Privacy Policy
Effective Date: [INSERT DATE, e.g., June 1, 2026] Last Updated: [INSERT DATE]
This Privacy Policy describes how [YOUR LEGAL NAME / COMPANY NAME] (“Cogent,” “we,” “us,” or “our”) collects, uses, stores, and shares your personal information when you use the Cogent mobile application (the “App”) and related services (collectively, the “Service”).
By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
1. Who We Are
Cogent is an AI-powered decision coach that helps users pause before impulsive choices through Socratic dialogue and behavioral-economics techniques.
- Data Controller: [YOUR LEGAL NAME / COMPANY NAME]
- Contact Email: [YOUR SUPPORT EMAIL, e.g., privacy@cogent.app]
- Postal Address: [YOUR BUSINESS ADDRESS — required for GDPR; if you are a sole proprietor, this can be your registered address]
If you are a resident of the European Economic Area (“EEA”), the United Kingdom, or Switzerland, the data controller for your information is the entity named above.
2. Information We Collect
2.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account information | Email address, display name, profile photo URL, authentication provider (Google / Apple / email) | Create and secure your account |
| Decision content | “Brain dumps” you type or speak, your chat messages with the AI coach, your stated goals (“Pillars”), past-decision outcomes (“Regret Ledger”), post-mortem ratings | Provide the core Service |
| Voice recordings | Audio captured when you use voice features | Transcribed in real time to text via our speech-to-text provider; the raw audio is not retained after transcription |
| Subscription information | Subscription tier, status, trial end date, purchase receipts (handled by Apple / Google / RevenueCat) | Manage entitlements and billing |
| Support correspondence | Messages you send us | Respond to your inquiries |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device information | Device model, operating system, app version, language, time zone | Diagnose issues, improve compatibility |
| Usage data | Features used, screens viewed, session timestamps, error logs | Understand product usage, fix bugs |
| Identifiers | Anonymous Firebase user ID, RevenueCat customer ID, anonymized device identifier | Link your sessions and entitlements securely |
We do not use third-party advertising identifiers (IDFA / AAID) and do not show ads.
2.3 Information from Third Parties
If you sign in with Google or Apple, we receive your email, name, and a unique user identifier from that provider, in accordance with the permissions you granted at sign-in.
3. How We Use Your Information
We use your information to:
- Operate the Service — create your account, save your decisions, run the AI coaching pipeline.
- Personalize coaching — feed your stated goals (Pillars), past outcomes (Regret Ledger), and decision style (Persona) to the AI models so responses reflect your context.
- Process payments and subscriptions — through Apple, Google, and RevenueCat.
- Communicate with you — service notifications, security alerts, support replies. We do not send marketing emails unless you have explicitly opted in.
- Improve and secure the Service — diagnose bugs, prevent abuse, monitor system health.
- Comply with law — respond to lawful requests and enforce our Terms.
Legal bases (GDPR/UK GDPR users): We rely on (a) performance of a contract (to deliver the Service), (b) legitimate interests (security, fraud prevention, product improvement), (c) consent (where required, such as for voice processing), and (d) legal obligations.
4. AI Processing — Important Disclosures
Cogent’s core functionality relies on third-party large-language-model (“LLM”) providers. When you submit a decision or chat message:
- The text content of your decision and conversation is transmitted to Anthropic, PBC (“Claude”) and Google LLC (“Gemini”) for inference.
- Your voice input is transmitted to Deepgram, Inc. for speech-to-text transcription, and AI-generated responses may be sent back to Deepgram for text-to-speech synthesis.
- These providers process your data under their respective terms and do not use your inputs to train their public foundation models when accessed via paid API (as of the Effective Date of this Policy).
- We do not send your name, email, or other directly identifying information to these providers — only the decision text and a pseudonymous session identifier.
You should not enter sensitive personal information (e.g., government IDs, financial account numbers, health diagnoses, information about other identifiable individuals) into your decisions or chats.
5. How We Share Your Information
We do not sell your personal information. We share it only with the following categories of recipients:
| Recipient | Role | Data Shared | Location |
|---|---|---|---|
| Google Firebase (Google LLC) | Authentication, push notifications | Email, display name, auth tokens | USA |
| Railway Corp. | Database and server hosting (PostgreSQL + Node.js) | All Service data we store | USA |
| RevenueCat, Inc. | Subscription management | Pseudonymous user ID, email, display name, purchase events | USA |
| Anthropic, PBC | LLM inference (Claude) | Decision text, chat messages, pseudonymous session ID | USA |
| Google LLC (Gemini API) | LLM inference (classification, gatekeeping) | Decision text, pseudonymous session ID | USA |
| Deepgram, Inc. | Speech-to-text and text-to-speech | Voice audio (transient), text strings | USA |
| Apple Inc. / Google LLC | App distribution, in-app purchase processing | Purchase receipts, anonymized device identifier | USA |
We may also disclose information:
- to comply with law or valid legal process;
- to protect our rights, users, or the public from harm or fraud;
- as part of a merger, acquisition, or asset sale, in which case we will notify you in advance.
6. International Data Transfers
Cogent is operated from [YOUR COUNTRY], and our servers and subprocessors are primarily located in the United States. If you access the Service from the EEA, UK, Switzerland, or any other jurisdiction with data-protection laws different from those of the U.S., your information will be transferred to and processed in the U.S.
For transfers from the EEA/UK/Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK/Swiss safeguards entered into with our subprocessors.
7. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until you delete your account, then permanently deleted within 30 days |
| Decision content and chat history | Same as above |
| Voice audio | Not retained — discarded immediately after transcription |
| Subscription / payment records | Retained for 7 years to comply with tax and accounting law |
| Anonymized logs and analytics | Up to 90 days |
You can delete your account at any time from the App’s Profile → Delete Account option, or by emailing [YOUR SUPPORT EMAIL].
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to erase your data (subject to legal retention exceptions).
- Portability — receive your data in a machine-readable format.
- Restriction / Objection — limit or object to certain processing.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with your local data-protection authority (e.g., your EU member-state DPA, the UK ICO, or the Swiss FDPIC).
California residents (CCPA/CPRA): You have the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as defined by California law.
To exercise any right, email [YOUR SUPPORT EMAIL]. We will respond within 30 days (45 days for California requests, extendable as permitted by law). We may need to verify your identity before fulfilling the request.
9. Children’s Privacy
Cogent is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us and we will delete it.
10. Security
We implement industry-standard security measures, including:
- TLS 1.2+ encryption in transit;
- Encryption at rest for the PostgreSQL database hosted on Railway;
- Firebase Authentication for credential handling (we never see your password);
- Tenant isolation: every server request is verified against a Firebase ID token before any data is returned;
- Rate-limiting and input validation on all API endpoints.
No system is 100% secure. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.
11. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify you via in-app notice or email and update the “Last Updated” date above. Continued use of the Service after such changes constitutes acceptance.
12. Contact Us
For privacy questions or to exercise your rights:
Email: [YOUR SUPPORT EMAIL] Postal: [YOUR BUSINESS ADDRESS]
This Privacy Policy is provided as a starting template. It is not legal advice. Consider having it reviewed by a licensed attorney before publishing.