Privacy Policy
Last updated 14 July 2026
This policy explains what personal data Cognaby (“we”, “us”) collects, why, and your rights over it. We are the data controller for the personal data described here. Questions or requests? Email privacy@cognaby.com.
What we collect
- Account details: your email address, a display name you choose, and the year of birth you give at signup (for our age requirement).
- Study material you upload: the notes, documents or text you add. We extract the text to make cards; we do not store your original uploaded files, and document text is never written to our logs.
- Study data: the decks and cards created for you, your reviews, sessions and progress, and preferences such as timezone, reminders and accessibility settings.
- Technical data: basic information needed to run the Service securely (for example, to sign you in, prevent abuse and keep the app working).
How we use it
- to provide the Service, creating cards from your material and scheduling your reviews;
- to sign you in and keep your account secure;
- to prevent abuse and stay within cost limits;
- to fix problems and improve the Service.
Our lawful bases (UK GDPR) are: performance of our contract with you (to run the Service), our legitimate interests (security, preventing abuse, improving the product), consent where we ask for it, and legal obligationwhere the law requires. We do not use your content for advertising, and we do not sell your data.
Who processes your data (sub-processors)
We use a small number of trusted providers to run the Service. They process your data only on our instructions and only to provide their part of the Service:
- Supabase: database, authentication and hosting of your account and study data.
- Cloudflare: application hosting/CDN and bot protection (Turnstile) on sign-in.
- Vercel AI Gateway: routes your study text to the AI model that generates your cards. Through it, text may be processed by OpenAI, Google and Anthropic as model providers. This is how your uploads become cards.
- Resend: sends your sign-in code and other transactional emails.
- Stripe: payment processing (only if and when paid plans are enabled).
Some of these providers may process data outside the UK/EEA. Where they do, appropriate safeguards (such as standard contractual clauses) apply.
How long we keep it
We keep your data for as long as your account is active. When you delete your account (from Settings), your account and the data linked to it (decks, cards, reviews, sessions and connections) are erased. Some records may persist briefly in backups before being overwritten on their normal cycle.
Your rights
Under UK GDPR you have the right to:
- access your data, and export it: download a full copy any time from Settings;
- correct inaccurate data;
- erase your data: delete your account any time from Settings;
- object to or restrict certain processing, and withdraw consent where processing relies on it;
- complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.
Children
Cognaby is not for children under 16. We ask for your year of birth at signup and do not permit accounts below that age. If you believe a younger child has created an account, contact us and we will remove it.
Security
We protect your data with row-level access controls (so your data is only ever accessible to you), encrypted connections, and least-privilege access to our systems. No system is perfectly secure, but we take reasonable, industry-standard measures.
Changes
We may update this policy as the Service evolves. We’ll change the “last updated” date above and, for material changes, tell you in the app.
Contact
For any privacy question or to exercise your rights, email privacy@cognaby.com.