Privacy Policy

1. Introduction

Cograph, Inc. ("Cograph," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our offboarding intelligence platform and related services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, company name, job title, and password when you create an account.
• Profile Information: Additional details you choose to add to your profile, such as profile photo, department, and role.
• Communication Data: Information you provide when contacting our support team or participating in surveys.
• Payment Information: Billing details and payment method information processed through our secure payment processor.

2.2 Information from Connected Services

When you connect third-party services (such as Google Workspace, Slack, or GitHub), we collect:

• Metadata by Default: We analyze metadata (who communicated with whom, document ownership patterns, collaboration frequency) rather than content.
• Content with Consent: When explicitly enabled and with appropriate consent, we may analyze content to extract knowledge and expertise patterns.
• User Directory Information: Employee names, email addresses, job titles, and organizational structure.

2.3 Automatically Collected Information

We automatically collect certain information when you use our Services:

• Usage Data: Features used, actions taken, time spent, and interaction patterns.
• Device Information: Browser type, operating system, device type, and unique device identifiers.
• Log Data: IP addresses, access times, pages viewed, and referring URLs.
• Cookies and Tracking: We use cookies and similar technologies to maintain sessions and understand usage patterns.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Generate knowledge graphs and risk assessments for offboarding
• Identify expertise areas and recommend knowledge transfer paths
• Send transactional communications (account updates, security alerts)
• Provide customer support and respond to your requests
• Analyze usage patterns to improve product features and user experience
• Detect, prevent, and address security issues and fraud
• Comply with legal obligations and enforce our terms of service

4. AI and Machine Learning

Our Services use artificial intelligence to analyze workplace data and generate insights. Here's how we handle AI processing:

4.1 Privacy-Preserving AI

• Anonymization: We anonymize personal identifiers before processing content with AI models.
• PII Redaction: Personally identifiable information is redacted from content sent to external AI services.
• Metadata Focus: We prioritize metadata analysis over content analysis wherever possible.

4.2 Third-Party AI Services

• We use OpenAI's API for certain analysis features with zero-retention agreements.
• We never use your data to train AI models shared with other customers.

5. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

5.1 With Your Organization

Information about employees is shared with authorized administrators within your organization as part of normal service operation.

5.2 Service Providers

We share information with third-party vendors who assist in providing our Services, including:

• Cloud infrastructure providers (hosting and storage)
• Payment processors (billing and invoicing)
• Analytics services (aggregated, anonymized usage data)
• Customer support tools (ticket management)

All service providers are bound by contractual obligations to protect your information and use it only for specified purposes.

5.3 Legal Requirements

We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to:

• Comply with applicable laws or regulations
• Protect the rights, property, or safety of Cograph, our users, or others
• Detect, prevent, or address fraud, security, or technical issues

5.4 Business Transfers

If Cograph is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.

6. Data Security

We implement comprehensive security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Access Controls: Role-based access controls and multi-factor authentication.
• Infrastructure: SOC 2 certified cloud infrastructure (via Railway) with regular security audits.
• Monitoring: Security monitoring and incident response procedures.
• Employee Training: Regular security awareness training for all staff.

For more details, see our Security & Compliance page.

7. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this policy:

• Account Data: Retained while your account is active and for 90 days after deletion request.
• Knowledge Transfer Data: Retained according to your organization's configured retention policies.
• Audit Logs: Retained for 2 years for compliance and security purposes.
• Aggregated Analytics: May be retained indefinitely in anonymized, aggregated form.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 Access and Portability

You can request a copy of the personal information we hold about you in a structured, commonly used format.

8.2 Correction

You can request that we correct inaccurate or incomplete personal information.

8.3 Deletion

You can request deletion of your personal information, subject to certain legal exceptions.

8.4 Opt-Out Rights

• Employee Opt-Out: Employees can opt out of having their data analyzed. Contact your organization's administrator.
• Marketing Communications: Unsubscribe from marketing emails using the link in any email.
• Cookies: Manage cookie preferences through your browser settings.

8.5 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@getmeridian.net. We will respond to your request within 30 days.

9. International Data Transfers

Cograph is based in the United States. If you access our Services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate.

We protect international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• Compliance with the EU-US Data Privacy Framework

10. Additional Information for EEA, UK, and Swiss Users

10.1 Legal Basis

Under GDPR, we process your information based on the following legal bases:

• Contract Performance: Processing necessary to provide our Services to you.
• Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, product improvement).
• Consent: Where you have given explicit consent for specific processing activities.
• Legal Obligation: Processing necessary to comply with applicable laws.

10.2 Data Controller

For customers, Cograph acts as a data processor. Your organization is the data controller and determines the purposes and means of processing employee data.

11. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to Know: What personal information we collect, use, disclose, and sell.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: We do not sell personal information, so this right does not apply.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@getmeridian.net or call 1-800-COGRAPH.

12. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending an email notification to account administrators
• Displaying a notice within our application

Your continued use of our Services after such notice constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us: