Legal

Privacy Policy

Last updated: 20 May 2026 · Effective: 20 May 2026

This Privacy Policy explains how Cognexiaai LLP ("Cognexia AI", "we", "us", "our") collects, uses, shares and protects your personal data when you use the Cognexia AI Legal platform ("Platform", "Service"). This Policy applies to all users globally and is designed to comply with:

  • 🇪🇺 EU General Data Protection Regulation (GDPR) 2016/679
  • 🇮🇳 Digital Personal Data Protection Act 2023 (DPDP Act) — India
  • 🇺🇸 California Consumer Privacy Act (CCPA) / CPRA
  • 🇦🇪 UAE Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL)
  • 🇸🇦 Saudi Personal Data Protection Law (PDPL) 2021
  • 🇬🇧 UK GDPR & Data Protection Act 2018
  • 🇸🇬 Singapore Personal Data Protection Act (PDPA) 2012
  • 🇦🇺 Privacy Act 1988 (Australia)

1. Who We Are

Cognexiaai LLP is an Indian technology company incorporated under the Companies Act 2013. We operate the Cognexia AI Legal platform ("CAILegal") — an AI-powered legal intelligence SaaS product available globally at cognexiaailegal.com.

Data Controller / Data Fiduciary

Cognexiaai LLP
Cognexia AI, India
Email: privacy@cognexiaai.com
Data Protection Officer: dpo@cognexiaai.com

2. Data We Collect

We collect the following categories of personal data:

Account Data

Full name, email address, password (hashed), country of registration, plan tier, subscription status, account creation date.

Usage & Query Data

Legal queries you submit to the platform, tool inputs (facts, jurisdiction, documents), AI-generated responses, session history.

Payment & Billing Data

Payment method details (processed by Razorpay — we do not store card numbers), subscription plan, transaction history, invoices.

Technical Data

IP address, browser type and version, device type, operating system, time zone, referring URL, pages visited, session duration, error logs.

Advocate Marketplace Data

For advocates: bar enrolment number, bar council, courts practised, specialisations, city/state, consultation fee, availability schedule, case statistics, reviews received.

Communication Data

Support tickets, contact form submissions, forum posts, questions and answers, appointment booking information.

Cookies & Analytics

Session cookies, authentication tokens, analytics identifiers (see Section 9).

⚠ Important: Do Not Enter Sensitive Personal Data

Please do not enter special categories of personal data (health, biometric, financial, criminal history, religious beliefs) into the platform unless strictly necessary for your legal query. We process such data solely on your instructions and do not use it for any other purpose.

3. How We Use Your Data

Provide the Service: Authenticate your account, process your legal queries through our AI engine, deliver results, maintain your session and conversation history.
Billing & Subscriptions: Process payments via Razorpay, manage subscription plans, apply credit deductions, send invoices and payment confirmations.
Platform Improvement: Analyse anonymised usage patterns to improve our AI models, features, and user experience. Individual queries are never used to train models without explicit consent.
Security & Fraud Prevention: Monitor for suspicious activity, prevent unauthorised access, enforce our Terms of Service, and protect the integrity of the platform.
Communications: Send transactional emails (password reset, billing receipts), important service notices, and (with consent) product updates and newsletters.
Legal Compliance: Comply with applicable laws, respond to lawful legal requests from courts or government authorities, maintain required records.
Advocate Marketplace: Display advocate profiles to prospective clients, facilitate booking of consultations, deliver client inquiries (leads) to advocates.
Research & Analytics: Generate anonymised aggregate statistics about platform usage, jurisdictions accessed, and feature adoption.

5. Data Sharing & International Transfers

We share personal data only with the following categories of recipients:

Anthropic (AI Processing) · USA — Standard Contractual Clauses (SCCs)

Your legal queries are processed by Anthropic's Claude API to generate AI responses. Anthropic processes data under a Data Processing Agreement and does not use your data for training purposes.

Razorpay (Payment Processing) · India — same jurisdiction

Payment card data and transaction information for subscription billing. Razorpay is PCI-DSS compliant.

Railway.app (Cloud Hosting) · USA — SCCs / adequacy decision

Backend infrastructure hosting. Our servers are operated on Railway's cloud platform.

Vercel (Frontend Hosting) · USA — SCCs

Frontend web application hosting.

Legal & Compliance · Jurisdiction-specific

We may disclose data to courts, regulators, or law enforcement where required by applicable law, subject to legal review.

We do not sell your personal data to third parties. We do not share data with advertising networks or data brokers.

6. AI Processing & Large Language Model Usage

The CAILegal platform uses large language model (LLM) technology powered by Anthropic's Claude API to generate legal research, draft documents, analyse cases, and provide legal intelligence. Key disclosures:

  • Your queries are transmitted to Anthropic's API servers for processing. Anthropic does not retain query data beyond the duration of the API call under our enterprise agreement.
  • AI-generated responses are NOT legal advice. They are research tools only. Always verify with a qualified lawyer before acting on any AI output.
  • We do not use your queries to train our own AI models unless you give explicit consent.
  • For document analysis, uploaded document content is processed by the AI and may be temporarily cached using Anthropic's Files API for efficiency. Cached files are deleted within 28 days.
  • We implement guardrails to prevent generation of harmful content. All outputs include appropriate legal disclaimers.

7. Data Retention

Account & profile data: Duration of account + 3 years after account closure
Legal query history / chat logs: 2 years from query date, or until you delete your account
Billing records: 7 years (statutory requirement under tax laws)
Payment transaction logs: 7 years
Technical logs & access logs: 90 days rolling
Advocate profiles: Duration of active registration + 1 year
Uploaded documents (Files API cache): 28 days (auto-deleted by Anthropic)
Marketing consent records: Until withdrawn + 5 years

After expiry of retention periods, data is securely deleted or anonymised. You may request earlier deletion (see Section 8 — Your Rights).

8. Your Rights

Depending on your country of residence, you have the following rights regarding your personal data:

Right of Access

Request a copy of all personal data we hold about you.

GDPR · DPDP · CCPA · UK GDPR

Right to Rectification

Request correction of inaccurate or incomplete data.

GDPR · DPDP · UK GDPR

Right to Erasure (Right to be Forgotten)

Request deletion of your personal data, subject to legal retention requirements.

GDPR · DPDP · CCPA · UK GDPR

Right to Data Portability

Receive your data in a machine-readable format (JSON/CSV).

GDPR · DPDP · UK GDPR

Right to Restrict Processing

Request we limit how we use your data while a dispute is resolved.

GDPR · UK GDPR

Right to Object

Object to processing based on legitimate interests.

GDPR · UK GDPR

Withdraw Consent

Withdraw consent for processing where consent was the basis.

GDPR · DPDP · CCPA · UK GDPR

Right to Non-Discrimination

We will not discriminate against you for exercising privacy rights.

CCPA · DPDP

Right to Nominate

Under DPDP 2023, you may nominate a person to exercise rights on your behalf in the event of death/incapacity.

DPDP (India)

Grievance Redressal

File a complaint with our Grievance Officer (India) or Data Protection Officer (EU).

DPDP · GDPR

How to Exercise Your Rights

Email us at privacy@cognexiaai.com with subject line "Privacy Rights Request". Include your full name, email address, and the specific right you wish to exercise. We will respond within 30 days (GDPR) / 21 days (DPDP Act India) / 45 days (CCPA).

9. Cookies & Tracking Technologies

Essential Cookies · Session / 30 days

Authentication (JWT session token), CSRF protection, user preferences. Cannot be disabled — required for the service to function.

Analytics · 90 days

Anonymous usage statistics to understand platform performance. We use privacy-first analytics that do not track you across sites or build advertising profiles.

Performance · Session

Measure page load times and identify technical errors.

We do not use third-party advertising cookies, cross-site tracking, or social media tracking pixels. You can manage cookie preferences via your browser settings.

10. Security

We implement the following security measures to protect your personal data:

TLS 1.3 encryption for all data in transit
bcrypt hashing for all user passwords
JWT tokens with short expiry + refresh rotation
PostgreSQL database with connection pooling and WAL encryption
IP-based rate limiting on authentication endpoints
Regular security dependency updates (Dependabot)
Access controls — least privilege principle
No storage of payment card data (Razorpay PCI-DSS tokenisation)

In the event of a personal data breach that risks your rights and freedoms, we will notify affected users and the appropriate supervisory authority within 72 hours (GDPR requirement) or within prescribed timeframes under applicable national law.

11. Children's Privacy

The CAILegal platform is intended for professional and legal use by adults aged 18 and above. We do not knowingly collect personal data from children under 18 years of age. If you believe a child has provided personal data to us, please contact us at privacy@cognexiaai.com and we will promptly delete such data.

12. India — Digital Personal Data Protection Act 2023 (DPDP Act)

As an Indian company, Cognexia AI is a Data Fiduciary under the DPDP Act 2023. We comply with all obligations including:

  • Obtaining free, specific, informed, unconditional and unambiguous consent before processing personal data
  • Providing a clear and plain language privacy notice at the time of data collection
  • Processing data only for the purpose specified in the notice
  • Ensuring accuracy of personal data that may be used for decisions affecting you
  • Implementing reasonable security safeguards under Section 8(5)
  • Deleting personal data and withdrawing consent requests as required under Section 9
  • Grievance Officer appointed — contact: grievance@cognexiaai.com — response within 21 days
  • In case of a data breach, notifying the Data Protection Board of India and affected Data Principals as prescribed

Grievance Officer (India): grievance@cognexiaai.com · Response within 21 days
Data Protection Board of India: You may file a complaint with the Board if your grievance is not resolved.

13. EU / UK — GDPR Rights

If you are located in the European Economic Area (EEA) or the United Kingdom, the following additional provisions apply:

  • Data Controller: Cognexiaai LLP, India
  • EU Representative (Article 27 GDPR): [EU Representative to be appointed] — eu-rep@cognexiaai.com
  • UK Representative (UK GDPR): [UK Representative to be appointed] — uk-rep@cognexiaai.com
  • International transfers to India are conducted under the EU-India Standard Contractual Clauses (SCCs) where required
  • You have the right to lodge a complaint with your national Data Protection Authority (DPA). EU DPAs: edpb.europa.eu/about-edpb/board/members_en. UK ICO: ico.org.uk
  • Automated decision-making: We do not make solely automated decisions that produce significant legal effects about you

14. California — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply. Additional rights include:

  • Right to Know: Know what personal information we collect, use, share and sell about you
  • Right to Delete: Request deletion of personal information we collected from you
  • Right to Opt-Out of Sale: We do NOT sell personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information
  • Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights
  • To exercise rights: email privacy@cognexiaai.com with subject 'California Privacy Rights'
  • Authorised Agent: You may designate an authorised agent to submit requests on your behalf

15. Contact & Data Protection Officer

General Privacy Queries

privacy@cognexiaai.com

For privacy questions, data subject requests, consent withdrawal.

Data Protection Officer (DPO)

dpo@cognexiaai.com

For GDPR / DPDP Act DPO contact, breach notifications, regulatory matters.

Grievance Officer (India — DPDP)

grievance@cognexiaai.com

For complaints under the DPDP Act 2023. Response within 21 days.

EU Representative (GDPR)

eu-rep@cognexiaai.com

For EU residents unable to contact us directly.

Changes to this Policy: We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the platform at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.