Privacy Policy

Last updated: 7 July 2026

1. Introduction and scope

This Privacy Policy explains how Cognita Tech Ltd (“Cognita”, “we”, “us”) handles personal data. It applies to the people who create and manage a Cognita account, the visitors to our website, and anyone who contacts us or joins our waitlist.

Cognita acts in two different capacities, and this policy is careful to separate them:

  • As a controller — for the account and website data described above, we decide why and how the data is processed, so this policy is our notice to you under UK GDPR Articles 13 and 14.
  • As a processor — we also ingest Claude Code usage telemetry belonging to our business customers. For that telemetry the customer (usually the individual’s employer) is the controller and we act only on their documented instructions. That processing is governed by our Data Processing Agreement, not by this policy — see section 3.

2. Who we are

Cognita Tech Ltd is a company registered in England and Wales (company number [___]), registered office 87a Worship Street, London EC2A 2BE, United Kingdom.

For any privacy question or to exercise your rights, contact us at privacy@cognita.tech or by post at the address above. We have not appointed a statutory Data Protection Officer; the above contact handles all privacy matters. If you are in the EEA, our EU representative under Article 27 is [___].

3. Our role: controller vs processor

If you have a direct relationship with us — you signed up, you manage an account, or you visited our site — we are the controller of your data and this policy governs it.

If your Claude Code usage data reached us only because your employer is a Cognita customer, we are a processor and your employer is the controller. Your employer decides why your data is used and is responsible for informing you. If you are such an employee, please contact your employer for the privacy notice covering that processing. We will assist your employer in responding to your request, but we cannot action it directly (see section 8).

4. The personal data we collect

As a controller, we collect:

  • Account data — your name, work email address, a securely hashed password (we never store your password in plain text), and your sign-in method (email/password or Google).
  • Company and benchmark profile — your company name and the profile you provide at signup (industry, company size, number of people using AI, functions, and your role). These are used as anonymous cohort keys for cross-company benchmarking, not to profile you as an individual.
  • Waitlist and enquiries — if you join our waitlist or contact us, your name, email, company, and message.
  • Website and security data — cookies, IP address, and authentication events needed to run and secure the service.

The Claude Code telemetry itself (usage counts, models, cost, timing) is processed on our customers’ behalf. It is designed so that emails are one-way hashed and prompt and output content is stripped before anything is stored — see section 9 and our DPA.

5. Why we process it, and our lawful basis

We pair each purpose with a specific lawful basis under UK GDPR Article 6:

PurposeLawful basis
Create and operate your account; authenticate youPerformance of a contract (Art 6(1)(b))
Provision your tenant and issue your ingest tokenPerformance of a contract (Art 6(1)(b))
Secure the service, prevent abuse, audit loggingLegitimate interests (Art 6(1)(f)) — security
Improve the service through product analyticsLegitimate interests (Art 6(1)(f)); you can opt out
Cross-company cohort benchmarking (aggregated)Legitimate interests (Art 6(1)(f)) — no individual company is identifiable
Send you service and transactional emailsPerformance of a contract (Art 6(1)(b))
Send marketing to business contactsLegitimate interests / consent — always with an opt-out
Non-essential cookies and analyticsConsent (Art 6(1)(a))
Meet legal and accounting obligationsLegal obligation (Art 6(1)(c))

Where we rely on legitimate interests, we have carried out a balancing assessment and you have the right to object (section 8).

6. Who we share it with, and where it is held

We use a small set of trusted providers to run the service. Each is bound by a data processing agreement and processes data only on our instructions:

ProviderRoleLocation / transfer
Amazon Web ServicesBackend, telemetry storageEEA (Ireland) — UK adequacy
NeonAccount database (Postgres)EEA (Germany) — UK adequacy
VercelWebsite hostingUS — EU-US DPF (UK Extension) / IDTA
GoogleOptional sign-in (OAuth)US — EU-US DPF

Our infrastructure is hosted in the European Economic Area (Ireland and Germany), which the UK recognises as providing adequate protection, so no additional transfer safeguard is required for that storage. Where a provider is in the United States (currently our website host and optional sign-in), the transfer is covered by the provider’s certification under the EU-US Data Privacy Framework and its UK Extension, and/or the UK International Data Transfer Agreement.

7. How long we keep it

  • Account data is kept for the life of your account and for a limited period after closure to meet legal and accounting duties, then deleted.
  • Your hashed password is deleted when your account is deleted.
  • Your benchmark profile is kept while your account is active; aggregated cohort statistics that no longer identify you or your company may be retained.
  • Waitlist and enquiry data is kept until it is no longer needed for the purpose you contacted us about.
  • Security and log data is kept for a short defined window.
  • Customer telemetry (our processor role) is retained per the customer’s instructions in the DPA and erased using the mechanism in section 9.

8. Your rights

Under UK and EU GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased;
  • restrict or object to processing;
  • receive your data in a portable format; and
  • withdraw consent at any time where we rely on it (this does not affect earlier processing); and
  • lodge a complaint with a supervisory authority (see below).

To exercise any of these, email privacy@cognita.tech. We respond within one month and do not charge for this. We may need to verify your identity first.

If your data reached us via your employer (our processor role), your request must go to your employer, who is the controller. Because the analytics store holds only one-way hashes, we cannot re-identify you from it without your employer’s identity map, so we will refer your request to them and assist as needed.

You also have the right to complain to the Information Commissioner’s Office (ICO) (ico.org.uk, helpline 0303 123 1113), or, if you are in the EEA, to your local supervisory authority. We would appreciate the chance to resolve your concern first.

9. Privacy by design: pseudonymisation and erasure

The product is built so that our analytics store never holds a plaintext email or the content of your prompts. At the point of collection, each email is replaced with a one-way, per-customer keyed hash (HMAC(tenant_key, email)), and prompt and output content is stripped. The analytics store only ever contains these pseudonymous hashes.

This data is pseudonymised, not anonymised — it remains personal data, because the separate identity map and key make it re-identifiable by the controller. We describe it honestly on that basis.

Because a plaintext identifier exists in exactly one place (the identity map), an erasure request is a single deletion: removing that one record renders all of that person’s hash-keyed telemetry permanently unresolvable. We call this crypto-shred, and it is how erasure is carried out.

10. Automated decisions

We do not make solely automated decisions that produce legal or similarly significant effects about you. Our benchmarking and coaching features produce analytics and insights for your review; they are not automated decisions in the sense of Article 22.

11. Cookies

We use strictly necessary cookies to run the site and keep you signed in (no consent required), and, where you consent, analytics cookies to understand how the site is used. You can accept or reject non-essential cookies via our cookie banner, and change your choice at any time. Rejecting them is as easy as accepting them.

12. Changes to this policy

We may update this policy from time to time. We will post the new version here with an updated date and, for material changes, notify account holders. The version in force is always the one published on this page.

This document is provided for transparency and does not constitute legal advice. Cognita Tech Ltd, 87a Worship Street, London EC2A 2BE.