Cognitivess Cognitivess AI
Services API Approach Contact Get started

Legal

Privacy Policy

How CognitivessAI collects, uses and protects your personal data — compliant with the EU General Data Protection Regulation (GDPR) and Romania's Law 190/2018.

Last updated: July 2026

In short: We are an EU-based company. We collect only what's needed to run your account, your API usage and your payments. We do not use your prompts or model outputs to train any AI model. You can access, export or delete your data at any time. This page explains the details.

On this page

  • 1. Data controller
  • 2. What data we collect
  • 3. Legal basis for processing
  • 4. How we use your data
  • 5. Prompts, outputs & local mode
  • 6. Who we share data with
  • 7. International data transfers
  • 8. How long we keep data
  • 9. Cookies & similar technologies
  • 10. Security
  • 11. Your rights (GDPR)
  • 12. Data breach notification
  • 13. Children's privacy
  • 14. Changes to this policy
  • 15. Contact us

1. Data controller

CognitivessAI, a company registered and operating in the European Union (Romania), is the data controller responsible for your personal data under Article 4(7) GDPR. This policy covers our website (cognitivess.com), the API platform (api.cognitivess.com), the cognitivess CLI, and related services (collectively, "the Service").

If you have any question about how we handle your data, you can reach us at [email protected].

2. What data we collect

We keep data collection to the minimum required to operate the Service. We split it into data you give us and data we collect automatically.

2.1 Information you provide

  • Account information: your email address (used as your login and identifier). We do not require your real name.
  • Support & contact messages: anything you send us through the contact form, by email, or in a support request — including any prompt or output content you choose to paste in to help us debug an issue.
  • Career inquiries: if you submit a CV through the contact form, the file and the details you provide in it.

2.2 Information collected automatically

  • API key metadata: the names and fingerprints of the keys you generate, their scope (full / read-only), usage limits, and last-used timestamps.
  • Usage & billing metadata: per-request token counts (input, output, cached), the model requested, cost (real and billed), request status (ok / error), latency, time-to-first-token, and timestamps. This is stored per request to power your usage dashboard and billing.
  • Payment metadata: your Stripe customer ID, subscription status, and credit balance/transactions. Your card number is never stored by us — it is handled entirely by Stripe.
  • Technical data: IP address, approximate region (country-level), and basic browser/device characteristics, collected for security and abuse prevention.
  • Session data: an authentication cookie (session) containing a signed JWT, used to keep you logged in. It is HttpOnly and expires after your session window.

3. Legal basis for processing

Under Article 6 GDPR, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — to create your account, serve your API requests, compute usage, and process payments, all of which are necessary to deliver the Service you signed up for.
  • Legal obligation (Art. 6(1)(c)) — to retain billing/tax records and to respond to lawful requests from authorities where required by EU or Romanian law.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud and abuse prevention, rate limiting, and keeping the Service running and improving. These interests are balanced against your rights and never override them.
  • Consent (Art. 6(1)(a)) — for any non-essential processing where we ask for your explicit consent (for example, certain cookies or optional communications). You can withdraw consent at any time.

4. How we use your data

  • To create and manage your account and authenticate your sessions.
  • To operate the API: routing requests, counting tokens, computing cost, and enforcing quotas and rate limits.
  • To process payments via Stripe and maintain your credit balance and subscription.
  • To display your usage, billing and recent requests in your dashboard.
  • To detect, prevent and investigate fraud, abuse, and security incidents.
  • To respond to your support requests.
  • To comply with legal obligations.

We do not use your data for profiling that produces legal or similarly significant effects about you.

5. Prompts, outputs & local mode

This is the part most people care about, so we state it plainly: we do not use your inputs or outputs to train any AI model.

When you call the cloud-hosted model (Cognitivess-1), your prompts and responses are processed transiently to fulfil your request. We retain the metadata described in section 2 (token counts, cost, latency, status) — but the full prompt and response bodies are only kept where you have explicitly enabled request logging (the Logs & Replay feature), and you can disable or clear that at any time.

If you run a model locally with cognitivess --local, your prompts and outputs are processed entirely on your own machine. They are never sent to us.

6. Who we share data with

We do not sell your personal data. We share it only with the processors needed to run the Service, under Article 28 GDPR data processing agreements:

  • Model inference provider — routes your API requests to the upstream model serving Cognitivess-1.
  • Stripe — handles all payments. Card data is collected directly by Stripe and never touches our servers.
  • Cloud infrastructure & database hosting — where the Service is deployed and your metadata is stored.
  • Email & communications — for transactional and, with your consent, marketing email.

We may also disclose data when required by EU or Romanian law, or to protect the rights, property or safety of CognitivessAI, our users, or others.

7. International data transfers

Because some of our processors operate outside the EU (for example, model inference and Stripe), your data may be transferred to third countries. Where this happens, we ensure appropriate safeguards are in place as required by Chapter V GDPR — such as Standard Contractual Clauses (SCCs) adopted by the European Commission, and — where the destination is the US — participation in an adequacy framework such as the EU-US Data Privacy Framework. You can request a copy of the safeguards used by contacting us.

8. How long we keep data

We keep your data only as long as needed for the purposes in this policy, then delete or anonymise it.

  • Account information: kept while your account is active; deleted when you close your account, subject to legal retention obligations.
  • Usage & request metadata: retained to operate your dashboard and billing; older records are aggregated or deleted after the period needed for reporting.
  • Request/response bodies (Logs & Replay): kept only if you enable it, and cleared when you disable it or on a rolling window.
  • Billing & credit records: retained as required by Romanian tax and accounting law (typically 10 years for accounting documents).
  • Session cookies: expire after your session window or when you log out.

9. Cookies & similar technologies

We use only the cookies strictly necessary for the Service to function:

  • Session cookie (session): stores your signed authentication token so you stay logged in. It is HttpOnly and is not used for tracking or advertising.
  • Security cookies: if applicable, to protect against abuse (e.g. CSRF or rate-limit tokens).

Because these cookies are strictly necessary, we do not require a consent banner for them under the ePrivacy Directive. We do not use advertising, marketing or cross-site tracking cookies. You can clear cookies in your browser at any time; note that this will log you out.

10. Security

We implement technical and organisational measures appropriate to the risk: encrypted authentication tokens, hashed credentials, least-privilege access, and monitoring for abuse. However, no method of transmission over the internet or electronic storage is completely secure. If you have a security concern, please contact us immediately.

11. Your rights (GDPR)

As a data subject in the EU/EEA, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Restriction — ask us to limit processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format and, where technically feasible, have it transmitted to another controller.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdrawal of consent — at any time, for processing based on your consent, without affecting lawfulness before withdrawal.
  • Right to lodge a complaint — with the Romanian supervisory authority, ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, dataprotection.ro), or with the authority in your EU member state, if you believe our processing infringes your rights.

To exercise any of these rights, email [email protected]. We will verify your identity and respond within one month (extendable by two further months for complex requests, in which case we will inform you of the extension and the reason).

12. Data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also inform you directly without undue delay.

13. Children's privacy

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, please contact us and we will promptly delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by providing a more prominent notice. We encourage you to review this page periodically.

15. Contact us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

CognitivessAI
Email: [email protected]
Phone: +40 769 317 205

© 2024– Cognitivess. All rights reserved.

Cognitivess Cognitivess

We build the entire AI value chain for your business.

Navigation

Services Approach Contact

Legal

Privacy Policy Terms of Service

Connect

© 2024- Cognitivess. All rights reserved.