Privacy Policy for Cognatio Lab Limited
Effective Date: 2nd May 2026
Last Updated: 2nd May 2026
This notice describes how Cognatio Lab Limited handles personal data. It is written in plain English. If you would like a more detailed technical version (covering our internal data architecture and our Legitimate Interests Assessment), email privacy@cognatio-lab.com and we will share it on request.
1. About this notice
This privacy notice explains how Cognatio Lab Limited collects, uses, and protects personal data when you visit cognatio-lab.com, when one of our operators connects with you on LinkedIn, when you become a client of ours, or when someone refers you to us.
We are committed to handling your data responsibly and in line with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who we are
Cognatio Lab Limited is the data controller for the personal data processed under this notice. We are registered in England & Wales under company number 13888676. Our current registered office address is held at Companies House and can be looked up free of charge at find-and-update.company-information.service.gov.uk.
We are registered with the United Kingdom Information Commissioner’s Office (ICO) under reference ZB886925.
The most reliable way to contact us about anything in this notice, including to exercise any of the rights set out in section 9, is by emailing privacy@cognatio-lab.com. This inbox is monitored on every working day.
3. What personal data we collect
We collect and process the following categories of personal data.
Identity data: full name, job title, employer name.
Contact data: business email address, LinkedIn profile URL, and business phone number where you have shared it.
Professional context: sector, industry, public LinkedIn-visible role history, public organisational data.
Conversation history: the content of messages you and we send via LinkedIn direct message, including timestamps and message direction.
Internal classifications: we maintain operational classifications about you to prioritise our outreach and ensure good record-keeping (for example, contact stage, do-not-contact preference, and referral potential). These are inferred or assigned by us and used internally only.
Operator notes: professional and commercial notes our operators write about you in the course of normal business development and relationship management. These notes are subject to a strict hygiene rule that excludes any special-category data (see below).
Draft messages: AI-generated draft messages that one of our operators may then review, edit, and send to you. We retain a record of the draft, the edits made, and which operator sent it.
Commercial data (clients only): deal value, contract dates, invoice and payment status, and account-health classification.
Field-change audit: a record of when an operator edits any of the fields above, who made the change, and when.
We do not knowingly collect special-category data under Article 9 of the UK GDPR (information about your health, religion, political opinions, trade union membership, sexual orientation, ethnic origin, or biometric or genetic data). Our operator-notes hygiene rule explicitly excludes the capture of this data, and we review compliance with the rule each quarter.
4. How we collect your data
From you directly: When you reply to one of our LinkedIn messages, accept a connection request from one of our operators, fill in a form on cognatio-lab.com, sign a contract, or email us.
From LinkedIn: When you accept a connection request from one of our operators, your public LinkedIn profile data and the contents of any direct messages between us become available to our operator. We use a LinkedIn outreach automation provider to manage connection requests and to maintain a copy of our message history with you.
From AI inference: We use an artificial-intelligence inference provider to classify your role and sector and to draft suggested messages in our operator's voice. The inference is transient and the provider does not use the data to train its models.
From referrals: If a mutual contact introduces us, your name and the context for the introduction may be recorded.
From public sources: We may augment your record with publicly available information about your role at your employer.
5. Why we use your data (our lawful bases)
We rely on the following lawful bases under Article 6 UK GDPR.
Legitimate interests (Article 6(1)(f)) for business development, operational efficiency, relationship management, and ongoing client relationship management. We have completed a Legitimate Interests Assessment that documents the necessity, proportionality, and balance of this processing. A copy is available on request via privacy@cognatio-lab.com.
Contract (Article 6(1)(b)) for the processing of your data while you are a client of Cognatio Lab Limited, including the management of contracted services, deliverables, and invoicing.
Consent (Article 6(1)(a)) where you fill in a form on cognatio-lab.com and indicate that you wish to receive marketing communications from us.
Legal obligation (Article 6(1)(c)) for retention of records that we are required by law to keep, including tax and accounting records under HMRC rules.
We do not use your data to make solely automated decisions that produce legal effects or similarly significantly affect you. Our operators review every outbound message before it is sent. Our internal classifications surface contacts in our operators’ work queue, but do not trigger automatic actions against you.
6. Who we share your data with
We share your data with the processors listed below. Each acts under a Data Processing Agreement with us and is bound by appropriate UK GDPR safeguards.
Customer relationship management (CRM) system provider: for storing your contact record, our deals, and notes (United States headquartered, with European Union and United States infrastructure).
Artificial-intelligence inference provider: for data enrichment and message drafting (United States).
Application hosting provider: for running our application (United Kingdom).
Edge security provider: for inbound webhook redundancy (United Kingdom and global edge).
LinkedIn outreach automation provider: for connection requests and message scheduling (European Union).
Encrypted backup storage provider: for off-site backups of our internal database (United States).
Invoicing platform: for accounts receivable (United Kingdom and European Union instance).
Single sign-on and email provider: for operator authentication and outbound email (European Union and United States).
Error-monitoring service: with 30-day retention (United States).
For our current list of named processors, please email privacy@cognatio-lab.com, and we will share it upon request.
We do not sell your data. We do not share your data with third parties for their own marketing purposes.
7. International transfers
Some of our processors are located outside the United Kingdom. Where personal data is transferred to the United States, we rely on the United Kingdom International Data Transfer Addendum to the European Union Standard Contractual Clauses, or equivalent. We have copies of each transfer agreement on file and can confirm the route of any specific data flow on request.
Our application is hosted in London. Backups are encrypted before they are transferred to the United States.
8. How long we keep your data
We retain your data for the following periods.
Operational lead and conversation data (your contact record, message history, draft history): 365 days from the most recent sync.
Operator notes and field-change audit records: 6 years from creation, aligned to the United Kingdom statute of limitations for contractual claims.
Client commercial records (deals, contracts, invoices): 6 years from the close of the contract, in line with our legal obligations under HMRC record-keeping rules.
Backups: held alongside the source data for 30 days.
Error monitoring records: 30 days.
Customer relationship management records: while you remain an active contact or for 24 months from your last interaction with us, whichever is longer. Deal records are retained for 6 years from contract close.
When your retention window expires, your data is deleted automatically. You may at any time ask us to delete your data ahead of these windows; see section 9.
9. Your rights
Under UK GDPR, you have the following rights in relation to your personal data.
Right to be informed. This notice is the means by which we inform you of our processing.
Right of access (Article 15). You can ask us for a copy of all personal data we hold about you. We will provide this within one calendar month of your request, in a structured and readable form.
Right to rectification (Article 16). You can ask us to correct any data we hold about you that is inaccurate or incomplete.
Right to erasure (Article 17), commonly known as the right to be forgotten. You can ask us to delete your data. We will do so unless we have a legal obligation to retain specific records (for example, invoice records under HMRC rules).
Right to restrict processing (Article 18). You can ask us to stop processing your data while a question about its accuracy or our lawful basis is resolved.
Right to data portability (Article 20). You can ask us to provide your data in a structured, commonly used, machine-readable format that you can transfer to another organisation.
Right to object (Article 21). You can ask us to stop processing your data on the basis of legitimate interests. On objection, we set a do-not-contact flag against your record so no further outreach is generated. We retain the suppression record itself so we do not contact you again in error.
Rights in relation to automated decision-making (Article 22). You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. As described in section 5, our operators review every outbound message, and our internal classifications do not trigger automatic actions against you.
10. How to exercise your rights or contact us
To exercise any of the rights in section 9, or to ask any question about this notice, please email privacy@cognatio-lab.com.
We aim to respond to all requests within one calendar month. If your request is complex or you have made a number of requests, we may need an additional two months, and we will tell you so within the first month.
11. Complaints
If you are not satisfied with how we have handled your data, you have the right to complain to the United Kingdom’s Information Commissioner’s Office.
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Web: ico.org.uk
We would prefer the chance to address your concern first, so please consider contacting us at privacy@cognatio-lab.com before approaching the Information Commissioner.
12. Updates to this notice
We will keep this notice under review and update it whenever our processing surface materially changes. The version number and date below indicate when this notice was last reviewed.
When we make a material change, we will publish the updated notice on cognatio-lab.com and indicate the most material changes in a “What’s changed” note for one calendar month.