Privacy

Privacy policy

Last updated 2026. Final language is in legal review.

Compliance posture

Cogito operates under Decart AI's audited control environment. SOC 2 Type II is certified through Decart AI; reports are available under NDA. We are GDPR-compliant by design, with EU data residency on enterprise clusters. HIPAA BAA is in active rollout (target H2 2026) — reach out if a healthcare deployment is gated on it.

Zero retention by default

Prompts, completions, and embeddings sent to Cogito are not retained beyond the lifetime of the request, are not used to train any model, and are not shared with third parties. Free and Pro tiers may opt in to logging for debugging on a per-API-key basis.

What we collect

Account email, organization name, payment metadata (handled by Stripe), API request metadata (model, token counts, latency, status, request id), and infrastructure logs.

What we don't collect

We do not log prompt or completion content, system prompts, tool arguments, embedding vectors, or attached file content beyond what is required to fulfill the request and bill for it.

Subprocessors

We use Vercel for hosting, Neon for managed Postgres, Stripe for billing, and AWS for Trainium and GPU compute. A full subprocessor list is available on request.

Your rights (GDPR / CCPA)

EU and California residents may request export or deletion of their account data via cogito@decart.ai at any time. We respond to verified data subject requests (DSRs) within 30 days.