Privacy Policy

Last updated: 15 June 2026

This Privacy Policy explains how costiva.ai (“costiva.ai”, “we”, “us”, or “our”) collects, uses, discloses, and protects information when you visit costiva.ai or use the costiva.ai application (collectively, the “Service”). By using the Service, you agree to the practices described in this policy and acknowledge that you use the Service at your own risk.

1. Who we are

costiva.ai is a web application that helps small businesses monitor their Anthropic (Claude) API spending and usage. The party responsible for the Service is costiva.ai.

2. Information we collect

  • Account information. When you register, we collect your name, email address, and password (stored only as a secure hash).
  • Mobile number. If you enable SMS verification or two-factor authentication, we collect and store your mobile number to send one-time codes.
  • Organization & team data. Organization names, member roles, and invitations you create.
  • Connected Anthropic data. If you connect an Anthropic Admin API key, we ingest your usage, cost, rate-limit, and Claude Code analytics data through Anthropic’s read-only Admin Usage & Cost API. We store your Admin key in encrypted form and use it only to retrieve this data on your behalf.
  • Usage & device data. Log data such as IP address, browser type, pages visited, and timestamps, collected automatically when you use the Service.
  • Cookies & analytics. We use strictly necessary cookies to operate the Service (for example, to keep you signed in) and, where enabled, analytics cookies to understand how the public website is used.

3. How we use information

  • To provide, operate, and maintain the Service and your account.
  • To retrieve and display your Anthropic usage and cost data, and the attribution and ROI analysis you configure.
  • To authenticate you, including sending SMS one-time codes when you enable verification or two-factor authentication.
  • To send transactional messages such as verification, password-reset, and invitation emails.
  • To secure, monitor, troubleshoot, and improve the Service.
  • To comply with legal obligations and enforce our terms.

4. Legal bases for processing

Where applicable law (such as the GDPR) requires it, we process your information on the bases of performing our contract with you, our legitimate interests in operating and securing the Service, your consent (for example, for optional analytics), and compliance with legal obligations.

5. We do not sell or share your data

costiva.ai does not sell, rent, or trade your personal information or your customer data, and we do not share it with any third party for their own purposes, for advertising, or for marketing.

To operate the Service, we rely on a small number of service providers that process data strictly on our behalf and under contract — for example, our Canadian hosting provider, our email-delivery provider, and our SMS provider (Sinch) for one-time codes. These providers act only on our instructions and may not use your data for their own purposes; this is processing on our behalf, not a sale or disclosure of your data.

We may disclose information where we are legally required to do so — for example, to comply with a valid legal request, court order, or applicable law. In addition, if costiva.ai is involved in a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, which will remain bound by this Privacy Policy or a policy at least as protective, and we will notify you of any such change. We will not otherwise sell or share your data.

6. Data retention

We retain your information for as long as your account is active or as needed to provide the Service, and thereafter as required to comply with legal obligations, resolve disputes, and enforce agreements. You can request deletion of your account and associated data as described below; disconnecting your Anthropic key lets you remove the ingested data.

7. Security

We use technical and organizational measures to protect your information, including encryption of sensitive values such as your Anthropic Admin key, hashed passwords and one-time codes, and optional SMS two-factor authentication. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, and you use the Service at your own risk. To the maximum extent permitted by applicable law, costiva.ai is not liable for any loss or damage arising from your use of the Service or from any unauthorized access to, loss of, or alteration of your data.

8. Where your data is processed

costiva.ai hosts and processes your information on servers located in Canada. Certain features rely on third-party providers that may process limited data elsewhere — for example, our SMS provider delivers one-time codes through mobile carriers, and Anthropic processes the requests we make with your Admin key to return your usage and cost data. Where any transfer of personal information outside your country takes place, we rely on appropriate safeguards as required by applicable law.

9. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal information, and to object to certain processing or withdraw consent. To exercise these rights, contact us using the details below. You may also have the right to lodge a complaint with your local data-protection authority.

10. Children’s privacy

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal information from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and revise the “Last updated” date above. Material changes may be communicated to you directly.

12. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at privacy@costiva.ai.