Privacy Policy

Effective date: 2026-05-23

Cognethics LLC

This Privacy Policy explains how Cognethics LLC ("Cognethics", "we", "us", or "our") collects, uses, discloses, and protects personal information in connection with the Cognethics developer portal at developers.cognethics.com and developer-account sandbox tenants provisioned under *.cognethics.com. Production customer-tenant data is governed by the customer's Master Service Agreement and the Data Processing Addendum at /legal/dpa/.

1. Scope

This policy covers:

This policy does not cover the processing of customer-controlled production data inside a paid customer tenant. That processing is governed by the executed MSA, the DPA at /legal/dpa/, and the SLA at /legal/sla/, under which Cognethics acts as a data processor and the customer acts as the data controller.

2. Information We Collect

Account information. When you sign up, we collect your email address, name (optional), organization name, and any password or federated identity credential. For federated sign-in (Google Workspace, Microsoft Entra ID, Okta, Auth0, or any OIDC-compliant identity provider), we receive the subject identifier and basic profile claims that you authorize through your IdP.

Sandbox tenant content. Documents, prompts, embeddings, agent runs, MCP tool calls, and configurations you create inside a sandbox tenant. Sandbox tenants are explicitly for evaluation, prototyping, and development. Do not upload regulated data (PHI, payment-card data, government-classified data) to a sandbox tenant. For production workloads, reach our sales team through the contact form at /trust/.

API usage metadata. Request counts, latency, error rate, request method, request path, response status, API key identifier, and tenant context. We use this for capacity planning, abuse detection, billing reconciliation, and product improvement.

Audit metadata. Every API write is recorded in the immutable, hash-chained audit ledger described at /trust/audit/: timestamp, action, entity, user identifier, session identifier, IP address, user agent, and request path.

Communications. When you contact us about legal, security, privacy, or support matters, we retain the message and any attachments to respond.

Cookies and analytics. The developer portal uses first-party cookies for session management and authentication. We do not use third-party advertising trackers or behavioral analytics on the developer portal.

3. How We Use Information

We use the information above to:

We do not sell personal information. We do not use sandbox-tenant content to train models for any tenant other than the originating tenant.

Where the EU General Data Protection Regulation or the UK GDPR applies, we process personal data under the following legal bases:

5. Data Residency

Your tenant is hosted in the AWS region and availability zone you select. Cognethics provisions tenant infrastructure in the AWS region(s) and availability zone(s) that meet your data-residency requirements; operational telemetry, audit logs, backups, and encryption key material reside in the same region as your tenant. Cloudflare provides edge CDN and DDoS protection globally; only request metadata (IP address, timestamp, User-Agent, referrer) traverses the Cloudflare edge — no document content passes through Cloudflare in plaintext.

A streaming PostgreSQL standby runs in a second availability zone within your tenant's region for disaster recovery. The standby is not used to serve production traffic.

Where personal data is transferred across borders for processing — for example, EEA or UK personal data processed in a third country — transfers rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor, as applicable), incorporated by reference into the DPA at /legal/dpa/.

6. Sub-Processors

A current list of sub-processors is published at /trust/sub-processors/, with a 30-day advance-notice RSS feed for additions. Today's sub-processors are:

You may subscribe to the RSS feed at https://developers.cognethics.com/trust/sub-processors/feed.xml to receive notice of any addition before it takes effect.

7. Disclosures to Third Parties

We disclose personal information to:

We do not share personal information with third parties for their own marketing purposes.

8. Retention

We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements:

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

To exercise any of these rights, submit a request through the form in the Contact section below from the address on file for your account. We will acknowledge your request within 48 hours (business days) and complete it within 30 days. If a request is complex, we may extend the response window by an additional 60 days with notice to you.

California (CCPA / CPRA). California residents have rights to know, delete, correct, and limit the use of sensitive personal information, and to non-discrimination for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise California rights, use the form in the Contact section below — select the United States and California and it will show your CCPA/CPRA rights.

10. Security

We protect personal information with technical and organizational measures appropriate to the risk. These include:

No system is perfectly secure. If you believe your account has been compromised, contact our Security & Compliance team immediately through the form on our Trust & Security page.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us through the form in the Contact section below and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect, and the "Effective date" at the top of this page will be updated. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

To exercise your data-protection rights — access, correction, deletion, and the other rights described above — use the form below. Tell us where you live and it will show the rights available in your jurisdiction.

Exercise your privacy rights

Tell us where you live and we’ll show the data-protection rights available to you.

Cognethics LLC is the data controller for personal information processed under this policy.