Privacy posture
Cognielo is architecturally incapable of reading your data. Not because we promise. Because we designed it that way.
What we collect from you
Nothing. We have no analytics endpoint that receives user behavior data. The privacy dashboard inside Cognielo shows a running byte counter of everything Cognielo has sent to Cognielo's servers. It will always read zero.
What your phone talks to, and when
The app is local-first. Four outbound connections happen only when you explicitly authorize them:
- Plaid — if you link a bank account in Savelo. Plaid receives your bank credentials; Cognielo receives Plaid's transaction list. Unlink any time in Savelo → Connected Accounts.
- Apple HealthKit — local-only read permission you grant to Healthelo. No data leaves the device.
- Your mail / calendar provider (Gmail, Outlook, iCloud, Zoho) — if you connect one. OAuth scoped to your account, read-only unless you explicitly enable drafts.
- Anthropic Claude API — when you talk to the Coach. The prompt and its reply travel to Anthropic's API. Anthropic's retention terms apply (see their privacy policy). Disable in Settings to keep every insight on-device.
Four free public databases (OpenFoodFacts, OpenFDA, NHTSA vPIC, Open Library) are also queried directly from your device when you scan a barcode. The scanned value goes to the database; nothing about you does.
How the architecture enforces privacy
- The master key is generated on your device the first time you launch the app. It is never transmitted. If you wipe the app, it is gone forever.
- Every kit derives its keys from the master via HKDF-SHA256 with a domain-separated context string (RFC 5869). Savelo cannot read Healthelo's vault. Healthelo cannot read Legelo's. The derived keys are cryptographically independent of each other.
- Every row stored is AES-256-GCM ciphertext at rest under the kit's derived key.
- Cross-app reads require a grant record. When Healthelo wants to correlate with Savelo, a grant record (signed by both) authorizes the read. You can revoke any grant in Settings.
- A hybrid post-quantum layer based on CRYSTALS-Kyber (NIST FIPS 203) complements the classical suite, so your data stays safe against future quantum attackers.
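The following Go program is an added illustration of the HKDF and AES-256-GCM bullets above; it is not Cognielo's code. The salt label, the "cognielo/kit/" info prefix and the sample row are assumptions made for this example. It implements RFC 5869 extract/expand directly (checked against the RFC's first test vector), derives a separate key per kit from one master key, seals a row under Savelo's key, and shows that Healthelo's key cannot open it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// hkdfExtract is RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM).
func hkdfExtract(salt, ikm []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(ikm)
	return mac.Sum(nil)
}

// hkdfExpand is RFC 5869 step 2: OKM = T(1) || T(2) || ... truncated to length,
// where T(i) = HMAC-SHA256(PRK, T(i-1) || info || i).
func hkdfExpand(prk, info []byte, length int) []byte {
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(t)
		mac.Write(info)
		mac.Write([]byte{i})
		t = mac.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// hkdfSelfCheck reproduces RFC 5869 Appendix A test case 1.
func hkdfSelfCheck() bool {
	ikm := bytes.Repeat([]byte{0x0b}, 22)
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	info, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	const wantPRK = "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
	const wantOKM = "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
	prk := hkdfExtract(salt, ikm)
	okm := hkdfExpand(prk, info, 42)
	return hex.EncodeToString(prk) == wantPRK && hex.EncodeToString(okm) == wantOKM
}

// kitKey derives one kit's 256-bit vault key from the device master key.
// The info string is the domain separator: a different kit name gives an
// unrelated key. Salt label and info prefix are assumptions for this example.
func kitKey(masterKey []byte, kit string) []byte {
	prk := hkdfExtract([]byte("cognielo-hkdf-v1"), masterKey)
	return hkdfExpand(prk, []byte("cognielo/kit/"+kit), 32)
}

// sealRow encrypts one stored row with AES-256-GCM; output is nonce || ciphertext || tag.
func sealRow(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRow decrypts a sealed row; the GCM tag check rejects any other kit's key.
func openRow(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed row too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	master := make([]byte, 32) // constructed master key; the real one never leaves the device
	io.ReadFull(rand.Reader, master)
	savelo, healthelo := kitKey(master, "savelo"), kitKey(master, "healthelo")
	fmt.Println("HKDF matches RFC 5869 test case 1:", hkdfSelfCheck())
	fmt.Println("savelo/healthelo keys differ:", !bytes.Equal(savelo, healthelo))
	row, _ := sealRow(savelo, []byte(`{"merchant":"grocery","amount":42.17}`)) // constructed row
	pt, err := openRow(savelo, row)
	fmt.Println("Savelo reads its own row:", string(pt), err)
	_, err = openRow(healthelo, row)
	fmt.Println("Healthelo cannot read Savelo's row:", err)
}
```

The point of the domain-separated info string is that a compromise or bug confined to one kit exposes only that kit's key; the master key and the other kits' keys are not recoverable from it. A real grant record (the next bullet) would hand over a purpose-specific key or the decrypted rows, never the master.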
Subpoena posture
Cognielo receives no user data. If we receive a subpoena, we have nothing to hand over that contains your data — we have no copy of your master key, no copy of your derived keys, and no copy of your ciphertext. The most we could disclose is the fact that you installed the app (if we even know your email from a waitlist signup, which is optional). This is subpoena-resistance by construction, not by policy.
What happens if Cognielo shuts down
Nothing. Your data was always on your device. Profile → "Export Everything" dumps the entire corpus as plain-text JSON at any time, with no server involvement. If Cognielo disappears, your data stays where it always was.
HIPAA
Cognielo implements HIPAA-grade encryption and access controls. Formal HIPAA compliance certification is a post-launch milestone — the architecture is ready for the audit; the paperwork is in progress.
Children
Cognielo is rated 4+ on the App Store. We do not knowingly collect any data from children under 13. If you are a parent and discover that a child has entered data into Cognielo, note that the data lives on that device only — no server collection occurred.
Third-party trackers
Zero. No Google Analytics. No Facebook Pixel. No Mixpanel. No Segment. No Amplitude. No Sentry without on-device opt-in for crash reporting. No ad SDKs.
Your controls
- Privacy dashboard (Hub → "N data points on device · 0 left your device") — see every byte.
- Coach opt-out — Settings → Coach → disable Anthropic API calls.
- Export everything — Profile → Export Everything — any time.
- Clear demo data — Profile → Starter Data → Demo Data — removes all first-launch seed data.
- Account deletion — there is no account. Deleting the app deletes your data.
Regulatory notices
- California residents (CCPA/CPRA): Cognielo does not "sell" or "share" your personal information as those terms are defined. We do not retain your data, so Right to Delete requests are moot from our side.
- EU residents (GDPR): we are not a controller or processor of your personal data because we do not receive it. If you consider the on-device master key to be data, it is under your sole control.
- EU AI Act: the Coach is an on-device general-purpose model with user-supplied prompts. We do not train on user data.
Changes to this policy
If we change this policy, the updated version lives at cognielo.com/privacy. Because we collect nothing, most changes are cosmetic.
Contact
Privacy-specific questions: privacy@cognielo.com. General: hello@cognielo.com.
Patent Pending — U.S. App. No. 64/041,821 · Elo AI · Greeley, Colorado