CogFlow Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 1, 2026
1. Introduction
CogFlow ("we," "our," or "us") provides a browser extension that connects to your Microsoft Outlook or Google Calendar to analyse calendar events and generate cognitive-load insights.
For the purposes of applicable data protection laws, including the UK GDPR and EU GDPR, CogFlow acts as the data controller of your personal data.
This policy explains what data we collect, how we use it, the legal basis for processing, how it is stored, and your rights.
2. Data We Collect
2.1 Account Information
- Email address
- Full name
- Account identifier
2.2 Calendar Event Data
- Event title
- Start and end time
- Duration
- Categories or labels
- Cancellation status
We do not access:
- Event descriptions
- Attendees
- Locations
- Attachments
2.3 Cognitive Load Metadata
- Cognitive intensity level (Low, Medium, High), stored within the event title
2.4 User Preferences
Stored locally:
- Working hours
- Category filters
- Provider selection
2.5 AI Interaction Data
- User messages
- AI responses
- Calendar-derived context (event titles, time, duration, categories, cognitive load)
2.6 System Data
- Activation and referral data
- AI usage counts
3. How and Why We Use Your Data (Legal Basis)
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Account data | Create and manage account | Contract |
| Calendar data | Generate analytics | Contract |
| Cognitive metadata | Enhance insights | Contract |
| Preferences | Customise experience | Legitimate interest |
| AI data | Provide assistant responses | Contract |
| Usage data | Enforce limits, improve service | Legitimate interest |
We do not use your data for advertising or unrelated profiling.
4. Behavioural Analysis
CogFlow analyses calendar activity patterns to generate productivity and cognitive-load insights. This may involve automated processing of behavioural data, but it does not produce legal or similarly significant decisions.
5. Data Sharing and Third Parties
We share data only where necessary to provide the service:
- Microsoft / Google: calendar access and authentication
- Supabase (Backend infrastructure): data storage and authentication
- OpenAI (AI processing): chat requests and calendar summaries
International Transfers
Some providers may process data outside the UK or EEA. Where this occurs, we rely on appropriate safeguards such as standard contractual clauses.
6. Data Retention
We retain data only as long as necessary:
- Account data: retained while account is active
- AI chat history: retained until deletion is requested or account is deleted
- Usage data: retained for service operation and analytics
- Local data: stored on your device and cleared on sign-out
We periodically review stored data and minimise retention where possible.
7. Your Rights
You have the right to:
- Access your data
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Request data portability
Account Deletion
You can request deletion of your account and associated data by contacting us. We will process deletion requests within 30 days.
You may also revoke calendar access at any time via your Google or Microsoft account.
8. Data Security
We use appropriate technical and organisational measures to protect your data, including:
- Encrypted communication
- Secure authentication
- Access controls
9. Children's Privacy
CogFlow is not intended for individuals under 13.
10. Changes to This Policy
We may update this policy periodically. Continued use of the service constitutes acceptance of updates.
11. Contact
Email: info@cogmap.ai