Your privacy is important to us. It is Cognition's policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, https://www.cognition.run, and other sites we own and operate.
Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service.
In the event our site contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy information about how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.
This policy is effective as of 1 February 2022.
Last updated: 16 April 2026
Information we collect falls into one of two categories: “voluntarily provided” information and “automatically collected” information.
“Voluntarily provided” information refers to any information you knowingly and actively provide us when using or participating in any of our services and promotions.
“Automatically collected” information refers to any information automatically sent by your devices in the course of accessing our products and services.
When you visit our website, our servers may automatically log the standard data provided by your web browser. It may include your device’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details about your visit.
Additionally, if you encounter certain errors while using the site, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem. You may or may not receive notice of such errors, even in the moment they occur, that they have occurred, or what the nature of the error is.
Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.
We may ask for personal information — when you contact us — which may include one or more of the following:
We consider “user-generated content” to be materials (text, image and/or video content) voluntarily supplied to us by our users for the purpose of publication, processing, or usage on our platform. All user-generated content is associated with the account or email address used to submit the materials.
Please be aware that any content you submit for the purpose of publication will be public after posting (and subsequent review or vetting process). Once published, it may be accessible to third parties not covered under this privacy policy.
Transaction data refers to data that accumulates over the normal course of operation on our platform. This may include transaction records, stored files, user profiles, analytics data and other metrics, as well as other types of information, created or generated, as users interact with our services.
We only collect and use your personal information when we have a legitimate reason for doing so. In which instance, we only collect personal information that is reasonably necessary to provide our services to you. This includes processing that occurs when you use our platform through a web browser or through programmatic access via the API or MCP.
We may collect personal information from you when you do any of the following on our website or through our programmatic interfaces:
We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes:
We may combine voluntarily provided and automatically collected personal information with general information or research data we receive from other trusted sources. For example, If you provide us with your location, we may combine this with general information about currency and language to provide you with an enhanced experience of our site and service.
When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification.
Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure, and no one can guarantee absolute data security.
You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services. For example, ensuring you do not make your personal information publicly available via our platform.
We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this privacy policy. For example, if you have provided us with personal information such as an email address when contacting us about a specific enquiry, we may retain this information for the duration of your enquiry remaining open as well as for our own records so we may effectively address similar enquiries in future. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.
However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes.
We do not aim any of our products or services directly at children under the age of 13, and we do not knowingly collect personal information about children under 13.
We may disclose personal information to:
Third parties we currently use include:
Additionally, when you voluntarily connect a third-party AI application to your account via MCP or API (such as Anthropic's Claude, OpenAI's ChatGPT, or other AI clients), your experiment data — including metadata, source code, and, for non-PHI projects, participant data — may be transmitted to that third party. This transfer is initiated by you and governed by the third party's own privacy policy. Cognition does not control the data practices of AI providers you choose to connect. See the “Third-Party AI Integrations” section below for details.
Cognition is hosted on Amazon Web Services (AWS). Our database is hosted on Amazon Web Services (AWS RDS). AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. Third-party auditors regularly test and verify the effectiveness of AWS security as part of the AWS compliance programs. To learn about the compliance programs that apply to Amazon RDS, see AWS Services in Scope by Compliance Program. The data collected from the experiments is stored on Amazon Simple Storage Service (Amazon S3), whose servers are located in Frankfurt (Germany) by default. Users have the option to select a different location for the servers being used, such as North America (US), Europe (Germany), or Asia (Japan) to comply with country-specific data protection regulations. All traffic to and from Cognition is encrypted via TLS/SSL.
Effective from 15 June 2020, any change in our privacy policy will need to be communicated to the user.
The personal information we collect is stored and/or processed in Germany, or where we or our partners, affiliates, and third-party providers maintain facilities.
The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.
Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of our website or the products and/or services offered on or through it.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.
Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
Access: You may request details of the personal information that we hold about you.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example processing transaction data), we will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.
Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.
Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.
Unsubscribe: To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details provided in this privacy policy, or opt-out using the opt-out facilities provided in the communication. We may need to request specific information from you to help us confirm your identity.
We use “cookies” to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified.
Please refer to our Cookie Policy for more information.
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy, which they will be required to assume as it is the basis for any ownership or use rights we have over such information.
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.
If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.
Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles in the Privacy Act. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.
The GDPR distinguishes between organisations that process personal information for their own purposes (known as “data controllers”) and organizations that process personal information on behalf of other organizations (known as “data processors”). We, Cognition, located at the address provided in our Contact Us section, are a Data Controller and/or Processor with respect to the personal information you provide to us.
We will only collect and use your personal information when we have a legal right to do so. In which case, we will collect and use your personal information lawfully, fairly, and in a transparent manner. If we seek your consent to process your personal information, and you are under 16 years of age, we will seek your parent or legal guardian’s consent to process your personal information for that specific purpose.
Our lawful bases depend on the services you use and how you use them. This means we only collect and use your information on the following grounds:
Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however this will not affect any use of your information that has already taken place. When you contact us, you may consent to your name and email address being used so we can respond to your enquiry. While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.
Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, if you purchase a product, service, or subscription from us, we may need to use your personal and payment information in order to process and deliver your order.
Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.
In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further enquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.
We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.
Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights, and freedoms, in order to proceed with the processing of your personal information.
Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.
Deletion: You may have a right to request that we delete the personal information we hold about you at any time, and we will take reasonable steps to delete your personal information from our current records. If you ask us to delete your personal information, we will let you know how the deletion affects your use of our website or products and services. There may be exceptions to this right for specific legal reasons which, if applicable, we will set out for you in response to your request. If you terminate or delete your account, we will delete your personal information within 30 days of the deletion of your account. Please be aware that search engines and similar third parties may still retain copies of your personal information that has been made public at least once, like certain profile information and public comments, even after you have deleted the information from our services or deactivated your account.
Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.
To make such a request, please contact us using the details provided in this privacy policy with “Request for California privacy information” in the subject line. You may make this type of request once every calendar year. We will email you a list of categories of personal information we revealed to other organisations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.
Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser “Do Not Track” signals.
We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.
At all times, you may decline cookies from our site if your browser permits. Most browsers allow you to activate settings on your browser to refuse the setting of all or some cookies. Accordingly, your ability to limit cookies is based only on your browser’s capabilities. Please refer to the Cookies section of this privacy policy for more information.
In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels for the goods or services we provide.
Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
In the past 12 months, we have collected the following categories of personal information enumerated in the California Consumer Privacy Act:
For more information on information we collect, including the sources we receive information from, review the “Information We Collect” section. We collect and use these categories of personal information for the business purposes described in the “Collection and Use of Information” section, including to provide and manage our Service.
If you are a California resident, you have rights to delete your personal information we collected and know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:
To exercise any of these rights, please contact us using the details provided in this privacy policy.
If you are a California resident, in addition to the rights discussed above, you have the right to request information from us regarding the manner in which we share certain personal information as defined by California’s “Shine the Light” with third parties and affiliates for their own direct marketing purposes.
To receive this information, send us a request using the contact details provided in this privacy policy. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code.
Cognition does not automatically collect healthcare information. Researchers who use the platform may design experiments that collect health-related data from participants. The researcher is solely responsible for determining whether their experiment collects Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
For purposes of this policy, PHI means health-related information (medical, psychiatric, psychological, physiological, or clinical data) combined with identifiers (such as names, email addresses, IP addresses, dates of birth, or any identifier traceable to a real person).
Every experiment on Cognition has a PHI classification with three states:
The PHI declaration is managed through the MCP and API interfaces. When a connected AI client first attempts to access participant data for an undeclared experiment, the researcher is prompted to classify the experiment before access is granted. The declaration is recorded with a timestamp and the identity of the user who made it. The researcher is solely responsible for the accuracy of this declaration. Cognition provides this classification mechanism as a reasonable safeguard but does not independently verify the nature of data collected by experiments.
Researchers create cognitive experiments hosted on the platform. Participants visit the experiment's URL and complete the experiment. During execution, participants may provide responses that constitute health-related information if the researcher's experiment is designed to collect such data. This data is collected and stored on our servers.
Participant data is stored in CSV files on Amazon S3. The data is used by researchers for scientific research purposes, primarily data analysis.
Cognition has a signed HIPAA Business Associate Agreement (BAA) with Amazon Web Services (AWS), our infrastructure provider. This BAA covers the storage and processing of PHI on AWS services including Amazon S3 and Amazon RDS.
Cognition does not have BAAs with third-party AI providers that may connect via MCP or API. Therefore, MCP and API connections are not HIPAA-compliant data channels. Researchers who collect PHI must classify their experiments as PHI-protected, which prevents participant data from being transmitted through these channels.
The individual responsible for overseeing HIPAA-related practices within our organization is Javier Vidal Peña, the maintainer of Cognition.
In the event of a data breach involving participant data, we will notify affected researchers by email. For breaches involving PHI, we will follow applicable HIPAA breach notification requirements.
Users can file complaints regarding data handling practices by contacting us at admin@cognition.run.
Cognition offers optional integration with external AI clients through the Model Context Protocol (MCP) and REST API. These integrations require your explicit authorization via OAuth 2.1 or a Personal Access Token (PAT) before any external application can access your account.
You may connect third-party AI applications (such as AI coding assistants or automation tools) to your Cognition account. When you authorize an external AI client, you grant it the ability to interact with your account on your behalf through a defined set of operations.
Once authorized, an external AI client may access and interact with the following data associated with your account:
For experiments where you have declared that the data does not contain Protected Health Information (PHI), authorized AI clients may also access participant-level behavioral data (trial-level CSV data). For experiments marked as containing PHI, participant-level data is never transmitted through MCP or API. See the “HIPAA and Protected Health Information” section for details on the PHI declaration system.
Authorized AI clients may also perform actions on your behalf, such as creating or updating experiments, modifying source code, managing collaborators, and deleting runs or experiments.
When you connect an AI client via MCP, the data exposed through the MCP server is transmitted to the AI provider operating that client (for example, Anthropic, OpenAI, or another provider). This transmission is initiated by your authorization and occurs each time the AI client makes a request to your account.
Cognition does not have data processing agreements or Business Associate Agreements (BAAs) with AI providers. MCP and API connections are not HIPAA-compliant data channels. If your experiment collects PHI, you must classify it accordingly using the PHI declaration system, which will prevent participant data from being transmitted through these channels.
External AI applications are operated by third parties and governed by their own privacy policies and terms of service. We do not control how these applications process, store, or retain the data they access from your account. We strongly encourage you to review the privacy policy of any AI application before authorizing it.
You are responsible for the actions that authorized AI clients perform on your behalf through MCP and API. This includes any changes made to your experiments, data, or account settings. You are also responsible for ensuring that you do not expose PHI through MCP by correctly classifying your experiments using the PHI declaration system.
You may revoke an AI application's access to your account at any time by visiting the Connected Apps section in your account settings, or by revoking individual Personal Access Tokens. Revoking access immediately prevents the application from making further requests to your account. Previously accessed or downloaded data may still be retained by the third-party application in accordance with their own data retention policies.
For any questions or concerns regarding your privacy, you may contact us using the following details:
Javier Vidal Peña
admin@cognition.run