Privacy Policy | Cognitive Rise

At Cognitive Rise, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our workplace wellbeing platform.

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using our platform, you agree to the collection and use of information in accordance with this policy.

1. Data Controller

Company: Cognitive Rise Ltd

Email: privacy@cognitiverise.co.uk

Website: cognitiverise.co.uk

2. Information We Collect

2.1 Personal Information

Account Information: Username (nickname), email address, password (encrypted)
Profile Information: First name, last name, job title, department
Company Information: Company name, company ID
Role Information: Your role within the platform (Participant, Curator, or Administrator)

2.2 Programme Participation Data

Task Submissions: Your responses to mindfulness exercises, reflections, and assignments
Practice Logs: Records of meditation sessions and mindfulness practices
Progress Data: Completion status, scores, and feedback from curators
Messages: Communications with curators and administrators
Event Registrations: Attendance at workshops, webinars, and sessions

2.3 Usage Information

Login Activity: Login timestamps, session duration
Platform Activity: Pages visited, features used, time spent on platform
Device Information: Browser type, operating system, IP address (anonymised)
Performance Data: Error logs and diagnostic information (via Sentry)

3. Legal Basis for Processing

Under UK GDPR Article 6, we process your personal data on the following legal bases:

Contractual Necessity: To deliver the mindfulness programme to you as part of your employer's wellbeing initiative
Legitimate Interests: To improve our platform, provide customer support, and conduct analytics
Consent: Where you have provided explicit consent for specific purposes (e.g., optional surveys)
Legal Obligations: To comply with applicable laws and regulations

4. How We Use Your Information

We use your personal data to:

Provide access to the 6-month mindfulness programme
Track your progress and provide personalised feedback
Enable communication between participants, curators, and administrators
Send notifications about new content, deadlines, and events
Generate anonymised analytics for employers (aggregated data only)
Improve platform functionality and user experience
Provide technical support and respond to enquiries
Ensure platform security and prevent unauthorised access
Comply with legal obligations and respond to lawful requests

5. Data Sharing and Access

5.1 Within the Platform

Participants can see: Their own data and progress
Curators can see: Data for participants in their assigned companies, including task submissions and progress
Administrators can see: All platform data, including user management and company-wide analytics

5.2 With Your Employer

We provide your employer with aggregated, anonymised data only. Your employer will receive:

Overall programme participation rates
Completion statistics (number of participants, not individual names)
Aggregated engagement metrics

Your employer will NOT receive access to your individual submissions, reflections, or personal progress data unless required by law.

5.3 Third-Party Service Providers

We share data with trusted third parties who help us operate the platform:

Hosting: Vercel (US/EU) - Platform hosting and deployment
Database: Supabase (EU) - PostgreSQL database hosting
Error Monitoring: Sentry (EU) - Error tracking and performance monitoring
Email: Email service provider for notifications and communications

All third-party processors are required to comply with UK GDPR and have appropriate data protection agreements in place.

6. Your Data Protection Rights

Under UK GDPR, you have the following rights:

Right of Access

Request a copy of all personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure ('Right to be Forgotten')

Request deletion of your personal data (subject to legal obligations)

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests

Right to Restrict Processing

Request limitation of how we use your data

To exercise any of these rights, please contact us at privacy@cognitiverise.co.uk. We will respond within one month.

7. Data Security

We implement industry-standard security measures to protect your personal data:

Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest
Authentication: Secure password hashing (bcrypt) and session management
Access Controls: Role-based access control (RBAC) limiting data visibility
Database Security: Connection pooling, parameterised queries to prevent SQL injection
Monitoring: Continuous security monitoring and error tracking
Regular Updates: Security patches and updates applied promptly

8. Data Retention

We retain your personal data for the following periods:

Active Programme: Throughout your 6-month programme plus 12 months after completion
Account Data: Until you request deletion or your employer terminates the contract
Anonymised Analytics: Retained indefinitely for research and improvement purposes
Legal Requirements: Some data may be retained longer to comply with legal obligations (e.g., financial records for 7 years)

After the retention period, your data will be securely deleted or anonymised.

9. International Data Transfers

Your data is primarily stored within the UK and European Economic Area (EEA). Where we use service providers outside the UK/EEA (such as Vercel in the US), we ensure:

Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
Adequacy decisions where applicable
Additional safeguards to ensure UK GDPR-level protection

10. Cookies and Tracking Technologies

We use the following cookies:

Essential Cookies (Required)

Session Cookies: To keep you logged in and maintain your session
Authentication Cookies: To verify your identity (NextAuth.js)

Analytics Cookies (Optional)

Usage Analytics: To understand how you use the platform and improve user experience
Performance Monitoring: To track errors and performance issues (Sentry)

You can control cookies through your browser settings. Note that disabling essential cookies may impact platform functionality.

11. Children's Privacy

Our platform is designed for workplace use and is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@cognitiverise.co.uk.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

Posting the updated policy on this page with a new "Last updated" date
Sending an email notification to registered users
Displaying a prominent notice on the platform

We encourage you to review this policy periodically. Your continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us and Complaints

Data Protection Enquiries

Email: privacy@cognitiverise.co.uk

Response Time: We aim to respond within 5 working days

Regulatory Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane

Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113

Thank you for trusting Cognitive Rise with your personal data. We are committed to protecting your privacy and providing a safe, secure platform for your mindfulness journey.