Legal

Acceptance

By using Cogito Coach, you agree to these terms. If you don't agree, please don't use our service.

The Service

Cogito Coach is an AI coaching tool that helps students develop critical thinking through guided questioning. We provide coaching sessions, progress tracking, and reports for students, teachers, and parents.

User Accounts

• You must provide accurate registration information
• You're responsible for your account security
• Students in grades K-5 require teacher or parent supervision

Acceptable Use

Use the service for lawful, educational purposes only. Don't attempt to hack, disrupt, or misuse the service.

Payment

Subscriptions are billed in advance. You may cancel anytime; cancellation takes effect at the end of your billing period.

Liability

The service is provided "as is." We're not liable for indirect damages. Our total liability is limited to what you paid us in the past 12 months.

What We Collect

• Account info: Name, email, school, grade level
• Conversation content: Every message you send during a coaching session, including the topic, decision, claim, or question you bring in. This is what gets sent to our AI provider — see "How AI Processes Your Conversations" below.
• Progress data: Scores, completion status, session metadata
• Technical data: Device info, IP address, browser type, cookies
• Payment info: If you subscribe, payment details are collected and stored by Stripe (we never see your full card number)

How We Use It

• Provide and improve the coaching service
• Generate progress reports and analytics for students, parents, and teachers
• Communicate updates and support
• Ensure security and prevent abuse
• Comply with legal obligations

How AI Processes Your Conversations

What we send to Anthropic:

• The student's messages during the session (topic, decision, claim, questions, follow-up answers)
• The AI coach's previous replies in the same session (so the conversation has context)
• Basic session attributes: student first name (or display name), grade level, language preference, and the coaching mode

What we do NOT send to Anthropic:

• Your password or authentication credentials
• Payment card numbers or financial account details
• Email address (we use a non-identifying student name in prompts)
• IP address, device fingerprints, or other technical metadata

What Anthropic does with that data: Anthropic uses it to generate the coaching response and then retains it for a limited period (currently up to 30 days under their commercial API terms) for trust-and-safety review. Anthropic does not use Cogito Coach API inputs or outputs to train its models per its commercial API terms.

Where the processing happens: Anthropic's infrastructure is located in the United States. If you access Cogito Coach from outside the U.S., your conversation content is transferred to and processed in the U.S. By using the service you consent to that transfer; we rely on appropriate safeguards (Standard Contractual Clauses or equivalent) where required by EU, UK, or other applicable law.

What you should not share: Cogito Coach is for educational coaching. Please do not include in your messages: government identification numbers (Social Security, passport, etc.), payment-card data, medical records, full home address, login credentials, or other sensitive personal information about yourself or any third party. AI coaching is not a confidential channel — treat it like a classroom conversation.

Data Sharing

We do not sell your data and we do not share it for cross-context behavioral advertising. We share information only with:

• Sub-processors who help us operate the service (listed under "Third-Party Services" below). All are bound by contractual data-protection terms.
• Teachers, parents, and school administrators for students they manage, in line with FERPA's school-official exception
• Legal authorities when we're required to comply with a valid legal request
• An acquirer or successor in the event of a merger, acquisition, or sale of assets — we will notify users of any such change and your rights remain unchanged

Children's Privacy (COPPA Compliance)

We fully comply with the Children's Online Privacy Protection Act (COPPA). For children under 13:

• What we collect: Name, grade level, questions asked, and session content
• What we don't collect: Photos, precise location, contact lists, or social media accounts
• Parental consent: Required before any child can use the service
• Parental access: Parents can review their child's data at any time
• Deletion rights: Parents can request deletion of all child data
• No advertising: We never use child data for behavioral advertising
• AI processing: Our AI provider (Anthropic) does not retain or train on child data

Student Data Privacy (FERPA Compliance)

We comply with the Family Educational Rights and Privacy Act (FERPA). For schools and districts:

• School official exception: We operate under the "school official" provision of FERPA
• Educational purpose only: Student data is used solely for educational services
• Data Processing Agreements: We provide DPAs upon request for schools and districts
• Access rights: Schools can access, review, and request correction of student records
• No unauthorized disclosure: We never share student data without proper authorization
• Breach notification: We notify schools within 72 hours of any data security incident

Data Retention

We retain student data only as long as necessary:

• Active accounts: Data retained while account is active
• Inactive accounts: Data deleted after 24 months of inactivity
• Upon request: Data deleted within 30 days of deletion request
• School contracts: Data handled per DPA terms upon contract end

Third-Party Services (Sub-processors)

We use the following service providers. Each is contractually bound by appropriate data-protection terms.

• Anthropic, PBC (United States) — generates AI coaching responses. Receives session conversation content as described above. Does not train on Cogito Coach API data per Anthropic's commercial API terms.
• Amazon Web Services, Inc. (United States) — application hosting, database (DynamoDB), and storage. Stores all account and session data at rest, encrypted.
• Postmark (ActiveCampaign / Wildbit) (United States) — transactional email delivery (magic-link sign-in, session and report notifications). Receives recipient email address and message content.
• Stripe, Inc. (United States) — payment processing for paid subscriptions. Receives payment details directly from your browser; Cogito Coach does not see or store full card numbers.
• Google LLC (United States) — optional Google Sign-In (you choose whether to use it).
• Amazon CloudFront (global edge) — content delivery for the website. Processes request metadata (IP, user agent) for performance and security.

We will update this list as our sub-processors change. If you have a Data Processing Agreement (DPA) with us, you'll be notified of material changes per the DPA terms.

Your Rights

Depending on where you live, you have some or all of the following rights with respect to your personal information:

• Access — request a copy of the personal information we hold about you
• Correction — ask us to correct information that's inaccurate or incomplete
• Deletion / erasure — request that we delete your account and associated data (subject to legal-retention exceptions)
• Portability — receive your data in a portable, machine-readable format
• Objection / restriction — object to or restrict certain processing of your data
• Withdraw consent — where processing is based on consent, you can withdraw it at any time
• Lodge a complaint with a supervisory authority (e.g., your local data-protection regulator)

To exercise any of these rights, email support@cogitocoach.com from the address on your account, or use the in-product "Delete account" option in your settings. We respond within 30 days.

California Residents (CCPA / CPRA)

If you are a California resident, you have the rights described above plus the right to know what personal information we collect, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it. The categories of personal information we process are described under "What We Collect" and "Third-Party Services" above. We do not sell or share personal information for cross-context behavioral advertising. You can exercise your CCPA rights using the contact methods listed under "Your Rights."

EU / UK / Swiss Residents (GDPR / UK GDPR)

Cogito Coach acts as a data controller for account and account-management data, and as either a controller or processor for student session content depending on the relationship (school-managed deployments may involve a school controller). The legal bases we rely on are: performance of a contract (delivering the service), legitimate interests (improving and securing the service), consent (where required, including for any optional features), and compliance with legal obligations. Where data is transferred to the United States, we rely on Standard Contractual Clauses or other approved safeguards.

Data Security

We use TLS encryption in transit, encryption at rest for stored data, role-based access controls, and audit logging. No system is 100% secure, but we take reasonable measures and follow industry best practices. If a security incident affects your data, we will notify you and any relevant authorities within the timeframes required by applicable law (and within 72 hours for school customers under our DPA terms).

What Are Cookies?

Cookies are small text files stored on your device that help websites function and remember your preferences.

Cookies We Use

• Essential: Required for login, security, and basic functionality
• Functional: Remember your preferences and settings
• Analytics: Help us understand how users interact with our service

Third-Party Cookies

We may use analytics services (like Google Analytics) that set their own cookies. These help us improve the service.

Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect functionality. Most browsers let you:

• See what cookies are stored
• Delete cookies individually or all at once
• Block cookies from specific or all sites