CogniGrit

Privacy Policy

Last updated: February 23, 2026 | Effective for all users

1. Our Commitment to Your Privacy

CogniGrit Academy ("we," "us," "our," or "CogniGrit") is committed to protecting the privacy of children and families. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, services, and websites (collectively, the "Service").

We comply fully with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. Section 6501 et seq.) and the General Data Protection Regulation (GDPR, EU 2016/679). For EU residents, additional rights apply; see Section 13 below.

2. What Information We Collect

We collect only information necessary for instruction and service delivery:

Necessary Information:

  • Name, email, phone (child and parent/guardian)
  • Age/date of birth (for age verification and COPPA compliance)
  • Assessment results (cognitive evaluations, learning profiles)
  • Progress data (session attendance, work samples, instructor feedback)
  • Communication logs (emails, messages with instructors and parents)
  • Payment information (name, address, payment method, processed securely via Stripe; we do NOT store full card numbers)

Information We Do NOT Collect:

  • Browsing history or device fingerprints
  • Location data (GPS, IP address for tracking)
  • Biometric data
  • Marketing tracking pixels or cookies unrelated to function
  • Demographic data beyond what's necessary (race, religion, socioeconomic status)

3. How We Use Your Information

We use personal information only for:

  • Instruction and Learning: Personalizing curriculum, assessing progress, and providing feedback
  • Communication: Updating you on your child's progress, program updates, and account management
  • Safety and Security: Detecting fraud, preventing abuse, and maintaining service integrity
  • Legal Compliance: Meeting COPPA, GDPR, and tax/legal obligations
  • Service Improvement: Analyzing anonymized trends to improve teaching methods (never published with identifying information)

We do not: Sell data, share data for marketing, use data for behavioral profiling, or retain data longer than necessary.

4. Parental Consent (COPPA Compliance)

For children under 13, we require verifiable parental consent before collecting any information. Parents will:

  1. Receive a clear notice of this Privacy Policy
  2. Verify identity (email verification + phone verification or digital signature)
  3. Affirmatively consent to data collection
  4. Have the right to access, correct, or delete the child's data
  5. Receive notice of any material changes to this policy

5. How We Protect Your Data

CogniGrit implements industry-standard security measures:

  • Encryption: AES-256 encryption at rest; TLS 1.3+ in transit
  • Authentication: Secure password hashing, optional two-factor authentication
  • Access Controls: Role-based permissions; only authorized staff access sensitive data
  • Infrastructure: Data stored on secure, certified cloud providers (Google Cloud Platform)
  • Regular Audits: Annual third-party security assessments
  • Breach Notification: We notify affected users within 24-72 hours of discovering a breach

6. Sharing Your Data

We do NOT sell or share student data for marketing, profiling, or third-party benefit. We may share data only:

  • With Service Providers: Our vendors (email service, payment processor, hosting) under signed Data Processing Agreements (DPAs) that restrict their use
  • By Law: If legally required by court order, subpoena, or law enforcement (we will notify you unless prohibited)
  • With Your Consent: Only if you explicitly opt-in (e.g., sharing progress with a school counselor)

Critical: We do not use any data for behavioral targeting, profiling, or algorithmic recommendations to children.

7. Data Retention

We retain data only as long as necessary:

  • During enrollment: Active data retention for instruction and communication
  • After withdrawal: Assessment records kept for 1 year (for portfolio purposes); deleted upon parental request
  • Payment records: Retained for 7 years (tax and legal compliance)
  • Upon deletion request: All personal data purged within 30 days; backups deleted within 90 days

8. Your Rights and Choices

Parents and students (13+) have the right to:

  • Access: Request a copy of all personal data we hold (via parent dashboard or download)
  • Correct: Update inaccurate information
  • Delete: Request erasure of data (with exceptions for legal/tax records)
  • Opt-Out: Opt out of non-essential communications
  • Withdraw Consent: Revoke permission for data processing (will limit service availability)

To exercise any right, contact: privacy@cognigrit.com. We will respond within 10 business days.

9. Cookies and Tracking

CogniGrit uses minimal cookies-only for:

  • Authentication: Session management (required for login)
  • Preferences: Storing user language and display preferences

We do not use third-party tracking cookies or retargeting pixels. To disable cookies, adjust your browser settings (though this may limit functionality).

10. Third-Party Links

Our platform may link to external resources (Zoom, Google Docs, etc.). CogniGrit is not responsible for third-party privacy practices. Always review their privacy policies before sharing information.

11. Data Processors and DPAs

We work with carefully vetted service providers under Data Processing Agreements:

Hosting: Google Cloud Platform (HIPAA-eligible, SOC 2 certified)

Email: Brevo (GDPR-compliant)

Payments: Stripe (PCI DSS Level 1)

Authentication: Firebase Auth (Google-managed, encrypted)

Full DPA details available upon request (contact legal@cognigrit.com).

12. Children's Specific Rights (COPPA)

For children under 13:

  • We do NOT condition service on providing more data than necessary
  • We do NOT market to children or use data for advertising
  • We do NOT create detailed behavioral profiles
  • Parents have absolute right to review, modify, or delete the child's data

13. EU Data Subjects (GDPR Rights)

If you are in the EU, you have additional rights under GDPR:

  • Right of Access: Obtain a copy of all personal data we hold (Art. 15)
  • Right to Rectification: Correct inaccurate data (Art. 16)
  • Right to Erasure: Delete data in certain circumstances (Art. 17)
  • Right to Restrict Processing: Limit how we use your data (Art. 18)
  • Right to Data Portability: Receive data in portable format (Art. 20)
  • Right to Object: Opt out of processing for direct marketing (Art. 21)
  • Right to Lodge a Complaint: Contact your local Data Protection Authority

To exercise EU rights, contact: privacy@cognigrit.com or our Data Protection Officer.

14. California Privacy (CCPA/CPRA)

California residents have specific rights under CCPA/CPRA:

  • Right to know what data we collect
  • Right to delete personal data
  • Right to opt-out of sale or sharing (we don't do either)
  • Right to correct inaccurate data

Contact: privacy@cognigrit.com.

15. Data Breach Notification

If we discover a data breach affecting personal information, we will:

  1. Notify affected users within 24-72 hours
  2. Describe the type of data involved and potential impact
  3. Recommend steps to protect themselves
  4. Notify relevant authorities if legally required

16. Policy Changes

We may update this Privacy Policy. For material changes, we will notify you via email and request re-consent from parents/guardians. Continued use after changes means you accept the updated policy.

17. Business Transfer and Successor Obligations

If CogniGrit is involved in a merger, acquisition, financing, or asset transfer, personal information may be transferred as part of that transaction.

Any successor must honor this Privacy Policy and the Data Guarantee for previously collected student data unless new consent is obtained where required by law.

18. Contact Us

Privacy Questions: privacy@cognigrit.com

Data Rights Requests: privacy@cognigrit.com (respond within 10 business days)

Data Controller Location: Surrey, BC, Canada

Complaints: You have the right to lodge a complaint with your local Data Protection Authority (for EU residents) or the California Attorney General (for CA residents).

Transparent & Simple: This policy avoids legal jargon where possible. If you have questions, reach out directly-we're happy to explain.

Last Updated: February 23, 2026 | Next Review: August 23, 2026