PRIVACY POLICY - UPDATED FOR THREE-LAYER BUSINESS MODEL

Cognitiva Systems Inc.
Effective Date: 15 April 2026
Last Updated: 15 April 2026

BINDING LEGAL DOCUMENT

This Privacy Policy is a binding legal agreement between you and Cognitiva Systems Inc. By using our services, you agree to this policy. If you do not agree, do not use our services.

English Version Controls: In case of conflicts between translations, the English version govails.

KEY PRINCIPLES

✓ Data Protection - Your data is protected with industry-standard security
✓ GDPR/CCPA Compliance - Full compliance with global privacy regulations
✓ Your Rights - Access, correct, delete, or export your data anytime
✓ International Standards - EU-U.S. Data Privacy Framework, Standard Contractual Clauses

PREAMBLE

Cognitiva Systems Inc. ("Cognitiva," "we," "us," or "our") operates a three-layer platform:

Layer 1 - CognitivaOS: Campaign execution platform (SaaS subscription)
Layer 2 - Data Infrastructure: Anonymized dataset creation and licensing
Layer 3 - Intelligence Platform: AI-powered decision APIs

This Privacy Policy explains how we collect, use, share, and protect personal data across all three layers.

Critical Disclosure: We generate revenue from all three layers, including licensing anonymized datasets and selling AI services. This is core to our business model and funds platform development.

SECTION 1: SCOPE AND APPLICATION

1.1 Who This Policy Applies To

This Privacy Policy applies to:

Website Visitors: Anyone visiting cognitiva.systems or related domains
Platform Users: Agencies, brands, creators using CognitivaOS
API Clients: Organizations accessing Intelligence Platform APIs
Enterprise Customers: Organizations licensing anonymized datasets
Job Applicants: Individuals applying for positions
Business Partners: Vendors, contractors, and service providers

1.2 Regulatory Compliance

We comply with:

GDPR: EU General Data Protection Regulation (Regulation 2016/679)
UK GDPR: UK Data Protection Act 2018
FADP: Swiss Federal Act on Data Protection
CCPA/CPRA: California Consumer Privacy Act and Rights Act
Other Jurisdictions: Applicable data protection laws where we operate

1.3 Data Collection Methods

Personal data is collected ONLY through:

✓ Direct provision by you (account creation, forms, API usage)
✓ Automatic collection (cookies, logs, analytics)
✓ Client API exports (with explicit authorization)

✗ We do NOT scrape, harvest, or collect data without authorization
✗ We do NOT purchase personal data from third-party brokers
✗ We do NOT access client systems without explicit permission

SECTION 2: DATA CONTROLLER

2.1 Controller Identity

Data Controller:
Cognitiva Systems Inc.
407 E Ayre St #1484
Wilmington, DE 19804
United States

Privacy Contact:
Email: privacy@cognitiva.systems
Response Time: Within 48 hours for urgent requests

2.2 Controller Responsibilities

As data controller, we:

Determine purposes and means of personal data processing
Ensure lawful, fair, and transparent processing
Implement appropriate technical and organizational measures
Respect your data subject rights under applicable law
Maintain records of processing activities

SECTION 3: EU REPRESENTATIVE

3.1 GDPR Article 27 Representative

For EU data subjects, our designated EU Representative is:

Contact: eu-datarights@cognitiva.systems

EU residents may contact our representative regarding:

Exercising GDPR rights
Data protection inquiries
Complaints to supervisory authorities
GDPR compliance questions

Note: This does not replace your right to contact us directly or file complaints with your local Data Protection Authority.

SECTION 4: PROCESSING ROLES AND PURPOSES

4.1 When Cognitiva Acts as Controller

We are the data controller for:

Website & Marketing:

Website visitor analytics and optimization
Marketing communications and lead generation
Demo requests and sales inquiries
Newsletter subscriptions

Account Management:

User account creation and authentication
Subscription billing and payment processing
Customer support and service delivery
Fraud detection and prevention
Identity verification (KYC/AML where required)

Product Development:

Feature usage analytics
A/B testing and optimization
Bug tracking and error reporting
Security monitoring

4.2 When Clients Act as Controller

For campaign execution data within CognitivaOS:

Client is Controller:
Clients determine purposes and means of processing campaign data (messages, approvals, deliverables, participant information).

Cognitiva is Processor:
We process this data solely on client instructions to provide the CognitivaOS platform.

Data Processing Agreement:
Enterprise clients receive a separate DPA governing processor obligations.

4.3 Joint Controller Arrangements

For certain data transformation activities:

Joint Determination:
When clients authorize export of campaign data for anonymization and AI training, we jointly determine:

Anonymization methodologies
Dataset creation purposes
AI model training scope

Client Rights:
Clients may opt-out of contributing data to anonymized datasets (contact privacy@cognitiva.systems). This may limit access to certain AI-powered features.

4.4 AI Model Training and Commercial Use

Critical Disclosure:

Anonymized campaign data (per Section 8) is used to train machine learning models that power:

✓ Creator matching algorithms
✓ Payment risk detection systems
✓ Campaign success prediction models
✓ Compliance monitoring tools
✓ Content quality scoring
✓ Timeline risk assessment
✓ Budget optimization

Commercial Deployment:

These models are offered commercially as:

Platform Features: Embedded in CognitivaOS subscriptions (included)
API Services: Intelligence Platform APIs (per-decision pricing)
Licensed Technology: Enterprise licensing agreements

Revenue Model:

AI model development and deployment is a core revenue stream. Subscription fees alone do not fund platform development. Data-derived and AI revenues subsidize competitive subscription pricing.

Client Consent:

By using CognitivaOS and authorizing data export, you consent to AI training on anonymized derivatives. You may withdraw consent (limits features).

SECTION 5: CATEGORIES OF PERSONAL DATA

5.1 Business & Account Data

What We Collect:

Full name
Business email address
Company/organization name
Job title and role
Business phone number (optional)
Communications with support/sales
Technical identifiers (IP address, device ID, browser fingerprint)

Why We Collect:

Account creation and authentication
Service delivery and support
Billing and invoicing
Fraud prevention
Legal compliance

Legal Basis: Contract performance, legitimate interest

5.2 Identity & Payment Data

What We Collect:

Government-issued ID (where required for verification)
Tax identification numbers (where legally required)
Stripe onboarding data (collected by Stripe, not stored by us)
Payment transaction records (amounts, dates, status)
Bank account details (tokenized by Stripe)

Why We Collect:

Payment processing
Tax compliance
Anti-money laundering (AML)
Know Your Customer (KYC) requirements
Fraud prevention

Legal Basis: Contract performance, legal obligation

Important: Actual payment credentials are processed by Stripe, our payment processor. We receive only tokenized references, never raw payment card data.

5.3 Campaign Execution Data

Critical Section - Read Carefully

What Is Campaign Execution Data:

When clients use CognitivaOS, they create campaigns containing:

Campaign briefs and requirements
Creator communications and messages
Approval workflows and decisions
Deliverable submissions
Payment records
Participant metadata

How We Collect It:

✓ Data is generated WITHIN CognitivaOS during normal platform use
✓ Clients may authorize API export for enhanced features
✓ Export is OPTIONAL and explicitly consented to

✗ We do NOT scrape external platforms
✗ We do NOT access client data without authorization
✗ We do NOT collect data from sources outside our platform

What We Do With It:

Raw Data (As Processor):

Stored encrypted in client workspace
Accessible only to authorized client users
Processed solely per client instructions
Subject to client's data retention policies

Anonymized Data (As Controller):

When clients authorize export:

Transformation: Raw data undergoes anonymization (Section 8)
Dataset Creation: Anonymized data forms structured datasets
Model Training: Datasets train AI models (Section 4.4)
Commercial Use: Anonymized datasets may be licensed (Section 11.7)

Key Safeguards:

✓ Direct identifiers removed
✓ Contextual information minimized
✓ Re-identification risk assessed
✓ Unique markers suppressed

Client Ownership:

Clients own ALL raw campaign data
We own anonymized derivatives we create
Clients may request dataset exclusion

5.4 Technical & Usage Data

Automatically Collected:

IP addresses and geolocation (city-level)
Browser type, version, and language
Operating system and device type
Referring URLs and clickstream data
Pages visited and time spent
Feature usage patterns
API request logs
Error reports and crash data

Why We Collect:

Platform performance optimization
Security monitoring and threat detection
Feature usage analytics
Bug identification and fixing
Capacity planning

Legal Basis: Legitimate interest, contract performance

Retention: Logs retained for 90 days; aggregated analytics retained indefinitely

SECTION 6: SPECIAL CATEGORY DATA

6.1 Intentional Non-Collection

We do NOT intentionally collect special category data under GDPR Article 9:

✗ Health or medical information
✗ Biometric data for unique identification
✗ Religious or philosophical beliefs
✗ Trade union membership
✗ Genetic data
✗ Data concerning sex life or sexual orientation
✗ Racial or ethnic origin
✗ Political opinions
✗ Criminal convictions or offenses

6.2 Inadvertent Detection

If special category data is detected in campaign content:

Automated Response:

Processing is immediately halted
Content is flagged for review
Special category elements are filtered/redacted
Remaining content proceeds with extra safeguards

Manual Review:

Trained personnel assess context
Data minimization applied
Excessive special category data triggers deletion
Client is notified if content violates terms

6.3 Children's Data

Age Restriction: CognitivaOS requires users be 18+ (or age of majority in jurisdiction).

No Intentional Collection:
We do NOT knowingly collect data from individuals under 18.

Discovery Protocol:
If we learn a user is underage:

Account is suspended immediately
Data is deleted within 30 days
Parent/guardian is notified if contact info available

Campaign Content:
If campaign content involves minors (e.g., educational campaigns):

Extra safeguards apply
Parental consent must be obtained by client
Special category treatment for sensitive contexts

SECTION 7: INSOLVENCY PROCEEDINGS

7.1 Legal Authority Processing

In insolvency, bankruptcy, or liquidation proceedings:

Lawful Basis:
We may process company communications under court authority or administrator direction.

Permitted Uses:

Asset valuation for creditors
Fraud investigation
Claims substantiation
Regulatory compliance

Limitations:

Only with proper legal authority
Limited to insolvency purpose
Subject to court oversight
Anonymization applies where feasible

No Legal Advice:
This policy does not constitute legal advice about insolvency proceedings. Consult qualified insolvency counsel.

SECTION 8: ANONYMIZATION PROCEDURES

Critical Section for Understanding Data Monetization

8.1 Anonymization Standard

We apply anonymization per:

GDPR Recital 26 (irreversible de-identification)
Article 29 Working Party Opinion 05/2014
ISO/IEC 20889:2018 (Privacy enhancing techniques)
NIST Privacy Framework

Anonymization Goal:
Data cannot be re-identified using reasonably available means, considering:

Technical feasibility
Cost of re-identification
Time required
Available technology

8.2 Anonymization Techniques

Direct Identifier Removal:

Names, email addresses, phone numbers removed
Account IDs replaced with random tokens
IP addresses hashed or removed
User-specific metadata stripped

Contextual Minimization:

Temporal precision reduced (exact timestamps → day/week)
Geographic precision reduced (exact location → region)
Rare events suppressed
Outliers normalized

Structural Transformation:

Message sequences shuffled
Syntax preserved, specific phrasing generalized
Proper nouns replaced with category labels
Unique stylistic markers removed

Metadata Stripping:

File metadata removed
Creation timestamps generalized
Author attribution removed
Version history deleted

Re-Identification Risk Controls:

Automated uniqueness detection
Statistical disclosure control
K-anonymity and L-diversity assessment
Manual review for high-risk content

8.3 What Anonymization Is NOT

Anonymized data is NOT:

✗ Encrypted data (encryption is reversible)
✗ Pseudonymized data (pseudonyms can be reversed)
✗ Aggregated data (aggregation alone doesn't prevent re-identification)
✗ "De-identified" without verification (we verify irreversibility)

Anonymized data IS:

✓ Irreversibly transformed
✓ No reasonable re-identification path
✓ Outside GDPR scope (Recital 26)
✓ Freely usable for research, AI training, commercial licensing

8.4 Limitations and Risks

No Absolute Guarantee:
While we apply rigorous anonymization, we cannot guarantee absolute elimination of re-identification risk. Future techniques or data combinations might enable re-identification.

Ongoing Assessment:
We continuously monitor:

Academic literature on re-identification attacks
New privacy-enhancing technologies
Regulatory guidance updates
Actual re-identification attempts (none to date)

Client Disclosure:
Clients authorizing data export acknowledge anonymization limitations and accept residual risk.

SECTION 9: LEGAL BASES FOR PROCESSING

9.1 GDPR Legal Bases

Contract Performance (GDPR Article 6(1)(b)):

Account creation and management
Service delivery (CognitivaOS platform)
Payment processing
Customer support

Legitimate Interest (GDPR Article 6(1)(f)):

Fraud detection and security
Product improvement and analytics
Marketing to existing customers
Network and system security

Legal Obligation (GDPR Article 6(1)(c)):

Tax compliance
AML/KYC requirements
Regulatory reporting
Court orders and legal process

Consent (GDPR Article 6(1)(a)):

Marketing to non-customers
Optional data export for anonymization
Non-essential cookies
Newsletter subscriptions

9.2 Legitimate Interest Balancing

Where we rely on legitimate interest, we balance:

Our Interests:

Platform security and fraud prevention
Service improvement
Efficient operations
Direct marketing to customers

Your Rights:

Data minimization
Transparency
Objection rights
Reasonable expectations

Assessment:
We conduct and document legitimate interest assessments (LIAs) available upon request.

SECTION 10: DATA PROTECTION IMPACT ASSESSMENT (DPIA)

10.1 High-Risk Processing Assessment

We conduct DPIAs for:

Large-scale automated decision-making
Special category data processing (if occurs)
Systematic monitoring of public areas
Data matching or combining datasets
Processing data of vulnerable individuals
Innovative technologies or processing methods

10.2 Campaign Data Anonymization DPIA

Identified Risks:

Re-identification despite anonymization
Unexpected data combinations enabling identification
Disproportionate impact on data subjects
Function creep (expanded use beyond stated purposes)

Mitigation Measures:

Multi-layered anonymization (Section 8)
Regular re-identification testing
Purpose limitation enforcement
Ongoing risk monitoring
Client opt-out mechanisms

Proportionality Assessment:

Benefits: AI development, platform improvement, competitive pricing
Risks: Residual re-identification risk (assessed as low)
Balance: Benefits outweigh minimal residual risk
Necessity: Anonymization necessary for AI training feasibility

10.3 Review and Updates

DPIAs are reviewed:

Annually
When processing operations change materially
When new risks are identified
When technology evolves

Supervisory Authority Consultation:
If high residual risk cannot be mitigated, we consult with relevant Data Protection Authority before proceeding.

SECTION 11: DATA SHARING AND DISCLOSURE

11.1 Internal Personnel

Who Has Access:

Engineering teams (platform operations)
Support teams (customer service)
Security teams (threat monitoring)
Legal/compliance teams (regulatory obligations)

Access Controls:

Role-based access control (RBAC)
Least privilege principle
Audit logging of all access
Regular access reviews

11.2 Service Providers

Categories:

Cloud infrastructure (AWS, GCP)
Payment processing (Stripe)
Analytics services (anonymized data only)
Customer support tools
Security monitoring

Safeguards:

Data Processing Agreements (DPAs)
Contractual data protection obligations
Regular vendor assessments
Subprocessor lists maintained

11.3 Stripe Payment Processing

What Stripe Receives:

Payment card details (entered directly to Stripe)
Billing information
Transaction details
Identity verification data

Stripe's Role:
Stripe is an independent data controller for payment data.

Stripe's Privacy Policy:
https://stripe.com/privacy

Our Responsibility:
We are NOT liable for:

Stripe's data security
Stripe's compliance decisions
Payment holds or verification requirements
Stripe's fraud detection actions

11.4 Legal and Regulatory

Required Disclosures:

Court orders and subpoenas
Law enforcement requests (with legal basis)
Regulatory authorities
Tax authorities
Insolvency administrators (with court authority)

Disclosure Protocol:

Legal basis verification
Scope minimization
User notification (unless legally prohibited)
Transparency report publication (annual)

11.5 Business Transfers

Mergers, Acquisitions, Asset Sales:

If Cognitiva is acquired or merges:

Your data may transfer to the acquiring entity
This Privacy Policy remains in effect
You will be notified before transfer
You may delete your account before transfer

Bankruptcy/Insolvency:

If Cognitiva enters insolvency:

Data may transfer to administrator or buyer
Anonymized datasets may be sold as assets
Raw customer data subject to court approval
You will be notified per legal requirements

11.6 Advisors and Auditors

Limited Access:

Legal counsel (attorney-client privilege)
Financial auditors (confidentiality agreements)
Security auditors (NDA-protected)
Board of directors (fiduciary duties)

Purpose: Corporate governance, compliance, financial reporting

11.7 Data-Derived Products (Revenue Model)

CRITICAL COMMERCIAL DISCLOSURE

Revenue Stream Transparency

Cognitiva generates revenue from THREE sources:

1. Execution SaaS ($200-500/month per agency):

CognitivaOS platform subscriptions
Feature access and support
Standard SaaS business model

2. Data Product Licensing (Enterprise pricing):

Anonymized datasets licensed to third parties
Per Section 8 anonymization procedures
This is a CORE REVENUE STREAM

3. AI Intelligence Services (Per-decision pricing):

API access to ML models
Trained on anonymized campaign data
Commercial AI-as-a-Service offering

Who We License Anonymized Data To

Permitted Licensees:

Academic and research institutions
Market intelligence providers
AI/ML platform companies
Enterprise organizations for internal use
Technology companies building products

Prohibited Licensees:

Direct competitors to our clients
Data brokers for re-sale
Surveillance or law enforcement (without legal order)
Entities in sanctioned jurisdictions
Any party attempting re-identification

What Anonymized Datasets Include

Included:

Anonymized message content (linguistic patterns preserved)
Workflow structures (anonymized participant roles)
Outcome data (success/failure indicators)
Temporal patterns (time-series data)
Categorical variables (industry, campaign type)

Excluded:

Direct identifiers (names, emails, IDs)
Unique identifying information
Special category data
Children's data
Confidential business information beyond linguistic patterns

Dataset Use Restrictions

Licensees are contractually prohibited from:

✗ Attempting to re-identify data subjects
✗ Combining datasets to reverse anonymization
✗ Selling or sublicensing data
✗ Using data for discriminatory purposes
✗ Using data for surveillance
✗ Using data beyond licensed scope

Enforcement:
License violations result in immediate termination and legal action.

Client Rights Regarding Data Licensing

Opt-Out Option:

Clients may request exclusion from data product contributions:

Email: privacy@cognitiva.systems
Subject: "Data Product Opt-Out Request"
Processing time: 30 days
Effect: Future data excluded; past anonymized data already distributed cannot be recalled

Opt-Out Consequences:

Exclusion may limit access to:

AI-powered creator matching
Predictive analytics features
Benchmark comparisons
Advanced insights

Basic platform functionality remains available.

No Opt-Out Fee:
Opt-out is free. Subscription price remains unchanged.

Revenue Necessity Disclosure

Why Data Revenue Matters:

SaaS subscription fees ($200-500/month) do NOT fully fund:

Platform development costs
Infrastructure expenses
AI research and development
Competitive feature development

Data product revenue subsidizes subscription pricing, keeping CognitivaOS affordable for small agencies while funding innovation.

Alternative Business Model:

Without data revenue, subscription prices would need to be 3-5x higher to achieve financial sustainability. Data licensing enables us to serve smaller agencies that couldn't afford premium-only pricing.

Transparency Commitment

Public Reporting:

We publish annually:

Number of dataset licenses sold
General categories of licensees (without names)
Approximate data volume licensed
Anonymization effectiveness metrics

Next Report: 15 April 2026

CCPA "Sale" Disclosure

California Residents:

Under CCPA/CPRA, licensing anonymized data may constitute a "sale" even if data is anonymized.

Your CCPA Rights:

Right to know what data is "sold"
Right to opt-out of "sales"
Right to non-discrimination for opting out

Opt-Out Link:
[Do Not Sell My Personal Information]

Processing Time: 15 business days

Note: Opt-out applies to future data only. We cannot recall anonymized data already distributed.

SECTION 12: INTERNATIONAL DATA TRANSFERS

12.1 Transfer Necessity

Cognitiva operates globally. Data may be transferred to:

United States (primary processing location)
European Economic Area (EU representative, some clients)
Other jurisdictions where clients or service providers operate

12.2 Transfer Safeguards

For EEA to U.S. Transfers:

EU-U.S. Data Privacy Framework (if certified)
Standard Contractual Clauses (SCCs): EU Commission-approved
Adequacy Decisions: Where available
Binding Corporate Rules: For intra-group transfers

SCC Modules Used:

Controller-to-Controller (for data product licensing)
Controller-to-Processor (for CognitivaOS client data)

Supplementary Measures:

Encryption in transit and at rest
Pseudonymization where feasible
Access controls and logging
Transfer impact assessments (TIAs)
Legal review of destination country laws

12.3 Schrems II Compliance

Following CJEU Schrems II decision:

Risk Assessment:
We assess U.S. surveillance law impact on each data transfer.

Additional Safeguards:

Encryption prevents government access to plaintext
Minimal personal data in anonymized datasets
Contractual commitments to resist overbroad demands
Transparency reporting of government requests

Client Notification:
If we receive government access demands affecting EEA data, we notify affected clients unless legally prohibited.

12.4 Data Localization Options

Enterprise Clients:

Upon request and subject to feasibility:

EU-only data residency
Regional data isolation
Local processing nodes

Additional Cost:
Data localization may incur additional infrastructure costs.

SECTION 13: DATA RETENTION

13.1 Retention Principles

We retain personal data only as long as necessary for:

Fulfilling processing purposes
Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Legitimate business interests

13.2 Retention Periods

Account Data:

Active accounts: Duration of account + 90 days post-deletion
Inactive accounts: Deleted after 3 years of inactivity
Financial records: 7 years (tax compliance)
Identity verification: 7 years (AML compliance)

Campaign Execution Data:

Raw data in client workspace: Per client retention policy
Platform-generated metadata: 2 years post-campaign completion
Anonymized datasets: Indefinite (outside GDPR scope)

Technical Logs:

Access logs: 90 days
Security logs: 1 year
Aggregated analytics: Indefinite

Marketing Data:

Opted-in subscribers: Until opt-out
Non-customer leads: 2 years of inactivity
Rejected applications: 90 days

Legal Hold:
Data subject to litigation, investigation, or regulatory action is retained until matter resolution.

13.3 Deletion Procedures

Secure Deletion:

Overwriting with random data
Cryptographic erasure (destroy encryption keys)
Physical destruction of media (when retired)
Deletion verification and logging

Anonymized Data:

Once data is anonymized (Section 8), it is outside GDPR scope and may be retained indefinitely without deletion upon request.

Backup Retention:

Backups containing personal data:

Retained for 30 days
Automatically overwritten
Not used for restoration unless catastrophic failure
Subject to same security as live data

SECTION 14: YOUR RIGHTS

14.1 GDPR Rights (EEA/UK Residents)

Right of Access (Article 15):

Obtain confirmation we process your data
Receive a copy of your data
Learn processing purposes, categories, recipients
Request time: 30 days, free of charge

Right to Rectification (Article 16):

Correct inaccurate personal data
Complete incomplete data
Immediate effect on live data
Backups updated on next cycle

Right to Erasure / "Right to be Forgotten" (Article 17):

Delete data when no longer necessary
Withdraw consent (where consent is legal basis)
Object to processing (legitimate interest basis)
Exception: Anonymized data cannot be "erased" (already anonymized)

Right to Restriction (Article 18):

Limit processing while accuracy is contested
Suspend processing pending objection resolution
Retain data but not actively process

Right to Data Portability (Article 20):

Receive personal data in structured, machine-readable format
Transmit data to another controller
API export available
Limitation: Only data YOU provided, not derived data

Right to Object (Article 21):

Object to processing based on legitimate interest
Object to direct marketing (absolute right)
Object to profiling and automated decision-making
We must stop unless compelling legitimate grounds

Right to Not Be Subject to Automated Decisions (Article 22):

Not be subject to solely automated decisions with legal/significant effects
Right to human review
Right to explanation
Our Practice: All significant decisions include human review

14.2 CCPA/CPRA Rights (California Residents)

Right to Know:

Categories of personal information collected
Categories of sources
Business purposes for collection
Categories of third parties we share with
Specific pieces of information we hold about you

Right to Delete:

Request deletion of personal information
Exceptions: Legal obligations, fraud prevention, internal uses

Right to Correct:

Correct inaccurate personal information

Right to Opt-Out of Sale/Sharing:

Opt-out of "sales" (including data licensing)
Opt-out of "sharing" for cross-context behavioral advertising
Link: [Do Not Sell My Personal Information]

Right to Limit Use of Sensitive Personal Information:

Limit use to necessary purposes only
If applicable to data we collect

Right to Non-Discrimination:

No discrimination for exercising CCPA rights
No denial of service
No different pricing (except reasonably related to value)

14.3 How to Exercise Rights

Contact Methods:

Email: privacy@cognitiva.systems
Subject Line: "[RIGHT NAME] Request - [Your Name]"
Include: Full name, email address, account details (if applicable)

Identity Verification:

To prevent unauthorized access:

We may request additional identifying information
Account holders: Login verification
Non-account holders: Email confirmation or ID verification
Processing may be delayed if identity cannot be confirmed

Response Time:

GDPR: 30 days (extendable to 90 days if complex)
CCPA: 45 days (extendable to 90 days if necessary)
Urgent requests: Flagged for expedited handling

No Fee:
First request is free. Excessive or repetitive requests may incur reasonable administrative fee.

Authorized Agent (CCPA):

California residents may designate an authorized agent:

Provide signed permission
Agent must verify your identity and their authority
We may contact you directly to confirm

SECTION 15: SECURITY MEASURES

15.1 Technical Safeguards

Encryption:

Data in transit: TLS 1.3
Data at rest: AES-256
Database encryption
Backup encryption

Access Controls:

Multi-factor authentication (MFA) required
Role-based access control (RBAC)
Least privilege principle
Regular access reviews
Automated session termination

Network Security:

Firewall protection
Intrusion detection systems (IDS)
Distributed Denial of Service (DDoS) mitigation
Virtual Private Cloud (VPC) isolation
Network segmentation

Application Security:

Secure development lifecycle
Code review and testing
Vulnerability scanning
Penetration testing (annual)
Bug bounty program

15.2 Organizational Safeguards

Personnel:

Background checks for security-sensitive roles
Confidentiality agreements
Security awareness training
Incident response training
Segregation of duties

Vendor Management:

Vendor security assessments
Data Processing Agreements (DPAs)
Regular audits
Subprocessor approval process

Physical Security:

Data centers with 24/7 monitoring
Biometric access controls
Video surveillance
Environmental controls
Redundant power and cooling

15.3 Incident Response

Breach Detection:

24/7 security monitoring
Automated anomaly detection
Log analysis
Threat intelligence integration

Breach Response:

Contain: Isolate affected systems
Assess: Determine scope and impact
Notify: Affected individuals, authorities (if required)
Remediate: Fix vulnerabilities
Review: Post-incident analysis

Notification Timeline:

GDPR: 72 hours to supervisory authority (if high risk)
CCPA: Without unreasonable delay
Affected individuals: Concurrent with authority notification

What We Tell You:

Nature of breach
Categories and approximate number affected
Likely consequences
Measures taken
Contact point for questions

SECTION 16: COOKIES AND TRACKING

16.1 Cookie Categories

Strictly Necessary:

Session management
Authentication
Security features
Load balancing

Not Used: NO strictly necessary cookies can be declined.

Performance/Analytics:

Google Analytics (anonymized IP)
Error tracking
Feature usage metrics

Can Decline: YES, but impacts product improvement.

Functional:

Language preferences
Interface customization
Saved settings

Can Decline: YES, but impacts user experience.

Marketing:

Conversion tracking
Retargeting pixels
Social media integrations

Can Decline: YES, no impact on core functionality.

16.2 Cookie Control

Banner: Displayed on first visit with granular consent options.

Manage Settings: Available at privacy-settings page anytime.

Do Not Track: We respect DNT signals from browsers.

Third-Party Cookies:
We limit third-party cookies to essential service providers.

16.3 Analytics Details

Google Analytics:

IP anonymization enabled
Demographics/interest reports disabled
Data retention: 14 months
Data sharing with Google: disabled

Purpose: Understand how users interact with our site to improve experience.

Opt-Out: https://tools.google.com/dlpage/gaoptout

SECTION 17: CHILDREN'S PRIVACY

17.1 Age Restrictions

Minimum Age: 18 years or age of majority in your jurisdiction.

Verification: Self-certification during signup.

Enforcement: Suspension upon discovery of underage users.

17.2 Parental Rights

If we learn we have collected data from a child:

Account suspended immediately
Data deleted within 30 days
Parent/guardian notified (if contact info available)
No further processing

Parent Contact: privacy@cognitiva.systems with "Child Privacy" subject line.

17.3 Campaign Content Involving Minors

If campaigns target/involve minors (educational, youth programs):

Client Obligations:

Obtain required parental consents
Verify age-appropriate content
Comply with COPPA/local equivalents
Flag minor-related content

Our Safeguards:

Enhanced anonymization
Manual content review
Restricted data sharing
No AI training on minor-related content (unless educational research with ethics approval)

SECTION 18: CHANGES TO THIS POLICY

18.1 Update Process

Review Frequency: At least annually

Triggers for Updates:

Regulatory changes
Business model changes
New processing activities
Security incident learnings
User feedback

18.2 Notification

Material Changes:

Email notification to account holders
Prominent banner on website
30 days before effective date
Option to object or close account

Non-Material Changes:

Updated policy posted
"Last Updated" date changed
No proactive notification

18.3 Continued Use

Continued use after effective date constitutes acceptance of updated policy.

Objection:
If you object to material changes:

Close your account before effective date
Request data export
Data deleted per Section 13

SECTION 19: CONTACT AND COMPLAINTS

19.1 Privacy Team Contact

General Inquiries:
Email: privacy@cognitiva.systems
Response Time: 48 hours for urgent, 5 business days for general

Data Subject Rights Requests:
Email: privacy@cognitiva.systems
Subject: "[RIGHT NAME] Request"
Response Time: 30 days (GDPR), 45 days (CCPA)

EU Representative:
Email: eu-datarights@cognitiva.systems

Security Issues:
Email: security@cognitiva.systems
Response Time: 24 hours for critical issues

19.2 Supervisory Authority Complaints

EEA/UK Residents:

You have the right to lodge a complaint with your Data Protection Authority:

Lead Supervisory Authority (if established):
[To be determined based on EU establishment]

Find Your Local DPA:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK:
Information Commissioner's Office (ICO)
https://ico.org.uk/make-a-complaint/

19.3 California Attorney General

California Residents:

CCPA violations may be reported to:

California Attorney General
Privacy Unit
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

SECTION 20: DEFINITIONS

Anonymization: Irreversible transformation preventing re-identification.

Controller: Entity determining purposes and means of processing.

Personal Data: Information relating to identified or identifiable individual.

Processing: Any operation on personal data (collection, storage, use, etc.).

Processor: Entity processing data on behalf of controller.

Special Category Data: Sensitive data under GDPR Article 9 (health, biometric, etc.).

EFFECTIVE DATE

This Privacy Policy is effective as of 15 April 2026.

Previous version: [LINK TO ARCHIVED VERSION]

END OF PRIVACY POLICY

Document Version: 2.0
Last Reviewed: 15 April 2026
Next Review: [INSERT DATE + 12 months]
Approved By: [Legal Counsel Name], [Date]

QUICK REFERENCE

Your Rights:

Access your data
Correct inaccurate data
Delete your data
Opt-out of data sales
Object to processing

Contact:

privacy@cognitiva.systems
eu-datarights@cognitiva.systems (EU residents)

Key Points:

We license anonymized data (Section 11.7)
We train AI on anonymized data (Section 4.4)
You can opt-out (may limit features)
Data revenue funds competitive pricing
Anonymized data retained indefinitely

Transparency:

No hidden data uses
Clear revenue model
Client opt-out available
Annual public reporting