Legal

Privacy Policy

Last updated: July 1, 2026

1. Information We Collect

Account Information: When you create an account, we collect your name, email address, and password (stored as a one-way hash). We never store plaintext passwords.

API Keys: When you register model provider credentials (Google, NVIDIA, custom endpoints), they are encrypted using AES-256-GCM encryption before storage. Your keys are never logged, cached, or exposed in plaintext.

Usage Data: We collect anonymized telemetry including request counts, latency metrics, model selection patterns, and error rates. This data is used solely to improve platform reliability.

Chat History: Conversation messages between you and AI models are stored in your account's database. You can delete any chat session at any time.

2. How We Use Your Data

Service Operation: Your data is used exclusively to provide, maintain, and improve the CognyFlow platform.

Model Routing: We use your model preferences and request patterns to optimize routing decisions and fallback chains.

Security: We use authentication data to protect your account and prevent unauthorized access.

We never sell your data. We do not share personal information with third parties for marketing or advertising purposes.

3. Data Storage & Security

All data is stored in encrypted databases with AES-256-GCM encryption at rest.

API keys are encrypted with per-user encryption keys derived using PBKDF2.

All connections use TLS 1.3 with forward secrecy.

Session tokens use JWT with HS256 signing and automatic expiration.

Database backups are encrypted and stored in geographically redundant locations.

4. Third-Party Providers

When you send a message using a model provider (Google Gemini, NVIDIA NIM, DeepSeek), your prompt is transmitted to that provider's API. Each provider has their own privacy policy governing how they handle your data.

CognyFlow acts as a gateway — we route your requests but do not store copies of prompts or responses on third-party infrastructure.

For custom endpoints, data is transmitted directly to your specified server. CognyFlow does not intercept or cache this data.

5. Your Rights

Access: You can request a full export of your personal data at any time.

Deletion: You can delete your account and all associated data. This is irreversible.

Portability: You can export your chat history, model configurations, and settings in JSON format.

Correction: You can update your profile information at any time through the dashboard.

Opt-out: You can disable anonymized telemetry collection in your account settings.

6. Cookies

CognyFlow uses a single essential cookie (`auth-token`) for session authentication.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

The session cookie is HttpOnly, Secure, SameSite=Strict, and expires after 7 days.

7. Data Retention

Active accounts: Data is retained for the duration of your account.

Deleted accounts: All personal data is permanently deleted within 30 days of account deletion.

Anonymized usage metrics may be retained indefinitely for platform improvement.

8. Contact

For privacy-related inquiries, please contact us at privacy@cognyflow.dev

For data deletion requests, use the account settings page or email privacy@cognyflow.dev