Privacy Policy

Last updated: 26 September 2025

Thank you for taking the time to read this Privacy Policy. This Privacy Policy applies to the personally identifiable information that the University of Sydney (“the University,” “we”, “us,” or “our”) collects or receives through our interactions with you, your use of our website app.cogniti.ai, Cogniti software application, or other websites that we link this Privacy Policy to (“Site”), your use of any University service, application, platform, and other products that display or link to this Privacy Policy, your registration or attendance to any of our demonstrations, webinars, or other events related to Cogniti (collectively, “Services”).

This Privacy Policy describes the information that we collect, how we use it, how we protect it, and the choices you can make about your information. If you do not agree with any of the terms of this Privacy Policy, you should immediately stop using our Services and the Site.

This Privacy Policy does not apply to personal information that has been aggregated and anonymised where such information is no longer capable of identifying a specific individual.

Information We Collect

The University collects the following types of personally identifiable information in the manner described below.

1. Information You Provide to Us. You may voluntarily provide us with personally identifiable information, including: (a) your name, email address, and any other information that you provide when you access the Site or Services, register to use the Site or a Service, or fill out forms that we make available via the Site or Services; (b) information that you provide to us when you contact us, including when you communicate with any automated support service we may offer from time to time; or (c) any other information you voluntarily provide us while using the Site or Services, including documents, and document metadata.
2. Information We Collect Automatically. We automatically collect information that may personally identify you through tracking technologies (see the section “Cookies, Other Storage and Web Beacons” for more information). We collect the following types of information automatically through tracking technologies: Your Internet Protocol address; Domain name of your Internet service provider; Your approximate geographic location; The website you came from, the pages that you visit on the Site, and the time of your visit to the Site; Information about your Internet connection, browser, or similar kinds of information; and Aggregated information that cannot be used to specifically identify you when you use or visit the Site or a Service that may be combined with information that does identify you.‍

We may combine the information we collect from or about you with information that we receive from other sources and use it in the manner described in this Privacy Policy.

How We Use Your Information

Your personal information is not used to train artificial intelligence models.

The University uses the personally identifiable information that we collect for the following purposes:

1. The purposes for which you provided it, including, provide you a demo, the Site or the Service, invite you to an event, or provide you access to content related to the Services;
2. To administer and provide you with information about your account, including, updated Site or Service terms or for billing and accounting purposes;
3. To send you information about your relationship with us;
4. To inform you about upcoming events or webinars or new features, products, or services;
5. To develop new products, features and services;
6. To conduct research and development endeavours that aid understanding of usage and impact that aid Service development and improvement;
7. To process and respond to your inquiries or comments;
8. To personalise and enhance your experience using the Site and Services;
9. To manually review your documents for the purposes of improving the Services, including, but not limited to, the quality and completeness of your document metadata;
10. To generate and review reports and data about our user base and service usage patterns;
11. To deliver targeted communication to you relating to the Services;
12. To determine the effectiveness of our communications;
13. To compile aggregated and fully anonymised data for the purposes of improving and extending the Site or Services, including, but not limited to, securing the Site and Services;
14. For legal reasons, including to carry out our legal obligations and enforce our rights, investigate misuse or misconduct, protect you or other third parties, to monitor, detect and prevent fraud, malicious activity, or for other privacy or security-related concerns;
15. With your consent, to fulfill the purposes for which you provided the information, or in ways that we disclose to you when you provide the information; and
16. To administer, operate and improve the Site and Services and for internal business purposes.
17. To investigate and protect against fraudulent, harmful, unauthorised, or illegal activity.

How Your Information is Disclosed

Personally identifiable information may be disclosed to third parties in accordance with this Privacy Policy, and, if applicable, subject to the terms of your agreement with us if you are a Cogniti user. You may choose not to share certain information as described in the “Your Choices Regarding Your Information” section below.

1. Third-Party Service Providers. We may use third-party service providers and business partners to perform functions in connection with the Site or Services. Examples include running our Services on cloud providers, using account management ticketing products, and sending you email notifications via messaging providers. The categories of third parties we may share personal information with may include but are not limited to: Cloud Computing Services; Data Storage Service Providers; Performance Monitoring Tools; Testing Tools; Website Hosting Service Providers‍.
2. Business Partners. We may share your information with third party business partners, including referral partners, resale partners, or similar kinds of business partners.‍
3. Third Party Social Media or Analytics Services. We may use cookies, pixels, or other tracking technologies provided by third party providers, including, without limitation, Google or LinkedIn, these third parties may use the personally identifiable information that they receive from automatic tracking technology on our Site for their own purposes. Please see the section titled “Cookies, Other Storage, and Web Beacons” below and our Cookie Policy for more information.‍
4. Business Changes. If we become involved in a merger, acquisition, sale of assets, bankruptcy, reorganisation, dissolution, or other transaction or if the ownership of all or substantially all of our business otherwise changes, we may transfer your information to a third-party or parties in connection therewith.‍
5. For Legal Purposes. We reserve the right to investigate fraud, abuse, illegal activities, violation of our policies or terms and conditions, or security incidents. We may disclose information about you to third parties if we have a good faith belief that such disclosure is reasonably necessary to: Take action regarding suspected illegal activities; Enforce or apply this Privacy Policy, our policies or terms and conditions; Comply with the law or guidance and cooperate with government or law enforcement officials or private parties; Protect our rights, reputation, safety, and property, or that of users or other third parties; Respond to claims and legal process (for example, subpoenas); and/or Protect against legal liability.

Cookies, Other Storage, and Web Beacons

We, along with our third-party service providers, third party advertising, social media, or analytics service providers, and business partners, use cookies, web beacons, and other tracking technologies on the Site and Services. These technologies are used to deliver the features and functionality of the Service and the Site, including tracking, analytics and personalisation, and optimisation of the Site and Services. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy.

Security

While we have implemented security measures to protect the information we process, we cannot guarantee against loss, theft and unauthorised use, disclosure, or modification. No transmission over the Internet or email is ever fully secure or error free. You should use caution whenever submitting information online and take special care in deciding what information you provide us.

To the extent permitted under applicable law, we assume no liability or responsibility for disclosure of your information due to errors in transmission, unauthorised access by third parties, or other causes beyond our control. By using our Services, you acknowledge and accept that your use of our Services is ultimately at your own risk.

Please note that you are responsible for managing access to any accounts that you use to access our Services. Failure to limit access to your devices or browser might enable third parties to have unauthorised access to your personal information.

Links to Other Sites

This Privacy Policy applies only to the Site and Services. The Site may contain links to third-party websites that we do not own or operate. We do not guarantee that we have endorsed or reviewed any links to third-party websites. The policies and procedures we describe here do not apply to third-party websites. We cannot control nor are we responsible for the privacy practices or content of these third-party websites. We suggest contacting these websites directly for information on their privacy policies and practices.

Your Choices Regarding Your Information

You have choices regarding the use of information on our Site and Services. You may have additional rights, as explained below, if you are a resident of the European Economic Area, Switzerland, Canada, certain U.S. states.

1. Changing Your Information. You may log into the Service to modify certain profile information that you have provided at any time.
2. Email Communications. To change your information regarding certain email communications, please unsubscribe from the footer of that communication. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to support requests, or for other purposes related to providing the Service to you.
3. Cookies, Other Storage, and Web Beacons. Please see the “Cookies, Other Storage, and Web Beacons” section above.
4. Closing Your Account. Subject to the terms of your agreement with us, you may close your Cogniti account by contacting your account administrator or contacting us at cogniti@sydney.edu.au. Note that even if you request to close your Cogniti account, you may still have obligations under any subscription agreement with us.
5. Withdrawing Consent. If we have relied on your consent to process your personal information (which may be express and/or implied consent depending on the applicable law), you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us at cogniti@sydney.edu.au.

EU Data Subject Rights

If you are a resident of Switzerland, the United Kingdom, or a country within the European Economic Area (EEA), you may have rights under European data protection laws regarding the processing of your personal information. You have the right to access the personal information that we process, and, in some cases, you may have the right to ask that your personal information be corrected, erased, or transferred (subject to limitations under applicable law). You may also have the right to object to or request that we restrict the processing of your personal information. If we collect personal information based on your consent, you have the right to revoke your consent.

If your Personal Information has been submitted to us by a Cogniti user and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable Cogniti user directly.

Residents of the United Kingdom, any country within the EEA, or Switzerland may file a complaint with a data protection authority. The data protection authority will require you to first attempt to resolve any complaint with us. Any other dispute arising out of or related to this Privacy Policy will be handled in accordance with the dispute resolution process indicated in our terms of service or website terms, as applicable.

1. Lawful Basis. If you reside in the European Economic Area or Switzerland (collectively the “EU“), where we are the data controller we rely on the following lawful grounds under the General Data Protection Regulation, the United Kingdom General Data Protection Regulation, or the Swiss Data Protection Act (collectively referred to in this Privacy Policy as “GDPR“) to process (collect, store, and use) your personal information: (a) it is necessary for the performance of a contract with you; (b) our or a third-party’s legitimate business interest; (c) your consent; or (d) our vital interests. Our Cogniti users determine the lawful grounds for the processing of personal information submitted through their use of our Services and we limit such processing to our Cogniti users’ instructions.
2. Data Transfer Notice. We are located in Australia and transfer your personal information for processing in Australia. We make the transfer to Australia in the absence of an adequacy decision because it is necessary for the performance of a contract with you, or with your explicit consent. We also use model contractual clauses (or the then-lawful data transfer mechanism recognised under GDPR or other applicable law) with our Cogniti users to provide adequate protection for the transfer and processing of your personal information in Australia. We also use the model contractual clauses with our subprocessors to provide adequate protection for the transfer and processing of your personal information.
3. Individual Rights and Data Requests. Depending on your location, your jurisdiction, and subject to applicable law, you may have the rights below with regard to the Personal Information we control about you. We will respond to your requests within the appropriate timeline under applicable law:
   
   The right of access means that you have the right to request that we disclose what personal information we have collected, used and disclosed about you;
   
   The right of deletion means that you have the right to request that we delete personal information collected or maintained by us, subject to certain exceptions.
   
   The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights;
   
   You can also ask us to correct or update your personal information, object to the processing of your Personal Information, ask us to restrict processing of your personal information or request the portability of your personal information;
   
   While you cannot opt out of service-related emails if you are an account holder, as this is an essential part of the Services, you have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you, or you can contact us using the contact information below;
   
   If our lawful basis is your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent; and
   
   You have the right to complain to a data protection authority about our collection and use of your personal information.‍
4. Exercising Your Rights. We provide features in our Services to allow Cogniti users to respond directly to data subject requests to access, transfer, rectify or erase their personal information, or to restrict or object to the processing of their personal information. You may also contact us at cogniti@sydney.edu.au to request access to, transfer of, and rectification or erasure of your personal information, or restriction of processing, or to object to processing of your personal information, to the extent that we process such information on our own behalf. Please specify the nature of your request and the information that is the subject of your request. We may require you to submit additional information necessary to verify your identity and status as an EU data subject. If we are processing your personal information for a Cogniti user, we will forward your request to our Cogniti user and assist the Cogniti user in responding within 30 days. If you are a Cogniti user, we will respond to your request directly within 30 days. If we are processing your personal information based upon the lawful ground of your consent, you have the right to withdraw your consent for such processing at any time without affecting the lawfulness of processing based on consent before it is withdrawn. To withdraw consent, please email us at cogniti@sydney.edu.au.‍
5. Retention. At a minimum and to the extent allowed under applicable law, we will retain your personal information for as long as necessary for the purpose in which it was collected, such as to deliver a Service, perform our obligations under a contract, for our or a third party’s legitimate interest, or your consent.

US State Privacy Law Rights

California Resident Privacy Rights

If you are a California resident, the California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with additional rights regarding your personal information. The rights outlined in this section do not apply to information exempted under the CCPA, including aggregated data, or to individuals who are not residents of California.

To the extent provided under the CCPA, and subject to applicable exceptions, California residents have a right to request information about our collection, use, and disclosure of their personal information. Specifically, California residents have the following rights:

1. The right to know the categories and specific personal information we have collected, the categories and sources from which we collected the personal information, the categories of third parties with whom we share personal information, and the business or commercial purpose for collecting or selling (if applicable) personal information;
2. The right to request a copy of the personal information that we collected during the past 12 months;
3. The right to opt out of sales of personal information or sharing personal information for cross-contextual behavioural advertising (in each case, where applicable and in accordance with CCPA);
4. The right to request that we delete the personal information that we have collected from you, subject to certain exceptions;
5. The right to correct inaccurate personal information that we maintain about you;
6. The right to limit the disclosure of your sensitive personal information, if we use or disclose sensitive personal information;
7. The right to request information about and opt out of automated decision making (if applicable); and
8. The right to exercise the rights described above free from discrimination or retaliation, as prohibited by the CCPA.

California privacy laws define a “sale” as disclosing or making available to a third party, personal information in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third party for purposes of cross-context behavioural advertising. We do not disclose personal information to third parties in exchange for monetary compensation. As defined by CCPA, we may “sell” or “share”: (a) Category A “Identifiers,” (b) “Personal Information, as Defined in the California Customer Records Law,” (c) Category D “Commercial information,” (e) Category F “Internet or Other Similar Network Activity Information,” and (f) Category K “Inferences Drawn from Other Personal Information,” to or with third-party analytics providers. We do not “sell” or “share” (as defined by the CCPA) sensitive personal information, nor do we “sell” or “share” any personal information about individuals who we know are under 16 years old.

We have collected the following categories of personal information in the past 12 months:

Category	Examples	Collected
A. Identifiers	Contact details, such as name, Internet Protocol address, email address	YES
B. Personal information categories listed in the California Customer Records statute	Name, contact information	YES
C. Protected classification characteristics under California or federal law	Gender, date of birth, race, disability	NO
D. Commercial information	Transaction information, purchase history related to Cogniti	YES
E. Biometric information	Fingerprints and voiceprints	NO
F. Internet or other similar network activity	Interactions with our website/applications and systems	YES
G. Geolocation data	Device location (not precise geolocation)	YES
H. Audio, electronic, visual, thermal, olfactory, or similar information	Images and audio, video or call recordings created in connection with our business activities	NO
I. Professional or employment-related information	Business contact details in order to provide you our Services at a business level or job with us	NO
J. Education Information	Records about students	YES
K. Inferences drawn from other personal information	Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s learning preferences and educational characteristics	YES
L. Sensitive Personal Information	Social security number, government issued ID, financial account information, health, genetics, or biometric information, precise geographic location, contents of electronic messages, information about race religion, or trade union membership, or sexual orientation.	NO

‍We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months: (a) Category A “Identifiers,” (b) Category B “Personal Information, as Defined in the California Customer Records Law,” (d) Category D “Commercial Information,” (e) Category F “Internet or Other Electronic Network Activity Information,” (f) Category I “Professional or Employment Information,” Please see the section “How Your Information is Disclosed” above for more information.

Exercising Your US Privacy Rights

California residents may exercise their CCPA rights by contacting us by email as indicated in the “Contact Us” section below. Your rights may only be exercised by you or by your designated agent. You may only submit a CCPA request to know twice within a 12-month period.

Your request must include enough information to allow us to reasonably verify that you are the person about whom we collected personal information or an authorised representative, which may include: (a) verifying your account information if you have an account with us; or (b) requesting two forms of identification that are reliable for verification purposes, unless the request includes sensitive information and, in which case, we may require three forms of verification and a signed declaration. The information included in your request must allow us to properly understand, evaluate, and respond to it.

We cannot respond to your request if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. If we cannot verify your identity or authority, we will not fulfill your request. We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.

You may submit a request through a designated agent. You must instruct that agent that they will need to state that they are acting on your behalf when making the request, have reasonably necessary documentation, and be prepared to provide the necessary personal information to identify you in our database.

Children

Our Services are not intended for minors under the age of 18 without parental or guardian consent. We do not knowingly collect information from children under 18. By using our Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to their use of our Services. If you are a parent or guardian and believe your child under the age of 18 has used our Services and provided personal information to us through our Services without your consent, please contact us immediately at cogniti@sydney.edu.au, and we will take reasonable measures to delete this information.

Data Retention

How long we retain your information depends on the type of data and the purpose for which we process the data. We will retain your information for the period necessary to fulfill the purposes outlined in this Privacy Policy and our agreement with you unless a longer retention period is required or permitted by applicable law.

Rights of Cogniti users

If you have purchased a subscription to a Service that is subject to and governed by a separate agreement between you and the University, to the extent that there’s a direct conflict between this Privacy Policy and the terms of that agreement, the terms of that agreement will control and supersede this Privacy Policy.

Changes to Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time and from time to time to ensure it’s easy to understand, aligns with our current practices and operations, and complies with continually evolving laws and regulations. Please review this Privacy Policy periodically, and especially before you provide any information. Your continued use of our Site and Services constitutes your agreement to this Privacy Policy and any updates to this Privacy Policy.

How to Contact Us

If you have any questions about our Privacy Policy or requests regarding your personal information, please email cogniti@sydney.edu.au.

Update history

We want to be as transparent as possible about this Privacy Policy.

• 12 September 2023: First version
• 14 February 2024: Under “How we use your information”, clarified that your information is not used to train artificial intelligence models.
• 26 September 2025: Provided more detail under “How we use your information”. Replaced “Sharing your information” section with “How Your Information is Disclosed” section that provides more detail. Expanded “Cookies, Other Storage, and Web Beacons” section and included a link to our Cookie Policy. Added “Links to Other Sites” section. Replaced “Privacy rights and choices” section with “Your Choices Regarding Your Information” section with more detail, and removed fee associated with personal information requests. Added “EU Data Subject Rights” and “US State Privacy Law Rights” sections. Added “Rights of Cogniti users” and “Changes to Privacy Policy” sections. Updated contact email to cogniti@sydney.edu.au