Privacy Policy

This Privacy Policy explains how KosmoLab (“we”, “us”, “the Platform”) collects, uses, shares and protects personal data when you use KOSMOLAB SPACE at https://kosmolab.space (the “Platform”). KOSMOLAB SPACE is a global business-to-business (B2B) launch aggregator and space-hardware marketplace that connects satellite operators, payload owners and similar organisations (“Clients”) with launch service providers and hardware manufacturers (“Vendors”). It is intended for professional and organisational use only.

Last updated: 2026

This Policy is written to align with the EU General Data Protection Regulation (GDPR), the UK GDPR and the Data Protection Act 2018, and applicable ePrivacy rules. Because our audience is global, including the EU and UK, these standards apply to our handling of personal data wherever you are located.

1. Who we are / Data Controller

The data controller responsible for personal data processed through the Platform is:

  • KosmoLab, operating KOSMOLAB SPACE
  • Legal entity: to be confirmed prior to commercial launch
  • Registered address: to be confirmed prior to commercial launch
  • Email: info@kosmolab.space

If we have appointed a Data Protection Officer or an EU/UK representative under Article 27 GDPR/UK GDPR, their contact details are: info@kosmolab.space (no separate DPO or EU Article 27 representative has been designated).

For most processing we act as a data controller. When we transmit a Client’s Request for Quote (“RFQ”) to a Vendor, that Vendor becomes a separate, independent controller of the data they receive (see Section 6).

2. The nature of our service (and why it matters for your data)

KOSMOLAB SPACE is a neutral intermediary, listing and discovery service operating on a lead-generation / RFQ model. We help Clients discover, compare and enquire about launch windows, rideshare slots, launch service providers and space hardware, and we route enquiries to the Vendors a Client selects.

  • We are not a party to, and do not broker, guarantee or take commission on, any contract, sale, launch agreement or transaction between Clients and Vendors.
  • No payments are processed on the Platform. Pricing and contracts are agreed directly between the parties off-platform, and we therefore do not collect payment card or banking data for transactions.
  • We do not own, inspect, launch or sell the hardware or launch services listed.
  • Launch schedule and listing data is aggregated from third-party sources (including The Space Devs “Launch Library 2” API) and from Vendors themselves; it may be inaccurate, delayed or change without notice.

Because of this model, the most significant data flow is the routing of RFQ details to the Vendor(s) a Client chooses. Please read Section 6 carefully.

3. What data we collect

3.1 Account / registration data

  • Name, business email address, telephone number;
  • Organisation/company name, role or job title, and country;
  • Account type (Client or Vendor), username and authentication credentials (passwords are stored in hashed form);
  • Account preferences and cabinet settings.

3.2 RFQ / lead data

When a Client submits a Request for Quote, we collect:

  • Mission and technical parameters — e.g. payload type, mass, dimensions, target orbit, preferred launch window/date, quantity, deployer or hardware requirements, and free-text notes you choose to include;
  • Business contact details of the requester (name, organisation, email, phone) and any colleagues you ask us to copy.

Please do not include special-category personal data, classified information, or controlled technical data in free-text fields (see Section 4 and Section 11).

3.3 Vendor profile data

  • Company description, listings (launch offerings, hardware, components, ground equipment), specifications, logos and media;
  • Business contact persons and contact details published or used to receive RFQs;
  • Information you provide to be included in our space-company directory.

3.4 Usage / analytics data

  • IP address, device and browser type, operating system, language;
  • Pages viewed, searches and filters used, listings viewed, referring URLs, and timestamps;
  • Aggregated and statistical usage data collected via Google Analytics 4 (through Google Site Kit) and similar tools.

3.5 Cookies and similar technologies

Strictly necessary cookies, plus analytics and (where applicable) preference cookies set with your consent. See Section 9 and our Cookie Policy.

3.6 Communications

  • Emails, support requests, and other correspondence with us;
  • Records of enquiries and the content of messages routed through the Platform.

4. How we collect data

  • Directly from you — when you register a cabinet, complete your profile, submit an RFQ, create a listing, or contact us;
  • Automatically — via cookies, server logs and analytics when you use the Platform;
  • From third parties — for the space-company directory and listing/launch data, we ingest information from publicly available sources, Vendors, and aggregated feeds such as The Space Devs “Launch Library 2” API. Directory entries may include business contact information about companies and their representatives.

5. Purposes and legal bases

We process personal data only where we have a lawful basis under the GDPR/UK GDPR:

  • To create and manage your account and provide the Platform (search, comparison, listings, RFQ submission and routing) — legal basis: performance of a contract (our Terms of Use with you), or steps taken at your request prior to entering a contract.
  • To route RFQ/lead data to the Vendor(s) you select — legal basis: performance of a contract / pre-contractual steps at your request (this is the core function you ask us to perform).
  • To operate, secure, maintain and improve the Platform, prevent fraud and abuse, ensure network and information security, and keep records of enquiries — legal basis: legitimate interests in running a safe, reliable service.
  • To compile and maintain the space-company directory and listings from third-party and Vendor sources — legal basis: legitimate interests in providing a useful B2B discovery service (balanced against the limited, business-oriented nature of the data).
  • Analytics and performance measurement (Google Analytics 4 via Site Kit) and any marketing communications — legal basis: consent (which you can withdraw at any time), or legitimate interests where permitted by law.
  • To send service/transactional messages (e.g. RFQ confirmations, account notices) — legal basis: performance of a contract and/or legitimate interests.
  • To comply with legal obligations, respond to lawful requests, and exercise or defend legal claims — legal basis: legal obligation and legitimate interests.

Where we rely on legitimate interests, you have the right to object (see Section 10). We do not use RFQ details to make automated decisions producing legal or similarly significant effects.

6. How RFQ / lead data is shared with Vendors (key point)

The core purpose of the Platform is to connect Clients with Vendors. When you submit an RFQ, the mission parameters and your business contact details are transmitted to the specific Vendor(s) you select so they can respond to your enquiry with a quote or further information.

  • You control which Vendor(s) receive your RFQ by selecting them before submission.
  • Once an RFQ is received by a Vendor, that Vendor is an independent data controller and uses your data under its own privacy policy and terms. We are not responsible for how a Vendor handles your data after it has been routed.
  • We share only the information needed to action your enquiry; please limit free-text to what is necessary.
  • Any subsequent communications, negotiations, pricing and contracts take place directly between you and the Vendor, off-platform.

Similarly, when a Vendor receives an RFQ, we share with that Vendor the Client’s submitted details for the sole purpose of responding to the enquiry.

7. Other recipients and processors

We share personal data with carefully selected service providers who process it on our behalf under written agreements (data processors), including:

  • Hosting and infrastructure providers that host the Platform and its database;
  • Email / SMTP and messaging providers used to send notifications, RFQ routing messages and support correspondence;
  • Analytics — Google (Google Analytics 4 via Google Site Kit) for usage measurement;
  • Security, logging and maintenance tools used to operate and protect the Platform.

We may also disclose data: to professional advisers (legal, accounting); to authorities or third parties where required by law or to protect our rights and users; and to a successor entity in connection with a merger, acquisition or reorganisation. We do not sell personal data.

8. International data transfers

Because the Platform serves a global audience and uses global service providers, your personal data may be processed in countries outside your own, including outside the EEA/UK. Where we transfer personal data internationally, we put in place appropriate safeguards, such as:

  • Transfers to countries with an adequacy decision from the European Commission and/or the UK; or
  • Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement/Addendum, together with any required supplementary measures.

Note that when you select a Vendor located abroad, routing your RFQ to that Vendor will involve an international transfer to that Vendor as an independent controller. Details of our safeguards are available on request at info@kosmolab.space. Transfer mechanism specifics: European Commission Standard Contractual Clauses (SCCs), where applicable.

9. Cookies

We use cookies and similar technologies for essential Platform functionality, to remember preferences, and — with your consent — for analytics. You can manage or withdraw consent at any time through our cookie banner or your browser settings. For full details of the cookies we use and their purposes, see our Cookie Policy.

10. Data retention

We keep personal data only for as long as necessary for the purposes set out in this Policy, after which it is deleted or anonymised. As a general guide:

  • Account data — for the life of your cabinet and for a reasonable period afterwards to handle queries and legal claims (typically 36 months after closure);
  • RFQ / lead data — retained to evidence the enquiry and our facilitation of it, and to handle disputes (typically 24 months); note that Vendors retain their own copies under their own policies;
  • Vendor profile and directory data — while the listing or directory entry remains active;
  • Analytics data — for the retention period configured in Google Analytics (typically 14 months);
  • Communications — for as long as needed to address the matter and meet legal/record-keeping obligations.

Longer retention may apply where required by law (e.g. tax, accounting) or to establish, exercise or defend legal claims.

11. Export control, sanctions and sensitive content

Space launch services and spaceflight hardware are subject to export control and sanctions law (for example, US ITAR/EAR, EU dual-use regulations and national regimes). The Platform only facilitates discovery and introductions; we are not an exporter, broker, customs agent or legal adviser, and compliance with export control, sanctions and licensing obligations is the users’ own responsibility. You should not submit through the Platform any controlled technical data, classified information, or details whose disclosure would breach applicable law. We may decline to route, or may remove, content that appears to raise compliance concerns.

12. Your rights

Subject to applicable law, you have the following rights in relation to your personal data:

  • Access — to obtain a copy of the personal data we hold about you;
  • Rectification — to correct inaccurate or incomplete data;
  • Erasure — to ask us to delete your data (“right to be forgotten”) in certain circumstances;
  • Restriction — to ask us to limit processing in certain circumstances;
  • Portability — to receive certain data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible;
  • Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time;
  • Withdraw consent — where we rely on consent (e.g. analytics or marketing), you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal;
  • Complain — to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner’s Office (ICO); in the EU, your local data protection authority).

Where your RFQ data has already been routed to a Vendor acting as an independent controller, you may also need to contact that Vendor directly to exercise rights over the copy they hold. We will assist where we reasonably can.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS/TLS), hashed storage of passwords, access controls, and ongoing monitoring and maintenance. No method of transmission or storage is completely secure; we cannot guarantee absolute security, and you are responsible for keeping your account credentials confidential. If a personal data breach occurs that affects your rights, we will notify you and the relevant authorities where required by law.

14. Children

The Platform is a B2B service intended for organisations and professionals. It is not directed to anyone under the age of 18, and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology or legal requirements. We will post the updated version here and revise the “Last updated” date. Where changes are material, we will provide a more prominent notice. Your continued use of the Platform after an update constitutes acceptance of the revised Policy.

16. Contact and how to exercise your rights

To exercise any of your rights, ask a question, or raise a concern about this Policy or our data practices, contact us at info@kosmolab.space. Please include enough information for us to verify your identity and locate your data. We will respond within the timeframes required by applicable law (generally within one month under the GDPR/UK GDPR). You may also write to us at to be confirmed prior to commercial launch.

Governing law and the competent supervisory authority for this Policy are determined by the operator’s jurisdiction (to be confirmed prior to launch).