Back to Sandhed

Privacy Policy

Version 1.0 · Effective February 1, 2026

Last updated: February 1, 2026. This Privacy Policy explains how we collect, use, and protect your personal data when you use the Sandhed platform.

1. Introduction

Cognition ApS ("Cognition", "we", "us", or "our"), a company registered in Denmark, operates the Sandhed IoT Digital Twin platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal data in connection with our Service.

We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. If you have any questions about this Privacy Policy, please contact us at [email protected].

2. Data Controller

Cognition ApS is the data controller for personal data we collect directly from you (such as account registration information and usage data).

For personal data that Customers upload or transmit through the Service (including IoT telemetry data that may contain personal information), the Customer is the data controller and Cognition acts as a data processor on behalf of the Customer. The processing of such data is governed by our Data Processing Agreement.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Name and email address
  • Company/organization name
  • Job title or role
  • Account credentials (passwords are stored in hashed form)

3.2 Usage Data

  • Login times and session duration
  • Features accessed and actions performed
  • IP addresses
  • User preferences and settings

3.3 Device Information

  • Browser type and version
  • Operating system
  • Device type and screen resolution

3.4 IoT and Telemetry Data

When Customers use our Service to process IoT telemetry data, this data may include location information, equipment status, and other operational data. Cognition processes this data on behalf of the Customer as a data processor.

4. Legal Basis for Processing

Under GDPR Article 6, we process personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service and fulfill our contractual obligations to you
  • Legitimate Interests (Art. 6(1)(f)): Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your rights
  • Consent (Art. 6(1)(a)): For marketing communications and optional features where we have obtained your explicit consent
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations

5. How We Use Your Data

We use personal data for the following purposes:

5.1 Providing the Service

  • Creating and managing your account
  • Authenticating your access to the platform
  • Processing and displaying your IoT data
  • Sending service-related notifications and alerts

5.2 Security and Fraud Prevention

  • Detecting and preventing unauthorized access
  • Monitoring for security threats
  • Investigating potential violations of our Terms of Service

5.3 Customer Support

  • Responding to your inquiries and support requests
  • Providing technical assistance

5.4 Analytics and Improvement

  • Understanding how users interact with our Service
  • Identifying areas for improvement
  • Developing new features and functionality

6. Data Sharing

We may share personal data with the following categories of recipients:

6.1 Sub-Processors

We use third-party service providers to help operate our Service, including:

  • Cloud hosting providers (infrastructure)
  • Analytics services (usage statistics)
  • Email service providers (transactional communications)

All sub-processors are bound by data processing agreements and are required to protect your data in accordance with applicable laws.

6.2 Legal Requirements

We may disclose personal data if required by law, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, property, or safety, or that of others.

6.3 Business Transfers

If Cognition is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

7. International Transfers

Cognition is based in the European Union (Denmark), and we primarily process personal data within the EU/EEA. Where we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other approved transfer mechanisms under GDPR

8. Data Retention

We retain personal data for the following periods:

  • Account Data: Duration of your account plus 90 days after account closure
  • Usage Logs: 12 months from collection
  • Backup Retention: 30 days after deletion from active systems
  • Support Records: 3 years from resolution for quality and legal purposes

We may retain certain data longer if required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Denmark, this is the Danish Data Protection Agency (Datatilsynet).

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

10.1 Essential Cookies

Required for the Service to function, including session management and authentication. These cookies cannot be disabled.

10.2 Analytics Cookies

Help us understand how visitors interact with the Service. We only use analytics cookies with your consent. You can manage your cookie preferences through your browser settings or our cookie consent banner.

For more details, please see our Cookie Policy.

11. Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Role-based access controls
  • Regular security assessments and penetration testing
  • Employee security training and awareness programs
  • Incident response procedures

While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you have reason to believe your data has been compromised, please contact us immediately.

12. Children's Privacy

The Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending you an email notification
  • Displaying a notice within the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

14. Contact Information

For questions about this Privacy Policy or our data practices, please contact us:

Cognition ApS

Email: [email protected]

This Privacy Policy is effective as of February 1, 2026 and applies to all users of the Sandhed platform operated by Cognition ApS.