Privacy Policy

Effective date: June 23rd, 2025

This Privacy Notice (“Notice”) describes how CogniSwitch Inc. processes Personal Data in its role as a controller (i.e., CogniSwitch Inc. decides what Personal Data is collected and what it is used for) or processor (i.e., CogniSwitch Inc. only processes the data as per the controller's instructions), as the case may be. It also describes your choices regarding use, access and correction of your Personal Data.

ABOUT COGNISWITCH'S

Our Service Model: CogniSwitch operates as a professional services organization specializing in custom AI implementations for regulated industries. We function as contractors who extend our clients' existing IT capabilities through AI expertise and solution building.

Key Characteristics:

  • Custom Development: Each client engagement involves bespoke solution development
  • Flexible Infrastructure: Solutions operate within client-controlled, CogniSwitch-managed, or hybrid environments based on client requirements
  • Professional Services: We provide AI expertise and development services, not platform access
  • Enterprise Contracts: All client data processing governed by formal contractual agreements

Data Processing Role: We act as both a data controller (for our business operations) and data processor (for client data processing under contractual agreements). Consent for client data processing is obtained through formal contracts as customers do not login to any platform - all data processing is governed by enterprise agreements.

DEFINITIONS

The capitalized terms used in this Notice but not defined herein shall have the same meaning as defined in the Terms of Service

WHOM DOES THIS NOTICE APPLY TO?

This Notice applies to:

(i) Business Contacts and Prospects - individuals who engage with us for business purposes, attend our events, or express interest in our services

(ii) Website Visitors - individuals who visit our websites and interact with our online content

(iii) Employees and Contractors - individuals who work for or with CogniSwitch

(iv) Partners and Vendors - individuals representing organizations we work with

ANY QUESTIONS?

If you have questions or complaints regarding our privacy notice or practices, please contact us at support@cogniswitch.ai or our Data Protection Officer at dpo@cogniswitch.ai

Data Protection Officer

We are committed to upholding your privacy rights and maintaining transparency and accountability in our data processing activities. To support this commitment, we have appointed a Data Protection Officer (DPO) responsible for overseeing our privacy and data protection program.

Our DPO's Responsibilities Include:
  • Ensuring compliance with applicable privacy and data protection laws including GDPR, CCPA, HIPAA, and SOC2 requirements
  • Monitoring internal privacy policies, controls, and procedures
  • Advising on data protection impact assessments and high-risk processing activities
  • Serving as the primary point of contact for supervisory authorities and data subjects regarding privacy matters
  • Coordinating breach response and data subject rights fulfillment
  • Overseeing staff training on data protection and privacy matters
  • Conducting regular privacy audits and assessments

Contact Information

Data Protection Officer: Joshua Thomas
Email: dpo@cogniswitch.ai
Alternative Contact: joshuat@cogniswitch.ai
Company: CogniSwitch Inc.
Address: 8 The Green, Ste R, Dover, DE 19901, USA

You may contact our DPO for any inquiries, concerns, or complaints related to your personal information or your rights under this Privacy Policy. We will respond to your request in accordance with applicable legal requirements and our privacy obligations, and in a timely and transparent manner.

Data Subject Rights

We respect and uphold your fundamental rights regarding your personal data. Below is a comprehensive overview of your rights and how to exercise them:

1. Right to Be Informed (Transparency)

You have the right to be provided with clear, transparent information about:

  • Identity and contact details of the controller (CogniSwitch Inc.)
  • Purpose and legal basis of processing
  • Data retention periods
  • Third parties with whom data is shared
  • Your rights regarding your personal data
2. Right to Access

You can request a copy of your personal data, including:

  • Categories of data processed
  • Purpose of processing
  • Data recipients
  • Retention periods
  • Source of the data (if not collected directly from you)

How to exercise: Contact us at support@cogniswitch.ai with "Data Access Request" in the subject line.

3. Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will take reasonable steps to verify the accuracy of any new data provided.

How to exercise: Contact us at support@cogniswitch.ai with details of the correction needed.

4. Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal data when:

  • It's no longer necessary for the purposes for which it was collected
  • You withdraw consent (where consent was the legal basis)
  • Processing is unlawful
  • You object to processing and no overriding legitimate grounds exist
  • Required for compliance with legal obligations

Limitations: We may retain data where required by law or for legitimate business purposes.

5. Right to Restrict Processing

You have the right to limit the processing of personal data under certain conditions:

  • When contesting the accuracy of personal data
  • When processing is unlawful but you oppose deletion
  • When data is no longer needed but required for legal claims
  • When you have objected to processing pending verification of legitimate grounds
6. Right to Data Portability

You have the right to:

  • Receive your data in a structured, commonly used, and machine-readable format (such as CSV or JSON)
  • Transmit the data to another controller without hindrance
  • Have data transmitted directly to another controller where technically feasible

Applies to: Data processed based on consent or contract, and by automated means.

7. Right to Object to Processing

You can object to:

  • Processing based on legitimate interest or public interest
  • Direct marketing (including profiling for marketing purposes)
  • Processing for scientific/historical research or statistics

Marketing objection: You can object at any time, and we will stop processing for marketing purposes immediately.

8. Rights Related to Automated Decision-Making and Profiling

You have the right:

  • Not to be subject to decisions based solely on automated processing (including profiling) that have legal or significant effects
  • To human intervention in automated decision-making
  • To express your point of view regarding automated decisions
  • To contest automated decisions
9. Right to Withdraw Consent

Where processing is based on your consent, you have the right to:

  • Withdraw consent at any time
  • Have withdrawal be as easy as giving consent
  • Continue to have data processed lawfully before withdrawal

Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal.

10. Right to Lodge a Complaint

You have the right to:

  • Lodge a complaint with a supervisory authority
  • Contact our internal complaint mechanism
  • Receive information about available remedies

Internal complaints: Contact our DPO at dpo@cogniswitch.ai

Exercising Your Rights

To exercise any of these rights:

  1. Email us at support@cogniswitch.ai or dpo@cogniswitch.ai
  2. Include "Data Subject Rights Request" in the subject line
  3. Specify which right(s) you wish to exercise
  4. Provide sufficient information to verify your identity
  5. Expect a response within 30 days (may be extended by 60 days for complex requests)

What Personal Data Do We Collect and Why?

As a professional services organization, our data processing activities primarily involve business contact information, website analytics, and employment-related data. We do NOT operate a customer-facing platform or process end-user data directly.

1. Personal Data we collect and process for our own purposes: Collected Data

When you visit our websites or participate in CogniSwitch Inc.’s events, CogniSwitch Inc. may collect information, which may include Personal Data, from Individuals as set forth below (collectively referred to as “Collected Data”). For the purposes of General Data Protection Regulation (GDPR), CogniSwitch Inc. shall be the controller for the Collected Data – this means that CogniSwitch Inc. decides what Collected Data is processed and why.

When does CogniSwitch Inc. process Collected Data?

1.1 CogniSwitch Inc. Careers.  

When you apply for an open position by populating the application form, we may collect your  

(i) contact information, such as name, email address, mailing address, phone number, links to your social networking profiles; and  

(ii) any other information contained in the resume that you submit to us. Subject to this Notice, we will use such data to evaluate you for the open position that you have applied for or any position that we consider you suitable for at the time you submit your resume or at any later date. Unless you notify us otherwise by an e-mail to careers@cogniswitch.ai, we will retain such data for a period of 1 year for archival purposes. If you wish to update the data you provided to us, you may do so by contacting us at careers@cogniswitch.ai.

For the purpose of evaluating you for an open position, you understand that we may internally rate you based on parsing of your resume and your information. If you do not wish to be rated by us, please do not provide us your information.

1.2. Events.  

When you attend an event conducted by CogniSwitch Inc., including webinars or seminars, we may collect your contact information such as name, e-mail address, designation and company name. Subject to this Notice, we will use such data, including without limitation, to  

(i) assess needs of your business to determine or suggest suitable Service(s);  

(ii) send you requested information about the Service(s);  

(iii) send you promotional and marketing communications (where you have requested us to do so); and  

(iv) respond to your questions and concerns.

1.3. Program Registrations.  

When you register for any of our programs through a registration form on our websites, we may collect information such as name, e-mail address, company name and website URL, company details, location and contact information. Subject to this Notice, we will use such data, including without limitation, to  

(i) facilitate your use of the program portal for which you have registered;  

(ii) send you communication from within the Service(s);  

(iii) send you requested information about our Service(s);  

(iv) respond to your requests, questions, and concerns; and  

(v) send you promotional and marketing communications (where you have requested us to do so).

1.4 Public forums, Forms and Newsletters.  

When you visit our publicly accessible community forums and blogs or submit any forms on our website, you should be aware that any information you provide in these areas may be read, collected, and used by others who access them. Further, we may collect your  

(i) contact information such as name, e-mail address, mailing address, or phone number;  

(ii) information about your business, such as company name, company size, business type; and  

(iii) a short bio about you to identify you as the author of the post. When you actively subscribe to our newsletters, we collect your e-mail address to share our newsletters with you.

Subject to this Notice, we will use such data, including without limitation, to  

(i) assess needs of your business to determine or suggest suitable Service(s);  

(ii) send you requested information about the Service(s);  

(iii) send you promotional and marketing communications (where you have requested us to do so); and  

(iv) respond to your questions and concerns.

1.5. Cookies and Similar Technologies.  

We and our third-party advertising partners use cookies and similar technologies in analyzing trends, administering the website, tracking users’ movements around the site, and gathering demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis. Most web browsers support cookies and users can control the use of cookies at the individual browser level. Please note that if you choose to disable cookies, it may limit your use of certain features or functions on our websites and services.  

As is true of most websites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our website (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data. We link this automatically collected data to other data we collect about you. We do this mainly to improve the services we offer you, to improve marketing, analytics, and/or Website performance and functionality.

Please see our Cookies Policy for further information about our use of Cookies and similar technologies.

1.6. Analytics.  

Apart from the aforementioned information collected by us, we automatically receive and record certain Personal Data of yours when You visit our websites. This includes device model, IP address, the type of browser being used, usage pattern through cookies and browser settings, query logs and product usage logs. We also collect clicks, scrolls, conversion and drop-off on our Websites and Service(s) to render user journey at real-time. Subject to this Notice, we will use such data, including without limitation, to  

(i) assess needs of your business to determine or suggest suitable Service(s);  

(ii) send you requested information about the Service(s);

(iii) respond to customer service requests, questions and concerns; and  

(iv) for analytical purposes.

You authorize CogniSwitch Inc. and its service providers to perform analytics on such Collected Data, to  

(i) improve, enhance, support and operate the Websites; and  

(ii) compile statistical reports and record insights into usage patterns.  

You acknowledge that CogniSwitch Inc. uses Collected Data, as the case may be, for the aforementioned purposes.

1.7. Testimonials.  

We may post your testimonials/comments/reviews on our Websites which may contain your Personal Data. Before posting the testimonial, we will obtain your consent to post your name and the testimonial. If you want your testimonial removed, please contact us at support@cogniswitch.ai  

1.8. Marketing communications.  

We may use your e-mail address, collected as part of Collected Data, to send our newsletters and/or marketing communications about our products and services. Where you have so requested, we will also send you marketing communications about our third-party partners. If you no longer wish to receive these communications, you can opt out by following the instructions contained in the e-mails you receive or by contacting us at support@cogniswitch.ai  

1.9. What is our legal basis for processing Personal Data (EEA and Swiss visitors only)?  

If you are a visitor from the European Economic Area or Switzerland, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it.

However, we will normally collect Personal Data from you only where we need the Personal Data to perform a contract with you, or where the processing is in our legitimate interests or rely upon your consent where we are legally required to do so and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Data from you or may otherwise need the Personal Data to protect your vital interests or those of another person.

If we ask you to provide Personal Data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Data is mandatory or not (as well as of the possible consequences if you do not provide your Personal Data).

Similarly, if we collect and use your Personal Data in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us at legal@cogniswitch.ai

2. Professional Services Data

Our Role as Data Processor

Primary Relationship: In most client engagements, CogniSwitch acts as a data processor, processing data on behalf of and under the instructions of our clients (who act as data controllers).

Key Principles:

  • Client Control: Clients maintain full ownership and control of their data
  • Data Processing Framework: We primarily work with anonymized data, with HIPAA-compliant ePHI processing capabilities available through dedicated Business Associate Agreements.
  • Client Infrastructure: All processing occurs within client-controlled environments
  • Contractor Access: Our team accesses client systems as authorized contractors only
2.1. Client Data Processing

In the course of providing professional AI solutions, we may process various types of client data, which may include:

Types of Data We May Process:

  • Call recordings and transcripts: Audio recordings and text transcripts from healthcare consultations, business meetings, or other client operations
  • Clinical documentation: Medical records, patient notes, treatment plans (in healthcare engagements)
  • Business documents: Reports, communications, operational data
  • AI training datasets: Data used to develop and refine AI models
  • Output files and deliverables: Processed results, analytics, AI model outputs

PII/PHI Content: PII/PHI Content: Client data may contain Personally Identifiable Information (PII) and Protected Health Information (PHI), depending on the client's industry and specific engagement requirements. For ePHI processing, dedicated Business Associate Agreements and enhanced HIPAA-compliant safeguards are implemented.

Integration and Output Sharing

Deliverable Sharing: Final output files and AI-generated insights may be shared with:

  • Client-Provided LLM Systems: Integration with client's existing AI infrastructure
  • Client Business Systems: Direct integration with client's operational platforms
  • Third-Party Systems: As specified in client contracts and with appropriate safeguards

Data Flow Controls: All data sharing is governed by specific contractual provisions and technical safeguards appropriate to the data sensitivity level.

Compliance Framework

Shared Responsibility Model:

  • Client responsibility: Data governance, regulatory compliance, access management
  • CogniSwitch responsibility: Secure handling of anonymized data, following client procedures
  • Joint responsibility: Maintaining security during collaborative development

Data Flow Controls: All data sharing is governed by specific contractual provisions and technical safeguards appropriate to the data sensitivity level.

Compliance Framework

Enterprise Compliance Model:

  • Business Associate Agreements: HIPAA-compliant BAAs executed for all healthcare-related engagements involving ePHI processing.
  • Data Processing Agreements: GDPR-compliant DPAs for all client data processing activities
  • Industry-Specific Controls: Additional security and compliance measures based on client industry requirements

Shared Responsibility Model:

  • Client Responsibility: Data governance, regulatory compliance for their industry, end-user consent (where applicable)
  • CogniSwitch Responsibility: Secure processing according to contractual specifications, incident response, data protection controls
  • Joint Responsibility: Security during collaborative development, compliance monitoring, audit coordination

Legal basis: Contract performance, legitimate interests
Retention period: As specified in individual client agreements, typically duration of project plus 7 years

Data Storage Locations

Geographic Data Storage

Primary Storage Locations:

  • United States: Primary data processing and storage facilities located in AWS, GCP, and Azure data centers within the United States
  • Client-Specified Locations: Data may be stored in other geographic regions as specified by client requirements and contractual agreements
  • Multi-Region Backup: Backup and disaster recovery systems may span multiple geographic regions for business continuity if applicable
Cloud Infrastructure Partners

Primary Cloud Providers:

  • Google Cloud Platform (GCP): Primary hyperscaler for AI and machine learning services
  • Amazon Web Services (AWS): Secondary cloud infrastructure provider
  • Microsoft Azure: Additional cloud services provider

Data Residency Controls:

  • Data location requirements specified in individual client contracts
  • Compliance with data sovereignty requirements as needed
  • Geographic restrictions implemented based on regulatory requirements (GDPR, HIPAA, etc.). For ePHI processing engagements, additional data residency controls and BAA-specified requirements apply
Cross-Border Data Transfers

International Transfers: When client data is transferred across international borders:

  • Appropriate safeguards implemented (Standard Contractual Clauses, adequacy decisions)
  • Client notification and consent obtained through contractual agreements
  • Additional security measures applied based on destination country requirements
  • Compliance with applicable data protection laws (GDPR, local privacy regulations)
Client-Controlled Storage

Client Environment Storage: When data remains in client-controlled environments:

  • Storage location determined entirely by client
  • CogniSwitch accesses data through secure, client-provided interfaces
  • No data replication to CogniSwitch infrastructure
  • Client maintains full sovereignty over data location and transfers
2.2. Contractor Access Management

When our team works within client environments:

  • Access credentials: Provided and managed by clients
  • Activity logs: Access times, systems used, actions performed
  • Training records: Compliance training for working in regulated environments

Legal basis: Contract performance, legal obligations
Retention period: Per client requirements and legal obligations

HIPAA COMPLIANCE FRAMEWORK

CogniSwitch maintains a tiered approach to HIPAA compliance designed to serve clients across regulated industries:

Current Services

Our standard AI implementation services are configured for non-ePHI operations. Our current standard services operate without ePHI processing, working primarily with anonymized data sets while maintaining contractual guidance to preserve this framework.

HIPAA-Ready Infrastructure

Our platform architecture is designed to enable rapid activation of HIPAA-compliant capabilities when business requirements and contractual agreements dictate ePHI processing needs. This proactive compliance approach ensures seamless service delivery whether clients require standard AI solutions or full HIPAA-compliant ePHI processing capabilities.

HIPAA-Compliant Service Capabilities

Available through dedicated Business Associate Agreements (BAAs) with enterprise-grade safeguards that build upon our existing security framework including:

  • AES 256 Encryption: Advanced encryption standards for data at rest and in transit
  • Role-Based Access Controls: Granular access management with principle of least privilege
  • Comprehensive Audit Trails: Complete logging and monitoring of all data access and processing activities
  • Regulatory-Compliant Data Handling: Procedures designed to meet HIPAA administrative, physical, and technical safeguards
Implementation Framework

When HIPAA-compliant services are activated:

  • Business Associate Agreements: Formal BAAs executed prior to any ePHI processing
  • Enhanced Security Controls: Additional safeguards specific to ePHI sensitivity requirements
  • Compliance Monitoring: Continuous monitoring and audit capabilities for regulatory compliance
  • Incident Response: HIPAA-specific breach notification and response procedures
Contact for HIPAA Services

For inquiries about HIPAA-compliant service capabilities and Business Associate Agreement discussions, contact our Data Protection Officer at dpo@cogniswitch.ai

SINGLE SIGN-ON

You may be able to log in to our Websites using sign-in services such as Google, Facebook Connect and LinkedIn. These services will authenticate your identity and provide you the option to share certain Personal Data with us such as your name and e-mail address. Services like Google, Facebook Connect, Twitter, LinkedIn give you the option to post information about your activities on our Websites to your profile page and to share information with others within your network. We will never post anything on your behalf on your social networks without your consent.

SHARING OF PERSONAL DATA

Personal data will never be sold to or shared with other companies or organizations for commercial purposes, except as outlined in this Notice and as specifically authorized in client contracts.

Service Delivery and Integration

As part of our professional services delivery, we may share processed data with client-provided Large Language Model systems, sharing final output files and AI-generated insights with the client's existing LLM infrastructure. We also facilitate integration with client business systems and operational platforms, and may share data with client-specified third parties including vendors or partners specifically designated by the client in contractual agreements.

All sharing is governed by specific contractual provisions with technical safeguards appropriate to the data sensitivity level. We maintain audit trails for all data sharing activities and require client approval for any sharing not explicitly covered in agreements.

Cloud Infrastructure and Processing

Client data may be processed by our cloud infrastructure partners including Google Cloud Platform for primary AI and machine learning processing, Amazon Web Services for additional cloud infrastructure services, and Microsoft Azure for supplementary cloud services. All cloud providers maintain appropriate Business Associate Agreements for healthcare data processing.

Third-Party Service Providers

We may share business contact data, but not client data, with communication platforms for email services and business communications, CRM and sales tools for managing business relationships, analytics providers for website and marketing analytics where data is anonymized where possible, and IT service providers for infrastructure and technical support. All third-party providers are bound by confidentiality agreements and data processing agreements.

We also work with professional services partners including subcontractors who assist in delivering client solutions, technology partners for specialized technical capabilities, and compliance partners for audit and compliance support. All partners must meet our security standards and sign appropriate agreements.

Legal Requirements

We may disclose personal data when required by applicable law or regulation, court orders or legal process, law enforcement requests, national security requirements, or to protect our rights and interests.

International Transfers

Personal data may be transferred to and processed in countries outside your country of residence, including the United States. For transfers outside the EEA or Switzerland, we implement appropriate safeguards including Standard Contractual Clauses and adequacy decisions, ensure recipients are bound by equivalent data protection obligations, and implement additional security measures where required.

INFORMATION THAT WE OBTAIN FROM THIRD PARTIES

From time to time, we may receive personal information about you from third party sources like databases and social media but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.  

The types of information we obtain from such third parties include your name, e-mail address, postal address, location, designation, telephone number and we use the information we receive from these third parties to maintain and improve customer support experience, improve the accuracy of the records we hold about you and for our sales and marketing purposes.

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or online profiles. We (or service providers on our behalf) may then send communications and marketing to these emails or profiles. You may opt out of receiving this advertising by visiting https://app.retention.com/optout

HOW DO WE KEEP PERSONAL DATA SECURE?

We use appropriate technical and organizational measures to protect the Personal Data that we collect and process. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data.    

While information security risks are always evolving, so are the controls. The controls, so implemented, are periodically reviewed as part of internal and external audits. If you have questions about the security of your Personal Data, please contact us immediately as described in this Privacy Notice.

Data Processing Agreements

For all client engagements involving data processing, we maintain:

  • Comprehensive Data Processing Agreements (DPAs)
  • Clear role definitions (controller vs. processor)
  • Detailed security requirements and procedures
  • Incident response protocols
  • Data retention and deletion procedures

DATA BREACH NOTIFICATION AND INCIDENT RESPONSE

We implement and maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, use, modification, or destruction.

Our Incident Response Process

Upon detection of a potential breach, our security team conducts an immediate assessment within one hour, classifying breaches as low, medium, high, or critical based on data sensitivity and scope. All incidents are logged with timestamps, affected systems, and preliminary impact assessment.

Affected systems are isolated within two hours to prevent further compromise, followed by a thorough forensic investigation conducted by our incident response team to determine the nature and scope of the breach, personal data involved, likely consequences for data subjects, and measures taken to address the breach.

Notification Requirements

We notify supervisory authorities within 72 hours of becoming aware of the breach where required by law, providing information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Data subjects are notified without undue delay when the breach is likely to result in high risk to rights and freedoms, through direct communication via email, postal mail, or prominent website notice.

For client data breaches, we notify clients immediately upon detection within one hour through direct contact to primary client contacts, coordinate with the client's incident response team, and provide technical assistance in containment and remediation.

Remediation and Recovery

Affected systems are restored from secure backups after vulnerability remediation, additional security measures are implemented to prevent similar incidents, and enhanced monitoring is maintained for 30 days post-incident. We conduct comprehensive root cause analysis to identify the incident's cause, update policies and procedures based on lessons learned, and provide additional training to relevant staff members.

Post-Incident Review

  • Root Cause Analysis: Comprehensive review to identify the incident's root cause
  • Process Improvement: Updates to policies and procedures based on lessons learned
  • Staff Training: Additional training provided to relevant staff members

Client Environment Incidents

For client data incidents, we implement special procedures including immediate client notification within one hour, supporting client-led response procedures, coordinating all actions with the client rather than taking independent action, and maintaining detailed logs for client review.

Reporting a Security Incident

If you suspect a security incident, contact us at security@cogniswitch.ai and include a description of the suspected incident, affected systems, and any relevant details.

We respond to security-related inquiries within 24 hours.

Compliance Frameworks

Our security program is designed to meet:

  • SOC2 Type 1: Security, availability, processing integrity, confidentiality, and privacy
  • HIPAA: Administrative, physical, and technical safeguards (for healthcare engagements)
  • GDPR: Privacy by design and data protection principles
EEA AND SWISS SPECIFIC RIGHTS
A. Collected Data  

If you are an individual resident in EEA or Switzerland, you have the following data protection rights regarding Collected Data:

a. If you wish to access, correct, update or request deletion of your Personal Data, you can do so at any time by contacting us.

b. You can object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data. Again, you can exercise these rights by contacting us.

c. You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us.

d. Similarly, if we have collected and process your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.

e. You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.  

f you seek access to, or wish to correct, update, modify or delete Personal Data (hereinafter referred to as a “Request”) which forms a part of Collected Data,  please contact us at support@cogniswitch.ai. We respond to all requests we receive from individuals wishing to exercise their data protection rights within a reasonable timeframe in accordance with applicable data protection laws.

B. Service Data  

We acknowledge that you have the right to access your Personal Data. CogniSwitch Inc. has no direct relationship with the individuals whose Personal Data it processes. If you seek access to, or wish to correct, update, modify or delete Personal Data (hereinafter referred to as a “Request”) which is part of the Service Data and processed by us on behalf of our Customer or if you are an End-User of one of our Customers and would no longer like to be contacted by one of our Customers that uses our Service(s), you should direct your query to our Customer i.e, the controller. If requested to remove data, we will respond within a reasonable timeframe.  

If you are a Customer of our Service(s) and wish to raise a Request on behalf of your Users and End-Users in connection with Service Data, you may raise a ticket on the support portal of the relevant Service. Please note that if a Customer has subscribed to more than one Service, a Request on a particular Service support portal is specific to that Service only and separate Requests need to be raised across other relevant Service support portals.

OTHER COMMUNICATIONS

If you are our Customer, we will send you announcements related to the Service(s) on occasions when it is necessary to do so. For instance, if our Service(s) is temporarily suspended for maintenance, we might send you an e-mail. Generally, you may not opt-out of communications which are not promotional in nature. If you do not wish to receive them, you may deactivate your Account.

RETENTION OF PERSONAL DATA

Retention Principles

We retain personal data only as long as necessary for the purposes for which it was collected, to meet legal and regulatory requirements, and for legitimate business purposes.

Specific Retention Periods

For business contact data, we retain information for active business relationships for the duration of the relationship plus three years, marketing communications until opt-out or three years of inactivity, and event registrations for three years from the last event.

Professional services data retention includes client call recordings and transcripts per client contract requirements, typically three to seven years; AI model training data for the duration of model lifecycle plus retention requirements; project deliverables for the duration of agreement plus seven years; and access logs and audit trails per client requirements and regulatory obligations.

Retention periods may vary based on storage location, with CogniSwitch environment retention managed according to our policies and client requirements, client environment retention managed entirely by client according to their policies, and hybrid arrangements having retention schedules that may vary by data type and storage location.

Employee data is retained for personnel records for the duration of employment plus seven years and recruitment data for one year unless otherwise requested. Website analytics are retained for 24 months for anonymous analytics and as specified in cookie preferences for cookie data.

Secure Deletion

When personal data is deleted, data is removed from all active systems within 30 days, backup copies are securely overwritten during regular backup cycles, and physical media is destroyed using certified destruction methods. To request deletion of your personal data, contact support@cogniswitch.ai.

LINKS TO THIRD PARTY SITES

Our Websites contain links to other websites that are not owned or controlled by CogniSwitch Inc.. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware when you leave our Websites and to read the privacy policies of each and every website that collects Personal Data.

CHILDREN'S PERSONAL DATA

CogniSwitch Inc. does not knowingly collect any Personal Data from children under the age of 16. If you are under the age of 16, please do not submit any Personal Data through our Websites or Service(s). We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Notice by instructing their children never to provide Personal Data through our Service(s) or Websites without their permission. If you have reason to believe that a child under the age of 16 has provided Personal Data to us through our Websites or Service(s), please contact us and we will endeavor to delete that information and terminate the child's account from our databases.

AMENDMENTS

Amendments to this Notice will be posted to this URL and will be effective when posted. If we make any material changes, we will notify you by means of a notice on this Website prior to the change becoming effective and if you are our customer, via e-mail (specified in your Account). Provided, we will not notify you if we amend the Notice to make additions, deletions, or modifications to the list of cookies sometimes to keep them current and accurate. You should frequently visit this Notice to check for amendments. Your continued use of our Websites or the Service(s) following the posting of any amendment, modification, or change to this Notice shall constitute your acceptance of the amendments to this Notice. You can choose to discontinue use of the Websites or Service(s), if you do not accept the terms of this Notice, or any modified version of this Notice.

LEGAL DISCLOSURE

We, including our Group Companies reserve the right to disclose your personal data contained in Collected Data and Service Data as required by applicable law, in response to lawful requests by public authorities, including meeting national security or law enforcement requirements and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or other legal process served on us. Collected Data and Service Data will also be shared between our Group Companies for the activities permitted under the Terms and this Notice.  

In the event CogniSwitch Inc. goes through a business transition, such as a merger or acquisition by another company, or sale of all or a portion of its assets, Customer’s Account, Collected Data and Service Data will likely be among the assets transferred. A prominent notice will be displayed on our websites to intimate you of any such change in ownership or control and Customers will be notified via an e-mail from support@cogniswitch.ai.

For HIPAA-compliant engagements involving ePHI, any business transitions will comply with HIPAA requirements for covered entity and business associate obligations, with appropriate client notification as required by applicable Business Associate Agreements.

CONTACTING US

If you have any questions about this privacy notice or your dealings with the CogniSwitch Inc., you can contact us at privacy@cogniswitch.ai or support@cogniswitch.ai or via postal mail at CogniSwitch Inc., 8 The Green, Ste R, Dover, DE 19901, USA for the attention of the Data Protection Officer with a CC to legal@cogniswitch.ai

Name and email ID of the DPO: Joshua Thomas, joshuat@cogniswitch.ai