Privacy Policy

Last updated: February 18, 2026

1. Introduction

This Privacy Policy explains how Cognitive Flow AI ("CFAI", "we", "us", or "our") collects, uses, and protects your personal information when you use our Windows desktop application for meeting transcription and cognitive support.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect and Store

We collect and store the following information:

  • Email address — stored in plain text for account identification and communication
  • Password — hashed using the Argon2id algorithm (irreversible, industry-standard security)
  • IP address and device information — for session management and security purposes
  • Your API keys — OpenAI and Google Cloud API keys you provide are encrypted using AES-GCM encryption before storage
  • Anonymous interaction counts — only the type and number of interactions, never the content
  • Custom tags and prompts — any personalized settings you create within the app

3. Data That Passes Through But Is NOT Stored

The following data is processed in real time but never saved on our servers:

  • Audio recordings — transmitted via HTTPS to OpenAI/Google for transcription, never stored on our servers
  • Text transcriptions — returned to you in real time, not persisted on our infrastructure
  • AI chat conversations — processed and returned to you, never saved server-side

Important: Your audio and transcription data goes directly from your device to your own OpenAI and Google Cloud accounts using your personal API keys. We act only as a conduit and never access, store, or analyze this content.

4. Third-Party Services

CFAI integrates with the following third-party services:

  • OpenAI — for Whisper transcription and AI processing (using your personal API keys)
  • Google Cloud Speech-to-Text — for alternative transcription (using your personal API keys)
  • Railway — backend hosting infrastructure (EU region)
  • Neon — PostgreSQL database hosting

Each of these services has its own privacy policy. We encourage you to review them. However, because you use your own API keys for OpenAI and Google Cloud, your data is governed by your own agreements with those providers.

5. Data Security

We implement robust security measures to protect your data:

  • All traffic is encrypted using HTTPS/TLS
  • API keys are encrypted at rest using AES-GCM encryption
  • Passwords are hashed with Argon2id (not reversible)
  • Backend servers are hosted in the EU region
  • Regular security audits and updates

6. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right to access — request a copy of your personal data
  • Right to rectification — correct inaccurate personal data
  • Right to erasure — request deletion of your account and all associated data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to certain types of processing
  • Right to withdraw consent — withdraw consent at any time

To exercise any of these rights, please contact us at support@cfai.io.

7. API Key Management

You can delete your API keys from our system at any time through the application settings. Once deleted, the encrypted keys are permanently removed from our database.

8. Data Retention

We retain your account data for as long as your account is active. If you request account deletion, all your data will be permanently removed within 30 days.

9. Children's Privacy

CFAI is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through the application.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: support@cfai.io