Cosmos Chat is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use this App.

The App displays ads via Google AdMob (with consent) and offers a one-time in-app purchase. No social features are included.

14. International Data Transfers

All user data is processed and stored locally on your device. No user data is transferred to our servers or across international borders by us.

Third-party services (Google AdMob, Google Play, Hugging Face) may process limited data in accordance with their own privacy policies and may transfer data internationally. Please refer to their respective privacy policies linked in §9 for details.

15. Changes to This Privacy Policy

We may update this Privacy Policy for:

Changes in legal requirements
New features or functionality
Changes in third-party service integrations
Improvements to security practices

Notification: Updates will be posted on this page with a new effective date. Material changes will be communicated through the app or our website.

16. Contact Information

If you have questions about this Privacy Policy:

Email: support@cosmosone.cloud Subject Line: [Cosmos Chat Privacy] Website: https://cosmosone.cloud Response Time: Within 5 business days

17. Summary

Aspect	Details
AI Processing	100% on-device, never transmitted
Chat History	Stored locally in Room database (protected by Android file-based encryption)
Network Usage	Model downloads (one-time), ads (with consent), optional OAuth
Authentication	Optional Hugging Face OAuth (tokens encrypted with AES-256-GCM)
Voice Input	Optional, processed entirely on-device via Sherpa-ONNX
Voice Output	Android built-in TextToSpeech (default); optional Sherpa-ONNX TTS models
Advertising	Google AdMob banner ads with consent; removable via in-app purchase
Analytics/Tracking	None
Data Sharing	None — no data sold, no data brokers, no third-party sharing
User Control	Complete — all data stored locally, deletable at any time
Deletion Method	Uninstall removes ALL data; no cloud retention
Governing Law	Australia

Privacy-First Design: Cosmos Chat is built on the principle that your conversations are yours alone. By processing everything on your device, we ensure that your private thoughts stay private.