Legal
Privacy
Policy.
Last updated: June 9, 2026
Note: This is a working draft intended to describe our current practices in plain language. It is not legal advice and has not yet been reviewed by counsel. Please review and adapt it with a qualified attorney before relying on it for compliance.
Cogitan (“Cogitan,” “we,” “us,” or “our”) operates a pay-as-you-go API that serves physics-simulation surrogate models, together with an accompanying Python SDK, command-line tool, and the website at cogitan.ai. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have. It applies to your use of our website, API, SDK, and dashboard (collectively, the “Services”).
By using the Services, you agree to the collection and use of information as described here. If you do not agree, please do not use the Services.
Information we collect
We aim to collect only what we need to run the Services. The categories below describe everything we process.
Account information
When you create an account, we collect your email address and authentication credentials. Authentication is handled by Supabase, our identity provider. If you sign in with Google OAuth, we receive your email address and basic profile identifiers from Google; we do not receive your Google password. We store a profile record containing your account identifier, credit balance, and (where applicable) a Stripe customer identifier.
Payment information
Payments and prepaid credit purchases are processed entirely by Stripe through Stripe Checkout. Cogitan never sees, receives, or stores your full card number, CVC, or other raw payment-card details. Stripe provides us with limited, non-sensitive transaction metadata — such as a customer identifier, the amount and currency of a purchase, payment status, and the last four digits or card brand for receipts — which we use to credit your account and maintain billing records.
API keys
When you generate an API key, we store only a one-way SHA-256 hash of the key plus a short non-secret prefix, a name you choose, and any per-key spend cap. We cannot recover the original key from the hash; if you lose a key, you must create a new one.
Usage logs and metering
Each API call generates a usage event so we can meter and bill it. These records include a request identifier, the model invoked, a timestamp, response latency, the amount charged, the resulting account balance, and the API key used. We also record credit-ledger entries describing balance changes (top-ups, debits, and the reason for each).
Physics inputs you send to the API
When you call a prediction endpoint, you send model inputs — for the thermal model, parameters such as conductivity, heat sources, and boundary conditions. We process these inputs to compute and return a result. We may transiently log inputs and outputs for debugging, abuse prevention, reliability, and service-improvement purposes. We treat the substance of your inputs as confidential to your account and do not sell them or use them to build profiles about you.
Technical and device data
Like most online services, our infrastructure providers automatically receive technical data when you connect — such as IP address, request headers, user-agent, and approximate timing. This is used for security, rate limiting, and operating the network.
Communications
If you contact us (for example by email or a contact form), we keep your message and contact details so we can respond and maintain a record of the correspondence.
How we use your information
We use the information we collect to:
- Provide, operate, and maintain the Services, including running models and returning results.
- Authenticate you and secure your account.
- Meter usage, process prepaid credit purchases, debit your balance, and enforce spend caps.
- Maintain billing, accounting, and tax records.
- Monitor, debug, and improve the reliability, performance, and accuracy of our models and infrastructure.
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our terms.
- Communicate with you about your account, transactions, service changes, and support requests.
- Comply with legal obligations and enforce our agreements.
Where required by law, our legal bases for processing include performance of our contract with you, our legitimate interests in operating and securing the Services, your consent (where we ask for it), and compliance with legal obligations.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
Service providers and sub-processors
We rely on a small set of third-party providers to deliver the Services. Each processes data only as needed to perform its function and is bound by its own terms and privacy commitments.
Supabase
Authentication, account database, and credit/usage records.
Stripe
Payment processing and credit purchases. Stripe handles all card data; Cogitan does not.
Fly.io
Hosting and execution of the API gateway and model inference.
Vercel
Hosting and delivery of the cogitan.ai website and dashboard.
Optional Google OAuth sign-in, if you choose to use it.
We may update this list as our infrastructure evolves. If we introduce on-demand cloud compute that lets you choose the hardware your jobs run on, the provider operating the hardware tier you select will process your job inputs for the purpose of running that job, and we will update this section accordingly.
Cookies and sessions
We use cookies and similar browser storage primarily for essential, functional purposes: keeping you signed in, maintaining your authenticated session, and supporting the secure checkout flow. These are necessary for the website and dashboard to work.
We do not use advertising cookies or third-party tracking for targeted advertising. You can control cookies through your browser settings, but disabling essential cookies may prevent you from signing in or using parts of the Services.
Data retention
We retain personal information for as long as your account is active or as needed to provide the Services. Billing, transaction, and credit-ledger records are retained for as long as required to meet our legal, accounting, and tax obligations. Operational and usage logs are retained for a limited period for security, debugging, and reliability, after which they are deleted or aggregated into non-identifying statistics. When information is no longer needed, we delete or anonymize it.
Your rights and choices
Depending on where you live, you may have rights under laws such as the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as amended (CCPA/CPRA). These may include the right to:
- Access the personal information we hold about you.
- Receive a portable copy of your data in a structured, machine-readable format.
- Correct inaccurate or incomplete information.
- Request deletion of your personal information, subject to legal exceptions (for example, records we must keep for tax or accounting).
- Object to or restrict certain processing based on our legitimate interests.
- Withdraw consent where processing is based on consent, without affecting prior processing.
- Not receive discriminatory treatment for exercising your privacy rights.
Because we do not sell or share personal information for cross-context behavioral advertising, there is nothing to opt out of in that respect. To exercise any right, contact us at the address below. We will verify your request and respond within the timeframes required by applicable law. You may also manage core account details and API keys directly from your dashboard, and you can lodge a complaint with your local data protection authority.
Security
We take reasonable technical and organizational measures to protect your information. API keys are stored only as salted one-way hashes, never in plaintext. Authentication and payment card handling are delegated to specialized providers (Supabase and Stripe). Traffic to the Services is encrypted in transit using TLS, and access to production systems is limited.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Keep your API keys and account credentials confidential, and notify us promptly if you believe your account or a key has been compromised so we can help you revoke and rotate it.
International data transfers
Cogitan and its service providers may process and store information in countries other than the one in which you reside, including the United States. These countries may have data-protection laws that differ from those in your jurisdiction. Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or another lawful transfer mechanism.
Children’s privacy
The Services are intended for businesses and professional users and are not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time as our Services and practices change. When we do, we will revise the “Last updated” date above and, for material changes, take reasonable steps to notify you — for example by email or a notice in the dashboard. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy.
Contact us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
See also our Terms of Service.