CognitoDoc Privacy Policy

Last Updated: November 10, 2025

We respect your privacy. This Privacy Policy explains how CognitoDoc ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our desktop software ("Software"), website, or account services.

Key Summary: We collect hardware identifiers to generate a unique machine fingerprint for license verification and local data encryption. This data never leaves your device unless you send us a support request. We do not track your documents or AI queries.

1. Who We Are

**INNOWARE LTD**, trading as CognitoDoc, is a company registered in England and Wales (Company No. [14918694]). We are the data controller. CognitoDoc is a desktop application for building local, private AI-powered knowledge bases. We are based in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

2.1 Account Data (When You Sign Up or Log In)

Email address
Hashed password
Subscription plan
Login timestamps (website and desktop app)
IP address (temporary, for fraud prevention)

Lawful Basis: Contract (to provide your account and license)

2.2 Hardware Fingerprint (License Verification & Encryption)

We collect non-personal technical identifiers from your computer to:

Verify your license is used on authorized devices
Generate a machine-bound encryption key to protect your local knowledge base

Data Collected	Source	Used For
Machine Architecture	`platform.machine()`	Fingerprint + encryption key
Processor Type	`platform.processor()`	Fingerprint + encryption key
Operating System	`platform.system()`	Fingerprint + encryption key
CPU ID	`wmic cpu get ProcessorId` (Win) or fallback	Fingerprint + encryption key
Disk Serial Number	`wmic diskdrive get SerialNumber` or `lsblk -o SERIAL`	Fingerprint + encryption key
BIOS Serial Number	`wmic bios get SerialNumber` or fallback	Fingerprint
Motherboard Serial Number	`wmic baseboard get SerialNumber` or fallback	Fingerprint

Fallback Values: If real hardware IDs are unavailable (e.g., VM, restricted OS), we generate deterministic placeholders (e.g., disk_stable_abc123) using a hash of architecture + processor. These are not real serial numbers and cannot identify you.

How It’s Used:

All valid identifiers → combined → SHA-256 hashed → first 32 chars = Hardware Fingerprint
Subset (machine, processor, OS, CPU ID, disk) + salt → SHA-256 → 32-byte key → Base64 URL-safe encoded = Encryption Key

Lawful Basis: Legitimate Interests (prevent piracy, secure local data)

2.3 Usage & Telemetry (Optional, Opt-Out)

App version, OS version
Feature usage (e.g., “used AI query”)
Crash reports (anonymized)

You can disable this in Settings > Privacy.

Lawful Basis: Consent (you can opt out)

2.4 Support Requests

If you contact us, we may receive:

Your email and message
Logs or fingerprints (only if you include them)

2.5 Payment Data (Via Stripe)

When you subscribe or purchase (e.g., Ultimate plan), we use Stripe to process payments. Stripe collects:

Name, email, billing address (for verification)
Payment details (card number, expiry—encrypted; we never store full cards)
Transaction ID, amount, subscription status
Last 4 card digits (for your account display)

Lawful Basis: Contract (to fulfill your purchase/subscription).

Retention: Transaction records kept for 7 years (UK tax law); Stripe retains per their policy.

Full details: See Stripe's Privacy Policy.

5. Data Sharing

Firebase (Google): Authentication, database, analytics
Payment Processor: Stripe (name, email, billing info, payment method details for processing subscriptions and one-off payments). Stripe complies with UK GDPR as our processor under a Data Processing Addendum.
Legal Requirement: Only if required by UK law

We do not share hardware fingerprints or documents with Stripe. For international users, Stripe may transfer data to the US under the UK Extension to the EU-US Data Privacy Framework and Standard Contractual Clauses.

3. How We Use Your Data

License Validation: Compare fingerprint against your account
Local Encryption: Bind your knowledge base to your machine
Account Management: Login, subscription, support
Improve Software: Anonymous analytics and crash reports

We do NOT:

Access your documents or knowledge base
Store AI queries sent to third parties (OpenAI, etc.)
Sell or share your data with advertisers

4. Data Storage & Security

Local Data: Your documents and encryption key never leave your device
Cloud Data: Account + fingerprint stored in Firebase (Google Cloud, UK/EU servers)
Encryption: Data in transit (TLS 1.3), at rest (AES-256)
Retention:
- Account data: until you delete your account
- Fingerprint: tied to license, deleted on account closure
- Telemetry: 90 days (anonymized)

5. Data Sharing

Firebase (Google): Authentication, database, analytics
Payment Processor: Stripe (email, last 4 card digits, transaction ID)
Legal Requirement: Only if required by UK law

We do not share hardware fingerprints with third parties except for support (with your consent).

6. Your Rights (UK GDPR)

You have the right to:

Access your data
Correct inaccurate data
Delete your account and data
Object to processing (e.g., telemetry)
Data portability
Withdraw consent (for optional features)

Email us at cognitodoc@outlook.com to exercise your rights. We respond within 30 days.

7. International Transfers

Firebase may process data in the US under the UK-US Data Bridge and Standard Contractual Clauses.

8. Children

Our Software is not for children under 16. We do not knowingly collect their data.

9. Changes to This Policy

We may update this policy. Major changes will be notified via email or in-app alert.

10. Contact Us

Email: cognitodoc@outlook.com