Privacy Policy

Cognihex Limited
Effective date: 11 May 2026
Last updated: 11 May 2026

Cognihex Limited (“Cognihex”, “we”, “us”, “our”) respects your privacy. This Privacy Policy describes how we collect, use, store, and share personal data when you use the ExamAlly platform and related websites or services operated by Cognihex that link to this policy (together, the “Services”).

We aim to comply with applicable data protection laws, including the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018 and related guidance from the Information Commissioner’s Office (“ICO”)), where those laws apply to our processing.

1. Who is responsible for your data?

The data controller responsible for personal data described in this policy is Cognihex Limited.

• Company details: Registered in England and Wales. Company number and registered office are on the Companies House register (search Cognihex Limited).
• Privacy contact: contact@cognihex.com

If we appoint a Data Protection Officer (DPO), we will publish their contact details here.

2. Scope

This policy applies to personal data processed through the Services and when you visit the Cognihex corporate website (cognihex.com), contact us by email, or interact with cookies and similar technologies on the Site. Third-party sites or apps (including integrations you choose to enable) may have their own policies — please read those carefully.

3. Personal data we collect

Depending on how you use the Services, we may collect:

3.1 Waitlist and pre-launch sign-ups

If you join the ExamAlly waitlist on examally.com, we collect your email address, optional exam timing preference, consent record, and technical metadata (for example timestamp and browser user agent). We store this on secure cloud infrastructure operated by our service providers (including hosting and database services) to notify you when the product launches. Lawful basis: consent.

3.2 Account and identity information

• Name
• Email address
• Account credentials — passwords are stored using strong one-way hashing and appropriate security controls; we do not store plaintext passwords.
• Profile or preference details you choose to provide

3.3 Usage and learning activity data

• Tests or practice items attempted, responses, timing, and outcomes
• Scores, performance metrics, progress indicators, and similar analytics derived from use
• In-product interactions (for example features used, navigation paths, error logs)

3.4 Technical and device data

• IP address
• Browser type and version
• Device type, operating system, and diagnostic identifiers where needed for security
• Approximate location derived from IP (for fraud prevention or regional compliance)

3.5 Cookies and similar technologies

We use cookies and similar technologies (such as local storage or pixels) where necessary to operate the Services, maintain sessions, remember preferences, measure performance, and — if enabled — support analytics or marketing in line with your choices and applicable law.

3.6 Payment information

Payments are processed by our payment service provider (currently Stripe). Stripe receives payment details directly; we typically receive a limited subset (such as transaction status, partial card brand or last digits if shown by the provider, billing identifiers). We do not store full payment card numbers or CVV/CVC data on our systems.

3.7 Communications

If you email us or use in-product messaging, we keep those communications and associated metadata as needed to respond and maintain records.

3.8 Sensitive categories

We do not intentionally ask you to upload special-category data (such as health data) via the Services. If you voluntarily submit such information, contact us so we can assess whether we should delete or segregate it.

4. Artificial intelligence (AI)

Cognihex builds AI-assisted learning products. We want you to understand where AI is involved, its limits, and how we approach regulatory expectations (including transparency norms reflected in the EU Artificial Intelligence Act for certain AI systems that interact with users or produce synthetic content — relevant where EU users access features subject to those rules).

4.1 How we may use AI

Without limiting future features disclosed in-product, we may use AI to:

• Generate, adapt, or score practice questions, explanations, hints, or feedback
• Summarise performance, surface recommendations, or prioritise topics
• Detect misuse, spam, or policy violations
• Assist our internal teams with drafting, categorisation, or quality checks
• Support marketing or website assets (for example illustration or copy assistance)

4.2 Outputs may be wrong or unfair

AI-generated content can be inaccurate, incomplete, biased, or outdated. You should treat outputs as assistive, not authoritative. ExamAlly is not a substitute for a qualified teacher, examiner, or professional adviser. You remain responsible for how you prepare for examinations and for verifying important facts.

4.3 Transparency when content is AI-assisted

Where AI materially contributes to user-facing content or automated recommendations, we will provide clear in-product notices where practicable (for example labels, tooltips, or help centre articles). Where regulators require machine-readable indicators for synthetic media, we will implement measures that are technically feasible and proportionate for our stack.

4.4 Human oversight

We apply technical and organisational measures intended to keep meaningful human oversight for high-risk quality decisions, proportionate to the feature. That does not guarantee error-free operation.

4.5 Training and model improvement

We do not sell your personal data. Unless we tell you otherwise in specific product terms or obtain consent where required, we do not permit third-party foundation-model providers to use your personal exam responses or account profile for training their general models. If we introduce optional programmes (for example consent-based improvement datasets), we will describe them separately before collection.

4.6 Automated decisions about you

Where UK GDPR Article 22 could apply to solely automated decisions with legal or similarly significant effects, we will ensure a lawful basis and provide information about logic, significance, and your rights — including human review where required. Typical practice and assessment feedback inside ExamAlly is designed as educational support rather than decisions with legal effect; we will update this section if that changes.

5. Why we use personal data (lawful bases)

We process personal data on one or more of the following bases under UK GDPR Article 6:

• Contract: to provide the Services you request (accounts, tests, payments, essential communications).
• Legitimate interests: to secure and improve the Services, analyse aggregated usage, prevent fraud or abuse, and operate our business — balanced against your rights (you may object where applicable).
• Legal obligation: to comply with law, regulation, or regulator demands.
• Consent: where required for non-essential cookies, certain emails, or other processing we expressly describe at collection — you may withdraw consent without affecting lawfulness of earlier processing.

6. Analytics

When enabled, we may use analytics tools (such as Google Analytics or successors) to understand traffic, funnels, and product usage. Where required, we will obtain consent before enabling non-essential analytics cookies or similar tracking. You can manage cookie choices through our cookie banner or browser settings where available. Marketing sites may not use analytics until a banner is shown.

7. Sharing personal data

We do not sell your personal data.

We may share personal data with:

• Service providers under written contracts (processors), including hosting, authentication, email delivery, analytics, customer support tooling, security monitoring, and payments (for example Stripe).
• Professional advisers (lawyers, accountants, insurers) under confidentiality obligations.
• Authorities where we believe disclosure is required by law, court order, or lawful requests from regulators or law enforcement.
• Corporate transactions — if we merge, acquire, or sell assets, personal data may transfer subject to appropriate safeguards and notices.

Processors are permitted to process personal data only on our instructions and must implement appropriate security measures.

8. International transfers

Our service providers may process data in the UK, EEA, United States, or other countries. Where personal data leaves the UK/EEA, we implement safeguards recognised under UK GDPR (such as the UK International Data Transfer Agreement / Addendum, EU Standard Contractual Clauses as adapted, or adequacy regulations), unless an exception applies.

9. Retention

We retain personal data only as long as reasonably necessary for the purposes above, including to resolve disputes, enforce agreements, and meet legal, tax, or accounting requirements. When retention ends, we delete or anonymise data where feasible.

You may request account deletion subject to limited exceptions (for example billing records we must keep).

10. Security

We implement technical and organisational measures appropriate to the risk (access controls, encryption in transit where appropriate, monitoring, backups). No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Your rights

Subject to exemptions, where UK GDPR applies you may have the right to:

• Access a copy of your personal data
• Rectify inaccurate data
• Erase data (“right to be forgotten”) in certain cases
• Restrict processing in certain cases
• Data portability for data you provided, where processing is automated and based on consent or contract
• Object to processing based on legitimate interests or for direct marketing
• Withdraw consent where processing is consent-based
• Lodge a complaint with the ICO — see Section 13

To exercise rights, email contact@cognihex.com. We may need to verify your identity before responding. You may request account deletion at any time subject to Section 9.

12. Children

The Services are intended for users aged 13 and above. We do not knowingly collect personal data from children under 13. If you believe we have done so, contact us and we will take steps to delete the information promptly.

If you are between 13 and the age of majority in your region, you should use the Services with a parent’s or guardian’s permission where local rules require it.

13. Complaints

If you have concerns about how we handle personal data, please contact us first at contact@cognihex.com. You may also complain to the ICO: ico.org.uk/make-a-complaint/.

14. Disclaimers and limitation

To the fullest extent permitted by applicable law, the Services (including any AI-generated or AI-assisted content) are provided “as is”. We disclaim warranties (express or implied) regarding accuracy, reliability, availability, or fitness for a particular purpose, except where such disclaimers are not legally permitted.

Nothing in this policy limits liability that cannot be limited under applicable law (including liability for death or personal injury caused by negligence where UK law prohibits exclusion).

15. Changes

We may update this policy from time to time. We will post the revised version with a new effective date and, where changes are material, provide additional notice (for example email or in-product banner).

16. Contact

Privacy questions: contact@cognihex.com
General enquiries: hello@cognihex.com