legal

Privacy Policy

Last updated: May 2, 2026  ·  Effective: May 2, 2026  ·  Version 2026-05-02-v2

This Privacy Policy explains how Cognire LLC, a Georgia limited liability company and the parent company that owns and operates the agent14 brand and platform (collectively "Cognire", "agent14", "we", "us"), collects, uses, shares, and protects personal information when you use agent14.online, our dashboard, APIs, and related services (the "Service"). Cognire LLC is headquartered in the State of Georgia, USA. By using the Service you acknowledge the practices described here.

1. Scope

This Policy applies to information we collect about (a) visitors to our website, (b) account holders and their authorized users, and (c) end-users who interact with hosted agents you build on the Service. It does not apply to third-party websites or services that have their own privacy policies.

Controller / Processor. For information about you as a customer or visitor, agent14 is the "controller" (or, in California, "business"). For Customer Content you submit, you are the controller and agent14 acts as your "processor" (or "service provider") under applicable law.

2. Information We Collect

a. Information you provide

  • Account data: name, email address, password (hashed), display name, avatar.
  • Billing data: billing name and address, last four digits of payment card, payment-processor token. Full card numbers are handled by our PCI-DSS compliant processor; we do not store them.
  • Customer Content: the prompts, files, and other inputs you submit, and the AI outputs returned to you.
  • Communications: messages you send to support, survey responses, and marketing preferences.

b. Information collected automatically

  • Device & log data: IP address, browser type, operating system, language, referring URL, pages viewed, timestamps, error logs.
  • Usage data: features used, requests sent, model and token counts, latency, cost metrics, session length.
  • Cookies and similar technologies: see Section 8 below.

c. Information from third parties

  • Identity providers (e.g., Supabase Auth, Google) when you sign in through them.
  • Payment processors (e.g., Stripe) for transaction status.
  • Analytics and security providers for fraud-prevention and bot detection.

3. How We Use Information

We process personal information for the following purposes and on the legal bases noted (where European law applies, the bases are listed in brackets):

  • Provide, operate, secure, and improve the Service [contract; legitimate interests].
  • Authenticate users and prevent fraud, abuse, and security incidents [legitimate interests; legal obligation].
  • Process payments and manage subscriptions [contract; legal obligation].
  • Send transactional communications (e.g., receipts, security alerts, password resets) [contract].
  • Send service updates and, with consent where required, marketing communications [consent; legitimate interests]. You can opt out at any time.
  • Comply with law and respond to lawful requests from authorities [legal obligation].
  • Defend and enforce our legal rights, including the agent14 Terms [legitimate interests].
  • Conduct internal research and analytics in aggregated or de-identified form.

4. AI-Specific Data Practices

Important. Please read. The Service uses third-party AI models. Information you submit may be transmitted to those providers for inference. Do not submit information you are not authorized to share with them.
  • Inference processors. We send Inputs to AI inference providers such as the Lovable AI Gateway, OpenAI, Anthropic, Google, and similar services to generate Outputs. These providers process Inputs only as our service providers.
  • No training on your content by default. We do not use your Inputs or Outputs to train our or any third party's foundation models unless you expressly opt in. Where we have visibility into a provider's settings, we configure them to disable training on Customer Content.
  • Abuse monitoring and safety. Inputs and Outputs may be retained by us or our providers for a limited period for safety, abuse-detection, and legal-compliance purposes (typically up to 30 days, longer where required by law or to investigate an active incident).
  • Hallucinations and accuracy. AI Outputs may be inaccurate, incomplete, or misleading. We do not represent that Outputs are accurate, and we are not responsible for decisions you make based on them. See the Terms, Section 9.
  • No automated decisions with legal effect. agent14 itself does not use personal information to make decisions about you that produce legal or similarly significant effects without human involvement. If you build hosted agents that do, you are responsible for compliance with applicable law (including the FCRA, ECOA, ADA, and state AI laws).
  • Sensitive categories. Do not submit sensitive personal information (e.g., government identifiers, precise geolocation, biometric data, health information, children's data, or information about criminal proceedings) unless you have a documented lawful basis and a separate written agreement with us covering it. The Service is not HIPAA-compliant by default.
  • Synthetic content. If you publish AI-generated content, you may be required by law to disclose that fact. agent14 does not automatically apply provenance metadata; you are responsible for any required watermarking or labeling.

5. How We Share Information

We share personal information only as described below. We do not sell personal information for monetary consideration.

  • Service providers / sub-processors who help us run the Service, including hosting (e.g., Cloudflare), database and auth (Supabase), AI inference (Lovable AI Gateway, OpenAI, Anthropic, Google, Meta WhatsApp), payments (e.g., Stripe), email/SMS delivery, analytics, and security. They may process personal information only on our instructions and under contract.
  • Within your organization or workspace, where applicable.
  • Legal and safety. When we reasonably believe disclosure is required by law, legal process, or to protect the rights, safety, or property of agent14, our users, or others.
  • Business transfers. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. We will require the recipient to honor this Policy.
  • With your consent. For any other purpose disclosed at the time of collection.

6. Data Retention

We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account data: for the life of your account plus up to 24 months after deletion (for backup, audit, and dispute purposes).
  • Customer Content: until you delete it or until 30 days after account deletion.
  • Logs: typically up to 90 days for security and operational logs.
  • Billing and tax records: at least 7 years, as required by U.S. tax law.
  • Abuse-monitoring data: typically up to 30 days unless an investigation requires longer retention.

7. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption at rest where appropriate, role-based access control, secrets management, audit logging, least privilege, and routine reviews of our service providers. No system is perfectly secure. You are responsible for maintaining the confidentiality of your account credentials.

Breach notification. If we become aware of a breach of unencrypted personal information about a Georgia resident, we will notify you in accordance with the Georgia Personal Identity Protection Act, O.C.G.A. § 10-1-910 et seq., and any other applicable state or federal breach-notification law.

8. Cookies and Tracking

We use first-party cookies and similar technologies to keep you signed in, remember preferences, secure the Service, and measure usage. You can control cookies through your browser settings. We currently honor Global Privacy Control (GPC) signals where applicable. We do not knowingly engage in cross-context behavioral advertising.

9. Your Rights

Depending on where you live, you may have some or all of the following rights:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal information, subject to legal exceptions.
  • Port your information in a structured, machine-readable format.
  • Opt out of marketing communications and of any "sale" or "sharing" of personal information for cross-context behavioral advertising (we do not engage in either).
  • Restrict or object to certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data-protection authority or, in the U.S., your state Attorney General.

Georgia residents. Georgia does not currently have a comprehensive consumer privacy statute, but we extend the access, correction, and deletion rights described above to Georgia residents as a matter of policy. To exercise a right, please submit a request through our contact form from the account you wish to act on. We will verify your identity before responding and will reply within the timeframes required by applicable law (typically 30 to 45 days).

Authorized agents. You may use an authorized agent to submit requests where allowed by law. We may require the agent to provide proof of authorization and may require you to verify your identity with us directly.

Non-discrimination. We will not discriminate against you for exercising any of the rights described in this Policy.

10. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, please let us know through our contact form and we will delete it promptly. The Service is not COPPA-compliant.

11. International Transfers

agent14 is based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the United States and other countries that may have data-protection laws different from those in your country. Where required by law (e.g., GDPR), we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

12. California Disclosures (CCPA/CPRA)

In the past 12 months we have collected the categories of personal information described in Section 2 (Identifiers, Commercial Information, Internet/Network Activity, Inferences, and Customer Content). We disclose those categories for the business purposes in Section 3 to the categories of recipients in Section 5. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not knowingly collect or sell the personal information of consumers under 16. California residents may exercise access, deletion, correction, opt-out, and limit-use-of-sensitive personal information rights as described in Section 9.

13. Other U.S. State Disclosures

Where the comprehensive privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other U.S. states apply, we will honor the access, correction, deletion, portability, and opt-out rights described in Section 9. To appeal a denial of a rights request, reply to our denial email and write "Privacy Appeal" in the subject line.

14. Changes to this Policy

We may update this Policy from time to time. If we make a material change we will provide reasonable notice (for example, by updating the "Last updated" date and, where appropriate, by email or in-app notice). Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance.

15. Customer Data Processed on Behalf of Tenants

This section covers personal information about our tenants' customers — the people whose contact details a tenant uploads, syncs, or otherwise provides to the Service so we can communicate with them on the tenant's behalf. It supplements the general practices in Sections 2–4. The tenant-facing legal commitments live in Section 22 of our Terms of Service.

a. What we process for tenants

We process the following categories of personal information about tenants' end customers, solely as a data processor on the tenant's instructions:

  • Identifiers: name, email address, phone number, postal address.
  • Commercial data: subscription status, invoice and payment history, contract dates, product or plan names.
  • Communications: the SMS, email, and voice messages we send and receive on the tenant's behalf, including conversation transcripts and disposition (replied, opted out, etc.).
  • Inferences: the agent's classification of the customer (for example, "price-sensitive," "support-frustrated," "preferred channel: SMS").

b. Roles under data-protection law

For Customer Data the tenant is the "data controller" (in California, "business") and agent14 is the "data processor" (in California, "service provider"). The tenant determines the purposes and means of processing; we act on the tenant's documented instructions.

A data-processing agreement is included by reference in our Terms of Service (Section 22). EU-resident tenants may request a stand-alone executed DPA copy by contacting us through our contact form.

c. Subject rights

A customer of one of our tenants who wants to exercise a subject right (access, deletion, correction, portability, opt-out) should contact the tenant directly. The tenant is the controller and is the appropriate first point of contact.

When a tenant receives such a request, the tenant can use agent14's tools to fulfil it: deleting the customer record from the tenant workspace, exporting communications history, or invoking the tenant-delete endpoint to remove all data tied to that customer.

If you contact agent14 directly with a subject-rights request about Customer Data, we will route the request to the relevant tenant and notify you of that routing. We do not unilaterally action requests against a tenant's data.

d. Data lifecycle

We retain Customer Data for the duration of the tenant's account plus a 30-day grace period to support reactivation. After the grace period, Customer Data is deleted from primary storage. Audit-log records that reference Customer Data (including account_audit_log and cron_invocations_log) are retained for legal-compliance purposes for up to 7 years; personally identifying fields in those records are anonymized at the time of tenant deletion.

A tenant can delete an individual customer record at any time through the dashboard or via the tenant-delete API. Deletion takes effect within 24 hours across primary storage; backup snapshots roll off within 30 days.

e. Cross-border transfer

Customer Data is hosted in the U.S. region of our Supabase project (project reference vnfhcxmywfhiuzkamggk). Sub-processor providers (Twilio, Resend, Microsoft Azure, Stripe, Cloudflare) may process Customer Data in the U.S. and other jurisdictions consistent with their published data-residency policies.

For tenants whose end customers reside in the EU, EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and the UK International Data Transfer Addendum as the lawful transfer mechanism, executed by reference in our Terms.

f. Audit logs

The Service maintains audit logs of authentication events, configuration changes, deletion requests, and cron-driven background activity. These logs are retained for security, compliance, and incident-response purposes and may persist beyond the deletion of a tenant's primary data. PII fields in audit-log rows that reference deleted customers are scrubbed at the time of deletion; the structural log row is retained.

g. No re-use across tenants

We do not share, sell, license, mine, or use one tenant's Customer Data for any other tenant or for any purpose outside the Service. The cross-tenant opt-out registry described in Section 22.4 of our Terms is the only exception, and it stores only the channel-and-address pair that opted out — not the originating tenant or any context.

16. Contact Us

For questions about this Policy or to exercise your rights, please get in touch through our contact form, or write to us by mail at:

Cognire LLC
Attn: Privacy
State of Georgia, USA

See also our Terms of Service.

This document is a template provided as a starting point and is not legal advice. Please have it reviewed and customized by a Georgia-licensed attorney before relying on it.