Privacy Policy
Last updated: February 7, 2026
1. Introduction
CognitoBuddy ("we," "our," or "us") is an AI-powered visual knowledge management platform that helps users build interconnected mind maps and track learning progress. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application at cognitobuddy.vercel.app (the "Service"). Please read this policy carefully. By using the Service, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and password (stored in hashed form). We also record your account creation date and last sign-in timestamp.
2.2 User-Generated Content
We store the knowledge maps, concepts, connections, and other learning content you create within the Service. This includes map titles, descriptions, node labels, difficulty levels, and the spatial layout of your maps.
2.3 Learning Progress Data
We track your learning activity to provide personalized insights, including confidence levels per concept, review history, study session durations, focus timer usage, streak data, and spaced repetition scheduling.
2.4 Billing Information
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store your Stripe customer ID, subscription status, and billing period dates. We do not store credit card numbers, bank account details, or other sensitive financial information on our servers.
2.5 Google Calendar Data (Cortex Tier)
If you enable Google Calendar integration (available on the Cortex plan), we request access to create and manage calendar events related to your study plans. We store OAuth tokens securely to maintain the connection. We only access calendar data necessary for syncing your study schedule and do not read or modify unrelated calendar events.
2.6 AI Processing Data
When you use AI-powered features (concept expansion, semantic search), your content is sent to third-party AI providers for processing. We track API usage (request counts, token usage, costs) for operational purposes. We do not use your content to train AI models.
2.7 Automatically Collected Information
We automatically collect certain technical information when you access the Service, including your IP address, browser type, device type, and pages visited. This data is collected through standard web server logs and analytics provided by our hosting platform (Vercel).
3. How We Use Your Information
- To provide, maintain, and improve the Service
- To personalize your learning experience with AI-powered features
- To track your learning progress, streaks, and study analytics
- To process subscription payments and manage your account
- To sync study plans with Google Calendar (if enabled)
- To send transactional emails (account verification, password resets, billing receipts)
- To monitor and prevent abuse, fraud, and security threats
- To comply with legal obligations
4. Third-Party Service Providers
We use the following third-party services to operate the Service. Each provider has its own privacy policy governing its use of data:
- Supabase — Database hosting, user authentication, and backend infrastructure. Your data is stored in Supabase-managed PostgreSQL databases with row-level security enforced.
- Stripe — Payment processing for subscription billing. Stripe handles all sensitive payment data in compliance with PCI-DSS standards.
- Vercel — Web application hosting and deployment. Vercel processes standard web traffic data.
- OpenRouter / AI Providers — AI-powered features including concept expansion and semantic search. Content is processed but not retained for model training.
- Google — Calendar integration (Cortex tier only) via OAuth 2.0 for syncing study schedules.
5. Data Security
We implement industry-standard security measures to protect your data, including:
- All data is transmitted over HTTPS with TLS encryption
- Passwords are hashed and never stored in plain text
- Row-level security (RLS) policies ensure users can only access their own data
- OAuth tokens are stored securely with encryption at rest
- Admin actions are logged in an audit trail
- Regular security reviews and updates
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your account data and user-generated content for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records for tax compliance). API usage logs are retained for up to five years for cost tracking and auditing.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Objection: Object to certain processing of your data
- Restriction: Request that we limit processing of your data
To exercise any of these rights, contact us at support@cognitobuddy.com. We will respond within 30 days.
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell your personal information to third parties.
9. European Residents (GDPR)
If you are a resident of the European Economic Area (EEA), we process your personal data under the following legal bases: consent (for optional features like Google Calendar integration), contract performance (to provide the Service), and legitimate interests (for security, analytics, and service improvement). You have the right to withdraw consent at any time and to lodge a complaint with your local data protection authority.
10. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete such information promptly.
11. Cookies and Tracking
We use essential cookies and local storage to maintain your authentication session and user preferences (such as theme settings). We do not use third-party advertising cookies or cross-site tracking. Our hosting provider (Vercel) may collect standard web analytics data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: support@cognitobuddy.com