CogniKin Privacy Policy
Last updated: 22 April 2026 · Effective immediately
CogniKin is a product of Kuranda Industries Pty Ltd (ACN 000228928, Australia). This policy explains how the CogniKin connectors for third-party services (Microsoft 365, Google, others) handle your data.
Summary in one sentence
When you connect a third-party account to CogniKin, your access tokens live only on your device, and the content of your email and calendar is never sent to or stored on CogniKin servers.
What CogniKin is, technically
The CogniKin connectors are a client application (installed on your computer) plus a thin cloud proxy we run at proxy.cognikinconnect.me. When you connect a third-party account:
- You authorise the third party (Microsoft, Google, etc.) to issue an OAuth token on your behalf.
- The third party sends that token to our proxy as part of the standard OAuth redirect handshake.
- Our proxy holds the token in memory for at most two minutes, exactly long enough for your device to pick it up.
- Your device stores the token locally in a file readable only by your operating-system user account.
- From that point on, your device talks directly to the third party's servers using your token. CogniKin infrastructure is not in the middle of those calls.
What we do not do
- We do not store, persist, or log your third-party access or refresh tokens on our servers.
- We do not read, copy, index, or transmit the content of your email messages, calendar events, or other third-party data.
- We do not sell your data. We do not share it with advertisers. We do not use it to train any machine-learning models.
- We do not provide a way for ourselves to impersonate you to your third-party provider.
What we do collect
To run the OAuth handshake and keep the proxy healthy, we collect the minimum necessary:
- OAuth handshake metadata — the client nonce, HMAC-signed state token, and the timestamp of consent. Retained only for the ~2-minute pickup window, then discarded from memory.
- Server logs — request path, HTTP method, HTTP status code, and IP address of the requesting machine. Used for security monitoring and debugging. Retained 30 days then deleted. Logs are not indexed or data-mined.
- Your CogniKin brain-holder identity — an account ID we issued when you joined the platform. Used solely to authenticate you to our LLM proxy endpoints.
Google user data specifically
When you connect a Google account, CogniKin requests the following scopes:
- openid email profile — to show you which account is connected.
- https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail, so the CogniKin assistant running on your device can help you with your inbox.
- https://www.googleapis.com/auth/calendar.readonly — read-only access to your Calendar.
CogniKin's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide the user-facing CogniKin features you activated.
- We do not transfer Google user data to third parties, except as necessary to provide or improve user-facing features, and only with explicit consent.
- We do not use Google user data for serving advertisements.
- No human at CogniKin reads your Google user data, except where explicitly required for debugging at your request, for security investigations, or to comply with the law.
Microsoft 365 user data
The same principles apply to Microsoft Graph data. We request delegated read-only access to mail, calendar, and basic profile. CogniKin does not persist, index, or transmit the content of your Microsoft 365 data through CogniKin infrastructure.
Where data is stored
- On your device. OAuth tokens and any cached third-party data, in a file readable only by your OS user account (mode 0600 on Unix).
- In our AWS region in Sydney, Australia (ap-southeast-2). Server logs and the small metadata needed to operate the proxy and your CogniKin account. Encrypted in transit and at rest.
Your rights
- Disconnect at any time. Use the in-app Disconnect button, or delete the local token file (~/.cognikin/integrations/). This immediately stops CogniKin from being able to use your token.
- Revoke consent upstream. Visit myaccount.google.com/permissions or myaccount.microsoft.com/privacy to revoke CogniKin's ability to request new tokens.
- Request deletion. Email privacy@kurandaindustries.com.au and we will delete any account-level data within 30 days.
- Access, correction, or complaint rights under the Australian Privacy Act 1988 (Cth) and the GDPR where applicable.
Security
- All connections to CogniKin infrastructure use TLS 1.2 or higher.
- OAuth state tokens are HMAC-signed and expire in 10 minutes.
- Third-party access tokens never leave your device in cleartext except when used directly against the third-party API over TLS.
- We do not have any mechanism to decrypt or recover tokens that have been delivered to a user device.
Contact
Kuranda Industries Pty Ltd
Brisbane, Queensland, Australia
Privacy enquiries: privacy@kurandaindustries.com.au