v14.0 — Effective May 8, 2026

Privacy Policy

Your data is yours. Here's exactly how we protect it.

1. Our Privacy Promise

  • You Own Your Data: We claim no ownership over lead notes or personality profiles.

  • Minimal Access: We pull only the minimum data required from your authorized sources to function.

  • Affirmative Support Access: Access to lead data is prohibited unless you provide affirmative, logged, and time-limited consent for a specific support ticket.

  • No Training: Your data is never used to train global AI models.

2. Role and Relationship

Cognenta acts as a Data Processor. We have no direct relationship with individual leads in your CRM. A standard Data Processing Agreement (DPA) is available upon request.

3. Prohibited Data (Liability Shield)

Users are strictly prohibited from using Cognenta to process Sensitive Information, including Social Security numbers, health data, financial account numbers, or physical/mental health conditions. Ingesting such data triggers an automated “Safe Skip”, and the data is excluded from processing.

4. Technically Grounded Protection & Sub-processors

We replace raw identifiers with tokens locally before processing by our vetted sub-processors:

  • OpenAI: AI text generation (Private API/No-Training mode)

  • Supabase: Secure multi-tenant database storage

  • Fly.io & Vercel: Application hosting and infrastructure

5. Security & Vulnerability Remediation

We commit to annual third-party security assessments. Identified vulnerabilities are remediated based on their CVSS score:

Critical    9.0–10.0    24 Hours
High        7.0–8.9     7 Days
Medium      4.0–6.9     30 Days
Low         0.1–3.9     90 Days

6. Data Retention Schedule

Data Category         Retention
CRM Lead Records      18 Months
Active Profiles       Duration of Account
Cancelled Accounts    60 Days
Hashed Identifiers    Permanent
System Logs           30 Days

7. International Compliance

  • Transfers: We are pursuing self-certification under the EU-U.S. Data Privacy Framework (DPF). Until finalized, we rely on Standard Contractual Clauses (SCCs) and the UK IDTA.
  • Human Oversight: For leads residing in the UK or EU, we maintain a “human-in-the-loop” workflow where all outputs are pushed as drafts for review to satisfy Article 22 of the UK/EU GDPR.

8. Dispute Resolution and Updates

  • Independent Recourse: Unresolved complaints will be referred to BBB National Programs in the United States.
  • Material Changes: We will notify users of material policy changes 30 days prior to the effective date.

9. Contact

For DSAR requests, DPA copies, or security reports:

privacy@cognenta.com

We acknowledge all security disclosures within 2 business days.