Short version: COGSLOG collects only the data needed to provide our COGS tracking service. We do not sell your personal information to third parties. We use your invoice data only to operate the service for you.
1. Overview
COGSLOG ("we," "our," or "us") operates the COGSLOG cost tracking platform accessible at app.cogslog.com and this website at cogslog.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
COGSLOG is the data controller for personal information collected through the Service. Our contact information is at the bottom of this policy.
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Data We Collect
We collect the following categories of personal information:
2.1 Identifiers
- Name and email address — collected at account registration and used to identify your account, send notifications, and communicate with you about the Service
- Business name and business role — collected at onboarding to configure your Organization account
- IP address — collected automatically with each request for security, fraud prevention, and abuse detection
2.2 Commercial Information (Invoice and Business Data)
- Supplier invoices (PDF and image files) — uploaded by you for OCR processing and COGS tracking
- Invoice data — vendor name, invoice date, invoice number, line items, quantities, unit prices, totals, fuel surcharges, and other extracted fields
- Vendor information — vendor names, vendor-specific settings (field mappings, SKU formats, surcharge handling)
- Purchase amounts and cost totals — aggregated and analyzed to generate your COGS reports
- Category assignments and SKU catalog — your product categorization structure and unit-of-measure configurations
2.3 Internet and Network Activity
- Browser type and version — collected automatically via server logs
- Operating system — collected automatically via server logs
- Referring URLs — the page you were on before visiting our Service
- Pages visited and features used — to improve the Service and diagnose issues
- Timestamps of actions — for security auditing and support
2.4 Geolocation Information (Approximate)
- Country and region (derived from IP address) — used to determine applicable privacy laws and configure cookie consent requirements
We do not collect precise GPS location data.
2.5 Professional and Employment Information
- Business name and business type — collected at account setup
- Role within your organization — collected to configure appropriate access levels
2.6 Data You Do Not Need to Provide
We do not require, and ask that you do not upload, invoices or documents containing personal data of third parties beyond what is inherent in normal vendor invoices (e.g., vendor company name and address). Please do not upload documents containing Social Security numbers, health information, or other sensitive personal data.
3. How We Use Your Data
We use the personal information we collect for the following business purposes:
| Purpose | Description |
|---|---|
| Service delivery | Processing your invoices, generating analytics, managing your account, and providing all features of the COGSLOG platform |
| Invoice OCR processing | Transmitting uploaded invoice images and PDFs to the Anthropic Claude Vision API to extract structured invoice data (vendor, line items, amounts) |
| Account management | Creating and maintaining your account, managing subscriptions, communicating about account activity, and providing customer support |
| Analytics and reporting | Generating COGS reports, vendor comparisons, price trend analysis, and other analytics within your account (your data is never aggregated with other customers' data for analytics) |
| Service improvement | Analyzing usage patterns and feature adoption (in aggregate, without identifying individuals) to improve the Service |
| Security and fraud prevention | Detecting and preventing unauthorized access, abuse, and security threats |
| Legal compliance | Complying with applicable laws, regulations, court orders, and legal process |
| Communications | Sending transactional emails (account confirmations, password resets, invoices) and, if you opt in, product updates and announcements |
We do not use your invoice data or business data to train AI models, build advertising profiles, or share with data brokers.
4. Third Parties We Share Data With
We share data with the following categories of third-party service providers. We enter into data processing agreements with service providers where required by applicable law.
| Category | Provider | Data Shared | Purpose |
|---|---|---|---|
| Cloud Infrastructure | Amazon Web Services (AWS) | All Service data (hosted on AWS servers) | Hosting, database, file storage, email delivery |
| Authentication | Keycloak (self-hosted on AWS) | Name, email, account credentials | Identity and access management |
| OCR / AI Processing | Anthropic (Claude API) | Invoice images and PDFs (transmitted during OCR processing) | AI-powered invoice data extraction |
| Email Delivery | AWS Simple Email Service (SES) | Email address, email content | Transactional email delivery |
We do not share your personal information with advertising networks, data brokers, or social media platforms for marketing purposes.
We may share personal information if required by law, court order, or to protect the rights, property, or safety of COGSLOG, our users, or others.
In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the acquiring entity, subject to the same privacy commitments described in this policy. We will notify you before such a transfer.
5. Data Retention
We retain your personal information for as long as your account is active, or as needed to provide the Service. Specifically:
- Account data (name, email) — retained while your account is active and for 30 days after account termination
- Invoice data and uploaded files — retained while your account is active; exportable and deleted within 30 days of account termination
- Server logs and security data — retained for up to 90 days for security and debugging purposes
- Billing records — retained for 7 years as required by tax and accounting regulations
You may request deletion of your data at any time by contacting us. Some data may be retained longer where required by law or to resolve disputes.
6. Security
We implement commercially reasonable technical and organizational security measures to protect your data, including:
- All data transmitted to and from the Service uses TLS encryption
- Database access is restricted and authenticated
- Invoice files are stored with access controls on AWS S3
- Authentication is managed by a dedicated identity provider (Keycloak)
- Regular security reviews of our application and infrastructure
No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@cogslog.com.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to access — request a copy of the personal information we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your personal information
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at hello@cogslog.com with the subject line "Privacy Rights Request." We will respond within 45 days. We may need to verify your identity before fulfilling your request.
You also have the right to lodge a complaint with your local data protection authority if you believe we have violated applicable privacy laws.
8. California Privacy Rights (California Consumer Privacy Act)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.
8.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples We Collect | Collected? |
|---|---|---|
| A. Identifiers | Name, email address, IP address, user ID | Yes |
| B. Personal information (Cal. Civ. Code § 1798.80) | Name, email (no financial account numbers, SSNs, or payment cards) | Partial (name and email only) |
| C. Protected characteristics | Age, race, religion, gender, etc. | No |
| D. Commercial information | Supplier invoices, vendor names, purchase amounts, COGS records | Yes |
| E. Biometric information | Fingerprints, voice prints, etc. | No |
| F. Internet or other electronic network activity | Browser type, pages visited, IP address, usage logs | Yes |
| G. Geolocation data | Approximate location derived from IP address (country/region only) | Yes (approximate only) |
| H. Sensory data | Audio, visual, thermal information | No |
| I. Professional or employment-related information | Business name, role within organization | Yes |
| J. Non-public education information | Educational records | No |
| K. Inferences | Profile inferences drawn from personal information | No |
| L. Sensitive personal information | SSN, financial account numbers, health data, etc. | No |
8.2 Business Purposes for Processing
We use the personal information listed above for the following business purposes:
- Providing, maintaining, and improving the COGSLOG platform (Service delivery)
- Processing supplier invoice images through AI OCR to extract and structure cost data
- Generating COGS analytics, reports, and vendor intelligence for your business
- Managing your account, authenticating your identity, and providing customer support
- Detecting and preventing security threats and fraudulent activity
- Complying with legal obligations and responding to lawful government requests
- Sending transactional communications related to your account
8.3 Categories of Third Parties Data Is Disclosed To
In the preceding 12 months, we have disclosed personal information to the following categories of third parties for business purposes:
- Cloud infrastructure providers (Amazon Web Services) — for hosting, storage, and email delivery
- Authentication providers (Keycloak, self-hosted) — for identity management
- AI processing providers (Anthropic) — for invoice OCR and data extraction
We do not disclose personal information to third parties for cross-context behavioral advertising purposes.
8.4 Your California Privacy Rights
As a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it
- Delete: Request deletion of personal information we have collected about you (subject to certain exceptions)
- Correct: Request correction of inaccurate personal information
- Opt-Out of Sale or Sharing: Direct us not to sell or share your personal information (see Section 9)
- Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights — you will not receive a different level or quality of service
To submit a CCPA rights request, email hello@cogslog.com with the subject line "CCPA Rights Request." We will verify your identity and respond within 45 days (extendable to 90 days with notice).
You may designate an authorized agent to submit requests on your behalf. We require written authorization and may verify the agent's identity.
9. Do Not Sell or Share My Personal Information
COGSLOG does not sell your personal information. We do not sell, rent, or trade personal information to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising purposes.
We share data only with service providers who process it on our behalf under contract, as described in Section 4 (Third Parties). These service providers are contractually prohibited from using your data for their own purposes.
California residents may nonetheless submit an opt-out request by emailing hello@cogslog.com with the subject line "Do Not Sell My Personal Information." We will confirm that no sale is occurring and update any preferences on record.
10. GDPR Rights (European Union and United Kingdom)
If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with additional protections.
10.1 Data Controller
COGSLOG acts as the data controller for personal information collected through the Service. For questions about data processing, contact us at hello@cogslog.com.
10.2 Lawful Basis for Processing
| Processing Activity | Lawful Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Invoice processing and COGS analytics | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention | Legitimate interests (Art. 6(1)(f)) — to protect our platform and users |
| Service improvement (aggregate analytics) | Legitimate interests (Art. 6(1)(f)) — improving our Service |
| Transactional emails (account, billing) | Contract performance (Art. 6(1)(b)) |
| Marketing and product updates | Consent (Art. 6(1)(a)) — opt-in only |
| Legal obligations (e.g., tax records) | Legal obligation (Art. 6(1)(c)) |
10.3 Your GDPR Rights
Under GDPR, you have the right to:
- Access (Art. 15): Request a copy of your personal data and information about how we process it
- Rectification (Art. 16): Request correction of inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances
- Data portability (Art. 20): Receive your data in a structured, commonly used format and have it transferred to another controller
- Object (Art. 21): Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
To exercise GDPR rights, email hello@cogslog.com with the subject line "GDPR Rights Request." We will respond within 30 days (extendable to 90 days for complex requests with notice).
You have the right to lodge a complaint with your local data protection authority (for EU residents) or the Information Commissioner's Office (for UK residents).
10.4 International Data Transfers
COGSLOG is based in the United States. If you are located in the EEA or UK, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers, including:
- EU Standard Contractual Clauses (SCCs) with our service providers where required
- Processing data only with service providers who comply with applicable transfer mechanisms
For more information about our data transfer safeguards, contact hello@cogslog.com.
11. Cookies and Tracking Technologies
COGSLOG uses the following types of cookies and similar technologies:
- Strictly necessary cookies: Required for authentication and session management. Cannot be disabled without breaking the Service.
- Functional cookies: Remember your preferences (such as display settings) to improve your experience.
- Analytics cookies: Collect aggregate usage statistics to help us understand how the Service is used. We do not use third-party advertising trackers.
You can manage cookie preferences through the Cookie Preferences link in our footer (Phase 5 implementation: cookie consent banner). You may also disable cookies through your browser settings, though this may affect Service functionality.
12. Children's Privacy
The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, please contact us at hello@cogslog.com and we will delete it promptly.
13. International Users
The Service is hosted in the United States. By using the Service from outside the United States, you consent to the transfer and processing of your data in the United States, which may have different data protection laws than your country. See Section 10.4 for information about GDPR transfer safeguards.
14. Policy Updates
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Notify registered users by email at least 14 days before changes take effect
- For changes that significantly expand how we use your data, obtain fresh consent where required by law
Your continued use of the Service after the effective date constitutes acceptance of the updated policy. Previous versions are available upon request.
15. Contact Us
For privacy-related questions, requests, or complaints, contact us:
- Email: hello@cogslog.com
- Subject line for rights requests: "Privacy Rights Request," "CCPA Rights Request," or "GDPR Rights Request" as applicable
- Response time: We will acknowledge your request within 5 business days and respond fully within 45 days
For general Terms of Service questions, see our Terms of Service.