Your data
This page describes exactly what personal data CogniLead stores about you as a registered user, how you can export it, and how to permanently delete your account. For the full legal policy see Privacy Policy.
What we store about you
Account identity
- Email address — used for sign-in, transactional emails, and DPO communications.
- Auth provider — GitHub or Google OAuth identifier when you sign in with a social provider; otherwise email + bcrypt hash via Supabase Auth.
- Workspace name — the label you chose during onboarding, stored in tenants.name.
- Jurisdiction selection — CH or EU, determines data residency and the applicable DPA clause.
Authentication & MFA
- Supabase Auth manages session tokens, password hashes (bcrypt via GoTrue), and TOTP factor secrets for MFA — stored in the Supabase Auth schema, never in our application tables.
- MFA factors (TOTP) are listed under Settings → Security. You can enroll and remove factors there at any time.
- Session cookies are strictly necessary (no tracking, no analytics). See Cookies.
Email & marketing pipeline data
- Contacts — recipient records you upload or import, stored in the leads table, scoped to your tenant.
- Sends & campaigns — email send records (sends), campaign configurations (campaigns), and delivery events.
- Suppressions — email addresses or domains you have suppressed from outbound sends.
- Signal pipeline — HN / Crunchbase / GitHub signals ingested and linked to your workspace.
This data belongs to you as data controller. We process it as data processor under the DPA.
IMAP-ingested mail
If you connect a warming mailbox via IMAP (imap_pool table), CogniLead stores the mailbox credentials (encrypted at rest), polling state, and warming metrics. No email bodies are retained beyond the warming-pass cycle. Disconnect at any time from Pool.
API keys
API keys you create are stored as an Argon2id hash; we never retain the cleartext secret after display. Manage and revoke keys in API keys.
Operational logs
API request logs (HTTP method, path, status, source IP, user-agent) are kept for 90 days in the api_calls table for security and debugging, then aggregated and dropped. Financial records are retained 7 years per Swiss law (CO 958f) and cannot be deleted on request.
How to export your data
You can download machine-readable exports from the dashboard:
- Contacts — CSV export from the contacts table.
- Sends — full send log with delivery events.
- Leads — all enriched lead records.
For a full structured export of everything we hold about your account (including auth records), email dpo@cognilead.ai — we fulfill portability requests (Art. 20 GDPR / Art. 28 revFADP) within 30 days.
How to delete your account
Deleting your account removes:
- Your Supabase Auth user (email, password hash, OAuth tokens, MFA factors)
- Your tenant row and all tenant membership records
- All pipeline data scoped to your tenant (leads, sends, campaigns, signals, suppressions, contacts, API keys)
- IMAP pool / warming-pool records
Financial records (Stripe billing history) are retained 7 years per Swiss law (CO 958f) and are not deleted. Chainlog audit events are immutable by design.
Self-serve: Go to Settings → Account and use the "Delete account" section. The action is permanent and requires you to type your email address to confirm.
Email fallback: If you no longer have access to your account, email dpo@cognilead.ai with the subject line "Erasure request" and we will manually complete deletion within 30 days.