Effective Date: September 25, 2025
1. INTRODUCTION
This Privacy Policy is intended for all Cobalt products and services, including our website (www.cobalt.io); our applications; and our marketing and promotional content (collectively, the “Services”).
We are Cobalt Labs, Inc., a Delaware corporation, doing business at 575 Market St, 4th Floor, San Francisco, CA 94105-USA, together with our affiliates (referred to herein as “Cobalt”, “us”, “our” or “we”).
For the purposes of EU GDPR, Cobalt acts as a Data Controller for the data we process for our own business purposes. If you have any questions relating to this Privacy Policy, please contact us by email at privacy@cobalt.io.
2. PURPOSE OF THIS POLICY
At Cobalt, we are committed to safeguarding and maintaining your personal data, in line with all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states (“EU GDPR”), Switzerland, the United Kingdom (Data Protection Act (“UK GDPR”)) and the United States federal and/or state data protection or privacy statutes including but not limited to the California Consumer Protection Act (“CCPA”), the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Oregon Consumer Privacy Act (OCPA), the Texas Data Privacy and Security Act (TDPSA), the Montana Consumer Data Privacy Act (MCDPA), the Delaware Personal Data Privacy Act (DPDPA), and other applicable U.S. state privacy laws, as may be amended from time-to-time.
This policy aims to promote transparency and facilitate you in making informed decisions about your personal data. In some circumstances, where we process personal data for a new purpose not contained herein, we may provide additional or revised privacy policies so that you fully understand the reason for and purpose of the new activity.
Cobalt maintains this policy on a regular basis and updates it where necessary. You are encouraged to check back regularly; however, if we make a substantial amendment to the current version, we will keep you informed and, where you are our customer, we may notify you by email.
3. WHAT DATA DO WE COLLECT
Cobalt’s products and services are designed and intended for use by businesses and their representatives. We do not provide services or products that are aimed at individuals or consumers in a personal capacity.
When we refer to ‘personal information’ or ‘personal data’ in this Privacy Policy, we mean information that identifies or which could be reasonably used to identify any individual. We process different categories of personal data and this will depend on our relationship with you or your organization.
Information you provide to us
Contact Data: Any personal data you share when you contact us, for example, by sending us an email, by attending or engaging with us at an event, or through our website by using live chat, completing contact forms or downloading content. This can include any information shared by you.
Account Data: If you have a Cobalt account or where you are our prospective or actual customer, we collect first name, last name, job title/function, work email address, work phone number, user identifier and password.
Marketing Data: Your instructions as to whether you wish to receive email marketing, newsletters and other promotional material from Cobalt, including your marketing permissions and opt-in status.
Transactional Data: Where you are our Customer, or one of our vendors, or otherwise establish a relationship with us that involves financial transactions, we collect information relating to those transactions. This may include data like credit/debit card information, account and authentication information, tax identifiers and other billing, delivery and invoice details. For automated/digital transactions, we may outsource this activity to one of our selected third-party payment card processors, all of which maintain PCI-DSS compliance.
Organizational Data: When you engage with us on our website, or are our customer, we may collect non-personal data relating to your organization, including but not limited to number of employees, industry type, company name and size, growth trends, registered business address, location (city, state, country).
Information we collect automatically
Technical and Analytical Data:
- Information about how you use our services, such as, content downloaded or requested, intent data, Cobalt services or products searched, viewed or used, page response times, website performance analytics, download errors, timestamp of visit or interaction, length of visits or sessions, referral site or source, email activity (opens/clicks), page interaction information (such as scrolling, clicks, and mouse-overs); and
- Information about your device, such as, IP address, browser version, browser language, operating system and version, unique device identifiers, geo-location (city, state/province, country), operating system and platform, marketing cookie permissions.
Where accepted by you, we use cookies and similar tracking technologies to collect some of the information listed above; for more information, please see the Cookies and Tracking Technologies section below.
Data from other sources: We combine data that you provide to us (and that we may collect across our services) with information that we receive from third parties, including but not limited to B2B lead generation and professional LinkedIn profiles. We may use demographic information about you in your professional capacity, such as your job title or function (that Cobalt obtains from sources like LinkedIn), which is used for segmenting and profiling for B2B marketing purposes. You can opt out of having your data used in this way at any time.
Please note that if you provide Personal Information to us about any individual other than yourself, you represent and warrant that you are legally authorized to provide such Personal Information to us for our use and disclosure as described in this Policy.
4. THE SOURCE OF THE PERSONAL DATA
If the personal data we process about you has not been given to us directly by you, Cobalt may obtain it from the following sources:
- From your organization, on your behalf;
- From yourself directly;
- From publicly available sources, such as public websites, the internet;
- From social media platforms such as LinkedIn;
- From organizations we work with who are specialists in B2B lead generation and B2B intent data, and who have obtained your permission to share some of your organization's data with us, such as B2B data clearinghouses;
- From website analytical data that is collected automatically by cookies and other similar technologies when you use our services.
5. THE PURPOSE OF OUR DATA PROCESSING
Cobalt is permitted to process personal data only where we have identified a lawful basis for doing so. The main lawful bases upon which Cobalt relies are:
Legitimate interests: the processing is necessary for the purpose of the legitimate interest pursued by us or our third parties. For example, we may have a legitimate interest in processing Personal Information to send B2B marketing communications and promote our business.
Consent: Where the data subject (you) has freely given your consent to the processing taking place. If you've provided us with your express consent for our processing of your Personal Information, we may process your Personal Information based on such consent, until such time where that processing is no longer necessary or your consent is withdrawn.
Legal Obligation: Where the processing is necessary for us to comply with a legal obligation to which we are subject as data controller. For example, if you have purchased our services and we are required by applicable law to process Personal Information to meet certain tax obligations, we may process your Personal Information to comply with such legal obligations.
Contract: Where the processing is necessary for the performance of a contract to which we are a party. For example, when you purchase our services, you enter into a contract with us and in such circumstances, we process your Personal Information in order to perform this contract or to take required measures prior to entering into the contract.
We process personal data for the following purposes and rely on the following legal bases:
| Processing purpose | Lawful Basis | Category of personal data |
|---|---|---|
| To manage or establish a relationship with you, such as: Respond to any enquiry, comment or request submitted by you; To provide you with alerts and services messages, notifying you about material changes to our services and our terms, policies and notices; Provide downloadable content to you, as requested on our website; Where you engage with us at an event where we are participating. | Performance of a contract (including negotiation); Legal obligation (updates to terms and policies); Legitimate Interests (networking at events, provide downloadable content) | Contact Data; Account Data; Organizational Data |
| Creating and maintaining your Cobalt account and providing services as requested, including: Administering services access; Processing order forms and contractual agreements; Facilitating integrations, as requested; Password and 2FA management; Personalize our online services at your selection | Performance of a contract (including negotiation) | Contact Data; Account Data; Technical and Analytical data; Subscription Data; Organizational Data |
| To review, monitor and protect the performance of our services, including: Troubleshooting and error management; System maintenance; Security monitoring and reporting; System performance analysis; Analyzing trends and usage | Legitimate Interests; Legal Obligation (system security) | Contact Data; Technical and Analytical data; Account Data; Organizational Data |
| Where we have a financial relationship with you, to process payments for services and settle invoices payable. | Performance of a contract | Contact Data; Account Data; Subscription Data; Organizational Data |
| To maintain our existing relationship with established customers and to promote our products and services and identify new-customer opportunities. We may use public information about you, in combination with other personal information we may have about you, to identify products and services that we believe may be of interest to your business. You may opt-out of receiving these emails at any time by clicking “unsubscribe” found in the emails we send you or by clicking here. | | Contact Data; Account Data; Marketing Data; Technical and Analytical data; Data from other sources; Organizational Data. Cobalt uses a combination of firmographic data to perform segmentation on the organizations of our customers based on various factors for sales and promotional purposes. |
| To identify organizations who may be interested in working with Cobalt, including: Using firmographic information about prospective organizations, such as, industry specialism, size of company, location of country. Please see ‘Non-personal data’ above; Using firmographic data to identify organizations who are in our target market and who we believe may be interested in Cobalt products and services. | | Contact Data; Account Data; Marketing Data; Technical and Analytical Data; Organizational Data |
| To share data with third party organizations who process data on our behalf as a data processor or subprocessor, and enable us to provide our services. For example, data hosting providers, CRMs, payment card processors and vendors who deliver technical services to us. | Performance of a contract; Legitimate Interests | Contact Data; Account Data; Marketing Data; Technical and Analytical data; Data from other sources; Organizational Data |
6. RECIPIENTS OF PERSONAL DATA
We will share data with and receive data through Cobalt’s Partners who lead in the cybersecurity space. For example, Cobalt may assist them in providing their services or Partners may assist Cobalt in generating new business opportunities.
Cobalt engages third party service providers to assist us in providing our services and conducting our business, which means any service provider may process personal data on our behalf, depending on the nature of the services supplied. These organizations deliver to us specific functionality on which we rely to do business. We require every organization that processes personal data on our behalf to ensure its security, adhere to confidentiality requirements equal to those herein, and process it only in accordance with our strict instructions. These organizations may be located or have servers which are located outside of the EU, and Cobalt has entered into strict data protection agreements to safeguard personal data when transferred out of the EU or EEA.
You or your organization may choose to add new integrations or change the functionality of the services by using third party apps within the services. This means giving third-party apps access to your account and information like your name, email address, and any content you elect or are required to provide in connection with those apps.
We may also share personal data with third parties providing services to us or on our behalf who require access to personal information (e.g., our professional advisors, including but not limited to auditors, insurers, legal counsel) to protect our business interests.
In the event we are involved in a merger, reorganization, acquisition or other fundamental corporate change, or if all or part of our assets are acquired by a third party, we may be required to share your personal data with relevant third parties involved in the transaction. We will endeavor to notify you of any transfer of personal data in this event and the recipient will be informed of the requirement to protect your personal data as per the terms of this Policy.
7. INTERNATIONAL DATA TRANSFERS
Cobalt is a global organization. This means that when you engage with us, your personal data may be transferred to or stored in countries that may not have equivalent privacy and data protection laws to the country where you are based. Cobalt hosts all data in the United States. Third-party vendors and service providers Cobalt works with may also be based in countries outside of the European Economic Area, including but not limited to the US.
Cobalt makes use of Standard Contractual Clauses, approved by the European Commission (and the equivalent Standard Contractual Clauses for the UK, where applicable) to safeguard restricted transfers made to countries without an adequacy decision.
8. HOW WE KEEP YOUR DATA SECURE
Cobalt is a security-centric company. This means that the security and integrity of your personal data is our paramount concern. We have heavily invested in our security infrastructure to ensure that we have appropriate technical and organizational measures to protect the personal data we process, and keep it from being accidentally lost, used or accessed, altered or disclosed in an unauthorized way.
For more information on how Cobalt keeps data secure, please see our security practices and certifications here.
9. HOW LONG DO WE STORE YOUR DATA
As part of our commitment to purpose limitation, Cobalt only retains personal data for as long as it is required for the purpose in which it was originally collected. For example, if you are an active customer of ours, we will retain your personal data, in connection with the services, for the duration of our agreement or relationship with you.
Cobalt has incorporated retention policies and schedules into our business to ensure that the data we retain is relevant to its purpose and is limited to only the data necessary to achieve said purpose. When we no longer need your personal data, we may de-identify or aggregate the data or securely destroy it based on our retention policy. Please note that de-identified or aggregated data is not treated as personal data under this policy, and may be used for analytics purposes. When Cobalt processes de-identified data, we will take commercially reasonable measures to ensure that it cannot be associated with any individual. Cobalt makes a public commitment to maintain and use de-identified data without attempting to re-identify it.
You may request the deletion of some or all of your personal data by contacting privacy@cobalt.io or by clicking here. However, please note that this is not an absolute right and applies only where certain circumstances are satisfied, and we may need to retain certain information for record keeping purposes, to complete transactions or to comply with a legal obligation.
10. MARKETING
To promote our business to new and existing customers and promote services that we believe may be of interest to your organization, we occasionally share marketing communications and promotional material with our B2B customers. For example, when you engage with us on our website by completing a form or downloading content, or where you have told us you would like to receive it.
You have the right to opt-out of receiving marketing communications at any time by clicking the ‘unsubscribe’ link in the footer of any promotional email from us. Alternatively, you can request this by email at privacy@cobalt.io.
Please note that this will not affect Services Messages which we are required to communicate to you, for example when we update our terms and conditions, or where we make material changes to our existing services that impact functionality or user experience.
11. CHILDREN UNDER 13
Our site and services are not directed to or intended to be used by individuals under the age of 13 and we do not knowingly collect Personal Information from children under 13. If you become aware or reasonably suspect that we have collected Personal Information from any child under the age of 13, please contact us at privacy@cobalt.io and we will seek to delete such Personal Information as soon as possible.
12. COOKIES AND TRACKING TECHNOLOGIES
Cobalt relies on cookies, web beacons and other similar tracking technologies to customize and improve our websites and services, personalize and enhance user experience, to understand the usage and performance levels of our services, determine what content is being engaged with and the levels of engagement. We also use cookies and other tracking technologies to determine things about our website visitor’s interests, based on things like browsing activity, interactions and preferences.
You have the right to reject the use of cookies on our Website for marketing purposes. However, functional and essential cookies are used to make our website function or offer our services. These cookies cannot be switched off. You will be served with a prompt to accept, reject or configure cookies when you visit our website on a desktop or mobile. You can also reject marketing cookies at any time by clicking ‘My Privacy Settings’ on our website’s footer.
Cookies: Like many websites, we use cookies on a user's hard drive to collect information. A cookie is a small piece of information that is placed on your device when you visit the site and other websites. We use cookies to identify your authenticated interaction with the site, to enable certain features of the site, to better understand how you interact with the site, and to monitor aggregate usage by site users and web traffic routing on the site. You can instruct your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. However, if you do not accept cookies, that may limit your use of certain features of the site.
Web Beacons: Our site may contain electronic images known as Web beacons (sometimes called single-pixel gifs), which are used along with cookies to compile aggregated statistics to analyze how our site is used and may be used in some of our emails to let us know which emails and links have been opened by recipients. This allows us to gauge the effectiveness of our customer communications and marketing campaigns. As with cookies, you may disable web beacons by changing your browser settings or the settings in your email services/program.
Device recognition technology: Device detection technology recognizes the devices being used to access a website, app, or mobile network, using the User-Agent or other HTTP request headers. These headers include detailed information across hundreds of categories, including device model, operating system, processing power, browser type, screen resolution,
Websites and apps enhanced with device detection can make smarter decisions (in real-time) about what content to send to a given device.
13. LINKS TO OTHER SITES
Our site may include links to third party websites. We do not endorse or recommend such third party websites or the content therein and we are not responsible for the privacy practices of the operators of such websites. Please be aware that when you access links on our site to a third party website, you are bound by the privacy policies and practices of that third party. We encourage you to read the privacy policies governing your use of any third party website.
14. YOUR RIGHTS UNDER GDPR
As defined under the EU GDPR, including as retained by the UK (“UK GDPR”), individuals are granted eight (8) individual rights over their personal data:
- Right to be informed: you have the right to be informed about the collection and use of your personal data. You also have the right to be provided with certain information including: our purposes for processing your personal data, our retention periods for that personal data, and who we will share it with.
- Right of Access: you have the right to request confirmation that data about you is being processed, and receive a copy of some or all of the personal data processed about you from a Data Controller.
- Right to Rectification: you have the right to request the rectification of any personal data that is inaccurate or incomplete;
- Right to Erasure (or the ‘right to be forgotten’): you have the right to request the erasure of your personal data from the Data Controller’s records, including back-ups. This is not an absolute right and can only be fulfilled if one of the grounds under Article 17(1) GDPR applies;
- Right to Restriction of Processing: you have the right to request the restriction of processing of your personal data. This is not an absolute right, and can only be fulfilled if one of the grounds under Article 18(1) GDPR applies;
- Right to Data Portability: you have the right to receive the personal data concerning you, as provided to the Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the first controller.
- Right to Object: you have the right to object to an organization processing (using) your personal data at any time. This effectively means that you can stop or prevent the organization from using your data. An objection may be in relation to some or all of the personal data. The right to object only applies in certain circumstances outlined by Article 21 GDPR, including where processing is based exclusively on your consent, or processed for the purposes of direct marketing.
- Automated decision making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects on you. Automated individual decision-making is a decision made by automated means without any human involvement. Cobalt does not use, in connection with our services, automated decision-making in a way that produces legal effects concerning you or that significantly affect you.
You have the right to make any of the above requests at any time. To do so, please complete our Privacy Request Form or contact us at privacy@cobalt.io. Upon receiving your request, we will confirm receipt and aim to action your request without undue delay and no later than one month from the date we receive your request.
Please note that in order to fulfill your request, we may need to request identification from you (or your appointed representative) to confirm your identity or their authorization to make the request. We will inform you of any necessary identification checks after we receive your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing and any further rights available to you.
15. YOUR RIGHTS UNDER CCPA
The California Consumer Privacy Act ("CCPA") provides certain rights to individuals who reside in California ("Consumers"). Below is a description of Consumers' rights concerning their Personal Information and Cobalt's practices regarding the collection, use, disclosure and sale of Personal Information about Consumers.
Consumers have the right to request that we disclose what Personal Information we collect, use, disclose and sell. A Consumer may exercise the following rights:
- Right to Know: Consumers may request that businesses disclose what personal information they have collected, used, shared, or sold about you in the last 12 months, and why they collected, used, shared, or sold that information. Specifically, you may request:
  - The categories of personal information collected
  - Specific pieces of personal information collected
  - The categories of sources from which the business collected personal information
  - The purposes for which the business uses the personal information
  - The categories of third parties with whom the business shares the personal information
  - The categories of information that the business sells or discloses to third parties
- Right to Delete: Consumers have the right to request the deletion of personal information that a business holds on the consumer. However, this right does not apply where the business needs to retain the personal information in order to do any of the following:
  - Provide goods or services to the consumer
  - Detect or resolve security or functionality-related issues
  - Comply with the law
  - Conduct research in the public interest
  - Safeguard the right to free speech
- Right to opt-out: Consumers have the right to opt out of their personal information being sold by a Company. You can do so by emailing privacy@cobalt.io, or by clicking do not sell my info.
- Right to non-discrimination: Consumers have the right not to be discriminated against for having exercised their rights under the CCPA.
As of January 2023, Consumers are granted the following additional rights under the California Privacy Rights Act (“CPRA”):
- The right to request that inaccurate personal information be corrected by the Company responsible. This type of request should be fulfilled within 45 days; however, where necessary, an additional 45 days may be required. If the deadline changes to 90 days, we will inform you without delay and explain our reasoning.
- The right to limit the use and disclosure of sensitive personal information collected about them. This means you can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. Please note that Cobalt does not process sensitive personal data about you for any purpose.
You may exercise your Consumer Rights at any time by emailing privacy@cobalt.io or clicking here.
We will confirm receipt of any consumer rights request within 10 days, and move to action your request within 45 days following initial receipt (except when the deadline has been properly extended, in which case the timeframe is 90 days).
Please note that we will need to verify your identity or your Authorized Agent’s (which may be a person or a business entity registered with the California Secretary of State) permission to submit the request on your behalf. We will inform you of additional information we require (if any) to verify your identity after we have received your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing.
In no event will Cobalt discriminate against any Consumer for exercising their CCPA rights.
Sale, collection & use of Personal Information about Consumers
Please be advised that Cobalt engages in limited data transfers to third parties that may be considered a data sale under applicable law. Such transfers occur only in the context of presentations, panels, and other events arranged or sponsored by Cobalt, that may be presented or co-sponsored with other third parties. In such cases, event attendees will be prompted to provide certain identifying information to register for the event in question.
Such information will be shared for marketing purposes with all parties presenting or sponsoring the event, including third parties with whom the attendee may not have a pre-existing relationship. Such third parties will be identified in materials accompanying any prompt to provide information.
You have the right to opt out of your data being shared in this manner. You can do so by emailing privacy@cobalt.io, or by clicking here: do not sell my info.
CCPA: Descriptions of processing
The table below includes information on the categories of Consumers' Personal Information we collected within the last twelve (12) months, categories of sources from which such Personal Information was collected and the business or commercial purpose for which the Personal Information was collected:
| Category of Personal Information we Collected | Category of Source from which Personal Information was Collected | Business or Commercial Purpose for which Personal Information was Collected |
|---|---|---|
| Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc. | | Performing services for the Consumer, including maintaining or servicing accounts, providing customer services and verifying customer information and fulfilling orders and transactions |
| Commercial information, such as records of services purchased | | Processing payments; fulfilling orders and transactions; providing financial documents |
| Internet or other electronic network activity information, including information regarding a Consumer’s interaction with our site | | Providing advertising or marketing services; for analytics activities |
The table below describes the categories of Personal Information about Consumers we have disclosed to third parties for a business purpose and the corresponding categories of third parties to whom such Personal Information was disclosed within the last twelve (12) months:
| Category of Personal Information we Disclosed for a Business Purpose | Category of Third Party to whom Personal Information was Disclosed |
|---|---|
| Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc. | Cobalt's vendors who assist us in providing our products and services, including access to the services |
| Commercial information, such as records of services purchased | Cobalt’s vendors who assist us in providing our products and services, including completing transactions and for accounting purposes. |
| Internet or other electronic network activity information, including information regarding a Consumer's interaction with our site | Cobalt’s vendors who assist us in providing our products and services, including promotion and marketing activities. |
16. AI USE IN THE CHATBOT
Cobalt’s chatbot uses a third party LLM. The LLM is a RAG model from OpenAI GPT-4. User data is utilized for support purposes; however, it is not used for future training of the LLM. Data inputted into the chatbot is shared with and stored by the third party providing the LLM.
17. CHANGES TO THIS POLICY
Cobalt reserves the right to update and amend this Policy from time to time, in order to reflect any changes to our data processing activities or advancements in laws and regulations. Any changes we may make to our Policy in the future will be published on this page. Please review this page frequently to check for any updates or changes to our Policy.
18. CONTACT US
If you have any questions, comments or feedback about this privacy policy, or the ways in which we collect and process your personal information, or wish to exercise your rights under GDPR or CCPA, please do not hesitate to contact us at privacy@cobalt.io.
Last updated: September 2025