Privacy Policy

1. Introduction

Cognitia ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our structured intelligence platform and related services (collectively, the "Services").

Important Notice: Cognitia is currently in active development and early deployment phase. While we implement industry-standard security practices, some advanced security features described in this policy represent our roadmap and planned implementations. We are transparent about our current stage and continuously improving our security posture.

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree with this policy, please do not access or use our Services.

2. Information We Collect

2.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, company name, role, and authentication credentials
• Profile Information: Professional details, preferences, and organizational settings
• Business Verification Data: Company registration documents, identity verification, and KYB/KYC information for enterprise accounts
• Communications: Messages, support requests, feedback, and correspondence with our team

2.2 Data You Upload or Process

When you use our Services, you may upload or process:

• Operational Data: Business data, customer behavior data, and operational signals you choose to analyze
• Integration Data: Data from third-party systems, APIs, and connected services
• Analytics Inputs: Queries, configurations, and parameters for intelligence generation

Note: Your processed data remains your property. We act as a data processor and implement strict controls to protect your data confidentiality.

2.3 Automatically Collected Information

When you use our Services, we automatically collect:

• Usage Data: Features accessed, API calls, query patterns, system interactions, and service performance metrics
• Device Information: IP address, browser type, device identifiers, operating system, and hardware specifications
• Log Data: Authentication events, API requests, errors, system events, and audit trails
• Cookies and Tracking: Session identifiers, authentication tokens, preferences, and analytics cookies

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery

• Provide, operate, and maintain our structured intelligence platform
• Process your data to generate insights, analytics, and intelligence outputs
• Authenticate users and manage access controls
• Enable integrations with third-party systems and APIs

3.2 Service Improvement

• Analyze usage patterns to improve algorithms, features, and user experience
• Train and refine AI models using aggregated, anonymized data
• Develop new features and capabilities based on user needs
• Monitor system performance, reliability, and security

3.3 Communication

• Send service notifications, updates, and security alerts
• Respond to support requests and inquiries
• Provide product updates, feature announcements, and educational content (opt-out available)

3.4 Legal and Security

• Comply with legal obligations, regulations, and lawful requests
• Protect against security threats, fraud, and unauthorized access
• Enforce our Terms of Service and protect our rights and property
• Maintain audit trails for enterprise compliance requirements

4. Data Processing and AI Training

4.1 Your Data Ownership

You retain full ownership of all data you upload or process through our Services. We act solely as a data processor on your behalf. Your proprietary business data, customer information, and operational signals remain your intellectual property.

4.2 AI Model Training

As we develop our platform, we plan to use aggregated, anonymized, and de-identified usage patterns to improve our AI models and algorithms. This includes:

• Aggregated Usage Patterns: How features are used, common query structures, and interaction patterns (no individual identifiers)
• Model Performance Metrics: Accuracy, latency, and quality measurements across all users
• Error Patterns: System errors and edge cases to improve reliability

We never train our models on your raw business data, customer records, or proprietary information without explicit written consent. During our development phase, we prioritize data protection and will seek your permission before any data usage beyond core service delivery.

4.3 Data Isolation

Your processed data is logically isolated from other customers. We implement strict data segregation controls to prevent cross-contamination between tenant environments.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who assist us in operating our Services:

• Cloud Infrastructure: Hosting, storage, and compute resources (e.g., AWS, Google Cloud, Azure)
• Authentication Services: Identity verification and access management
• Analytics Tools: Anonymized usage analytics and performance monitoring
• Communication Services: Email delivery, support ticketing, and notifications

All service providers are bound by confidentiality agreements and data protection requirements equivalent to this policy.

5.2 Legal Requirements

We may disclose information if required by law or legal process, including:

• Complying with valid subpoenas, court orders, or government requests
• Protecting against legal liability or defending legal claims
• Investigating potential violations of our Terms of Service
• Preventing harm to individuals or the public

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and provide choices regarding your information.

5.4 With Your Consent

We may share information with third parties when you explicitly authorize such sharing, such as integrations with your other business systems.

6. Data Security

We implement and are actively deploying industry-standard security measures to protect your information:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest where applicable
• Access Controls: Authentication required for all services; hardware security key authentication (WebAuthn/FIDO2) and Time-based One-Time Password (TOTP) MFA available and recommended
• Cloud Infrastructure: Hosted on reputable cloud providers with built-in security features
• Secure Development: Following security best practices in code and architecture
• Ongoing Improvements: Regularly updating security measures as the platform matures

Current Stage Disclosure: As an early-stage platform, we are continuously implementing additional security measures. Advanced features like 24/7 monitoring, penetration testing, and formal certifications (SOC 2, ISO 27001) are on our roadmap. While we implement strong security measures, no system is completely secure. For sensitive data processing, we recommend implementing additional controls at your organization level.

7. Data Retention

We retain your information for as long as necessary to provide Services and fulfill the purposes outlined in this policy:

• Account Data: Retained while your account is active and for 90 days after account closure. After 90 days, account data and all related records are automatically and permanently purged by our automated data retention system.
• Processed Data: Retained for 90 days by default, configurable up to 7 years for enterprise accounts
• Backup Data: Incremental backups retained for 30 days; full backups for 1 year
• Audit Logs: Retained for 2 years for security and compliance purposes
• Legal Hold Data: Retained longer if required by law or legal proceedings

7.1 Automated Data Deletion

✅ Verified Implementation (as of February 19, 2026): Our automated data retention system runs daily at 2:00 AM UTC to identify and permanently delete accounts that have been marked as deleted for more than 90 days. This process:

• Automatically identifies accounts eligible for permanent deletion (deleted > 90 days ago)
• Permanently purges all related data including: user accounts, billing methods, invoices, usage records, API keys, security authenticators, scan jobs, and audit logs
• Maintains a comprehensive audit trail in our data_retention_log table documenting all automated deletions
• Sends email notifications to administrators after each cleanup operation with detailed reports
• Operates with full transactional safety to ensure data integrity during deletion

You may request deletion of your data at any time (subject to legal retention requirements). Manual deletion requests are processed within 72 hours. Upon account termination, we will delete or anonymize your personal information within 90 days automatically through our scheduled cleanup system.

Technical Note: Deleted accounts are marked with a deleted_at timestamp. After 90 days, our automated cleanup service permanently removes all tenant data, related users, and associated records. All deletions are logged for compliance and audit purposes. See our Security Policy for technical details.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

8.1 Access and Portability

• Request access to your personal information and processed data
• Export your data in machine-readable JSON format directly from your Dashboard → Security & Authentication → Data Export section (instant download)
• For custom export formats or assistance, contact support@cognitia-ai.ai
• Receive copies of your data processing history (last 90 days included in export)

8.2 Correction and Updates

• Update or correct inaccurate personal information through your account settings
• Request corrections to data we maintain about you

8.3 Deletion

• Request deletion of your account and associated data
• Delete specific processed data through the dashboard
• Right to be forgotten (GDPR) - request complete erasure of personal information

8.4 Objection and Restriction

• Object to processing of your data for certain purposes
• Request restriction of processing under certain circumstances
• Opt-out of marketing communications and non-essential cookies

8.5 Exercising Your Rights

To exercise these rights, contact us at support@cognitia-ai.ai or through your account settings. We will respond within 30 days (or as required by applicable law).

9. International Data Transfers

Cognitia is based in Egypt and uses cloud infrastructure that may process data in various locations. Your information may be transferred to, stored, and processed in countries other than your country of residence, including locations where our cloud providers operate their data centers.

We are implementing appropriate safeguards for international data transfers and working toward compliance with international data protection standards. For enterprise customers with specific data residency requirements, please contact us to discuss available options.

10. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately. If we learn that we have collected information from a child without parental consent, we will delete that information promptly.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Authentication, security, and session management (required for service operation)
• Functional Cookies: Preferences, settings, and feature enablement
• Analytics Cookies: Usage patterns, feature adoption, and performance metrics (anonymized)
• Marketing Cookies: Campaign attribution and conversion tracking (opt-in required)

You can control cookie preferences through your browser settings or our cookie consent banner that appears on your first visit. Disabling essential cookies may affect service functionality. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying an in-app notification upon your next login

Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to privacy inquiries as promptly as possible, typically within 3-5 business days.

14. Governing Law and Jurisdiction

This Privacy Policy and all matters relating to your privacy and our data practices shall be governed by and construed in accordance with the laws of the Arab Republic of Egypt, without regard to conflict of law principles.

Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Egypt.

14.1 International Users

If you are located outside of Egypt, you acknowledge that we may transfer, store, and process your information in Egypt and other countries where our service providers operate. By using our Services, you consent to such transfers.

14.2 Additional Rights

Depending on your jurisdiction, you may have additional rights under local data protection laws (such as GDPR for EU residents or CCPA for California residents). We strive to honor such rights to the extent applicable. Contact us to learn about your specific rights based on your location.