CognitoDoc Privacy Policy

Last Updated: January 05, 2026

We respect your privacy. This Privacy Policy explains how CognitoDoc ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our desktop software ("Software"), website, or account services.

Key Summary: We collect hardware identifiers to generate a unique machine fingerprint for license verification and local data encryption. This data never leaves your device unless you send us a support request. We do not track your documents or AI queries.

1. Who We Are

**INNOWARE LTD**, trading as CognitoDoc, is a company registered in England and Wales (Company No. [14918694]). We are the data controller. CognitoDoc is a desktop application for building local, private AI-powered knowledge bases. We are based in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

2.1 Account Data (When You Sign Up or Log In)

Email address
Hashed password
Subscription plan
Login timestamps (website and desktop app)
IP address (temporary, for fraud prevention)

Lawful Basis: Contract (to provide your account and license)

2.2 Hardware Fingerprint (License Verification & Encryption)

We collect non-personal technical identifiers from your computer to:

Verify your license is used on authorized devices
Generate a machine-bound encryption key to protect your local knowledge base

Data Collected	Source	Used For
Machine Architecture	`platform.machine()`	Fingerprint + encryption key
Processor Type	`platform.processor()`	Fingerprint + encryption key
Operating System	`platform.system()`	Fingerprint + encryption key
CPU ID	`wmic cpu get ProcessorId` (Win) or fallback	Fingerprint + encryption key
Disk Serial Number	`wmic diskdrive get SerialNumber` or `lsblk -o SERIAL`	Fingerprint + encryption key
BIOS Serial Number	`wmic bios get SerialNumber` or fallback	Fingerprint
Motherboard Serial Number	`wmic baseboard get SerialNumber` or fallback	Fingerprint

Fallback Values: If real hardware IDs are unavailable (e.g., VM, restricted OS), we generate deterministic placeholders (e.g., disk_stable_abc123) using a hash of architecture + processor. These are not real serial numbers and cannot identify you.

How It’s Used:

All valid identifiers → combined → SHA-256 hashed → first 32 chars = Hardware Fingerprint
Subset (machine, processor, OS, CPU ID, disk) + salt → SHA-256 → 32-byte key → Base64 URL-safe encoded = Encryption Key

Lawful Basis: Legitimate Interests (prevent piracy, secure local data)

2.3 Usage & Telemetry (Optional, Opt-Out)

App version, OS version
Feature usage (e.g., “used AI query”)
Crash reports (anonymized)

You can disable this in Settings > Privacy.

Lawful Basis: Consent (you can opt out)

2.4 Support Requests

If you contact us, we may receive:

Your email and message
Logs or fingerprints (only if you include them)

2.5 Payment Data (Via Stripe)

When you subscribe or purchase (e.g., Ultimate plan), we use Stripe to process payments. Stripe collects:

Name, email, billing address (for verification)
Payment details (card number, expiry—encrypted; we never store full cards)
Transaction ID, amount, subscription status
Last 4 card digits (for your account display)

Lawful Basis: Contract (to fulfill your purchase/subscription).

Retention: Transaction records kept for 7 years (UK tax law); Stripe retains per their policy.

Full details: See Stripe's Privacy Policy.

2.6 Cookies and Local Storage

We use strictly necessary cookies and local storage to keep you logged into your account (Firebase) and to ensure secure payment processing (Stripe). We do not use advertising or tracking cookies.

For details, see our Cookie Policy.

3. How We Use Your Data

License Validation: Compare fingerprint against your account
Local Encryption: Bind your knowledge base to your machine
Account Management: Login, subscription, support
Improve Software: Anonymous analytics and crash reports

We do NOT:

Access your documents or knowledge base
Store AI queries sent to third parties (OpenAI, etc.)
Sell or share your data with advertisers

4. Data Storage, Security & Retention

Local Data: Your documents, knowledge base, and machine-bound encryption keys never leave your device. We cannot recover this data if lost.
Cloud Data: Account details and hashed hardware fingerprints are stored via Firebase on secure servers (prioritizing UK/EU regions).
Retention:
- Account data is kept until you request deletion or after 24 months of inactivity.
- Financial records are kept for 7 years to comply with UK tax (HMRC) requirements.
- Telemetry data is anonymized and rotated every 90 days.

5. Third-Party Data Processors

We share limited data with the following service providers to operate CognitoDoc. We do not share your hardware fingerprints or documents with these partners.

Partner	Purpose	Data Shared
Google (Firebase)	Authentication & Database	Email, hashed password, login timestamps.
Stripe	Payment Processing	Name, email, billing address, and transaction metadata.
AI Providers	AI Functionality	Your prompts (sent directly via your API key). Review their policies for data retention.

For international users, data may be transferred to the US under the UK-US Data Bridge or Standard Contractual Clauses (SCCs).

6. Your Rights (UK GDPR)

You have the right to:

Access your data
Correct inaccurate data
Delete your account and data
Object to processing (e.g., telemetry)
Data portability
Withdraw consent (for optional features)

Email us at contact@cognitodoc.com to exercise your rights. We respond within 30 days.

7. International Transfers

Firebase may process data in the US under the UK-US Data Bridge and Standard Contractual Clauses.

8. Children

Our Software is not for children under 16. We do not knowingly collect their data.

9. Changes to This Policy

We may update this policy. Major changes will be notified via email or in-app alert.

10. Contact Us

Email: contact@cognitodoc.com