Skip to content

Privacy Policy

Last updated July 10, 2026

Who we are

This Privacy Policy explains how Coustra collects, uses, shares and protects your personal data when you use our website, applications and subscription service (together, the “Service”), and the rights you have over your data.

Coustra is operated by Comaze FZCO, a free zone company incorporated with the International Free Zone Authority (IFZA), Dubai Silicon Oasis, Dubai, United Arab Emirates (“Coustra”, “we”, “us” or “our”). Comaze FZCO is the data controller responsible for your personal data.

We serve users globally. We handle personal data in accordance with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), where they apply.

1. Summary

  • We collect the data needed to run an AI-powered market-research subscription: your account details, billing information, the content you submit (like chat prompts and watchlists), and usage and device data.
  • Your chat prompts and queries are processed by third-party AI providers to generate responses. We do not use your content to train AI models, and the API terms of the AI model providers we use (Anthropic and OpenAI) do not permit them to train their models on it.
  • We never ask for brokerage credentials, portfolio logins or access to your money, and the Service has no connection to your brokerage or funds. Coustra is an information service only — please do not submit such data in chat.
  • We do not sell your personal data.

2. Data we collect

Account data. Email address, display name if you provide one, plan and account settings. Sign-in and authentication are handled by Clerk, our identity provider — your password is collected and secured by Clerk, and we never receive or store it.

Billing data. Payments are processed by Stripe. Stripe collects your payment card details directly — we never see or store full card numbers. We receive and keep limited billing information such as your name, billing country, VAT status, transaction history, plan, and the last digits and brand of your card.

Your content. Content you submit to the Service, such as AI chat prompts and conversations, watchlists, alerts, notes, and settings for analyses and briefings.

Usage data. How you use the Service: features used, analyses generated, credit consumption, pages viewed, and interaction events.

Device and log data. IP address, browser type and version, device and operating system, language, referring pages, timestamps, and diagnostic logs.

Cookies and similar technologies. See the section on cookies and analytics below.

Communications. Messages you send us, for example support requests to support@coustra.com.

What we do not collect. We do not collect brokerage account credentials, custody or portfolio data from your broker, government identification numbers, or special categories of personal data (such as health or biometric data). Please do not submit such data through the Service, including in AI chat.

3. How we use your data and legal bases

Where the GDPR or UK GDPR applies, we rely on the legal bases below.

PurposeDataLegal basis
Provide and operate the Service (accounts, features, AI chat, analyses, briefings, watchlists)Account data, your content, usage dataPerformance of a contract
Process payments, manage subscriptions, renewals and creditsAccount and billing dataPerformance of a contract; legal obligation (tax, accounting)
Generate AI responses via third-party AI providers (see the AI-processing section)Your content, limited contextPerformance of a contract
Secure the Service, prevent fraud and abuse, enforce our TermsDevice and log data, usage dataLegitimate interests (security, integrity of the Service)
Improve and develop the Service (aggregated feature usage, performance, errors) and monitor and debug AI response qualityUsage data, device and log data; prompt and response content in AI observability traces (see the AI-processing section)Legitimate interests (product improvement, AI quality)
Send service communications (renewal reminders, changes to terms, security notices)Account dataPerformance of a contract; legal obligation
Send marketing emails about Coustra features and offersAccount dataConsent, or legitimate interests for existing customers with an opt-out (soft opt-in)
Respond to support requestsCommunications, account dataPerformance of a contract; legitimate interests
Comply with laws, sanctions rules, and lawful requestsAs requiredLegal obligation
Business transfers (merger, acquisition, restructuring)As relevantLegitimate interests

Where UAE PDPL or other laws apply, we process personal data on materially equivalent grounds (contract performance, legal compliance, and legitimate purposes disclosed in this Policy, with consent where required).

If we send marketing emails, every message will include an unsubscribe link, and we honour objections to marketing immediately.

4. AI processing — what happens to your prompts

AI features (chat, research analyses, daily briefings, verdicts, scores and summaries) are powered by third-party AI model providers.

What is sent to AI providers:

  • the prompts, questions and messages you submit;
  • context needed to generate a useful response, such as conversation history within a session, tickers and watchlist entries you reference, and relevant market data; and
  • system instructions we add.

What is not sent: your email address, password, payment details, or device identifiers — unless you yourself include such information in your prompts or content.

Providers we use:

When an AI feature searches the web to answer you, search queries derived from your prompt (not your identity) may be sent to search providers such as Perplexity, Tavily, Exa or X (for public market sentiment). We also use AI observability tooling (LangSmith) to monitor and debug the quality of AI responses; traces may include prompt and response content, and we do not attach your name, email address or account identifiers to them.

We may add or change providers over time and will update this Policy accordingly.

No training on your content. We do not use your prompts, conversations or other content to train AI models. We use the AI model providers (Anthropic and OpenAI) through their business/API offerings, whose terms do not permit them to use your data to train their models. Providers may retain API inputs for a short period for abuse monitoring in line with their policies.

Transmission and protection. Data sent to AI providers is encrypted in transit (TLS). Providers act as our processors or independent controllers per their terms and are bound by applicable data-protection laws.

5. Sharing your data

We share personal data only as described here:

  • Service providers (processors). Companies that help us run the Service under contracts limiting their use of your data: Clerk (sign-in and account management), Stripe (payments), the AI, search and observability providers listed in the AI-processing section, our cloud hosting and infrastructure providers, and Vercel (privacy-friendly, cookieless analytics on our marketing site).
  • Legal and safety. Where required by law, regulation, legal process or enforceable governmental request, or to protect the rights, property or safety of Coustra, our users or the public.
  • Business transfers. In connection with a merger, acquisition, financing or sale of assets, in which case we will notify you before your data becomes subject to a different privacy policy.
  • With your consent. For any other purpose you agree to.

We do not sell personal data, and we do not share it with third parties for their own advertising.

6. International transfers

We are based in the UAE, and our service providers operate in the United States, the EU and elsewhere, so your data may be transferred to countries other than your own. Where we transfer personal data of EU/EEA or UK residents to countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), or the EU–US Data Privacy Framework where a provider is certified. Transfers from the UAE are made in accordance with the PDPL. You can contact us for more information about the safeguards in place.

7. Retention

  • Account data and your content: kept while your account is active. After you close your account, we delete or anonymise it within a reasonable period (normally 30 days), except where retention is legally required.
  • Billing records: kept for the statutory periods required by tax and accounting law (typically 5–10 years depending on jurisdiction).
  • Server logs and diagnostic data: typically retained up to 12 months.
  • AI observability traces: kept only as long as needed to monitor and debug AI response quality, then deleted.
  • Support correspondence: up to 24 months after resolution.

We may keep data longer where needed to resolve disputes, enforce agreements or comply with legal obligations.

8. Cookies and analytics

We keep cookies to a minimum:

  • Essential cookies — sign-in and session management (set by our sign-in provider, Clerk), security, and remembering your settings such as theme. These are required for the Service to work and do not need consent.
  • Analytics — on our marketing site we use privacy-friendly, cookieless analytics (Vercel Analytics) that aggregates page views without setting cookies or building visitor profiles. Analytics loads only after you accept it in our consent banner.

We do not use advertising or cross-site tracking cookies, and we do not run third-party advertising analytics such as Google Analytics. You can change your choice at any time via “Cookie preferences” in the footer; your choice is stored on your device so we do not ask again on every visit.

9. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (you can also delete your account in settings).
  • Restriction and objection — restrict or object to certain processing, including processing based on legitimate interests and direct marketing (marketing objections are always honoured).
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — at any time, without affecting prior processing.
  • Complain — to a supervisory authority. In the EU/EEA this is your local data-protection authority; in the UK, the ICO; in the UAE, the UAE Data Office.

To exercise your rights, email support@coustra.com; you can also delete your account directly in settings. We respond within the timelines required by applicable law (one month under the GDPR, extendable where permitted). We may need to verify your identity first.

US state privacy laws. If you are a resident of California or another US state with a comprehensive privacy law, you may have similar rights (access, deletion, correction, opt-out of “sale”/“sharing”). We do not sell or share personal data as defined by those laws.

10. Automated decision-making

AI-generated analyses, verdicts, scores and briefings are informational content, not decisions about you. We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

11. Security

We protect personal data with technical and organisational measures, including encryption in transit (TLS) and at rest, access controls, and least-privilege practices for staff and systems. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; if a breach affects your data in a way that requires notice, we will notify you and the relevant authorities as required by law.

12. Children

The Service is for adults. It is not directed at anyone under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us personal data, contact us and we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. For material changes, we will notify you by email or in-app notice before the change takes effect and update the “Last updated” date above. Your continued use of the Service after the effective date means the updated Policy applies.

15. Contact

Comaze FZCO
DSO-IFZA, IFZA Properties, Dubai Silicon Oasis
Dubai, United Arab Emirates
Email: support@coustra.com