LogicReader
Privacy Policy
Version beta-2026-07 · Effective date 11 July 2026 This policy covers the public self-serve free beta of LogicReader at logicreader.io and app.logicreader.io. It replaces the earlier pilot-era policy published on cosmospm.com for this product.
This policy explains what personal data CosmosPM Ltd collects when you use LogicReader, why we collect it, who we share it with, and the rights you have over it.
1. Who we are
CosmosPM Ltd (company number 16886156), registered in England and Wales.
Registered office: 5th Floor, City Reach, 5 Greenwich View Place, London E14 9NN, United Kingdom.
ICO registration: C1928514.
Data protection queries: privacy@cosmospm.com
General queries: contact@cosmospm.com
2. Two roles: controller and processor
CosmosPM acts in two different capacities depending on the type of data, and different rules apply to each.
(a) Account data — we are the controller
For your account details (name, email address, role, company, login credentials, and security logs), CosmosPM is the data controller. We decide why and how this data is processed, and this policy governs it directly.
(b) Uploaded schedule content — we are the processor
For the project schedule files you upload (XER or CSV files), CosmosPM is the data processor. You, or your organisation, are the controller of that content. Uploaded schedules may contain personal data about third parties, such as the names of project team members listed against activities. Our processing of this content is governed by the Data Processing Terms in our Terms of Service. By uploading a schedule, you warrant that you have the right to upload it and that you have any necessary permissions to share the personal data it contains with us.
3. What data we collect
- Registration data: name, email address, role, and company, collected when you register and confirmed through double opt-in email verification.
- Account credentials: your login password (stored in hashed form) and related account security data.
- Uploaded schedule files: XER or CSV project schedule files you choose to upload.
- Technical data: IP address, browser type, and security logs, collected automatically to keep the service secure and working.
- Support and feedback correspondence: messages you send us, for example bug reports or support requests.
We do not seek to collect any special-category data (such as health, religious belief, or racial or ethnic origin data) and ask that you do not include such data in your account profile.
Providing your name, email, and company is necessary to enter the contract for the Service — without it we cannot create your account.
4. Why we process your data (lawful bases)
- Contract: to create and run your account and provide the LogicReader service you have signed up for.
- Consent: for marketing communications, only if you opt in at signup. You can withdraw this consent at any time.
- Legitimate interests: to keep the service secure, to improve it, and to understand anonymised usage patterns (with an opt-out available — see section 10). This basis covers account, technical and usage data only. We do not analyse or use the content of your uploaded schedule files for our own purposes — see section 2(b).
- Legal obligation: to meet our obligations to HMRC and the ICO, and other legal requirements.
5. AI processing — how we use Anthropic
LogicReader's AI features send relevant schedule data and prompts to Anthropic (Anthropic PBC, United States; Anthropic Ireland Limited is the contracting entity for EU/UK customers) to generate the AI response you requested.
- Anthropic retains API inputs and outputs for 30 days for safety and abuse monitoring.
- Anthropic does not train its models on data submitted through the API.
- This processing is covered by a contractual Data Processing Agreement with Anthropic, incorporating EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
- You are told before an AI feature runs, so you can choose whether to use it.
6. Who we share your data with (sub-processors)
We use a small number of carefully chosen sub-processors to run LogicReader. We have data processing agreements in place with each of them.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hostinger International Ltd / Hostinger UK Ltd | Application hosting | United Kingdom (single production server) | DPA; Standard Contractual Clauses / UK IDTA |
| Anthropic (Anthropic PBC / Anthropic Ireland Limited) | AI features | United States / Ireland | DPA; SCCs / UK Addendum; 30-day input/output retention; no model training on our data |
| Brevo (Sendinblue SAS) | Transactional email — signup verification | Paris, France (hosting primarily France/Belgium) | DPA in force via Brevo's Terms of Service; SCCs and EU-US Data Privacy Framework for its non-EEA sub-processors |
| Microsoft | Business email | UK geo | DPA |
| PostHog (when enabled) | Server-side, cookieless usage telemetry | EU cloud | Opt-out available — see section 10 |
| Stripe / Paddle | Payment processing | Will be added here before paid plans launch; not currently in use. | |
7. How long we keep your data
- Account data: kept while your account is active. On a deletion request we deactivate your account and put your personal data beyond use without undue delay; residual copies may persist in encrypted backups for up to 12 months before being permanently purged.
- Uploaded schedule data: kept until you delete it, or for 90 days after your account is closed.
- Pending registrations: unverified sign-ups are kept only for a short, limited period before removal.
- Support and other correspondence: kept for up to 6 years, in line with HMRC record-keeping requirements.
- Security logs: kept on a rolling 90-day basis.
8. How we protect your data
We apply the following technical and organisational measures to protect your personal data:
- data is encrypted in transit using TLS;
- passwords are stored only in hashed form, never in plain text;
- access to personal data is restricted to authorised personnel who need it to operate the Service;
- the Service runs on a single production server hosted in the United Kingdom;
- we take regular backups, held encrypted; and
- no card data touches our servers — payments, when launched, will use a hosted payment provider.
These measures are kept under review as the Service develops. We do not hold any security certifications at this stage.
9. Your rights
Under UK GDPR, you have the right to:
- be informed about how your data is used;
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased, in certain circumstances;
- restrict how your data is processed, in certain circumstances;
- receive your data in a portable format;
- object to processing based on legitimate interests or for direct marketing;
- withdraw consent at any time, where we rely on your consent (e.g. marketing), without affecting the lawfulness of earlier processing; and
- not be subject to decisions based solely on automated processing that have a legal or similarly significant effect on you.
To exercise any of these rights, email privacy@cosmospm.com. We aim to respond within one calendar month.
If you are not satisfied with how we have handled your data, you can complain to the UK's data protection regulator:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom
10. Cookies and local storage
LogicReader uses only strictly necessary cookies — specifically the lr_session authentication cookie, which keeps you signed in — and local browser storage to remember your interface preferences. We do not use advertising or tracking cookies. See our Cookie Policy for details, including how to opt out of anonymised usage telemetry where it is enabled.
11. International data transfers
Some of our sub-processors are based outside the UK. Where we transfer your data outside the UK, for example to Anthropic in the United States, we rely on EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, or equivalent safeguards as set out in the sub-processor table in section 6.
The Service is hosted in the United Kingdom. If you access it from outside the UK (for example from India, the United Arab Emirates, or the United States), the personal data and schedule content you provide are transferred to, and processed on, our server in the United Kingdom, and — where you use an AI feature — to Anthropic in the United States as described above. By using the Service from your location you understand that this cross-border processing takes place. This free beta is intended for sample or anonymised schedules, not confidential live project data.
12. Children
LogicReader is a professional tool intended for use by scheduling and project management professionals. It is not intended for, and we do not knowingly collect data from, anyone under 18 years of age.
13. Beta status
LogicReader is currently offered as a free beta service. As the product moves through development, data held in beta accounts may be deleted when the beta period ends. We will give notice before this happens.
14. Changes to this policy
We may update this policy from time to time. If we make a material change, we will notify you in-app or by email. The version number and effective date at the top of this page always show the current version.