Legal

Privacy Policy

Effective: 12 May 2026

This Privacy Policy explains what Personal Data is collected by Connexion Technologies LLP through the CognitCXT Services, why it is collected, and the rights you have over it. By using the Services or installing the WordPress plugin you agree to this Policy.

1. Definitions

The following terms have the meanings given below throughout this Policy:

  • "Personal Data" / "Personal Information": Any information relating to an identified or identifiable natural person, including name, email address, IP address, store URL, and authentication credentials.
  • "Data Controller" / "Data Fiduciary": The entity that determines the purposes and means of processing Personal Data. Under the GDPR this is the "Data Controller"; under India's DPDPA 2023 this is the "Data Fiduciary." We use both terms interchangeably throughout this Policy.
  • "Data Processor" / "Data Fiduciary (Processor)": The entity that processes Personal Data on behalf of a Data Controller/Fiduciary.
  • "Data Subject" / "Data Principal": The natural person whose Personal Data is processed. Under the GDPR this is the "Data Subject"; under the DPDPA this is the "Data Principal."
  • "Integration Credentials": The WordPress Application Password, CSPRNG-generated API Secret, and store URL transmitted to us upon license activation, used exclusively to authenticate the MCP Adapter.
  • "Merchant Data": WooCommerce order records, product data, and customer account information belonging to your store, accessed ephemerally by our API on each request.
  • "Services": The CognitCXT platform, including the cognitcxt.com website, web dashboard, backend API, and WordPress plugin.
  • "Sub-processor": Any third-party processor engaged by us to process Personal Data in connection with the Services.

2. Data Controller / Data Fiduciary

The Services are operated by Connexion Technologies LLP ("Company", "we", "us"), a limited liability partnership incorporated in India. For the purposes of the UK GDPR and EU GDPR, we are the Data Controller in respect of Personal Data collected from account holders. For the purposes of the Digital Personal Data Protection Act, 2023 (India) ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), we are the Data Fiduciary for that same data. In respect of your store's end-customers, whose Merchant Data we access to provide AI responses, we act as Data Processor under both regimes, processing only on your instructions, and you remain the Data Controller / Data Fiduciary for that data.

Designated contact point for all privacy and data protection queries (as required by DPDP Rule 9):
Email: [email protected]
General: [email protected]

3. Information We Collect

We collect only the categories of Personal Data described below. Where we rely on a lawful basis under the GDPR, it is stated in parentheses. All processing under the DPDPA is conducted for the specified purpose stated alongside each category.

  • Account registration data: Name, business name, and email address collected at registration, used to create and manage your account. Lawful basis: performance of contract (GDPR Art. 6(1)(b)); purpose: provision of account and dashboard access (DPDPA).
  • Integration Credentials: Upon license activation, the plugin transmits to us your store's canonical URL (home_url()), a CSPRNG-generated API Secret (prefixed cgnt_ and stored server-side in encrypted form), and a WordPress Application Password together with the associated WordPress username. The Application Password is a one-time plain-text credential sent once over HTTPS; WordPress itself retains only a one-way hash of it, and we do not store the plain text or write it to logs. These credentials are used exclusively to authenticate the MCP Adapter's real-time requests to your WooCommerce REST API (Application Passwords are presented to WordPress as HTTP Basic authentication, which is why the plugin only ever sends them over TLS). Lawful basis: performance of contract; legitimate interests in securing API communications (GDPR Art. 6(1)(b),(f)); purpose: secure service delivery and API authentication (DPDPA).
  • License key data: Domain-locked license keys linked to your account and store URL, used to verify authorised store access. Lawful basis: performance of contract (GDPR Art. 6(1)(b)); purpose: access control and licence management (DPDPA).
  • Technical and log data: Server logs (IP addresses, request paths, HTTP status codes, timestamps) and aggregate API call counts per store for quota enforcement and abuse prevention. Individual chat conversation content is not stored — it is processed ephemerally in memory for the duration of a single request and immediately discarded. Lawful basis: legitimate interests in platform security, reliability, and fair usage (GDPR Art. 6(1)(f)); purpose: infrastructure security, quota enforcement, and abuse prevention (DPDPA).
  • Billing and payment data: Subscription management and payment processing is handled by Stripe, Inc. We store only a Stripe Customer ID and subscription status flags. We never receive, store, or transmit raw card numbers, CVV codes, or bank account details. Lawful basis: performance of contract; compliance with legal obligation for financial record-keeping (GDPR Art. 6(1)(b),(c)); purpose: subscription management and statutory accounting obligations (DPDPA).
  • Communications data: Content of emails you send to our support address, retained to respond to and resolve your enquiry. Lawful basis: legitimate interests in providing customer support (GDPR Art. 6(1)(f)); purpose: customer support (DPDPA).
  • Consent and withdrawal: Where any processing relies on consent as the lawful basis, you (as Data Principal under DPDPA) may withdraw consent at any time by emailing [email protected]. Withdrawal will not affect the lawfulness of processing carried out before withdrawal. We will cease processing within 30 days of receiving a valid withdrawal request, unless we are required by law to retain the data.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 13(2)(f)).

4. End-Customer Data (Merchant Data)

When the chat widget is active on your WooCommerce store, our MCP Adapter issues authenticated requests to your WooCommerce REST API to retrieve order records, product data, and customer account information belonging to your store's logged-in customers ("End-Customer Data" / "Merchant Data"). The following conditions apply:

  • Merchant Data is fetched on demand in real time and used solely to formulate the AI-generated response to the customer's current conversational message. It is not written to any Company database, is not retained beyond the request-response cycle, and is not used for any secondary purpose.
  • You remain the Data Controller / Data Fiduciary for all End-Customer Data; we act as your Data Processor. By activating the plugin and providing us with Integration Credentials, you instruct us to process Merchant Data on your behalf and you accept the data processing obligations set out in this section.
  • You are responsible for ensuring that your store's privacy notice discloses to your customers that CognitCXT (operated by Connexion Technologies LLP) processes their data on your behalf to deliver AI-powered support responses, as required by GDPR Art. 13/14 and the notice requirement in DPDPA §5.
  • We implement technical and organisational safeguards for Merchant Data that are at least equivalent to those we apply to our own account holder data, as required by GDPR Art. 28 and 32 and DPDPA §8(5).
  • A standalone Data Processing Addendum (DPA) governing our processing of Merchant Data in greater detail is available upon written request to [email protected].

5. How We Use Your Data

We process Personal Data strictly for the following purposes. The lawful basis is stated in parentheses.

  • Provisioning, operating, and authenticating the Services, including API communication via the MCP Adapter (performance of contract).
  • Subscription management, invoicing, and transmission of billing notifications (performance of contract; legal obligation).
  • Transactional communications: email address verification, password reset, and license key delivery (performance of contract).
  • Usage quota enforcement, rate limiting, and detection and prevention of fraudulent or abusive access (legitimate interests — we have conducted a balancing test and determined our interests are not overridden by your rights).
  • Maintenance of platform security, infrastructure integrity, and audit logging (legitimate interests — same balancing test applies).
  • Compliance with applicable legal obligations, including responding to lawful governmental requests (legal obligation).

We do not sell Personal Data, use it for behavioural advertising, or train artificial intelligence or machine learning models on it.

6. Data Sharing and Sub-processors

We do not sell or rent Personal Data. We share it only as follows:

  • Stripe, Inc. (United States): Our payment processor, acting as an independent data controller for payment card data under its own privacy policy (stripe.com/privacy). We transmit only the minimum data necessary to establish a billing relationship.
  • Cloud infrastructure Sub-processors: Hosting and database providers whose servers are located in India and/or the United States, bound by data processing agreements requiring data protection standards equivalent to those in this Policy. A current list of Sub-processors is available upon written request to [email protected].
  • Professional advisors: Lawyers, accountants, and auditors where disclosure is necessary for the provision of professional services, subject to confidentiality obligations.
  • Legal compulsion: Where required by applicable law, regulation, judicial order, or valid governmental request. We will notify you in advance where legally permissible.
  • Corporate transactions: In connection with a merger, acquisition, or asset sale, subject to standard confidentiality obligations. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. International Data Transfers

The Services are operated from India. India does not currently hold an EU or UK adequacy decision. For transfers of Personal Data originating from the European Economic Area (EEA) or UK to India and/or the United States (where our Sub-processors are located), we rely on:

  • EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2: Controller-to-Processor) for transfers from the EEA.
  • The UK International Data Transfer Addendum (UK IDTA, effective 21 March 2022) for transfers from the United Kingdom.

For transfers between India and other jurisdictions, we comply with the cross-border transfer requirements under the DPDPA 2023 and DPDP Rules 2025 as they come into effect. You may request a copy of the applicable transfer mechanism documentation by emailing [email protected].

8. Data Retention

We retain Personal Data only for as long as the purpose for which it was collected is being served, or for the period stated below, whichever is sooner, in accordance with the storage-limitation principle under GDPR Art. 5(1)(e) and the erasure obligation in DPDPA §8(7).

  • Account registration data: retained while your account is active and for 90 days after you submit a verified account deletion request, after which it is permanently purged.
  • Integration Credentials (API Secret, store URL, WordPress username): deleted from our systems within 7 business days of license deactivation, subscription expiry, or plugin uninstallation, whichever occurs first. The WordPress Application Password is revoked automatically by the plugin's uninstall.php routine when the plugin is deleted through the WordPress admin. WordPress does not run uninstall.php when the plugin is merely deactivated or when its files are removed manually (for example over SFTP); in those cases, revoke the Application Password yourself under Users → Profile → Application Passwords. You may revoke it there at any time, which immediately stops the MCP Adapter from authenticating to your store.
  • Billing records (Stripe Customer ID, subscription status, invoices): retained for a minimum of 7 years from the date of the relevant transaction to satisfy applicable statutory accounting and tax obligations.
  • Server and processing logs (IP addresses, request paths, timestamps): retained for 12 months, the minimum period required under the DPDP Rules 2025 (India), after which they are purged from production systems.
  • Communications data: retained for the period reasonably necessary to resolve the enquiry, and in no event longer than 2 years from receipt.
  • End-customer (Merchant Data): not retained. Processed ephemerally in memory per API request and immediately discarded at the end of each request-response cycle. Retention period: zero.
  • Notwithstanding the above, we may retain Personal Data for longer periods where required by applicable law or where necessary to establish, exercise, or defend legal claims.

9. Security Measures

We implement the following technical and organisational measures to protect Personal Data:

  • All data in transit is encrypted via HTTPS (TLS 1.2 or higher). The WordPress plugin refuses to transmit Integration Credentials over plain HTTP, so a store that is not served over https:// cannot complete license activation.
  • Sensitive data is encrypted at rest using AES-256 or an equivalent industry-standard algorithm.
  • API Secrets are stored only in encrypted form. The plain-text value exists only at the moment of generation and is never written to logs.
  • The WordPress Application Password is transmitted once, at activation, over TLS. WordPress stores only a one-way hash of it, and we do not store the plain text or write it to logs.
  • Role-based access controls restrict access to Personal Data to Company personnel with a legitimate operational need.
  • We conduct periodic reviews of our security posture and engage in responsible vulnerability management. To report a security vulnerability, please follow our Vulnerability Disclosure Policy at cognitcxt.com/security (or email [email protected]).

No security measure is infallible. We cannot guarantee absolute security and disclaim liability for breaches attributable to circumstances beyond our reasonable control.

10. Personal Data Breach Notification

A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Not every security incident constitutes a notifiable breach — notification obligations arise only where a breach is likely to result in a risk to the rights and freedoms of individuals (GDPR) or is likely to cause harm (DPDPA). Upon becoming aware of a notifiable breach, we will: GDPR path (EEA/UK residents' data): Notify the relevant EEA or UK supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. Where notification cannot be made within 72 hours, we will provide the reasons for the delay. Where the breach is likely to result in a high risk to individuals, we will notify affected Data Subjects without undue delay (Art. 34). DPDPA path (India residents' data): Notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of the breach, as required by the DPDP Rules 2025 (Rule 7). Note: the Data Protection Board of India has not yet been constituted as of May 2026 (full enforcement expected May 2027). Until the Board is operational, we will follow the interim notification guidance issued by the Ministry of Electronics and Information Technology and will notify affected Data Principals directly. In all cases, breach notifications will include: the nature of the breach, categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach. We maintain an internal breach register documenting all incidents.

11. Your Rights

The rights available to you depend on your jurisdiction. To exercise any right, email [email protected]. We will respond within 30 calendar days (extendable by a further 2 months for complex requests, with notice to you). We will not charge a fee for reasonable requests.

EEA / UK residents (rights under GDPR / UK GDPR):

  • Right of access (Art. 15): Request a copy of the Personal Data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete Personal Data.
  • Right to erasure (Art. 17): Request deletion of your Personal Data where it is no longer necessary for the purpose collected, subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we restrict processing while accuracy is contested or an objection is pending.
  • Right to data portability (Art. 20): Request your Personal Data in a structured, machine-readable format where processing is based on contract or consent and carried out by automated means.
  • Right to object (Art. 21): Object to processing based on our legitimate interests. We will cease unless we demonstrate compelling legitimate grounds.
  • Right not to be subject to automated decisions (Art. 22): We do not carry out automated decision-making or profiling with significant legal effects. If this changes, we will update this Policy and provide this right accordingly.
  • Right to lodge a complaint: You may lodge a complaint with the supervisory authority of the EEA Member State where you reside or work (for example, Ireland's Data Protection Commission, dataprotection.ie). UK residents may complain to the Information Commissioner's Office (ico.org.uk).

India residents (rights under DPDPA 2023):

  • Right to information (§11): Request a summary of the Personal Data we process about you and the processing activities.
  • Right to correction and erasure (§12): Request correction of inaccurate or incomplete data, or erasure of data no longer required for the purpose collected.
  • Right to grievance redressal (§13): Lodge a grievance with our designated Grievance Officer. We will acknowledge within 48 hours and resolve within 30 days. Contact: [email protected].
  • Right to nominate (§14): Nominate another individual to exercise your DPDPA rights on your behalf in the event of your death or incapacity. Submit a nomination in writing to [email protected].
  • Right to complain to the Data Protection Board (§13(3), §27): Once the Board is constituted and after our grievance process has been exhausted, you may escalate unresolved grievances to the Data Protection Board of India.

12. Cookies and Tracking Technologies

cognitcxt.com uses only strictly necessary session cookies required to maintain your authenticated state within the web dashboard. "Strictly necessary" means these cookies are essential for the site to function and cannot be disabled without breaking core functionality. No advertising, analytics, or cross-site tracking cookies are deployed. Because we use only strictly necessary cookies, no cookie consent banner is displayed on cognitcxt.com, consistent with ICO and EDPB guidance on the ePrivacy Directive.

The chat widget embedded on your WordPress store renders inside an HTML <iframe> and uses the browser's localStorage API to persist the open/closed state of the widget between page loads. That storage is scoped to the iframe's origin rather than your store's domain, and current browsers additionally partition it by the embedding site, so the stored value is not shared across different stores that embed the widget. localStorage is not a cookie, but reading and writing it is still storage of, or access to, information on the user's terminal equipment under Article 5(3) of the ePrivacy Directive; we rely on the same strictly-necessary exemption because the stored value records only the widget state the visitor chose and contains no identifier. We do not use fingerprinting, pixel tracking, or any similar cross-session identification technology.

13. Children's Data

The Services are directed exclusively at merchants operating commercial businesses. You must be at least 18 years of age to create an account. We do not knowingly collect or process Personal Data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact [email protected] immediately. We will delete such data promptly upon verification. For the purposes of the DPDPA 2023 (§9), which requires verifiable parental consent before processing data of children (under 18): our Services are not directed at children, and we do not knowingly onboard minors as account holders. We therefore do not currently implement a verifiable parental consent mechanism. Should we ever offer services directed at individuals under 18, we will update this Policy and implement the full consent framework required by §9 of the DPDPA and the DPDP Rules 2025 before any such processing begins.

14. Changes to This Policy

We may update this Policy at any time. We distinguish between material and non-material changes: Material changes (those that substantively affect your rights or our processing obligations) will be notified by email to the address associated with your account at least 30 days before the effective date. Non-material changes (typographical corrections, clarifications that do not alter our practices) will be effective upon posting, with the "Effective" date updated at the top of this page. Where a change materially alters the purpose for which we process your Personal Data and that processing relies on consent as the lawful basis, we will seek fresh consent from you before processing begins for the new purpose, as required by the DPDPA. Continued use of the Services after the effective date of any material change constitutes acceptance of the revised Policy. If you do not accept a material change, you may close your account and request deletion of your data in accordance with Section 11 of this Policy.

15. Contact and Grievance Officer

All privacy enquiries, data subject/principal rights requests, DPA requests, and breach reports should be addressed to:

Connexion Technologies LLP — Privacy Team / Grievance Officer
Email: [email protected]
General: [email protected]
Website: connexion-technologies.com

We endeavour to acknowledge all enquiries within 48 hours and to resolve them within 30 calendar days. For complex requests we may extend this by a further 2 months and will notify you of the extension and the reason.