Privacy Policy

1. Introduction

Cograph, Inc. ("Cograph," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our offboarding intelligence platform and related services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, company name, job title, and password when you create an account.
• Profile Information: Additional details you choose to add to your profile, such as profile photo, department, and role.
• Communication Data: Information you provide when contacting our support team or participating in surveys.
• Payment Information: Billing details and payment method information processed through our secure payment processor.

2.2 Information from Connected Services

When you connect third-party services (such as Google Workspace, Slack, or GitHub), we collect:

• Metadata by Default: We analyze metadata (who communicated with whom, document ownership patterns, collaboration frequency) rather than content.
• Content with Consent: When explicitly enabled and with appropriate consent, we may analyze content to extract knowledge and expertise patterns.
• User Directory Information: Employee names, email addresses, job titles, and organizational structure.

2.3 Google Workspace Data

When you connect Google Workspace, we request access to specific Google API scopes. We collect the following categories of data:

• Directory Information (Admin SDK, read-only): Employee names, email addresses, job titles, departments, manager relationships, and organizational unit paths.
• Drive File Metadata (read-only): File names, types, creation and modification dates, ownership, and sharing permissions. We do not access or download file content.
• Calendar Event Metadata (read-only): Event titles, times, attendee lists, and RSVP statuses from the past six months. We do not access event descriptions or attachments.
• Gmail Metadata (metadata only): Email headers including sender, recipients, subject lines, and dates. We never access email body content, attachments, or draft messages.

All Google Workspace data is accessed using read-only API scopes. We cannot modify, delete, or create data in your Google Workspace environment.

2.4 Automatically Collected Information

We automatically collect certain information when you use our Services:

• Usage Data: Features used, actions taken, time spent, and interaction patterns.
• Device Information: Browser type, operating system, device type, and unique device identifiers.
• Log Data: IP addresses, access times, pages viewed, and referring URLs.
• Cookies and Tracking: We use cookies and similar technologies to maintain sessions and understand usage patterns.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Generate knowledge graphs and risk assessments for offboarding
• Identify expertise areas and recommend knowledge transfer paths
• Send transactional communications (account updates, security alerts)
• Provide customer support and respond to your requests
• Analyze usage patterns to improve product features and user experience
• Detect, prevent, and address security issues and fraud
• Comply with legal obligations and enforce our terms of service

4. AI and Machine Learning

Our Services use artificial intelligence to analyze workplace data and generate insights. Here's how we handle AI processing:

4.1 Privacy-Preserving AI

• Anonymization: We anonymize personal identifiers before processing content with AI models.
• PII Redaction: Personally identifiable information is redacted from content sent to external AI services.
• Metadata Focus: We prioritize metadata analysis over content analysis wherever possible.

4.2 Third-Party AI Services

• We use OpenAI's API for certain analysis features with zero-retention agreements.
• We never use your data to train AI models shared with other customers.

5. Google API Services Usage

Cograph's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Limited Use Disclosure

We only use Google user data to provide and improve user-facing features of Cograph that are visible in our application. Specifically, we use Google Workspace data to:

• Build knowledge graphs mapping employee expertise and collaboration patterns.
• Generate risk assessments for employee departures based on document ownership and communication patterns.
• Recommend knowledge transfer paths and successor candidates.

5.2 Prohibited Uses

We do not use Google user data for any of the following purposes:

• Transferring or selling data to third parties such as advertising platforms, data brokers, or information resellers.
• Serving advertisements, including retargeting, personalized, or interest-based advertising.
• Determining credit-worthiness or for lending purposes.
• Conducting or providing data to entities conducting surveillance.

5.3 Human Access to Google Data

Cograph employees and contractors do not read your Google user data unless:

• You have given us affirmative consent for a specific purpose (for example, investigating a support issue you reported).
• It is necessary for security purposes, such as investigating abuse or a data breach.
• It is required to comply with applicable law.
• The data has been aggregated and anonymized for internal operations and cannot be associated with any individual user.

6. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

6.1 With Your Organization

Information about employees is shared with authorized administrators within your organization as part of normal service operation.

6.2 Service Providers

We share information with third-party vendors who assist in providing our Services, including:

• Cloud infrastructure providers (hosting and storage)
• Payment processors (billing and invoicing)
• Analytics services (aggregated, anonymized usage data)
• Customer support tools (ticket management)

All service providers are bound by contractual obligations to protect your information and use it only for specified purposes.

6.3 Legal Requirements

We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to:

• Comply with applicable laws or regulations
• Protect the rights, property, or safety of Cograph, our users, or others
• Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transfers

If Cograph is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.

7. Data Security

We implement comprehensive security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Access Controls: Role-based access controls and multi-factor authentication.
• Infrastructure: SOC 2 certified cloud infrastructure (via Railway) with regular security audits.
• Monitoring: Security monitoring and incident response procedures.
• Employee Training: Regular security awareness training for all staff.

For more details, see our Security & Compliance page.

8. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this policy:

• Account Data: Retained while your account is active and for 90 days after deletion request.
• Knowledge Transfer Data: Retained according to your organization's configured retention policies.
• Audit Logs: Retained for 2 years for compliance and security purposes.
• Aggregated Analytics: May be retained indefinitely in anonymized, aggregated form.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

9.1 Access and Portability

You can request a copy of the personal information we hold about you in a structured, commonly used format.

9.2 Correction

You can request that we correct inaccurate or incomplete personal information.

9.3 Deletion

You can request deletion of your personal information, subject to certain legal exceptions.

9.4 Opt-Out Rights

• Employee Opt-Out: Employees can opt out of having their data analyzed. Contact your organization's administrator.
• Marketing Communications: Unsubscribe from marketing emails using the link in any email.
• Cookies: Manage cookie preferences through your browser settings.

9.5 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@cograph.app. We will respond to your request within 30 days.

10. International Data Transfers

Cograph is based in the United States. If you access our Services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate.

We protect international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• Compliance with the EU-US Data Privacy Framework

11. Additional Information for EEA, UK, and Swiss Users

11.1 Legal Basis

Under GDPR, we process your information based on the following legal bases:

• Contract Performance: Processing necessary to provide our Services to you.
• Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, product improvement).
• Consent: Where you have given explicit consent for specific processing activities.
• Legal Obligation: Processing necessary to comply with applicable laws.

11.2 Data Controller

For customers, Cograph acts as a data processor. Your organization is the data controller and determines the purposes and means of processing employee data.

12. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to Know: What personal information we collect, use, disclose, and sell.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: We do not sell personal information, so this right does not apply.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@cograph.app or call 1-800-COGRAPH.

13. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending an email notification to account administrators
• Displaying a notice within our application

Your continued use of our Services after such notice constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us: