1. Who we are
The Cognituring platform (the “Service”) is operated by Cogniron Technology Solutions Private Limited, an Indian Private Limited Company incorporated on 23 September 2020 (“Cogniron”, “we”, “our”, “us”). For the purposes of the EU/UK General Data Protection Regulation (GDPR) we are the data controller for personal data we collect directly from you, and the data processor for content you upload to the Service on behalf of your organisation.
Contact: support@cogniron.com.
2. What we collect
We collect personal data in three broad categories:
- Account data — name, email address, password hash, organisation membership and role, time-zone preference, profile photo (optional).
- Usage data — pages visited, features used, requests made, IP address, browser user-agent, audit-log entries for privileged actions (organisation invitations, role changes, deletions).
- Project content — datasets, prompts, test cases, evaluation results, project documents, and conversation histories that you (or members of your organisation) upload to the Service.
3. Why we process it (purposes and legal bases)
Under GDPR Art. 6, we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — to provide the Service you signed up for: authenticate you, render the product, run AI evaluations, store project content, send transactional emails.
- Legitimate interest (Art. 6(1)(f)) — to secure the Service against abuse (rate limiting, audit logs, fraud detection), to debug failures, and to improve product features. Where we rely on this basis you have the right to object (see §8).
- Legal obligation (Art. 6(1)(c)) — to retain billing and tax records, to respond to lawful requests, and to keep audit trails required by frameworks such as ISO 42001 and NIST AI RMF.
- Consent (Art. 6(1)(a)) — for any non-essential cookies and any optional product communications. You can withdraw consent at any time.
We do not sell personal data, and we do not use your project content to train general-purpose AI models. AI providers we use process your content under their enterprise / API terms, which prohibit training on submitted data — see /subprocessors.
4. How long we keep it
- Sessions / refresh tokens — 30 days from issue, then deleted automatically.
- Account data — for the lifetime of your account. On account deletion we soft-delete for 30 days (to allow recovery from accidental deletion) and then erase.
- Project content — under your control. You can delete projects, datasets, and runs at any time. Backups expire within 7 days.
- Audit logs — retained for up to 7 years to support compliance frameworks (ISO 42001, NIST AI RMF). Audit logs may contain your user ID and the action taken; we redact free-text content from audit entries.
- Billing records — retained for the period required by applicable tax law (typically 7–10 years).
5. Who we share it with
We share personal data only with vetted third-party processors who operate under written data-processing agreements. See the full list at /subprocessors. In summary:
- Infrastructure and database hosting — Amazon Web Services.
- Authentication and identity — AWS Cognito.
- Transactional email — AWS Simple Email Service (SES).
- AI inference — OpenAI, Anthropic, Google Gemini (as selected per workflow).
- Payments (when subscriptions are enabled) — FastSpring, acting as merchant-of-record.
We disclose personal data to law enforcement only when compelled by valid legal process and, where lawful, will notify the affected user first.
6. International transfers
The Service is operated from infrastructure in the United States (AWS us-east-1) and India (AWS ap-south-1). AI inference requests may be processed in the regions operated by our AI subprocessors (primarily United States and the European Union, depending on the model).
Where we transfer personal data out of the EU/UK or other regions with cross-border restrictions, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum, together with the supplementary measures published by our subprocessors.
7. Security
We protect your data with technical and organisational measures including TLS 1.2+ in transit (HSTS enforced), encrypted secret management via AWS Secrets Manager, role-based access controls, append-only audit logging of privileged actions, multi-tenant isolation at the database layer, and per-request Content-Security-Policy with nonces. See /trust for a fuller controls inventory.
8. Your rights
Subject to applicable law (GDPR, UK GDPR, California CCPA/CPRA, and similar regimes), you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data rectified.
- Request erasure of your data, subject to legal retention obligations.
- Receive a copy of your data in a portable, machine-readable format.
- Object to processing based on legitimate interest.
- Restrict processing while a dispute is being resolved.
- Withdraw any consent you have given.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, write to support@cogniron.com. We respond within 30 days. We may need to verify your identity before acting on a request.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
10. Cookies
We use a small number of strictly necessary cookies to sign you in and protect against cross-site request forgery. We do not currently use advertising or third-party analytics cookies. See /cookies for the full list.
11. Changes to this policy
We may revise this policy as the Service evolves. Material changes will be announced via the Service and, where required by law, by email. The “Last updated” date at the top of this page always reflects the current version.
12. Contact
Privacy matters: support@cogniron.com. General support: support@cogniron.com.