1. Introduction
Cognora (“we”, “us”, “our”) is a child growth and cognitive ability mapping platform. We are committed to protecting the privacy and personal data of our users and their children in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, and other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, and protect your personal data and the personal data of children registered on our platform.
2. Data Controller
Cognora operates as the data controller for all personal data processed through this platform. For questions regarding this policy or your data rights, contact us at privacy@cognora.app.
3. Data We Collect
3.1 Parent/Guardian Data
- Full name and email address (required for account creation)
- Phone number (optional)
- Google account identifier (if using Google sign-in)
- Payment information (processed by Paystack; we store only transaction references, not card details)
3.2 Child Data
- Name and date of birth (required to derive age group for assessments)
- Gender (optional)
- School level
- Parent-reported concerns (optional tags such as “focus”, “reading”)
- Assessment responses, scores, and cognitive domain classifications
- Activity completion logs
- Badges earned
3.3 Technical Data
- IP address (for rate limiting and security; not stored long-term)
- Browser type and session cookies (for authentication only)
4. Lawful Basis for Processing
We process personal data on the following lawful bases under the NDPR:
- Consent: You explicitly consent to the collection and processing of your child's data when you create a child profile and initiate assessments.
- Contract: Processing is necessary to provide the services you have subscribed to.
- Legitimate Interest: Platform security, fraud prevention, and service improvement.
5. How We Use Your Data
- To administer cognitive assessments and compute growth scores
- To generate personalized growth plans and activity recommendations
- To track progress and award achievement badges
- To process subscription payments via Paystack
- To send transactional emails (verification, password reset)
- To provide aggregated analytics to administrators (no individual data is exposed)
- To improve our platform and assessment quality
6. Children's Data Protection
We take special care with children's data in accordance with NDPR provisions on vulnerable persons:
- Child profiles can only be created by a verified parent/guardian account.
- Children never interact with the platform unsupervised — assessments are designed to be facilitated by a parent.
- We do not collect children's email addresses, photos, or location data.
- We use growth-oriented language in all classifications (e.g., “Developing” rather than “weak”) to protect children's wellbeing.
- Child data is soft-deleted (marked inactive) rather than permanently deleted to allow for recovery, and can be permanently purged upon request.
7. Data Storage and Security
- All data is stored in a PostgreSQL database hosted on secured infrastructure.
- Passwords are hashed using bcrypt with a cost factor of 12.
- All connections use HTTPS/TLS encryption in transit.
- Authentication tokens (JWT) expire after 7 days and are cryptographically signed.
- Rate limiting is applied to authentication and assessment endpoints to prevent abuse.
- Payment data is handled entirely by Paystack, a PCI DSS compliant payment processor. We never store credit card numbers.
8. Data Sharing
We do not sell personal data. We share data only with:
- Paystack: Payment processing (email and transaction metadata only).
- Resend: Transactional email delivery (email addresses only).
- Google: If you use Google sign-in (OAuth authentication only; we receive your name and email).
We do not share data with advertisers, data brokers, or any other third parties.
9. Data Retention
- Account data is retained for as long as your account is active.
- Assessment data is retained to enable progress tracking and retest comparisons.
- If you delete your account, all associated data (including child profiles, assessments, and activity logs) will be permanently deleted within 30 days.
- Rate limiting data (IP addresses) is automatically purged every 60 seconds.
10. Your Rights Under NDPR
As a data subject, you have the right to:
- Access: Request a copy of all personal data we hold about you and your children.
- Rectification: Correct inaccurate personal data via your account settings.
- Erasure: Request deletion of your account and all associated data.
- Restriction: Request that we limit the processing of your data.
- Data Portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent at any time by deleting child profiles or your account.
To exercise any of these rights, email privacy@cognora.app. We will respond within 30 days.
11. Cookies
We use only essential cookies required for authentication session management. We do not use tracking cookies, advertising cookies, or analytics cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated via email to registered users. The “Last updated” date at the top indicates the most recent revision.
13. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng.
14. Contact
For any questions about this Privacy Policy or your personal data:
- Email: privacy@cognora.app
- Platform: Cognora — cognora.app