CognoShift
TermsPrivacyDPAAUPSub-processors

Privacy Policy

Last updated · 2026-04-25

This Policy describes how COGNOSHIFT PRIVATE LIMITED ("we") collects and processes personal data about Sanad users themselves — that is, the people who sign up for and operate Sanad tenants. For data Sanad processes on behalf of a tenant (consent receipts, rights requests, etc.) the tenant is the data fiduciary; refer to that tenant's privacy notice and to our DPA.

What we collect

  • Account data — organisation name, contact email, license key, signing seed (server-side only), enabled modules.
  • Usage data — API request metadata (route, status, IP hash, timestamp) for security, billing, and abuse monitoring.
  • Billing data — payment metadata returned by Razorpay (subscription IDs, payment IDs); we do not store card details.

How we use it

  • To operate the Service: signing artifacts, delivering webhooks, generating reports.
  • To bill you: subscription management via Razorpay.
  • To secure the Service: rate limiting, abuse detection, audit logging.
  • To communicate with you: account notices, security alerts, product updates that materially change the Service.

Data residency

All operational data — including signing keys, hash chains, and signed artifacts — is stored in India (Supabase ap-south-1 region). Backups stay within the same jurisdiction.

Sub-processors

We rely on a small set of sub-processors. The current list is published at /legal/sub-processors. We notify tenants by email of additions or replacements at least 30 days in advance.

Retention

Account and signed-artifact data are retained for the life of the tenant relationship and for 90 days after termination, after which they are erased and a signed erasure attestation is generated. Operational logs are retained for 12 months.

Your rights

You may request access, correction, or erasure of personal data we hold about you by emailing dpo@cognoshift.in. Where we process data on behalf of a tenant, those requests should go to the tenant directly.

Security

We use industry-standard transport security (TLS 1.2+), at-rest encryption, and least-privilege access controls. Incident response is governed by our internal IR runbook. We will notify affected users without delay where required by law.

Contact

Privacy questions: dpo@cognoshift.in.

CognoShift Private Limited · CIN U85499HR2025PTC130446 · Registered office: Haryana, India