Public policy

Privacy Policy

This Privacy Policy explains how cog handles personal data for the public website, the waitlist, and the intended calendar-planning product hosted at runcog.dev. Some sections apply only when a feature is enabled for your account, such as local login, Google sign-in, Google Calendar or Google Contacts sync, household invitations, generated calendar output, or future planning recommendations.

Last updated: May 22, 2026

1. Who this policy covers

This policy applies to the cog website, waitlist, web application, related APIs, communications, and connected account features we operate under the cog name. In this policy, "cog," "we," "us," and "our" refer to Cornelius Wichering, Am Heidbergstift 58, 28717 Bremen, Germany.

If you have questions about this policy or want to exercise privacy rights, contact us at mail@runcog.dev.

For purposes of applicable data-protection law, the controller for the processing described in this policy is Cornelius Wichering, Am Heidbergstift 58, 28717 Bremen, Germany, unless this policy explicitly says otherwise.

2. Information we collect

Information you provide directly

  • waitlist and communication data, such as your email address and the fact that you requested or confirmed a subscription or unsubscribe action;
  • account and identity data, such as name, email address, household role, timezone, login credentials, or identity information received from a sign-in provider;
  • household and planning data, such as household membership, dependent and relationship information, recurring schedules, care rules, availability windows, transport buffers, blackout periods, preferences, categories, routines, policies, notes, and manual overrides;
  • invitation and collaboration data, such as invitee email addresses, acceptance status, and membership activity; and
  • support, feedback, or notification data, such as messages you send us and notification preferences you choose.

Information from connected services

If you enable future integrations, we may process:

  • Google account identifiers, granted scopes, and OAuth tokens needed to maintain a Google connection;
  • selected Google Calendar data, including calendar identifiers, source events, event timing, travel or availability signals, and output calendar mappings for events generated by cog; and
  • Google Contacts data, including names, email addresses, phone numbers, and birthdays where available.

Information generated inside the service

  • generated plans, planned events, and planning explanations;
  • system inferences such as consistency anchors, acceptance or rejection signals, and stale-plan or conflict states; and
  • audit and sync metadata needed to keep planning output coherent, avoid duplicates, and respect manual edits.

Information collected automatically

  • technical and usage data such as IP address, browser type, device information, timestamps, requested URLs, referrers, and error or health diagnostics;
  • security and service logs needed to operate, protect, and troubleshoot the service; and
  • essential session or preference data if and when account features require authentication or stateful sessions.

Sensitive and third-party data

The product is not designed to act as a medical record, emergency system, or general repository for highly sensitive special-category personal data. However, planning can involve family structure, children, relationship context, care requirements, recovery needs, or other personal constraints, and data you choose to enter may reveal sensitive context about you or other people.

Only provide personal data that is reasonably necessary for the service and that you are allowed to share. If you upload or sync information about another adult, child, dependent, or contact, you are responsible for having an appropriate legal basis or authority to do so.

3. How we use personal data

  • to operate the public site, waitlist, and account lifecycle;
  • to create and manage households, roles, invitations, preferences, and privacy settings;
  • to sync selected calendars and contacts, maintain external connections, and publish generated events back to connected calendars;
  • to generate, explain, and refine planning outputs, including conflict explanations, masked availability, and future tradeoff suggestions;
  • to send confirmations, invitations, product notices, security alerts, and service-related emails;
  • to secure, monitor, debug, and improve the service;
  • to enforce our terms, respond to legal requests, and protect users, the service, and our rights; and
  • to comply with legal obligations, recordkeeping duties, and legitimate operational requirements.

4. Legal bases for processing

If the GDPR, UK GDPR, or similar laws apply, we generally rely on one or more of the following bases:

  • contract performance, when processing is necessary to provide the service you request;
  • consent, when you join the waitlist, connect third-party integrations, choose to receive optional communications, or otherwise authorize specific processing;
  • legitimate interests, such as operating the product, preventing abuse, protecting users, maintaining logs, improving planning quality, and keeping integrations reliable; and
  • legal obligations, when we must retain, disclose, or otherwise process data to comply with applicable law.

5. How data may be shared

  • with hosting, infrastructure, database, email delivery, monitoring, and support providers that help us operate the service;
  • with Google or other connected platform providers when you choose to enable calendar, contact, or identity integrations;
  • within a household according to the product's privacy model, including household-shared data and masked "busy" signals where private events still affect availability;
  • with professional advisers, auditors, insurers, or acquirers when reasonably necessary; and
  • with courts, regulators, law enforcement, or other third parties when we believe disclosure is required or justified by law or to protect the service.

We are not in the business of selling personal information or using it for third-party behavioral advertising.

6. Google services notice

If you connect a Google account, we use Google data only to deliver the features you ask us to provide, such as reading selected source calendars and contacts, keeping sync state current, and writing cog-generated events to an output calendar we manage on your behalf.

Use of information received from Google APIs will adhere to the Google API Services User Data Policy , including the Limited Use requirements.

7. Cookies and similar technologies

The current public launch does not rely on advertising cookies or third-party marketing trackers. For the final product, we may use strictly necessary cookies or similar technologies for authentication, session continuity, security, and preference storage.

If we later introduce non-essential analytics, advertising, or similar technologies, we will update this policy and request consent where the law requires it before activating them.

8. Data retention

  • Waitlist email addresses are retained until you unsubscribe, ask us to delete them, or we determine they are no longer needed for the launch process.
  • Account, household, planning, and sync data are retained while the relevant account or household remains active and for a reasonable period afterward to resolve disputes, prevent abuse, comply with legal duties, and support backups or restoration.
  • Connected calendar and contact data, output mappings, and sync cursors are retained for as long as the integration stays active and then as needed to support disconnection, deletion, audit, and replay prevention.
  • Verification tokens and similar credentials are kept only for limited periods. Current waitlist verification tokens are configured to expire after up to seven days.
  • Log and diagnostic data are retained only as long as reasonably necessary for security, integrity, and troubleshooting.

9. International transfers

The service is designed for a self-hosted deployment model, but personal data may still be processed in countries other than your own depending on where the service is hosted, which providers are used, and where connected platforms operate. Where required, we will rely on appropriate safeguards such as adequacy decisions, contractual safeguards, or comparable lawful transfer mechanisms.

10. Security

We use reasonable technical and organizational measures to protect personal data, including access controls, environment-based secret management, and operational logging. No service can promise perfect security, and you should use a strong password and review connected integrations carefully.

11. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to our processing of your personal data, and to withdraw consent where processing depends on consent.

To make a request, contact mail@runcog.dev. If you are in the EEA, UK, or another region with a similar regime, you may also lodge a complaint with your local supervisory authority.

12. Children and dependent data

The intended product does not provide child logins. However, adult users may enter schedule and care information about children or other dependents when it is necessary for household planning. You must only do that when you have the authority to provide the information and when the information is relevant to the planning purpose.

13. Automated planning and human review

cog may use rules, scoring, automation, and future model-assisted features to generate planning suggestions, explain tradeoffs, reshuffle future events, or mark conflicts. Those outputs are intended to support human decision-making, not replace it.

You remain responsible for reviewing generated events and recommendations before relying on them. The service is not presented as a system for making solely automated decisions with legal or similarly significant effect.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect product, infrastructure, legal, or operational changes. When we do, we will update the "Last updated" date on this page and may also provide additional notice where appropriate.

15. Contact

Privacy questions, data requests, and complaints can be sent to Cornelius Wichering, Am Heidbergstift 58, 28717 Bremen, Germany, or to mail@runcog.dev.