Privacy Policy
Cogsr (“Cogsr,” “we,” “our,” or “us”) provides margin intelligence software for restaurant operators. This Privacy Policy explains what information we collect, why we collect it, how we use, store, and share it, and what rights you have. We are committed to protecting your data and being transparent about our practices.
By using Cogsr, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
1. Scope and Our Roles Under Privacy Laws
This Policy applies to all users of the Cogsr platform, including our website, web application, APIs, MCP server, integrations, and related services (collectively, the “Service”). It covers personal information we collect from restaurant operators, their authorized team members, prospective customers, and visitors to our website.
Our Role as Controller and as Processor
Cogsr acts in two distinct capacities depending on the data involved:
- As a controller (or “business” under US state privacy laws): We determine the purposes and means of processing for personal information about website visitors, prospects, customer account contacts, billing contacts, support communications, and our own employees. This Privacy Policy governs that processing.
- As a processor (or “service provider” under US state privacy laws): When our restaurant-operator customers upload operational data into the Service — such as invoices, recipes, supplier records, inventory counts, and POS-derived sales data — we process that data on the customer’s behalf and under their instructions. The customer is the controller of that data. Our processing is governed by the data processing provisions in Section 6 of our Terms of Service, not by this Privacy Policy.
If you are an employee, contractor, or authorized user of a Cogsr customer and have questions about how your employer uses Cogsr to process data about you, please contact your employer directly. We will refer such requests to the customer-controller.
Geographic Scope
This Policy applies to users in Canada, the United States, and any other jurisdiction where Cogsr is offered.
2. Information We Collect
2.1 Account and Contact Information
- Email address
- Name and login credentials
- Company or restaurant name, location, and contact details
- Job title and role
- Billing information (processed securely by Stripe; we do not store full credit card numbers)
2.2 Operational Data (Customer-Uploaded)
This is the core data customers provide or that flows into Cogsr through connected systems. As described in Section 1, we process this data as a processor on behalf of the customer-controller:
- Menu items, recipes, and ingredient data
- Supplier names and pricing
- Uploaded invoices and related documents
- Item-level and aggregated sales data from POS integrations
- Inventory counts and food cost records
2.3 Usage and Technical Data
- Browser type, device information, and IP address
- Pages visited, features used, and session duration
- Referring URLs and approximate (city/region-level) location derived from IP
- Cookies and similar tracking technologies (see Section 8)
2.4 Communications
- Support requests, feedback, and correspondence with our team
- Marketing-list signups and event-registration data
2.5 What We Do NOT Collect
We do not collect or store personal data about your restaurant’s customers from POS systems. This includes customer names, phone numbers, email addresses, and payment card information. We only receive aggregated or item-level sales data necessary to power your margin insights.
We do not collect Sensitive Personal Information. Cogsr does not knowingly collect or process Sensitive Personal Information as defined under the California Consumer Privacy Act, California Privacy Rights Act, or other US state privacy laws. We do not collect racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic data, neural data, philosophical beliefs, union membership, contents of mail or messages, or government identifiers (other than business tax IDs voluntarily provided by customers).
We do not collect Consumer Health Data. Cogsr does not collect or process Consumer Health Data as defined under Washington’s My Health My Data Act (RCW 19.373), Nevada Senate Bill 370 (NRS 603A.400 et seq.), Connecticut’s health data provisions, or any comparable law. Restaurant ingredient, inventory, supplier, invoice, and operational margin data processed by the Service does not identify or infer any individual consumer’s physical or mental health status.
We do not collect Biometric Identifiers. Cogsr does not collect, capture, store, transmit, sell, lease, trade, or otherwise process any biometric identifier or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington’s biometric privacy statute (RCW 19.375), or the New York City biometric law. The Service does not employ facial recognition, fingerprint, voiceprint, retina or iris scan, or hand or face geometry technology. Photographs of physical documents or invoices uploaded by customers are processed through optical character recognition for data extraction only; no biometric template is generated or stored.
We do not collect precise geolocation data. We do not collect geolocation data that locates you within a 1,750-foot radius. We may derive approximate location (city, region, country) from IP address for security and analytics purposes.
We are not a data broker. Cogsr is not a “data broker” as defined under California’s Delete Act (Cal. Civ. Code §1798.99.80 et seq.), Texas, Oregon, or Vermont data broker registration laws. We have a direct relationship with all individuals about whom we collect personal information.
2.6 Categories of Personal Information (CCPA/CPRA Disclosure)
For users in California, we disclose that in the preceding 12 months we have collected the following categories of personal information:
- Identifiers (name, email, IP address, account credentials, unique device identifiers)
- Commercial information (subscription records, billing history, products purchased)
- Internet or network activity (usage logs, feature interactions, browser/device info)
- Geolocation data (approximate location based on IP address)
- Professional or employment information (job title, restaurant business details)
- Inferences (preferences, characteristics, predispositions drawn from the above)
We do not collect any of the categories of Sensitive Personal Information defined under CPRA. We do not knowingly collect personal information from minors.
2.7 Waitlist and Contact Form Submissions
When you join our waitlist or submit our contact form, we collect your name, email address, restaurant or business name, and any details you choose to include in your message. We use this information solely to contact you about beta access and product updates and to respond to your inquiry. We store it in our Supabase database (Canada Central region) and do not sell it or share it with third parties for their own purposes.
You can opt out at any time by using the unsubscribe link in any email we send you, or by emailing support@cogsr.com. On request, we will remove you from our waitlist and delete your information from our records, except where we are required to retain it by law.
3. How We Use Your Data
We use the information we collect to:
- Provide food cost tracking, menu profitability analysis, and operational insights
- Process and extract data from uploaded invoices
- Monitor supplier pricing changes and alert you to variances
- Send onboarding communications, product updates, and operational alerts
- Improve product functionality, performance, and user experience
- Respond to support requests
- Process billing and payments
- Comply with legal obligations
- Detect, prevent, and address fraud, abuse, security incidents, and violations of our terms
We do not sell your data. We do not share your operational data with advertisers, data brokers, or any third party for their own marketing purposes. We do not engage in “cross-context behavioral advertising” as that term is defined under CCPA/CPRA.
3.1 Artificial Intelligence and Machine Learning
The Service uses machine learning and artificial intelligence (“AI/ML”) to:
- Extract structured data from invoices, receipts, and supplier documents (optical character recognition and document parsing)
- Analyze and benchmark margin, food cost, beverage cost, and labor cost performance against aggregated, de-identified peer data
- Surface insights, alerts, and recommendations to restaurant operators about pricing, vendor selection, recipe costing, and inventory management
Our AI/ML processing is not used to make “significant decisions” about any individual consumer (such as decisions concerning financial or lending services, housing, education, employment, healthcare, or essential goods or services) within the meaning of the California Privacy Protection Agency’s automated decision-making technology regulations or analogous state laws. Decisions made by restaurant-operator users of the Service in reliance on Cogsr’s outputs are made by the user, with full ability to review, accept, modify, or reject any AI-generated recommendation. Cogsr does not replace, and does not substantially replace, human decision-making.
If you are a US resident and Cogsr were ever to use automated decision-making technology to make a significant decision concerning you, you would have the right to (a) receive a pre-use notice describing the purpose, logic, and outputs; (b) opt out of such use; (c) access information about how the technology was applied to you; and (d) request meaningful human review. You may exercise these rights by contacting support@cogsr.com.
We do not use your data to train third-party AI models. We do not share customer-uploaded data with foundation model providers or any third party for the purpose of training their AI systems. We may use customer data to improve Cogsr’s own internal models that power features such as invoice extraction and margin analysis.
3.2 Aggregated and Anonymized Data
We may use aggregated, anonymized data — meaning data that cannot reasonably be used to identify you, your business, or your suppliers — for the following purposes:
- Internal product improvement and analytics
- Generating industry benchmarks and trend reports made available to Cogsr customers
- Publishing aggregated insights (such as regional cost trends) in marketing content, blog posts, or community resources
If we ever publish or share aggregated data externally, it will be presented at a level of aggregation that protects the identity of individual operators and businesses.
3.3 Data Protection Assessments
We conduct and document data protection assessments (also called risk assessments or privacy impact assessments) for processing activities that present a heightened risk of harm, including for our use of automated processing and machine learning. We retain these assessments for the period required by applicable law and make them available to relevant regulators upon lawful request.
4. How We Share Your Data
We share your data only in the following circumstances:
- Service providers and processors — Trusted third parties who help us operate the Service, listed in Section 5
- Legal requirements — When required by law, subpoena, court order, or to protect rights, safety, or property
- Business transfers — In the event of a merger, acquisition, financing, or sale of assets, your data may be transferred to the acquiring entity (you will be notified in advance where required)
- With your consent — Any other sharing requires your explicit consent
We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA, the Virginia CDPA, the Colorado CPA, or any other US state privacy law.
5. Service Providers and Sub-Processors
We engage trusted third-party providers to help operate and improve Cogsr. Each is bound by a written agreement that imposes data protection and confidentiality obligations no less protective than those in this Policy and that meets the requirements of applicable privacy laws (including the contractual requirements of CCPA/CPRA for service providers and contractors, and the equivalent provisions of the VCDPA, CPA, CTDPA, OCPA, TDPSA, MCDPA, MODPA, and other state laws).
Our current sub-processors include:
- Supabase — Database hosting and storage for account, waitlist, and contact-form data (hosted on Amazon Web Services, Canada Central / `ca-central-1` region)
- Google Cloud Platform — Application hosting and compute (App Engine)
- Vercel — Website / front-end hosting (processes technical data such as IP addresses)
- PostHog — Product analytics and session recordings (feature usage, page views, and session replays used for internal product improvement only; not sold or shared)
- Microsoft Clarity — Session recording and heatmap analytics (records user sessions and click/scroll patterns for internal UI improvement only; not sold or shared)
- Stripe — Subscription billing
- Resend — Transactional and onboarding emails
- POS integration partners — Toast, Square, and other POS providers you connect to your account
A current list of sub-processors is maintained at cogsr.com/legal/subprocessors. We provide reasonable advance notice of new sub-processors via email or in-app notification, and customers may object to a new sub-processor as set forth in Section 6 of our Terms of Service.
Upon written request from a Minnesota or Oregon consumer, we will provide the list of specific third parties to which we have disclosed that consumer’s personal data, or, if not maintained in consumer-specific format, the list of specific third parties to which we have disclosed any consumer’s personal data.
We evaluate all providers for their security practices and compliance posture before sharing any data with them.
6. Data Storage, Security, and International Transfers
6.1 Storage Location
Your data is stored in Canada using Supabase, whose database infrastructure is hosted on Amazon Web Services in the Canada Central (`ca-central-1`) region. Some personal information may also be processed by our other service providers located in the United States, as described in Section 5.
6.2 International Data Transfers
Cogsr is headquartered in British Columbia, Canada, and processes personal information in Canada and the United States. Personal information about US-based users may be transferred to and stored on servers in either country, and personal information about Canadian users may be transferred to the United States for processing by us or our sub-processors.
By using the Service, you understand that your personal information may be transferred to, stored in, and processed in jurisdictions other than your own, including the United States, and may be subject to access by foreign government, law enforcement, and national security authorities under the laws of those jurisdictions (including the USA PATRIOT Act and FISA).
We use contractual and technical safeguards to protect personal information regardless of where it is processed, including:
- Data processing agreements with sub-processors
- Standard contractual clauses where applicable
- Encryption in transit (TLS/SSL) and at rest
- Role-based access controls
We remain accountable for personal information transferred to a service provider for processing as required by PIPEDA, PIPA BC, and other applicable Canadian privacy laws.
6.3 Security Measures
We implement industry-standard security practices, including:
- Encryption in transit (TLS/SSL) and at rest
- Role-based access controls and least-privilege permissions
- Regular security reviews and monitoring
- Secure authentication practices
- Documented incident response procedures
No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.
6.4 Breach Notification
If we determine that a security incident has resulted in unauthorized access to or acquisition of personal information, we will notify affected individuals and applicable regulators without unreasonable delay and, in any event, no later than 30 calendar days after determination of the incident, except where a longer period is permitted to accommodate the legitimate needs of law enforcement or to determine the scope of the incident and restore the integrity of affected systems.
Where required, we will also notify the relevant state Attorney General, the Office of the Privacy Commissioner of Canada, provincial privacy commissioners, and consumer reporting agencies in accordance with applicable law.
7. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service.
When you delete your account:
- Operational data (menus, recipes, invoices, supplier data, sales data) is permanently deleted within 30 days
- Uploaded invoice files and any derivative data from processing are deleted on the same schedule
- Aggregated and anonymized data that cannot identify you or your business may be retained for the purposes described in Section 3.2
- Certain records may be retained longer if required by law (such as tax, financial, audit, or legal-hold obligations)
We maintain a documented data inventory and privacy program as required by Minnesota’s Consumer Data Privacy Act (Minn. Stat. § 325M.16(c)) and as best practice under all applicable state privacy laws.
8. Cookies and Tracking Technologies
Cogsr and our analytics providers use cookies and similar technologies to:
- Maintain your logged-in session
- Remember your preferences
- Understand how the product is used so we can improve it
You can manage cookie preferences through your browser settings. Disabling certain cookies may affect product functionality.
Our analytics tools (PostHog and Microsoft Clarity) set their own cookies. We configure these tools to minimize data collection and do not use them to track you across other websites.
We do not use cookies or tracking technologies for cross-context behavioral advertising.
8.1 Global Privacy Control and Universal Opt-Out Signals
If you use a browser or browser extension that sends a Global Privacy Control (“GPC”) or other recognized universal opt-out preference signal, we treat that signal as a valid request to opt out of any “sale” or “sharing” of your personal information (including for cross-context behavioral advertising) for the browser or device sending the signal. Where you are logged into a Cogsr account, we propagate the opt-out across the linked account ecosystem.
We display a confirmation indicator on our website when an opt-out preference signal has been recognized and processed, in accordance with California Consumer Privacy Act regulation § 7025(c)(6).
9. Your Privacy Rights
Depending on your jurisdiction, you have the rights described in this Section. To simplify compliance, we extend these rights to all US residents regardless of state of residence, except where state law specifically conditions or limits a right.
9.1 Rights Available to All Users
- Access — Request a copy of the personal data we hold about you, including the categories collected, sources, purposes of processing, and categories of recipients
- Correction — Update or correct inaccurate information
- Deletion — Request deletion of your account and associated personal data
- Data Portability — Request your data in a structured, commonly used, machine-readable format
- Withdraw Consent — Where processing is based on consent, withdraw it at any time
- Opt Out of Marketing Communications — Unsubscribe from non-essential emails at any time
9.2 Additional Rights for US Residents
- Opt out of sale or sharing — Note: we do not sell or share personal information as defined under CCPA/CPRA or other state laws
- Opt out of targeted advertising — Note: we do not engage in targeted advertising
- Opt out of profiling for decisions that produce legal or similarly significant effects — Note: we do not use profiling for such decisions
- Limit use of Sensitive Personal Information — Note: we do not collect Sensitive Personal Information
- Right to question profiling decisions (Minnesota) — request additional information about a profiling decision and have the decision reviewed by a human
- Right to obtain a list of specific third parties (Minnesota and Oregon) — request the list of specific third parties to which we have disclosed your data
- Non-discrimination for exercising your privacy rights
- Authorized agent — designate an agent to exercise your rights on your behalf (see Section 9.5)
- Right to appeal — appeal our denial of a privacy rights request (see Section 9.6)
9.3 Additional Rights for California Residents (CCPA/CPRA)
California residents also have the right to:
- Know what categories of personal information we collect, the sources, the purposes of processing, and the categories of third parties with whom we share it
- Know specific pieces of personal information we have collected about you
- Opt out of the sale or sharing of personal information (note: we do not sell or share)
- Limit the use of Sensitive Personal Information (note: we do not collect SPI)
- Receive non-discriminatory treatment for exercising privacy rights
- Designate an authorized agent
To exercise California rights, email support@cogsr.com with “California Privacy Request” in the subject line. We will verify your identity before fulfilling requests where required and respond within 45 days.
9.4 Additional Rights for Canadian Residents
Under PIPEDA, PIPA BC, and other applicable Canadian privacy laws, you have the rights of access and correction and the right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner. Quebec residents have additional rights under Law 25, including rights related to automated decision-making and de-indexing.
9.5 Authorized Agents
You may designate an authorized agent to submit privacy rights requests on your behalf. To do so, the agent must provide us with:
- Signed written permission from you authorizing the agent to act, or a valid power of attorney; and
- Sufficient information to verify your identity
We may contact you directly to confirm authorization or verify identity before processing requests. We do not require you to provide additional information beyond what is necessary to verify the request. Opt-out preference signals (such as GPC) are treated as a valid form of opt-out request and do not require additional verification.
9.6 Right to Appeal
If we deny a privacy rights request in whole or in part, you have the right to appeal our decision within 60 days of our response. To submit an appeal, email support@cogsr.com with “Privacy Rights Appeal” in the subject line. We will respond to your appeal within 60 days, providing a written explanation of our decision.
If your appeal is denied, you may submit a complaint to your state Attorney General, the California Privacy Protection Agency (for California residents), the Office of the Privacy Commissioner of Canada, or your provincial privacy commissioner.
9.7 How to Exercise Your Rights
To exercise any privacy right, contact us at support@cogsr.com. We will respond within:
- 30 days for Canadian users (PIPEDA standard)
- 45 days for US users (CCPA standard, with possible 45-day extension for complex requests)
We may need to verify your identity before fulfilling your request. We will not require you to create an account to submit a request.
9.8 Non-Discrimination
We will not discriminate against you for exercising any privacy right described in this Policy. This means we will not (a) deny you goods or services; (b) charge different prices or rates for goods or services, including by granting discounts or other benefits or imposing penalties; (c) provide a different level or quality of goods or services; or (d) suggest that you will receive a different price, rate, or quality. We may charge a different price or provide a different level of service if the difference is reasonably related to the value provided to us by your data, in compliance with applicable law.
10. Marketing Communications
We send commercial electronic messages (such as product updates, newsletters, and promotional emails) only to recipients who have provided express or implied consent under Canada’s Anti-Spam Legislation (CASL) and applicable US laws (the CAN-SPAM Act and analogous state laws).
Each marketing email contains an unsubscribe mechanism that you can use at any time. We honor unsubscribe requests within 10 business days. To unsubscribe, click the link at the bottom of any marketing email or contact support@cogsr.com.
Transactional and service-related communications (such as billing notifications, security alerts, and important account updates) are necessary to provide the Service and cannot be opted out of while your account is active.
We do not use pre-checked consent boxes and do not employ “dark patterns” in our consent flows.
11. Children’s Privacy
The Cogsr Service is a business-to-business product intended exclusively for use by restaurant operators and their authorized employees in the course of business operations. The Service is not directed to, marketed to, or designed for use by children or minors under 18.
We do not knowingly collect personal information from any individual under 18. If we learn that we have inadvertently collected personal information from a person under 18, we will delete it promptly.
Children’s privacy laws — including the federal Children’s Online Privacy Protection Act (COPPA), the California Age-Appropriate Design Code Act, Connecticut SB 1295, the Maryland Kids Code, the Nebraska AADC, the New York Child Data Protection Act, and the Arkansas Children and Teens’ Online Privacy Protection Act — do not impose substantive obligations on Cogsr because we do not knowingly process minors’ personal information.
12. Applicable Law and Compliance
Cogsr is operated from British Columbia, Canada. We comply with applicable privacy laws in every jurisdiction where we offer the Service, including:
Canadian laws:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Personal Information Protection Act (PIPA BC)
- Quebec Law 25 (where applicable)
- Other provincial privacy laws as applicable
- Canada’s Anti-Spam Legislation (CASL)
US laws:
- California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)
- Comprehensive privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island, and other US state comprehensive privacy laws as they take effect
- Sectoral and category-specific laws including the Illinois BIPA, Texas CUBI, Washington biometric privacy law, Washington My Health My Data Act, Nevada SB 370, and similar
- The CAN-SPAM Act
- The Children’s Online Privacy Protection Act (COPPA)
We monitor changes in privacy law and update our practices as new laws take effect.
If you believe we have not handled your data appropriately, you may file a complaint with:
- The Office of the Privacy Commissioner of Canada
- The California Privacy Protection Agency or California Attorney General
- Your state Attorney General or relevant provincial or state privacy authority
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify you by email or through an in-app notification
- Post the updated Policy with a revised “Last Updated” date
- Provide a summary of material changes
- Give you a reasonable window to review changes before they take effect
We review and update this Policy at least annually, as required by CCPA/CPRA. Your continued use of Cogsr after the review period constitutes acceptance of the updated Policy.
14. Privacy Contact
For privacy questions, requests, or complaints, contact us at:
Legal Entity: 1596929 B.C. Ltd. (doing business as Cogsr), British Columbia, Canada
Email: support@cogsr.com
For California-specific requests, please include “California Privacy Request” in your subject line. For privacy rights appeals, please include “Privacy Rights Appeal” in your subject line.