Cognosco – Privacy Policy

Last Updated: December 1, 2025

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data. The operator is the data controller.

Data Controller:

Laszlo Jørgenvåg
Email: sworn-twice-rut@duck.com
Norway

This policy complies with GDPR and the Norwegian Personal Data Act.

2. Our Commitment to Your Privacy

We believe your data belongs to you. We have made the following binding commitments regarding how we handle your information:

We will NOT train AI on your data.

Your content, uploads, and interactions are never used to train, fine-tune, or improve any AI models—ours or anyone else's.

We will NOT advertise with your data.

Your personal information and content are never sold, shared, or used for advertising, marketing profiles, or targeted ads.

We will NOT read your data unless required by law.

Your content remains private. We do not access, review, or monitor your data unless compelled by a valid legal obligation.

These commitments apply to all data you provide, including study materials, flashcards, quiz content, chat messages, and any uploaded files.

3. Information We Collect

2.1 Information You Provide

  • Account details (email, username, password)
  • Profile settings and preferences
  • Uploaded content (flashcards, notes, quizzes, messages, media)
  • Communications with us (support requests)

2.2 Automatically Collected Data

  • IP address, device and browser information
  • Usage data (pages visited, features used)
  • Error logs and diagnostic data
  • Cookies and similar technologies

2.3 AI Input Data

When using AI features, we collect the text, images, audio, or video you submit for processing.

2.4 Legal Bases

We process data based on:

  • Contractual necessity – providing the service
  • Consent – optional analytics cookies, or optional features
  • Legitimate interests – service improvement, security, abuse prevention
  • Legal obligations – compliance with Norwegian or EU law

4. How We Use Your Data

We use your personal data to:

  • Provide and improve the service
  • Authenticate and manage accounts
  • Process uploaded content and generate AI outputs (for your immediate use only)
  • Respond to support requests
  • Monitor usage, detect abuse, ensure security
  • Comply with legal requirements

We do not:

  • Use your data for marketing or advertising
  • Sell or trade your personal information
  • Train AI models on your content or interactions
  • Access or read your private content except when legally required

5. Sharing and Disclosure

4.1 Third-Party Service Providers

We use the following providers:

AI Processing

OpenRouter – processes user inputs (text, audio, images, video) to generate AI outputs. Acts as our processor.

Hosting & Infrastructure

Vercel – hosts the frontend and backend, processes IP addresses, logs, and server-level analytics.

Supabase – provides database, authentication, and storage. Acts as our processor.

Payments

Stripe – processes payments as an independent controller. We do not store or see your full payment details.

Each provider is contractually required to process data in compliance with GDPR.

4.2 Legal Requirements

We may disclose data where required by law or lawful request.

4.3 Protection of Rights

We may disclose data to prevent fraud, security incidents, or harm.

4.4 No Sale of Personal Data

We do not sell or trade personal data.

6. Data Security

We implement:

  • Encryption in transit (TLS)
  • Encryption at rest for sensitive data
  • Secure password hashing
  • Access controls
  • Regular updates and security reviews

No system is fully secure. As a hobbyist project, resources may be limited, but we apply appropriate safeguards.

7. Cookies and Tracking Technologies

We use:

  • Necessary cookies – login, sessions, security
  • Preference cookies – language, theme
  • Analytics cookies – collected server-side by Vercel Analytics; optional and disabled unless you consent

You can control cookies via your browser or our cookie banner settings.

8. Your Rights

You may:

  • Access your data
  • Request correction or deletion
  • Request data portability
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • File a complaint with Datatilsynet

Contact us to exercise these rights.

9. Data Retention

  • Account data: retained while your account is active and for ~30 days after deletion
  • Content: retained until deleted by you or your account is deleted
  • Logs: retained up to 12 months
  • AI processing data: may be temporarily logged by OpenRouter
  • Payment data: stored by Stripe according to legal obligations

We delete or anonymize data when no longer needed.

10. International Transfers

Some providers process data outside the EEA (e.g., United States).

We use appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Technical and organizational measures

11. Children's Privacy

The service is not intended for children under 13. If you believe a child provided data, contact us and we will remove it.

Users aged 13–18 must have guardian consent.

12. Data Protection Officer

Not required due to the scope and nature of processing.

13. Changes to This Privacy Policy

We may update this policy. Significant changes will be communicated via email or a notice in the service.

14. Contact

For privacy inquiries:

Laszlo Jørgenvåg
Email: sworn-twice-rut@duck.com

If unresolved, you may contact Datatilsynet at www.datatilsynet.no

Back to Home