Data Processing and Subprocessor Information

• the Privacy Policy at /legal/privacy
• the Terms of Service at /legal/terms
• the Acceptable Use Policy at /legal/acceptable-use
• the Cookie Policy at /legal/cookie-policy
• the Refund Policy at /legal/refund-policy

1. Purpose of this page

This page is intended to provide product-specific data processing information for users, reviewers, customers, and platform partners.

It describes:

• processing roles
• processing activities
• data categories
• data subject categories
• subprocessors
• security measures
• retention and deletion practices
• international processing
• incident response
• privacy and data request channels

Unless a separate written agreement is signed, this page does not create custom enterprise audit rights, negotiated service-level commitments, or a separate standalone data processing agreement beyond the Terms of Service, Privacy Policy, and applicable law.

2. Product overview

Cognardo Workbench is a browser-extension and web-based workspace for people who use AI tools seriously.

It helps users save, organize, search, transform, summarize, compare, cite, copy, export, verify, and sync prompts, chats, AI responses, scratchpads, instruction profiles, selected text, page content, and related AI work.

Depending on the feature used and the user’s settings, Cognardo Workbench may process data:

• locally in the browser
• inside Chrome extension storage
• through the Cognardo Workbench website
• through Cognardo Workbench backend services
• in cloud infrastructure
• through third-party AI providers
• through search or webpage-fetching providers
• through authentication providers
• through payment providers once paid billing is enabled
• through support and email systems

3. Processing roles

Data protection roles may vary depending on the type of data, user type, jurisdiction, and feature used.

3.1 Account, website, billing, security, and service data

For account data, website usage data, authentication data, billing data, security data, fraud-prevention data, product analytics, diagnostic data, and support communications, Cognardo Workbench generally acts as an independent controller or business, depending on the applicable law.

This includes data used to:

• create and manage accounts
• authenticate users
• manage plans, credits, subscriptions, and billing
• prevent fraud and abuse
• secure the service
• respond to support requests
• maintain logs and diagnostics
• improve service reliability
• comply with legal, tax, accounting, and platform obligations

3.2 User content submitted for workspace features

For user content submitted to be saved, synced, analyzed, transformed, summarized, compared, exported, or otherwise processed as part of Cognardo Workbench features, Cognardo Workbench may act as a processor or service provider where required by applicable law and where the user or customer acts as the controller.

This may include content such as:

• prompts
• conversations
• AI responses
• scratchpads
• instruction profiles
• selected text
• webpage text
• citation links
• source URLs
• AI action inputs and outputs
• imported or exported workspace content

Where Cognardo Workbench acts as a processor or service provider, it processes user content according to the user’s instructions as expressed through:

• the Terms of Service
• the Privacy Policy
• this Data Processing page
• product settings
• feature usage
• Cloud Sync & Intelligence choices
• support requests
• account deletion requests
• written instructions accepted by Cognardo Workbench

3.3 Aggregated or de-identified intelligence signals

When Cloud Sync & Intelligence is enabled, Cognardo Workbench may generate aggregated or de-identified intelligence signals from synced workspace data.

These signals may include:

• cited URLs
• source domains
• brand or source mentions
• citation patterns
• source-quality signals
• model/provider behavior trends
• claim-source support patterns
• content categories
• usage trends
• quality signals

These signals may be used to improve Cognardo Workbench and develop related Cognardo products, including products that help users understand AI citation behavior, source visibility, brand mentions, and LLM-facing content performance.

Where such signals are no longer reasonably linked to a user account or private workspace content, they may be retained and used as aggregated or de-identified product intelligence.

4. User instructions

When Cognardo Workbench processes user content as a processor or service provider, the user instructs Cognardo Workbench to process that content for the following purposes:

• providing the product features selected by the user
• saving and organizing workspace content
• providing cloud sync and restore where enabled
• providing AI features requested by the user
• providing citation analysis and source verification requested by the user
• generating summaries, categories, smart suggestions, and quality signals
• exporting, importing, copying, and formatting user content
• maintaining account state, settings, and entitlements
• providing support
• securing the service
• complying with applicable law and platform requirements
• generating aggregated or de-identified intelligence signals where Cloud Sync & Intelligence is enabled

Users must not submit content that they are not authorized to process.

5. Processing activities

Cognardo Workbench may process data for the following activities.

5.1 Account and authentication

Processing may include:

• account creation
• login
• Google sign-in
• email verification
• session management
• API key or token management
• Firebase authentication
• profile management
• password or email change flows
• reauthentication
• OTP verification
• account deletion and reactivation

5.2 Cloud sync, backup, and restore

When Cloud Sync & Intelligence is enabled, processing may include:

• cloud backup
• cross-device sync
• account restore
• sync metadata management
• conflict detection
• retry queues
• cloud database writes and reads
• restoring supported workspace data after login

5.3 Workspace features

Processing may include:

• saving prompts
• organizing prompt libraries
• creating prompt sequences
• saving and editing scratchpads
• saving instruction profiles
• recording conversations
• searching workspace content
• pinning prompts or responses
• copying content
• exporting content
• importing prompts or other supported data
• generating bibliographies
• applying custom copy settings

5.4 AI features

Processing may include:

• prompt optimization
• web or selection summarization
• chat summaries
• explain-by-grade-level
• flashcard generation
• quiz generation
• tone rewriting
• expand/shorten actions
• cross-model comparison
• AI action history
• smart suggestions
• generated metadata

AI features may send user-submitted content to third-party AI providers depending on the feature and configuration.

5.5 Citation and source analysis

Processing may include:

• extracting citation links
• checking link status
• fetching source metadata
• verifying cited content
• comparing claims against sources
• detecting missing citations
• detecting unsupported claims
• scoring citation quality
• generating source-quality signals
• creating citation analysis results
• storing citation analysis history where supported

Citation and source analysis features reduce risk but do not guarantee that outputs are true, complete, lawful, professionally reliable, or safe to publish.

5.6 Billing, plans, and credits

Once paid billing is enabled, processing may include:

• plan management
• credit balance tracking
• monthly credit resets
• top-up credit tracking
• entitlement checks
• subscription status
• invoice records
• payment-provider identifiers
• payment failure state
• refund and dispute handling
• billing support

Paid checkout is not currently enabled. Once paid billing is enabled, payments may be processed by Paddle.

5.7 Security, abuse prevention, diagnostics, and support

Processing may include:

• request validation
• session validation
• user-scoped access checks
• rate limiting
• abuse detection
• fraud prevention
• diagnostic logs
• error logs
• runtime telemetry
• support ticket review
• security incident investigation
• account recovery and verification
• platform compliance review

5.8 Product improvement and related products

Processing may include:

• product analytics
• feature usage analysis
• performance improvement
• reliability improvement
• quality evaluation
• aggregated or de-identified intelligence signals
• source-quality trend analysis
• AI citation behavior analysis
• model/provider behavior analysis
• related Cognardo product development

Private workspace content is not published as a public dataset. User content is not used for third-party advertising.

6. Categories of data processed

Cognardo Workbench may process the following categories of data.

6.1 Identity and contact data

• email address
• display name or username
• Google profile name
• Google profile image URL
• uploaded avatar
• account ID or user ID
• account creation and update timestamps
• email verification state

6.2 Authentication and security data

• session tokens
• API keys or access keys
• authentication state
• login timestamps
• provider identifiers
• Firebase tokens
• OTP verification records
• password update metadata
• reauthentication records
• account deletion and reactivation records
• security logs and diagnostic records

6.3 User content

• prompts
• prompt sequences
• conversations
• AI responses
• scratchpads
• instruction profiles
• selected text
• webpage text
• saved responses
• citation links
• source URLs
• chat titles
• response markdown
• model/provider metadata
• imported content
• exported content
• copied or transformed content

6.4 AI inputs and outputs

• prompt optimization inputs and outputs
• summaries
• explanations
• flashcards
• quizzes
• tone rewrites
• expanded or shortened text
• cross-model comparison prompts and outputs
• AI-generated metadata
• citation analysis inputs and outputs
• hallucination analysis outputs
• source-quality signals

6.5 Usage, analytics, and diagnostic data

• event type
• event ID
• user ID
• device or installation ID
• session ID
• timestamp
• extension version
• environment
• client type
• feature usage
• setting toggles
• plan state
• usage counters
• runtime telemetry
• diagnostic metadata
• error metadata

Search-related analytics are designed not to include raw search query text. Search analytics may include metadata such as query length instead.

6.6 Billing, subscription, and credit data

• plan name
• plan status
• billing account ID
• subscription status
• included monthly credits
• remaining monthly credits
• top-up credit balance
• credit ledger entries
• renewal or reset dates
• invoices
• payment-provider customer or subscription identifiers
• payment failure state
• refund or dispute metadata

6.7 Settings, consent, and preference data

• Cloud Sync & Intelligence setting
• consent version
• consent scope
• consent action
• consent timestamp
• sidebar settings
• floater settings
• custom copy settings
• shortcut settings
• permitted origins
• theme preference
• extension state
• active instruction profile setting

6.8 Device, browser, and technical data

• browser type
• extension version
• client type
• environment
• request metadata
• routing metadata
• IP address or approximate location where processed by infrastructure providers
• user agent
• device or installation identifiers
• Cloudflare or hosting logs depending on configuration

7. Categories of data subjects

Cognardo Workbench may process data relating to:

• account users
• website visitors
• extension users
• paid subscribers once paid billing is enabled
• people who contact support
• people whose personal information appears in prompts, chats, AI responses, scratchpads, selected text, webpage text, source materials, citations, or imported content
• people represented in user-submitted business, research, client, academic, or project content

Users are responsible for ensuring that they have the right to submit or process personal data relating to other people.

8. Sensitive and regulated data

Cognardo Workbench is not designed for processing highly sensitive, confidential, regulated, or restricted information.

Users must not use Cognardo Workbench to submit, save, sync, analyze, summarize, transform, compare, verify, or export:

• medical records or protected health information
• financial account credentials or regulated financial records
• government ID numbers
• passwords, secrets, API keys, private keys, or authentication tokens
• children’s personal data
• confidential employer, client, customer, or third-party information without authorization
• attorney-client privileged information
• highly sensitive personal information
• regulated data that the user is not authorized to process
• content the user does not have the right to submit or process

If users process sensitive or regulated data despite this restriction, they are responsible for ensuring that they have the required authorization, legal basis, safeguards, contracts, and compliance measures.

9. Subprocessors

Cognardo Workbench uses subprocessors to provide infrastructure, authentication, cloud storage, AI processing, search, hosting, payment, support, and communication functions.

The subprocessor list may change as the product evolves.

| Subprocessor | Purpose | Data potentially processed | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Google Firebase Authentication | Account authentication, Google sign-in linkage, custom authentication tokens | Email, UID, authentication provider, verification state, authentication tokens | | Google Cloud Firestore | Cloud database and sync | Profile data, prompts, conversations, scratchpads, instruction profiles, AI histories, sync metadata, consent records, billing/account state | | Google Cloud Storage / Firebase Storage | Avatar and file storage | Profile images, avatar files, related file metadata | | Google Cloud Run | Backend API hosting and processing | API requests, user content submitted to features, authentication, billing, sync, AI, and account operations | | Cloudflare Workers | Website hosting, routing, security, and performance | Website request metadata, user agent, IP address, routing/security metadata, edge logs depending on configuration | | OpenAI | AI generation, transformation, summarization, citation analysis, and related AI features | Prompts, selected text, page text, chat summaries, rewrites, explanations, quiz/flashcard inputs, citation-analysis payloads, cross-compare payloads where applicable | | Anthropic | Cross-model comparison and selected AI features where configured | Prompt or text selected by the user for cross-model comparison or related features | | Google Gemini | Cross-model comparison and selected AI features where configured | Prompt or text selected by the user for cross-model comparison or related features | | Google Custom Search | Citation and source lookup | Search queries, claims, URLs, source lookup data, citation verification inputs | | Paddle | Future payment processing, merchant of record, billing, tax, invoice, subscription, fraud-prevention, and buyer support | Buyer data, payment metadata, tax data, invoice data, subscription data, customer identifiers, fraud-prevention data | | Email delivery providers | Transactional emails, OTPs, verification emails, deletion confirmations, account notices, and support communications | Email address, OTP or verification metadata, transactional message metadata | | Chrome / Google browser platform | Extension APIs and Chrome Web Store distribution | Extension install/use context handled by Chrome, extension permissions, browser platform metadata |

Paid checkout is not currently enabled. Once paid billing is enabled, payments may be processed by Paddle.

Stripe is not intended to be an active payment processor for the Cognardo Workbench launch. If Stripe or another payment provider is added later, this page should be updated.

10. Third-party AI and search providers

When a user requests AI, search, citation, or source-verification features, Cognardo Workbench may send submitted content, prompts, citations, links, source URLs, webpage text, selected text, or related metadata to third-party AI or search providers.

Depending on the feature and provider configuration, this may include:

• OpenAI
• Anthropic
• Google Gemini
• Google Custom Search
• webpage-fetching or source-verification services

Cognardo Workbench does not make unsupported claims about how every AI provider uses or retains submitted data. Third-party AI and search providers may process data under their own terms, privacy policies, data processing terms, account settings, and service configurations.

Users should not submit sensitive, confidential, regulated, or unauthorized third-party content to AI features.

11. Security measures

Cognardo Workbench uses technical and organizational measures designed to protect data, including:

• authenticated backend requests
• session validation
• user-scoped access checks
• rate limiting
• request validation
• field length limits
• input sanitization in selected workflows
• content minimization in selected workflows
• reauthentication for sensitive account actions
• OTP flows for selected verification actions
• managed Google Cloud and Firebase infrastructure
• Chrome extension content security policy restrictions
• extension-packaged scripts
• limited default content script behavior
• optional and revocable site permissions
• local and cloud feature separation
• analytics minimization for selected events
• diagnostic logging
• abuse-prevention controls
• entitlement checks for gated features
• billing checks for credit-based features
• avatar validation and file-size controls
• security and support contact channels

These safeguards are designed to reduce risk, but no system is perfectly secure. Cognardo Workbench cannot guarantee that data will always remain private, secure, available, or error-free.

Users are responsible for securing their own devices, browser profiles, accounts, credentials, API keys, session tokens, exported files, and local storage.

12. Local storage and cloud storage

Cognardo Workbench may process data locally and in the cloud.

12.1 Local browser and extension storage

The Chrome extension may store data locally in Chrome extension storage, including:

• authentication state
• account cache
• local workspace data
• prompts
• conversations
• scratchpads
• sync metadata
• retry queues
• settings
• permitted origins
• analytics queues
• extension state

Removing the Cognardo Workbench Chrome extension from a browser clears local extension data from that browser.

12.2 Website browser storage

The Cognardo Workbench website may use browser storage to store:

• authenticated website session information
• session tokens
• account cache
• theme preference
• account and profile state needed for website features

12.3 Cloud storage

When Cloud Sync & Intelligence is enabled or when a feature requires cloud processing, Cognardo Workbench may store or process data in cloud infrastructure, including Google Firebase, Google Cloud Firestore, Google Cloud Storage, and Google Cloud Run.

Cloud data may include:

• account profile data
• prompts
• conversations
• scratchpads
• instruction profiles
• AI action history
• citation analysis results
• sync metadata
• consent records
• billing and credit metadata

13. Cloud Sync & Intelligence

Cloud Sync & Intelligence is disabled by default.

When enabled, Cognardo Workbench may process supported workspace data to provide:

• cloud backup
• account restore
• cross-device sync
• AI features
• citation analysis
• smart suggestions
• product-quality insights
• aggregated or de-identified intelligence signals

These intelligence signals may include:

• cited URLs
• source domains
• brand or source mentions
• citation patterns
• source-quality signals
• model/provider behavior trends
• claim-source support patterns
• categories
• summaries
• usage trends
• quality signals

These signals may be used to improve Cognardo Workbench and develop related Cognardo products.

Cognardo Workbench does not publish raw private prompts, chats, scratchpads, saved responses, or account content as a public dataset. Cognardo Workbench does not use user content for third-party advertising.

If Cloud Sync & Intelligence is disabled, future cloud sync and intelligence processing stops where supported. Disabling it does not automatically delete data that was already synced, and it may not reverse aggregated or de-identified intelligence signals that were already generated.

14. Retention and deletion

Cognardo Workbench retains data for as long as reasonably necessary to provide the service, operate accounts, comply with legal obligations, resolve disputes, enforce agreements, maintain security, manage billing, and support the purposes described in the Privacy Policy and this page.

14.1 Account deletion

When a user deletes their account, account deletion begins a 30-day recovery window.

During this recovery window, signing in or signing up again with the same account may reactivate the account.

After the 30-day recovery window, cloud account data is scheduled for deletion or de-identification, subject to legal, billing, fraud-prevention, tax, security, backup, dispute, and compliance retention obligations.

14.2 Local data

Account deletion clears cloud account data through the account deletion process. It does not necessarily remove local data from every browser or device where the extension remains installed.

To clear local extension data from a browser, remove the Cognardo Workbench Chrome extension from that browser or clear the extension’s browser storage through Chrome controls where available.

14.3 Analytics and diagnostics

Product analytics events are intended to expire after approximately 60 days where configured.

Diagnostic, operational, security, and backend logs may be retained for different periods depending on infrastructure, security, troubleshooting, and compliance needs.

14.4 Consent records

Consent events and Cloud Sync & Intelligence records may be retained for audit, compliance, troubleshooting, or account history purposes.

Some consent event records may be cleaned up after approximately 90 days where configured.

14.5 Billing records

Billing, tax, invoice, payment, fraud-prevention, dispute, chargeback, and accounting records may be retained for longer periods where required or permitted by law, payment providers, tax authorities, or compliance obligations.

14.6 Aggregated or de-identified intelligence signals

Aggregated or de-identified intelligence signals that have already been generated from Cloud Sync & Intelligence may be retained and used after account deletion if they are no longer reasonably linked to a user account or private workspace content.

Account deletion is intended to delete or de-identify cloud account data associated with the account, but it may not reverse aggregated, de-identified, or derived intelligence that has already been separated from account-level records.

15. Data subject requests

Users may contact Cognardo Workbench to request access, correction, deletion, export, or other privacy-related assistance.

To make a privacy or data request, contact:

support@workbench.cognardo.com

We may need to verify the requester's identity before fulfilling a request.

Depending on applicable law, account status, data type, and processing role, we may:

• provide access to account information
• help correct inaccurate account information
• delete account-linked cloud data
• export supported user data
• restrict or stop certain processing
• respond to objections or consent withdrawal requests
• explain why a request cannot be fulfilled in full

We may decline, delay, or limit requests where allowed by law, including where retention is needed for billing, fraud prevention, security, legal compliance, tax, accounting, dispute resolution, platform requirements, or legitimate operational purposes.

Where applicable, we aim to respond to personal data requests within 30 days.

16. User responsibilities as controller

If a user or customer submits personal data relating to other people, the user or customer is responsible for:

• having a valid legal basis
• providing required notices
• obtaining required consents
• respecting applicable data subject rights
• complying with confidentiality obligations
• ensuring content is lawful to process
• avoiding prohibited sensitive or regulated data
• ensuring use complies with applicable privacy, data protection, employment, consumer, and platform laws

Cognardo Workbench does not determine whether a user has the right to submit third-party personal data. Users are responsible for the content they process through the service.

17. International processing and transfers

Cognardo Workbench is operated from India.

Data may be processed in countries where Cognardo Workbench, its infrastructure providers, AI providers, authentication providers, payment providers, hosting providers, or other subprocessors operate.

These countries may have privacy and data protection laws that differ from the laws in the user's location.

Where required by applicable law, Cognardo Workbench may rely on appropriate transfer mechanisms, provider data processing terms, contractual safeguards, or other lawful transfer bases.

18. Incident notification

If Cognardo Workbench becomes aware of a security incident affecting personal data, we will take reasonable steps to investigate, contain, and remediate the incident.

Where required by applicable law, we will notify affected users, customers, authorities, or other relevant parties within the required timeframe or without undue delay.

Security incidents can be reported to:

security@workbench.cognardo.com

Do not include unnecessary sensitive information in a security report.

19. Audit and security information

Cognardo Workbench may provide reasonable security, privacy, or subprocessor information on request.

Unless separately agreed in writing, Cognardo Workbench does not provide custom audit rights, onsite audits, penetration testing rights, or direct access to internal systems, logs, infrastructure, source code, employee systems, or security tools.

Security questions may be sent to:

security@workbench.cognardo.com

20. Changes to subprocessors

Cognardo Workbench may add, remove, or replace subprocessors as the product evolves.

When there are material changes to subprocessors, we may update this page, update the Privacy Policy, provide in-product notice, send email notice, or use another reasonable method where appropriate.

Continued use of Cognardo Workbench after updates means the user accepts the updated subprocessor list to the extent permitted by law.

21. Conflicts

If this page conflicts with the Privacy Policy or Terms of Service, the Privacy Policy and Terms of Service will control unless this page expressly provides more specific data processing information for a particular issue.

If a separate signed data processing agreement applies, that signed agreement will control to the extent it expressly conflicts with this page.

22. Contact

For data processing, privacy, subprocessor, or security questions, contact:

• Product support and privacy requests: support@workbench.cognardo.com
• General contact: contact@workbench.cognardo.com
• Billing, account, refund, and subscription questions: accounts@workbench.cognardo.com
• Security and abuse reports: security@workbench.cognardo.com

Public contact name: Raven Black Public trade name: Cognardo Product: Cognardo Workbench