Privacy Policy
Effective date: June 2, 2026 Last updated: June 2, 2026
Plain-language summary. Cogito is an AI philosophy-research assistant. To give you answers, we send the things you type and the files you upload to an AI provider (Anthropic) and a small number of other service providers that run the app. We do not sell or share your personal information, and we don't show ads. You can ask us to access, correct, export, or delete your data at any time by emailing williamchastain2005@gmail.com. This summary is for convenience only; the full terms below govern.
This document is provided in good faith and is accurate to the operation of the service, but it is not legal advice and is not a substitute for review by a licensed attorney.
1. Who we are
Cogito (the "Service") is operated by William Chastain, an individual sole proprietor doing business as "Cogito" ("we", "us", or "our"). We are based in the State of California, United States.
For any privacy question or to exercise your rights, contact us at:
- Email: williamchastain2005@gmail.com
- Service: https://cogito.williamchastain.com
We are the data controller for the personal information described in this policy.
2. Information we collect
We collect only what we need to run the Service.
2.1 Information you provide
- Account & identity information. When you create an account, authentication is handled by our identity provider, Clerk. Clerk collects and stores your email address, authentication credentials (e.g., password or social-login identifiers), and basic profile details. We store the Clerk-issued user ID that identifies your account.
- Conversation content. The prompts, questions, and messages you send, and the assistant's responses, are stored so you can return to your conversations. This includes conversation titles and the research mode you select.
- Uploaded documents. If you upload a file (PDF, text, or markdown, up to 2 MB), we store the file and the text extracted from it so the assistant can reference it during your conversation. Please do not upload information you are not authorized to share, or sensitive personal information (see Section 2.4).
2.2 Information we generate or collect automatically
- Usage and billing data. Your subscription plan (Free, Pro, or Max), token-usage counts, computed usage cost, billing-cycle dates, and your citation-format preference. If you close your account, we keep a minimal, pseudonymized record of your recent usage to enforce our free-plan limits (see Section 7).
- Payment identifiers. If you subscribe to a paid plan, payment is processed by Stripe. We do not receive or store your full card number. We store only the Stripe customer and subscription identifiers that let us manage your subscription.
- Technical/session data. Standard data needed to operate a secure web application, such as the session cookie set by Clerk. See Section 6.
2.3 California "categories of personal information" (CCPA/CPRA)
For transparency, the categories of personal information we have collected in the past 12 months, mapped to the statutory categories, are:
| Statutory category | Do we collect it? | Examples |
|---|---|---|
| Identifiers | Yes | Account ID, email (via Clerk); a one-way hashed email is briefly retained after account deletion for abuse prevention (see Section 7) |
| Customer records / financial information | Limited | Subscription status; Stripe identifiers (no card data stored by us) |
| Commercial information | Yes | Plan tier, transaction and usage records |
| Internet or network activity | Limited | Usage counts, session data |
| Contents of communications | Yes | Your prompts, messages, and uploaded documents |
| Geolocation data | No | — |
| Biometric information | No | — |
| Sensitive personal information | Not intentionally | We do not request it; do not upload it (see 2.4) |
| Audio/visual/thermal/olfactory | No | — |
| Professional/employment information | No | — |
| Education information | No | — |
| Inferences/profiles | No | We do not build advertising or behavioral profiles |
2.4 We do not want your sensitive data
We do not ask for special-category or "sensitive" personal information (such as health, racial or ethnic origin, religious beliefs, precise geolocation, government IDs, or financial account numbers). Because conversations and uploads are free-form, please do not enter or upload sensitive personal information about yourself or others.
3. How we use your information
We use your information to:
- provide the Service — generate AI research responses to your prompts and uploaded materials;
- maintain your account, conversations, and uploaded files;
- enforce usage limits and process subscriptions and payments;
- secure the Service, prevent abuse, and debug problems; and
- comply with our legal obligations.
We do not use your conversations or uploads to serve advertising, and we do not sell or share your personal information (see Section 8).
4. How AI processing works
Cogito is an artificial-intelligence service; responses are generated by a machine, not a human. To produce a response:
- The text of your prompts and the text extracted from your uploaded files are sent to our AI provider, Anthropic (the Claude API), which processes them to generate a response.
- To find relevant references, the Service may send search terms derived from your request (not your account identity) to external research sources: the Stanford Encyclopedia of Philosophy, the Internet Encyclopedia of Philosophy, arXiv, and Wikipedia.
We rely on our AI provider's commitments regarding the handling of data submitted through its API. We encourage you to review Anthropic's privacy policy (linked in Section 5).
5. Service providers (sub-processors)
We share personal information with a limited set of service providers ("sub-processors") that process it only on our behalf and on our instructions to operate the Service. We do not authorize them to use it for their own purposes.
| Provider | Purpose | What it processes | Privacy policy |
|---|---|---|---|
| Anthropic | AI model that generates responses | Your prompts and uploaded file text | https://www.anthropic.com/legal/privacy |
| Clerk | Authentication and account management | Email, credentials, profile, session | https://clerk.com/legal/privacy |
| Stripe | Subscription payments | Billing details and payment method (collected directly by Stripe) | https://stripe.com/privacy |
| Vercel (incl. Vercel Blob) | Application hosting and file storage | App traffic; your uploaded files | https://vercel.com/legal/privacy-policy |
| Neon | Database hosting (PostgreSQL) | Account, conversation, and usage records | https://neon.tech/privacy-policy |
| Inngest | Background job processing | Triggers file-processing tasks | https://www.inngest.com/privacy |
The following providers are part of our infrastructure but do not currently process your personal information: Qdrant stores our public-domain reference corpus (Project Gutenberg philosophy texts), not user data; and Nomic (text embeddings) is reserved for a planned full-text upload-search feature that is not currently active. If that feature launches, this policy will be updated before your uploads are embedded, and this table will be revised accordingly.
We may also disclose information if required by law, to enforce our Terms of Service, or to protect the rights, safety, or property of our users or the public.
6. Cookies, tracking, and Do-Not-Track
- Cookies we use. We use only the strictly necessary session cookie set by our authentication provider (Clerk) to keep you signed in. This cookie is required for the Service to function.
- No analytics or advertising. We do not use third-party analytics, advertising, behavioral-tracking, or fingerprinting cookies or pixels.
- Do-Not-Track (DNT). Because we do not track you across third-party websites or over time, we do not change our behavior in response to browser "Do Not Track" signals. We treat all users the same regardless of any DNT signal.
7. Data retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Conversations, messages, and uploaded files are kept until you delete them or close your account. Deleting a conversation or file removes the associated records and the stored file from our file storage.
- When you close your account, associated conversations, messages, uploads, and usage records are deleted by cascade. You may also email us to request deletion (see Section 8).
- Abuse-prevention record. When you close your account, we retain a minimal, pseudonymized record solely to enforce our free-plan usage limits and prevent their circumvention by repeatedly deleting and re-creating accounts. This record contains a one-way cryptographic hash of your email address (from which your email cannot be recovered), your recent usage total, and the date your current usage window began — and no conversation content, uploads, name, or readable email. We keep it only for as long as it is useful for this purpose — at most until your usage window elapses (about 35 days) — after which it is automatically deleted.
- Billing records held by Stripe may be retained by Stripe to meet its own legal, accounting, and tax obligations, independent of our deletion.
We may retain limited information where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
8. Your privacy rights
Depending on where you live, you may have some or all of the rights below. We extend these rights to all users as a matter of practice, to the extent they apply to us.
- Access / know — what personal information we hold about you and how we use it.
- Correction — fix inaccurate information.
- Deletion — delete your account and associated data.
- Portability / export — receive a copy of your data in a portable format.
- Object / restrict — object to or restrict certain processing.
- Limit use of sensitive information — we do not intentionally collect sensitive personal information, so there is generally nothing to limit.
- Non-discrimination — we will not deny service, charge a different price, or provide a different quality of service because you exercised your rights.
We do not sell or share your personal information for cross-context behavioral advertising or any other purpose, and we have not done so. Because we do not sell or share, we do not provide a "Do Not Sell or Share My Personal Information" link.
How to exercise your rights. Email williamchastain2005@gmail.com. We will verify your request against your account and respond within 30 days (we will tell you if we need more time, where the law allows). You may use an authorized agent where the law permits.
Exception for abuse prevention. When you delete your account, we remove your personal data as described in Section 7, except a minimal, pseudonymized usage record we retain to detect and prevent fraud and abuse of our free-plan limits (for example, GDPR Art. 17(3) and the comparable CCPA fraud-prevention exception). This record cannot be used to identify you and is deleted automatically once it is no longer needed (see Section 7).
8.1 For users in the EU / EEA / UK (GDPR & UK GDPR)
- Controller: William Chastain (contact above).
- Lawful bases: we process your information to perform our contract with you (Art. 6(1)(b) GDPR) — i.e., to provide the Service you signed up for — and on our legitimate interests (Art. 6(1)(f)) in securing the Service and preventing abuse, where those interests are not overridden by your rights. Where we ever rely on consent, you may withdraw it at any time.
- International transfers. We and our sub-processors are located in, or transfer data to, the United States. Such transfers are protected by appropriate safeguards, such as the EU-US Data Privacy Framework and/or Standard Contractual Clauses, where applicable.
- Complaints. You may lodge a complaint with your local supervisory authority, though we encourage you to contact us first.
8.2 For users in California (CCPA/CPRA)
You have the rights to know, delete, correct, and opt out of the sale/sharing of personal information, and to limit the use of sensitive personal information. As noted above, we do not sell or share personal information, and we do not collect sensitive personal information for the purpose of inferring characteristics. We do not knowingly process the personal information of anyone under 18 (see Section 10).
9. Security
We protect your information using industry-standard measures, including encryption in transit (HTTPS), access controls, scoped per-user storage, and private (non-public) storage of uploaded files. Service-to-service requests are authenticated with secret tokens.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential.
10. Children's privacy
The Service is not intended for anyone under 18 years of age, and we do not knowingly collect personal information from children. If you believe a minor has provided us personal information, contact us at williamchastain2005@gmail.com and we will delete it.
11. International users
The Service is operated from the United States, and your information is processed and stored in the United States and other jurisdictions where our sub-processors operate. By using the Service, you understand that your information will be processed in the United States. For EU/EEA/UK transfer safeguards, see Section 8.1.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate or legally required, notify you (for example, by email or an in-app notice). Your continued use of the Service after changes take effect means you accept the updated policy.
13. Contact us
Questions, requests, or complaints:
William Chastain (Cogito) Email: williamchastain2005@gmail.com
See also our Terms of Service.