1. Data we collect

COHESION is middleware between AI systems and human operators. We collect only what is necessary to score and maintain the Judgment Independence Score (JIS).

  • API-key prefix hashes (the 8-character non-secret prefix and the SHA-256 hash of the full key).
  • Behavioral telemetry per interaction: time_to_decision_ms, decision, modification_extent, hover_events, scroll_depth, alternative_views_checked, and outcome_correct when the customer supplies it.
  • A pseudonymous operator_id set by the customer.
  • Request metadata: timestamp, request ID, IP address (for rate-limiting only), user agent, response status.

2. Data we do not collect

We do not collect names, email addresses, dates of birth, government identifiers, or other personally identifiable information beyond the pseudonymous operator_id. If a customer places PII inside operator_id, that is a customer configuration choice and the customer is the controller for that field. Our recommendation is to hash or pseudonymize before the value leaves your system.

3. GDPR rights (EU and UK)

Where the General Data Protection Regulation applies, data subjects have the following rights:

  • Access (Art 15), rectification (Art 16), erasure (Art 17), restriction of processing (Art 18), data portability (Art 20), objection (Art 21).
  • Right not to be subject to a decision based solely on automated processing (Art 22). COHESION scores inform human decisions; they do not make legally significant decisions alone.

These rights are currently served by a manual workflow with a 30-day response SLA. Self-service subject-rights endpoints are scheduled for v1.3 per the post-launch roadmap.

4. Colorado Privacy Act rights

Colorado residents have the right to access, delete, correct, and receive a portable copy of their data, and to opt out of targeted advertising, sale of personal data, and profiling for decisions with legal or similarly significant effects. COHESION does not sell personal data or use it for targeted advertising. Requests are handled manually under a 30-day SLA.

5. California CPRA rights

California residents have the right to know what we collect, delete what we hold, correct inaccurate data, limit use and disclosure of sensitive personal information, receive a portable copy, opt out of sale and sharing, and not be discriminated against for exercising these rights. COHESION does not sell or share personal information in the CPRA sense.

6. Retention

  • Interaction telemetry: 24 months.
  • Audit log entries: 90 days.
  • Rate-limit counters: 2 hours.
  • Alerts: 90 days.

Details live in the security posture document. Retention is enforced by Cloudflare Cron Triggers on the COHESION Worker.

7. Sub-processors

Cloudflare, Inc. is our sole sub-processor. It hosts the COHESION Worker, the D1 database, KV namespaces, and the static assets at cohesionauth.com.

Sentry is an optional sub-processor that is only engaged when a customer explicitly enables SDK telemetry by setting enableTelemetry: true and providing a DSN. PII scrubbing is applied before any event leaves the SDK.

Current and historical sub-processors are listed in the sub-processors ledger. We will notify pilot customers of new sub-processors at least 30 days before they go live.

8. Cookies and analytics

The v1.1.0 website uses no analytics cookies. The dashboard uses a single, essential, first-party session cookie for authentication. If we introduce analytics in a future release, an opt-in cookie banner will be deployed at the same time.

9. Data Processing Agreement

Enterprise pilots are executed under a Data Processing Agreement. The current template is available at legal/templates/DPA-TEMPLATE.md. EU customers may elect standard contractual clauses via the DPA addendum.

10. Regulatory mapping

COHESION is designed to help customers satisfy human-oversight obligations under:

11. Jurisdiction

This notice is governed by the laws of the State of Washington, USA, subject to any override executed in a signed DPA for EU or UK customers.

12. Contact

Privacy and data-subject requests: [email protected].

Postal: COHESION AUTH LLC, Washington, USA. Mailing address available on request during pilot onboarding.