GDPR Compliance

Cognistase is fully GDPR compliant. We process personal data exclusively on valid legal bases and with full transparency. This is not a checkbox exercise. Privacy is foundational to how we built the platform.

Legal basis for processing

We process personal data based on explicit consent (Article 6(1)(a) GDPR). For special category data, including health-related developmental assessment data, we rely on explicit consent under Article 9(2)(a). Consent is granular: you consent to each specific type of processing separately, and you can withdraw consent for any processing activity at any time.

Your rights under GDPR

  • Right of access: request a copy of all data we hold about you and your child at any time
  • Right to rectification: correct inaccurate data immediately
  • Right to erasure: request deletion of all data, executed through cryptographic erasure
  • Right to data portability: export your data in a standard, machine-readable format
  • Right to object: object to specific processing activities at any time
  • Right to restriction: request that we stop processing while a dispute is resolved

Where your data lives

All data is processed and stored on servers within the European Union. We use self-hosted infrastructure on a dedicated server in Germany. No data is transferred to or processed in the United States or any other jurisdiction outside the EU. This is not a configuration option. The infrastructure is physically located in the EU and managed by our team.

Data Protection Impact Assessment

We have completed a Data Protection Impact Assessment (DPIA) as required for processing that is likely to result in a high risk to the rights and freedoms of individuals. The DPIA covers all processing activities involving children's developmental data and is reviewed and updated when processing activities change.

Data Protection Officer

You can reach our Data Protection Officer for any privacy-related questions or requests. Contact details are available on the contact page.

Sub-processors

We maintain a current list of sub-processors involved in providing the service. All sub-processors are EU-based and bound by data processing agreements that meet GDPR requirements. We notify users before adding new sub-processors.

Data Processing Agreement

Organizations using Cognistase can download a standard Data Processing Agreement (DPA) that meets GDPR requirements. The DPA covers all processing activities, sub-processor obligations, and data subject rights. Contact us for the signing process.