Privacy Policy

1. Who we are

Cognitive Lab ("Cognitive Lab", "we", "us", "our") is a company based in Canada that develops and provides CogniFlow, a self-learning supply chain and operations intelligence platform. This Privacy Policy explains how we handle personal information across our website, our communications, and the CogniFlow platform.

2. Scope & our roles

This Policy covers personal information we handle in two different capacities:

• As a controller — for information about visitors to our website, prospects, pilot applicants, and the individual users our customers authorise to access CogniFlow (for example, account and login details). We decide why and how this information is processed.
• As a processor (service provider) — for the business and operational data our customers load into, or connect to, CogniFlow. Our customer is the controller of that data; we process it on their behalf and under their instructions, governed by the customer agreement and, where applicable, a Data Processing Addendum (DPA). See Section 6.

3. Information we collect

3.1 Information you give us

• Contact & pilot enquiries: name, work email, company, role, and anything you choose to write in a message.
• Account information: for authorised users — name, email, role/permissions, and authentication credentials.
• Correspondence: records of your communications with us.

3.2 Information collected automatically

• Usage & device data: IP address, browser and device type, pages viewed, and similar diagnostic data, collected through standard logging and limited analytics.
• Cookies and similar technologies: see Section 13.

3.3 Customer data processed within CogniFlow

When a customer uses CogniFlow, the platform processes the business data they connect or upload (for example, records from ERP systems, documents, and operational signals). This data may contain personal information about the customer's own staff or contacts. We process it as a processor on the customer's behalf — see Section 6.

4. How we use information

• To provide, operate, secure and improve our website and the CogniFlow platform.
• To respond to enquiries, evaluate pilot applications, and communicate with you.
• To administer accounts, authenticate users, and enforce role-based access.
• To maintain security, prevent abuse, and meet legal and contractual obligations.
• To understand and improve how our website and product are used, in aggregate.

We do not sell personal information, and we do not display third-party advertising.

5. Legal bases for processing (EU/EEA & UK)

Where the GDPR (or UK GDPR) applies, we rely on the following legal bases:

• Contract — to provide services to you or your organisation.
• Legitimate interests — to operate, secure and improve our business, balanced against your rights.
• Consent — for optional communications and non-essential cookies, which you may withdraw at any time.
• Legal obligation — where the law requires us to process information.

6. Customer data in CogniFlow (our role as processor)

For data our customers process through CogniFlow:

• The customer is the controller and determines what data enters the platform and why.
• We process it only on documented instructions from the customer, to provide and support the service.
• We apply the technical and organisational safeguards described in our Data Security page.
• For the CogniFlow Secure deployment, the platform runs entirely inside the customer's own environment; in that model Cognitive Lab does not have access to the customer's operational data.
• A separate Data Processing Addendum is available to customers who require one (for example, under the GDPR).

7. Sharing & disclosure

We share personal information only as follows:

• Service providers (sub-processors): vetted vendors who help us run our business (for example, cloud hosting, email, analytics), bound by confidentiality and data-protection obligations and permitted to use the data only to provide services to us.
• Legal & safety: where required by law, regulation, or valid legal process, or to protect rights, safety and security.
• Business transfers: in connection with a merger, acquisition or sale of assets, subject to this Policy.

A current list of sub-processors is available to customers on request.

8. International data transfers

We are based in Canada and may process information in Canada, the United States and other countries. Where we transfer personal data out of the EU/EEA or UK, we use a lawful transfer mechanism — typically the European Commission's Standard Contractual Clauses (and the UK Addendum) — together with appropriate safeguards. Customers using CogniFlow Secure can keep all processing within their own environment and jurisdiction.

9. Data retention

We retain personal information only as long as necessary for the purposes described here, to comply with legal obligations, resolve disputes and enforce agreements. Customer data processed within CogniFlow is retained according to the customer agreement and the customer's instructions, and is deleted or returned on termination as set out there.

10. Your privacy rights

Subject to applicable law, you may have the right to access, correct, delete, or restrict processing of your personal information, to object to certain processing, to data portability, and to withdraw consent. Under Canada's PIPEDA you may access and correct your personal information held by us. To exercise any right, contact us (Section 16). Where we process data as a processor on a customer's behalf, we will refer your request to that customer.

11. US state privacy rights

Residents of certain US states (for example, California, Virginia, Colorado and others) may have rights to know, access, correct, delete and limit the use of their personal information, and to opt out of "sale" or "sharing" and targeted advertising. We do not sell or share personal information for cross-context behavioural advertising, and we do not serve targeted advertising. You may exercise applicable rights by contacting us, and we will not discriminate against you for doing so.

12. Security

We maintain administrative, technical and physical safeguards designed to protect personal information. For details of how we secure the CogniFlow platform and customer data, see our dedicated Data Security page.

13. Cookies & similar technologies

Our website uses essential cookies needed for it to function, and may use limited analytics to understand usage in aggregate. Where required, we request consent for non-essential cookies and provide controls to manage them. You can also control cookies through your browser settings.

14. Children

Our website and CogniFlow are intended for businesses and are not directed to children. We do not knowingly collect personal information from children.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a revised effective date and, where appropriate, provide additional notice.

16. Contact & complaints

To ask a question, exercise a right, or raise a concern, contact Cognitive Lab through the contact form on our website. If you are in the EU/EEA or UK and believe we have not resolved your concern, you may lodge a complaint with your local supervisory authority. In Canada, you may contact the Office of the Privacy Commissioner of Canada.

Questions about this document? Contact our privacy and security team via the contact form. We respond personally within 48 hours.