Cognitor Privacy policy
Cognitor respects your privacy. This policy explains what personal data we process, for what purposes, how long, with whom we share it and what your rights are, in a multi-country model with emphasis on Brazil for Portuguese-language users.
1. Data controller / Operator
The controller of personal data is the entity operating the Cognitor site and service:
Legal name: [to be defined — country of incorporation below]
Country of incorporation / principal seat: [to be defined — e.g. Brazil, Portugal, United States]
Full address: [to be defined]
CNPJ or local tax ID: [to be defined — e.g. CNPJ in Brazil, NIF in the EU, EIN in the US, if applicable]
General email: [to be defined]
Privacy / data subject email: privacidade@cognitor.example (replace)
Data protection officer (DPO / LGPD officer): [to be defined or «not applicable»] — [email]
2. Scope
This policy applies to: visitors to the public website (landing); contacts collected for the waitlist or product communications; registered portal users (account, settings, language preference); customers with paid or trial subscriptions.
3. Personal data we process
Depending on your interaction, we may process:
- Identity and contact: email address, name or profile identifier when you sign in with an identity provider (e.g. name and email from Google), preferred language.
- Account and subscription: user ID on the authentication platform, plan or subscription metadata used to authorise access to content (weekly documents, podcasts, briefings, special content), relevant dates.
- Payment data: as a rule, card and sensitive financial data are processed by the payment provider (Stripe). The Operator may receive customer identifiers, subscription status and minimum data for billing and legal compliance.
- Technical and security: IP address, device and browser type, security logs, cookies or session tokens required for the portal, server request timestamps.
- Communications: support request records, marketing preferences where applicable.
We do not routinely request sensitive data (health, racial origin, etc. under LGPD or special categories under GDPR). Do not send such data by email or forms.
4. Purposes and legal bases (multi-jurisdictional reference)
Bases vary by country. The table summarises typical references for EU/EEA (GDPR) and Brazil (LGPD); the Operator should finalise mapping with counsel in the Operator's country and other relevant markets.
| Purpose | GDPR (EU/EEA) — reference | LGPD (Brazil) — reference |
|---|---|---|
| Operate site and portal, authentication, abuse prevention and security | Contract / pre-contract; legitimate interest (Art. 6(1)(b), (f)) | Contract; legitimate interest (Art. 7, V and IX as applicable) |
| Subscription, billing and support | Contract; legal obligation (Art. 6(1)(b), (c)) | Contract; legal obligation (Art. 7, II and V) |
| Waitlist, newsletters and Cognitor marketing | Consent or legitimate interest as appropriate (Art. 6(1)(a), (f)) | Consent or legitimate interest (Art. 7, I and IX), case-by-case and ANPD guidance |
| Product improvement, aggregate metrics, stability | Legitimate interest; consent for non-essential cookies | Legitimate interest or consent (Art. 7), as applicable |
| Defence in judicial or administrative proceedings | Legitimate interest or legal obligation (Art. 6(1)(c), (f)) | Regular exercise of rights or legal obligation (Art. 7, II and VI) |
5. Processors and sub-processors
We use third-party services that may process data on our behalf under applicable contracts (including DPAs and standard clauses where required):
- Google (Firebase Authentication, Firestore and related) — account, session and user metadata;
- Google Cloud Storage — private storage of content files (PDF, audio); access is controlled on the portal server after permission checks;
- Stripe — payments, billing and subscription management portal;
- Hosting and infrastructure (e.g. Vercel or equivalent) — application execution and HTTP delivery.
An up-to-date list of sub-processors can be requested by email to the privacy address. Those vendors may also act as independent controllers on their platforms under their policies.
6. International transfers
Some providers may process data outside your country, Brazil or the EEA. Brazil: LGPD and ANPD rules on international transfers apply. EU/EEA: where the GDPR applies, we may use safeguards such as EU Commission Standard Contractual Clauses or adequacy decisions. Other countries: local requirements (e.g. US) may apply.
7. Retention
- Account and contract: for the relationship and, after termination, as long as needed for legal obligations (tax, etc.) and rights defence — periods vary by Operator country and law.
- Marketing / waitlist: until consent withdrawal or objection, and at most [24] months after last contact without relevant interaction (adjust with counsel).
- Security logs: [90] days unless legal defence or investigation requires longer.
8. Cookies and similar technologies
The portal may use cookies or local storage strictly necessary for session and security. If we enable non-essential analytics or marketing tools, we will request consent where required (LGPD, Brazilian Marco Civil, EU cookie/ePrivacy rules, ANPD guidance, etc.).
9. Your rights
Brazil (LGPD): under Arts. 18 et seq. of Law 13.709/2018, you may request confirmation of processing, access, correction, anonymisation, portability, deletion, information on sharing, withdrawal of consent where applicable, and objection to processing based on legitimate interest. Complaints to the ANPD — www.gov.br/anpd.
EU/EEA (GDPR): access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and complaint to the supervisory authority in your country of residence or work (e.g. CNIL, ICO, AEPD, CNPD).
Other countries: additional rights may exist under local law (e.g. US state laws); check applicable channels.
Requests: privacidade@cognitor.example (replace). We may ask for proof of identity before disclosing or changing data.
10. Minors
The Service is not directed at people under 18 (or the age of majority or digital capacity required in your jurisdiction). We do not knowingly collect data from minors; if you become aware of this, contact us for deletion.
11. Changes to this policy
We will publish the updated version on this page. If the change is material, we will notify by email or through the portal when possible.
Last revised: 28 March 2026.
General terms of use: Terms of use.