Cogno Privacy Policy (English Version / Delaware Law)

Version: v3.0
Effective Date: May 18, 2026
Last Revised: May 29, 2026

Genaxis Inc., a Delaware corporation ("Company," "we," "us," or "our"), provides this Privacy Policy (the "Policy") to describe how we handle personal information and Customer Data in connection with our service "Cogno" (the "Service").

Capitalized terms not defined in this Policy have the meanings given in the Cogno Terms of Service (English version) (the "Terms"). This English version of the Policy is the controlling version. Translations into Japanese or other languages may be provided for reference only; in case of any discrepancy, the English version prevails.

⚠ Note: A separate Japanese-language Privacy Policy governed by Japanese law applies to Customers based in Japan. The version corresponding to the Terms of Service that the Customer accepts at registration governs.


1. Basic Principles

The Company complies with applicable data protection laws, including the Act on the Protection of Personal Information of Japan (APPI), the EU General Data Protection Regulation (GDPR) where applicable, the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) where applicable, and Japan's Telecommunications Business Act (external transmission rule), and handles personal information and Customer Data in accordance with this Policy.


2. Information We Collect

The Company may collect the following information in providing the Service:

2.1 Account Information: name, email address, organization, role, profile image, and authentication credentials (passwords are stored as hashes).

2.2 Usage Information: IP address, device information, browser information, Cookie identifiers, access logs, operation logs, error logs, and performance data.

2.3 Integrated Service Data: data acquired from integrated services to the extent the Customer or End User has authorized such integration. Details are in Section 6.

2.4 Billing Information: information related to invoicing and payment of Fees. Credit card numbers themselves are processed by Stripe, Inc., and the Company does not retain them.

2.5 Inquiry Information: information submitted via inquiry forms and support correspondence history.


3. How We Collect Information

The Company collects information as follows:

3.1 Directly from the Customer or End User upon account registration and use of the Service.

3.2 Via API from integrated services, with the authorization of the Customer or End User.

3.3 Automatically as logs generated through use of the Service.

3.4 Via inquiry forms and support channels.


4. Purposes of Use

The Company uses collected information for the following purposes:

4.1 To provide, operate, maintain, and improve the Service.

4.2 To authenticate accounts and detect and prevent fraudulent use.

4.3 To respond to inquiries from Customers and End Users.

4.4 To bill Fees and process payments.

4.5 To send important announcements and incident notifications regarding the Service.

4.6 To improve the quality of the Service and develop features, using fully anonymized and aggregated data (subject to Section 8.6 of the Terms).

4.7 To comply with applicable laws.

The Company will not use collected information for purposes other than the above. We do not engage in advertising delivery, sale of information to third parties, or use of data for AI model training (see Section 7).


5. Disclosure to Third Parties

The Company will not disclose personal information to third parties without the consent of the data subject, except in the following cases:

5.1 As required by law.

5.2 When necessary to protect the life, body, or property of a person and it is difficult to obtain the data subject's consent.

5.3 When necessary for improving public health or for promoting the sound growth of children and it is difficult to obtain the data subject's consent.

5.4 When cooperating with a national agency, local government, or person commissioned by them in performing legally prescribed duties.

5.5 In the case of entrustment to the Company's Subprocessors (Section 10) (including cases that do not constitute "disclosure to third parties" under APPI).

5.6 In the case of business succession (merger, corporate split, business transfer, etc.).


6. Details of Information from Integrated Services

The Service collects information from the following integrated services with the authorization of the Customer or End User. Treatment is specified for each service.

6.1 Slack

Item | Detail
Data collected | Channel and direct message contents, threads, mentions, reactions, file attachments, user profiles, channel lists, workspace information
Purpose | To extract operational signals (task proposals, blocker detection, progress tracking) from team communications and provide Service features
Method | Slack Web API and Events API following Slack OAuth authorization
Excluded scope | Channels not explicitly authorized at integration; Slack admin-only feature information
Prohibition of secondary use | The Company will not use data acquired from Slack for purposes other than providing Service features (no advertising, resale, AI model training, etc.). This is an obligation under the Slack API Terms
Disconnection | Customers may disconnect at any time via Slack workspace settings or Service settings. Upon disconnection, the Company will delete such data within a reasonable time per Section 12

6.2 Google Workspace (Calendar, Meet, Drive, Sheets)

Google API Services User Data Policy (Limited Use) Compliance Declaration

The use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

For data acquired from Google APIs, the Company complies with the Limited Use requirements as follows:

  1. Purpose limitation: Used only to provide Service features to the Customer.
  2. No transfer to third parties except: (a) with the Customer's explicit consent; (b) for security purposes (fraud investigation, incident response); (c) for legal compliance or response to valid legal process; (d) to a successor in a merger or acquisition that maintains this Policy.
  3. No advertising use: Data will not be used for any advertising purpose, including personalized advertising.
  4. Limited human access: Human access to data by Company employees and others is limited to: (a) explicit Customer consent; (b) security purposes; (c) legal compliance; (d) aggregated and anonymized internal operations; (e) Customer-requested support (with Customer consent).
  5. No AI model training: Google user data will not be used to train or improve any general-purpose AI model or individualized AI model of the Company or any third party.

Item | Detail
Data collected | Calendar events, meeting participants, Google Meet recordings and transcripts, Drive files (as designated by Customer), Sheets contents (as designated by Customer)
Purpose | Automatic task drafting from meeting content, schedule awareness, reference to related documents
Excluded scope | Scopes not authorized at integration

6.3 GitHub

Item | Detail
Data collected | Repository information, Issues, Pull Requests, commit history, code review comments, organization and team member information
Purpose | Awareness of code repository activity, tracking Issue and PR progress, detecting stalled items, suggesting appropriate reviewers
Scope | Limited to repositories approved at GitHub App installation
Method | GitHub OAuth and GitHub App authorization
Prohibition of secondary use | The Company will not use data acquired from GitHub for purposes other than providing Service features. This is an obligation under the GitHub Terms of Service

6.4 Notion

Item | Detail
Data collected | Page titles, body content, database contents, comments, edit history
Purpose | Document-based knowledge reference, task creation, automatic linking of related information
Scope | Limited to workspaces and pages authorized in Notion integration settings

6.5 Microsoft Teams

Item | Detail
Data collected | Channel messages, team information, meeting recordings, user profiles
Purpose | Extraction of operational signals from team communications
Method | Microsoft Graph API


7. AI Processing

7.1 Use of AI Services

The Service uses the following AI services as Subprocessors to process Customer Data:

  • Anthropic, PBC (Claude series)
  • OpenAI, OpenAI Global, LLC (GPT series, Codex, etc.)
  • Other providers listed in the Subprocessor list (Section 10)

7.2 Prohibition of AI Model Training Use

In accordance with Section 8.4 of the Terms, the Company:

  1. Will not use Customer Data to train or improve the Company's AI models.
  2. Will not provide Customer Data to the above AI service providers for training their general-purpose AI models. Specifically, for the Anthropic API and OpenAI API, the Company applies opt-out settings for training use (Anthropic does not use API data for training by default; OpenAI Zero Data Retention or equivalent measures).
  3. Will not use Integrated Service Data for any AI model training under any circumstances, with or without Customer consent.

7.3 Location of AI Processing

AI processing may transit Anthropic's and OpenAI's servers (primarily located in the United States) on a transient basis. These providers operate as Subprocessors of the Company and are bound by this Policy and their own privacy terms.


8. Rights of Data Subjects

Customers and End Users have the following rights regarding their personal information:

8.1 Right of disclosure: to request disclosure of their personal information held by the Company.

8.2 Right of correction, addition, or deletion: to request correction, addition, or deletion of inaccurate personal information.

8.3 Right of suspension of use or erasure: to request suspension of use or erasure where the information has been handled beyond the necessary scope or obtained improperly.

8.4 Right to object to third-party disclosure: to request suspension of disclosure to third parties.

8.5 Right to data portability (GDPR-eligible individuals only): to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

8.6 Right to withdraw consent: to withdraw consent at any time for processing based on consent.

These rights may be exercised by contacting the Company at the address in Section 15. The Company will respond within a reasonable period (or within the period required by law) after verification of identity.


9. Cookies and Similar Technologies

9.1 The Service uses Cookies and similar technologies (including local storage; collectively, "Cookies") for the following purposes:

(a) maintaining login state (essential); (b) remembering language and theme preferences (functional); (c) analyzing usage (analytics, used with the user's consent).

9.2 In accordance with Japan's Telecommunications Business Act (external transmission rule), information regarding the transmission of Cookie IDs and other information from the Service to third parties (analytics providers, Subprocessors, etc.) is disclosed in this Policy or in a separately maintained "External Transmission Disclosure" page.

9.3 Users may reject Cookies through browser settings, but doing so may prevent some Service features from working.

9.4 For users in the EU or other regions where prior Cookie consent is legally required, the Company obtains consent via a Cookie banner on the Service.


10. Subprocessors

10.1 The Company uses the following categories of Subprocessors to provide the Service. A complete list (legal name, country of operation, services provided, data handling) is maintained at cogno.studio/subprocessors and updated as needed.

Category | Example Provider | Main Location
Cloud Infrastructure | Amazon Web Services, Inc., etc. | United States (regions used: Tokyo, US-East, etc.)
Authentication & Database | Supabase, Inc. or equivalent | United States
Payment Processing | Stripe, Inc. | United States
AI Services | Anthropic, PBC; OpenAI, OpenAI Global, LLC | United States
Monitoring & Logging | Sentry, Datadog, etc. | United States
Email Delivery | Resend, SendGrid, etc. | United States
Hosting | Vercel, Inc. | United States

10.2 When adding new Subprocessors, the Company will update the Subprocessor list and provide notice via its website or to Customers.

10.3 The Company shall impose on Subprocessors data protection obligations no less stringent than this Policy and the Terms.


11. International Data Transfers

11.1 Cross-Border Transfers

In providing the Service, personal information and Customer Data may be transferred to Subprocessors outside Japan (primarily in the United States).

11.2 Information on Destination Countries

Information on the data protection regimes in destination countries, measures taken by Subprocessors, and measures the Company takes (e.g., standard contractual clauses, encryption, access controls) is posted at cogno.studio/subprocessors.

11.3 Consent to Cross-Border Transfer

The Company obtains the user's consent to cross-border transfers under APPI Article 28 at the time the user starts using the Service or upon material changes. The user may withdraw such consent at any time via the contact in Section 15 or via Service settings. Withdrawal of consent may make all or part of the Service unavailable.

11.4 Safeguards at the Destination

In accordance with APPI Article 28, the Company implements the following reasonable measures to ensure Subprocessors maintain a protection level comparable to that in Japan:

  1. Concluding contracts with Subprocessors imposing data protection obligations no less stringent than this Policy and the Terms (including standard contractual clauses or equivalent).
  2. Verifying Subprocessor certifications (APEC CBPR, ISO 27001, SOC 2, etc.).
  3. Encrypting data in transit and at rest.

11.5 Additional Information for EU/UK Residents

When personal data of EU/UK residents is transferred to the United States, the Company implements appropriate safeguards under GDPR Article 46 (such as standard contractual clauses).


12. Retention Period

12.1 Customer account information is retained while the Customer uses the Service.

12.2 Integrated Service Data is retained while the integration is maintained. Upon disconnection, the Company will delete such data within a reasonable time.

12.3 Retention and deletion after termination follow Section 10.6 of the Terms (retained for 30 days post-termination, then deleted within a target of 90 days).

12.4 Information subject to statutory retention obligations is retained for the period required by law.

12.5 Operational information such as access logs is retained for up to two (2) years.


13. Security Measures

13.1 The Company implements reasonable technical and organizational security measures to protect personal information and Customer Data, including:

(a) encryption in transit (TLS 1.2 or higher); (b) encryption at rest (AES-256 equivalent); (c) access control and the principle of least privilege; (d) periodic security evaluation and employee training.

13.2 Notifications of security incidents follow Section 10.5 of the Terms (target: within 72 hours of discovery).


14. Children's Privacy

The Service is not intended for use by persons under 18 years of age. The Company does not knowingly collect personal information from persons under 18. If the Company learns that it has collected personal information from a person under 18, it will promptly delete such information.


15. Contact and Complaints

For inquiries about handling of personal information, requests for disclosure, complaints, or other matters, please contact:

  • Personal Information Handler: Genaxis Inc.
  • Personal Information Protection Manager: Yusei Moriwaki (Representative Director / CEO)
  • Email: privacy@cogno.studio
  • Address: Genaxis Inc., Delaware, United States of America

EU residents may also lodge a complaint with the Company's appointed EU representative (to be appointed when GDPR applicability is expected) or with the supervisory authority in their location.

Users in Japan may also file complaints with the Personal Information Protection Commission of Japan (https://www.ppc.go.jp/).


16. Changes to this Policy

16.1 The Company may amend this Policy in response to changes in law or to the Service.

16.2 For material adverse changes, the Company will notify users of the changes and the effective date at least thirty (30) days before the effective date, through the Service or via email.

16.3 The latest version of this Policy is always available on the Privacy Policy page of the Company's website (/privacy).


17. Governing Law and Dispute Resolution

The governing law and dispute resolution of this Policy follow Section 22 of the Terms (English version) — Delaware law and JCAA arbitration in Tokyo. However, mandatory data protection laws of the user's country of residence that cannot be excluded by agreement apply to the extent legally required.


Effective: This Policy first took effect on May 18, 2026 and was last revised on May 29, 2026 (v3.0).


Genaxis Inc. Delaware, United States of America Contact: privacy@cogno.studio
