Privacy Policy
Effective date: 2026-05-23
Cognethics LLC
This Privacy Policy explains how Cognethics LLC ("Cognethics", "we", "us", or "our") collects, uses, discloses, and protects personal information in connection with the Cognethics developer portal at developers.cognethics.com and developer-account sandbox tenants provisioned under *.cognethics.com. Production customer-tenant data is governed by the customer's Master Service Agreement and the Data Processing Addendum at /legal/dpa/.
1. Scope
This policy covers:
- The developer portal at
developers.cognethics.comand its sub-paths (signup, signin, reference, recipes, trust, legal) - Sandbox tenants provisioned for individual developer accounts and developer organizations
- The marketing site at
cognethics.comto the extent it links here
This policy does not cover the processing of customer-controlled production data inside a paid customer tenant. That processing is governed by the executed MSA, the DPA at /legal/dpa/, and the SLA at /legal/sla/, under which Cognethics acts as a data processor and the customer acts as the data controller.
2. Information We Collect
Account information. When you sign up, we collect your email address, name (optional), organization name, and any password or federated identity credential. For federated sign-in (Google Workspace, Microsoft Entra ID, Okta, Auth0, or any OIDC-compliant identity provider), we receive the subject identifier and basic profile claims that you authorize through your IdP.
Sandbox tenant content. Documents, prompts, embeddings, agent runs, MCP tool calls, and configurations you create inside a sandbox tenant. Sandbox tenants are explicitly for evaluation, prototyping, and development. Do not upload regulated data (PHI, payment-card data, government-classified data) to a sandbox tenant. For production workloads, reach our sales team through the contact form at /trust/.
API usage metadata. Request counts, latency, error rate, request method, request path, response status, API key identifier, and tenant context. We use this for capacity planning, abuse detection, billing reconciliation, and product improvement.
Audit metadata. Every API write is recorded in the immutable, hash-chained audit ledger described at /trust/audit/: timestamp, action, entity, user identifier, session identifier, IP address, user agent, and request path.
Communications. When you contact us about legal, security, privacy, or support matters, we retain the message and any attachments to respond.
Cookies and analytics. The developer portal uses first-party cookies for session management and authentication. We do not use third-party advertising trackers or behavioral analytics on the developer portal.
3. How We Use Information
We use the information above to:
- Operate, secure, and improve the Service
- Authenticate you, authorize API requests, and prevent abuse
- Bill paid accounts and reconcile invoices
- Respond to support, security, privacy, and legal inquiries
- Send transactional messages (account verification, password reset, API key rotation reminders, security advisories, change of these Terms or this Policy)
- Comply with legal obligations, including responding to lawful requests from public authorities and enforcing our Terms
We do not sell personal information. We do not use sandbox-tenant content to train models for any tenant other than the originating tenant.
4. Legal Bases (EEA / UK)
Where the EU General Data Protection Regulation or the UK GDPR applies, we process personal data under the following legal bases:
- Contract — to provide the Service you have requested
- Legitimate interests — to operate, secure, and improve the Service; to detect and prevent abuse; to communicate operational changes
- Legal obligation — to comply with applicable law
- Consent — for any processing that requires consent under applicable law; you may withdraw consent at any time
5. Data Residency
Your tenant is hosted in the AWS region and availability zone you select. Cognethics provisions tenant infrastructure in the AWS region(s) and availability zone(s) that meet your data-residency requirements; operational telemetry, audit logs, backups, and encryption key material reside in the same region as your tenant. Cloudflare provides edge CDN and DDoS protection globally; only request metadata (IP address, timestamp, User-Agent, referrer) traverses the Cloudflare edge — no document content passes through Cloudflare in plaintext.
A streaming PostgreSQL standby runs in a second availability zone within your tenant's region for disaster recovery. The standby is not used to serve production traffic.
Where personal data is transferred across borders for processing — for example, EEA or UK personal data processed in a third country — transfers rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor, as applicable), incorporated by reference into the DPA at /legal/dpa/.
6. Sub-Processors
A current list of sub-processors is published at /trust/sub-processors/, with a 30-day advance-notice RSS feed for additions. Today's sub-processors are:
- Amazon Web Services — infrastructure (compute, storage, database, network, KMS, CloudTrail). BAA signed via AWS Artifact.
- Anthropic — LLM inference for AI features. Accessed directly and via AWS Bedrock.
- Google (Gemini API) — LLM inference for narrow extraction workflows (healthcare EOB, denial analysis, technical-specification extraction, invoice parsing).
- Cloudflare — edge CDN and DDoS protection. Request metadata only.
You may subscribe to the RSS feed at https://developers.cognethics.com/trust/sub-processors/feed.xml to receive notice of any addition before it takes effect.
7. Disclosures to Third Parties
We disclose personal information to:
- Sub-processors acting under our instructions and bound by contractual confidentiality and security obligations (see Section 6)
- Professional advisors — accountants, lawyers, auditors — under a duty of confidentiality
- Public authorities — when required by law, valid legal process, or to protect rights, property, or safety
- A successor entity — in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, in which case the successor is bound by terms no less protective than this policy
We do not share personal information with third parties for their own marketing purposes.
8. Retention
We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements:
- Active account data — for the duration of your account
- API usage metadata — 24 months rolling, then aggregated for capacity-planning only
- Audit logs — retained for the minimum period required by your compliance obligations and applicable law
- Billing records — retained as required by tax and accounting law (typically 7 years)
- After account deletion — personal information is deleted from production within 30 days of account deletion or termination, except where retention is required by law. Backup copies are retained for up to 90 days, then purged.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal information we hold about you
- Rectification — ask us to correct inaccurate or incomplete information
- Deletion — ask us to delete your personal information
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your personal information in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent
- Lodge a complaint — with a supervisory authority in your jurisdiction
To exercise any of these rights, submit a request through the form in the Contact section below from the address on file for your account. We will acknowledge your request within 48 hours (business days) and complete it within 30 days. If a request is complex, we may extend the response window by an additional 60 days with notice to you.
California (CCPA / CPRA). California residents have rights to know, delete, correct, and limit the use of sensitive personal information, and to non-discrimination for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise California rights, use the form in the Contact section below — select the United States and California and it will show your CCPA/CPRA rights.
10. Security
We protect personal information with technical and organizational measures appropriate to the risk. These include:
- Encryption in transit (TLS 1.3) and at rest (AES-256 via AWS KMS; sensitive data encrypted with a dedicated per-tenant AWS KMS customer-managed key)
- Per-tenant data isolation enforced by construction at the database, queryset, and MCP-handler layers
- Mandatory two-factor authentication for Cognethics personnel with access to production systems
- Immutable, SHA-256 hash-chained audit logging across every API write
- Least-privilege IAM, GuardDuty threat detection, Security Hub compliance monitoring, VPC Flow Logs network logging
- Backup and disaster-recovery procedures with cross-region replication
No system is perfectly secure. If you believe your account has been compromised, contact our Security & Compliance team immediately through the form on our Trust & Security page.
11. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us through the form in the Contact section below and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect, and the "Effective date" at the top of this page will be updated. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
To exercise your data-protection rights — access, correction, deletion, and the other rights described above — use the form below. Tell us where you live and it will show the rights available in your jurisdiction.
Exercise your privacy rights
Tell us where you live and we’ll show the data-protection rights available to you.
Cognethics LLC is the data controller for personal information processed under this policy.