Privacy Policy

How Cognistase collects, uses, stores, and protects your personal data and your child's data.

Effective Date: April 10, 2026
Version: 1.0
Last Modified: April 10, 2026

Crealot Publications Limited, trading as Cognistase ("Cognistase," "we," "us," or "our"), is committed to protecting the privacy of our users and, most importantly, the children whose data is entrusted to our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our website, platform, and related services (collectively, the "Service").

This Privacy Policy is provided in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR") as applicable to our EU-based users, and all other applicable data protection legislation.


1. Data Controller

The data controller responsible for the processing of your personal data is:

Crealot Publications Limited (trading as Cognistase)
Registered in England and Wales
Email: privacy@cognistase.com
Data Protection Officer: dpo@cognistase.com

Our Data Protection Officer (DPO) is available to answer any questions regarding the processing of your personal data. The DPO reports directly to the board and operates independently from the engineering and product teams.


2. Categories of Personal Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash; we never store or see your plaintext password)
  • Account preferences (language, notification settings)
  • Payment information (processed and stored by our PCI DSS-compliant payment processor; we do not store your complete payment card details)

2.2 Child Developmental Data (Special Category Data)

When you use the Service to create child profiles, the data you provide may include:

  • Child's first name or pseudonym (as chosen by you)
  • Date of birth or age range
  • Developmental assessment results and scores
  • Clinical observations and professional evaluations
  • Educational documents (uploaded reports, school correspondence)
  • Notes and observations entered by parents or professionals
  • Developmental profile data generated by the Service

This data qualifies as special category data (health-related data) under Article 9 of the GDPR and is processed only on the basis of your explicit consent.

2.3 Usage Data

We collect limited technical data necessary to operate, secure, and improve the Service:

  • Pages visited and features used within the platform
  • Timestamps of actions
  • Device type and browser type
  • IP address (anonymized and not stored permanently)
  • Error logs and performance metrics

2.4 Communication Data

If you contact us (e.g., via email or through the platform), we collect and retain the content of your communication and our response for customer support and record-keeping purposes.

2.5 Data We Do NOT Collect

We want to be explicit about what we do not collect:

  • We do not collect location data (GPS or network-based).
  • We do not collect social media profiles or identifiers.
  • We do not collect browsing history outside our platform.
  • We do not collect biometric data.
  • We do not use advertising identifiers or tracking pixels.
  • We do not deploy third-party analytics tools (such as Google Analytics, Meta Pixel, or similar services).

3. Purposes and Legal Basis for Processing

Purpose | Data Categories | Legal Basis (GDPR)
Account creation and management | Account data | Art. 6(1)(b), Performance of a contract
Providing developmental profiling features | Child developmental data | Art. 6(1)(a) + Art. 9(2)(a), Explicit consent
AI-assisted education plan document generation | Child developmental data | Art. 6(1)(a) + Art. 9(2)(a), Explicit consent
Executive Planner (task support for children) | Usage data, de-identified interaction data | Art. 6(1)(a) + Art. 9(2)(a), Explicit consent
Peer Matching features | De-identified interest profiles | Art. 6(1)(a) + Art. 9(2)(a), Explicit consent
Professional access to shared child data | Child developmental data | Art. 6(1)(a), Explicit consent of the parent/guardian
Payment processing | Payment information | Art. 6(1)(b), Performance of a contract
Service security and fraud prevention | Usage data, technical logs | Art. 6(1)(f), Legitimate interest
Compliance with legal obligations | As required by law | Art. 6(1)(c), Legal obligation
Customer support | Communication data | Art. 6(1)(b), Performance of a contract
Service improvement (aggregated, anonymized) | Anonymized usage statistics | Art. 6(1)(f), Legitimate interest

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.


4. Children's Data Protection

4.1 Parental Consent

In accordance with Article 8 of the GDPR and the UK Data Protection Act 2018 (which sets the age of digital consent at 13 in the UK), children under 13 (UK) or under the applicable age set by national law in their EU Member State cannot create accounts or consent to data processing. Only a parent or legal guardian may create child profiles and consent to the processing of a child's personal data.

4.2 Granular Consent

We implement a per-child, per-module consent model. This means:

  • Consent is requested separately for each child profile you create.
  • Consent is requested separately for each module of the Service (e.g., Asynchronicity Monitor, Document Engine, Executive Planner, Peer Matching).
  • You may enable or disable individual modules for each child at any time.
  • Withdrawal of consent for one module does not affect the other modules.

4.3 Minimization of Child Data

We apply strict data minimization principles to child data:

  • We collect only the developmental data necessary to provide the specific features you have enabled.
  • Child profiles do not require a surname, address, or any identifying information beyond what you choose to provide.
  • You control what identifying information, if any, is associated with your child's profile.

4.4 De-Identification Before AI Processing

Before any child data is processed by our AI systems, personal identifiers are stripped from the data. The AI processes clinical and developmental data points only. It does not know whose data it is processing. This de-identification is a mandatory, non-optional step in our processing pipeline.


5. How We Use AI and Automated Processing

5.1 AI Processing Overview

The Service uses AI to provide several features, including developmental profiling, education plan document drafting, and task planning support. We believe you have a right to understand how AI processes your data.

5.2 Transparency Principles

  • All AI-generated content is clearly labeled as AI-generated.
  • AI outputs are presented as editable drafts for your review and approval.
  • Clinical calculations (scores, percentiles, indices) are performed by separate, validated calculation software and are not produced by the AI model itself.
  • We do not use your personal data or child data to train, fine-tune, or improve generalized AI models. Your data is used exclusively to provide the Service to you.

5.3 No Fully Automated Decision-Making

In accordance with Article 22 of the GDPR, we do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. All AI-generated outputs in Cognistase are reviewed by a human (you, the user) before any action is taken.

5.4 Right to Explanation

You have the right to request an explanation of how any AI-generated output was produced. You may contact us at dpo@cognistase.com to exercise this right.


6. Data Sharing and Recipients

6.1 We Do Not Sell Your Data

We do not sell, rent, lease, or trade your personal data or child data to any third party. Period.

6.2 We Do Not Share Data for Advertising

We do not share any data with advertising networks, data brokers, social media platforms, or marketing companies.

6.3 Limited Sharing Within the Service

Within the Service, data is shared only as follows:

  • Teacher Bridge: If you choose to share specific information with an educator via Teacher Bridge, only the data you explicitly select for sharing (e.g., a developmental profile chart and tailored recommendations) is made accessible to that educator through a time-limited, read-only link. The educator does not gain access to your full account or child profile.
  • Professional Access: If you explicitly authorize a professional (e.g., psychologist, therapist) to access your child's data within the platform, that professional can view only the data within the scope of the authorization you provide. You may revoke this authorization at any time.

6.4 Sub-Processors

We use a limited number of sub-processors, all located within the European Union:

Sub-Processor | Purpose | Data Access | Location
EU-based hosting provider | Infrastructure and server hosting | Encrypted data only (no access to plaintext) | EU (Germany)
EU-based payment processor | Payment processing | Payment transaction data only | EU

We maintain a complete and current list of sub-processors. We will notify you of any changes to our sub-processors at least 30 days in advance, and you have the right to object to the appointment of a new sub-processor.

6.5 Legal Obligations

We may disclose personal data if required to do so by law or in response to a valid and binding order from a competent authority (e.g., a court order or regulatory request). In such cases, we will:

  • Verify the validity and scope of the request.
  • Disclose only the minimum data necessary to comply.
  • Notify you of the disclosure unless prohibited by law from doing so.
  • Document the disclosure in our audit trail.

6.6 No Cross-Border Transfers

All personal data is stored and processed within the European Union and the European Economic Area. We do not transfer personal data to any country outside the EU/EEA. We do not use public cloud AI APIs that could route data internationally. All AI processing occurs on our privately managed, EU-based infrastructure.


7. Data Storage and Security

7.1 Infrastructure

All data is stored on privately managed servers located within the European Union (Germany). We do not use US-based public cloud providers (such as AWS, Google Cloud, or Microsoft Azure) for the storage or processing of personal data or child data.

7.2 Encryption

  • In transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
  • At rest: All stored data is encrypted using AES-256-GCM.
  • Per-record encryption: Each record is encrypted with its own unique Data Encryption Key (DEK). This enables cryptographic erasure (see Section 8.10).
  • Key management: Encryption keys are stored in a separate, dedicated key management system with strict access controls.

7.3 Access Controls

  • We implement strict role-based access controls across all systems.
  • Our staff cannot access your child's clinical data in plaintext under normal operating conditions.
  • All access to personal data is logged in an immutable audit trail.
  • Multi-factor authentication is enforced for all staff with access to infrastructure.

7.4 PHI Isolation

Clinical and developmental data is stored in a separate, isolated network segment (the "PHI Isolation Zone"). This segment has additional access controls, monitoring, and security measures beyond those applied to other data.

7.5 Security Testing

We conduct regular security assessments, including:

  • Regular vulnerability scanning
  • Penetration testing by independent third parties
  • Security code reviews
  • Incident response drills

7.6 Incident Response

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours, as required by Article 33 of the GDPR.
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.
  • Document the breach, its effects, and the remedial actions taken.

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data. You can access and export your data at any time through the self-service data export feature in your account.

8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. You can edit your personal data directly in your account settings at any time.

8.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data. See Section 8.10 for details on our erasure process.

8.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing of your personal data. You can restrict processing per child and per module through the consent controls in your account.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV). You may exercise this right through the self-service data export feature or by contacting us.

8.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data where processing is based on our legitimate interest (Article 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

8.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing. As described in Section 5.3, all AI outputs are presented as drafts for your review. No automated decision produces legal effects concerning you without your explicit review and action.

8.8 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw consent at any time. You may do so through your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

8.9 Exercising Your Rights

You may exercise any of these rights by:

  • Using the self-service features in your account (where available).
  • Contacting our Data Protection Officer at dpo@cognistase.com.

We will respond to your request within 30 days. If your request is complex, we may extend this period by an additional 60 days, in which case we will inform you within the initial 30-day period.

We will not charge a fee for processing your request, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

8.10 Cryptographic Erasure

When you request deletion of your data, we perform cryptographic erasure:

  1. The unique encryption key (DEK) associated with your records is permanently destroyed.
  2. Without the key, the encrypted data is mathematically impossible to decrypt or read.
  3. This process renders your data permanently and irrecoverably inaccessible, even in backup systems.
  4. Erasure is completed within 30 days of your request.

This approach exceeds the GDPR's requirements for data erasure by ensuring that data cannot be recovered from backups or residual storage.


9. Data Retention

9.1 Active Accounts

We retain your personal data for as long as your account is active and for the period necessary to provide the Service to you.

9.2 After Account Termination

After you terminate your account:

  • Your data is retained for 30 days to allow you to request a data export or reactivate your account.
  • After the 30-day period, all personal data is permanently erased through cryptographic erasure.
  • Exception: certain data may be retained for longer periods where required by applicable law (e.g., financial records for tax compliance, or audit logs for regulatory compliance). Such data is retained only for the minimum legally required period.

9.3 Audit Logs

Immutable audit logs recording system access events and data processing activities are retained for a minimum of 7 years, as required for regulatory compliance. Audit logs do not contain clinical or developmental data; they contain only metadata about actions performed on the system (who accessed what, when, and what action was taken).

9.4 Anonymized Data

Truly anonymized, aggregated data (from which no individual can be identified, directly or indirectly) is not personal data under the GDPR and may be retained indefinitely for statistical, service improvement, and research purposes.


10. Cookies

We use only strictly necessary cookies required for the operation of the Service. We do not use tracking cookies, advertising cookies, or third-party cookies. For full details, please see our Cookie Policy.


11. International Compliance

11.1 UK GDPR, Data Protection Act 2018, and EU GDPR

Cognistase is fully compliant with the UK General Data Protection Regulation (UK GDPR) as retained in UK law, the Data Protection Act 2018, and the EU General Data Protection Regulation (EU) 2016/679 as applicable to our EU-based users. We adhere to the highest standard of data protection across both jurisdictions.

11.2 EU AI Act

As a provider of AI-based services involving children, health-related data, and educational decisions, Cognistase is classified as a high-risk AI system under the EU AI Act (Regulation (EU) 2024/1689). We comply with all applicable requirements, including risk management, data governance, transparency, human oversight, and accuracy standards. For details, see our AI Transparency page.

11.3 HIPAA Alignment

While Cognistase operates under EU law, we voluntarily align with the HIPAA Safe Harbor de-identification standard as an additional protective measure. This means that 18 categories of personal identifiers are removed from data before AI processing.

11.4 Data Protection Impact Assessment

We have completed a Data Protection Impact Assessment (DPIA) covering all personal data processing activities across all modules of the Service. The DPIA is reviewed annually and updated whenever significant changes are made to data processing activities.


12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant authority is:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113

If you are located in the European Union, you also have the right to lodge a complaint with the supervisory authority of the EU Member State in which you reside, work, or where the alleged infringement occurred.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Modified" and "Version" indicators at the top of this page.
  • Notify you by email at least 30 days before the changes take effect.
  • Display a prominent notice on the Service.

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you should stop using the Service and contact us to exercise your data subject rights.

We maintain a version history of all prior versions of this Privacy Policy, available upon request.


14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Data Protection Officer
Email: dpo@cognistase.com

General Privacy Inquiries
Email: privacy@cognistase.com

Security Concerns
Email: security@cognistase.com


This Privacy Policy was last updated on April 10, 2026.