Skip to sign-in
Cohortino

Access cohorts, projects, applications, and team work from one calm place.

Secure access

Sign in

Sign in to your account and continue to the workspace.

Forgot password?

or Create account

Secure access

Create account

Create an account for Cohortino access. You will need to activate it before your first sign-in.

Legal information Read: Terms of Service , Privacy Policy and Cookies and sessions.

Terms of Service

LEGAL INFORMATION

This text uses general information and marked placeholders where legal or operational details must be completed by the operator.

0. Document status and operating notes

These Terms of Service describe the Cohortino Phase 1 web application described in the project materials: a PHP/MariaDB, server-rendered operational workspace for programme staff, administrators, mentors, experts, reviewers, and selected project-team users working with Marc Impact Programme operations.

Unconfirmed legal and operating facts are intentionally left as placeholders. The operator completes the contracting entity, company identifiers, address, legal contact, governing law, court venue, liability limits, processor list, support commitments, and retention periods before publication.

1. Parties, service operator, and scope

These terms are intended to govern access to and use of Cohortino by authorized users. Cohortino is not a public social platform, public application form, marketplace, employment service, payment service, or file-hosting service in Phase 1.

  • Service operator: [LEGAL_ENTITY_NAME], company ID [LEGAL_ENTITY_ID], registered at [REGISTERED_ADDRESS].
  • Legal contact: [LEGAL_CONTACT_EMAIL]. Data protection contact: [DPO_CONTACT_EMAIL_OR_PRIVACY_CONTACT].
  • Programme and partner roles, including any controller/processor or joint-controller allocation between the operator center, programme owner, BABEL, and other partners, must be confirmed in [PROGRAMME_PARTNER_ROLE_MATRIX].

2. What Cohortino provides

Cohortino supports practical programme operations: importing application data from BABEL CSV files, reviewing applications, converting selected applications into projects, assigning mentors and experts, tracking development plans, activities, deliverables, external links, risks, and operational history.

  • Phase 1 uses manual, synchronous BABEL CSV import with preview and confirmation.
  • Phase 1 stores external resource links rather than uploaded media or file content.
  • Phase 1 uses manual external email outside Cohortino and does not provide in-platform bulk email sending.
  • Phase 1 does not include AI functionality, automated scoring, automated reminders, background jobs, formal report exports, transcript storage, native application forms, or a separate expert-support booking workflow.

3. Accounts, access, and eligibility

Access is for authorized users only. An account may be created, invited, activated, deactivated, or permissioned by an authorized administrator or approved account flow. The public presence of an account form does not create a right to access Cohortino.

  • Users must provide accurate account details and keep credentials confidential.
  • Users must not share passwords, session access, activation links, reset links, or accounts with another person.
  • Users must promptly report suspected unauthorized access, mistaken disclosure, or compromised credentials to [SECURITY_CONTACT_EMAIL].
  • The minimum age or role eligibility rules for user accounts must be confirmed in [ACCOUNT_ELIGIBILITY_POLICY].

4. Acceptable use and user responsibilities

Users may use Cohortino only for approved programme operations and only within the role, scope, and permissions granted to them. Navigation visibility is not permission to access or reuse data outside the authorized purpose.

  • Do not attempt to bypass authentication, authorization, role scope, CSRF protections, rate limits, or technical controls.
  • Do not upload, paste, import, or link unlawful, malicious, misleading, excessive, or irrelevant content.
  • Do not enter special-category personal data, criminal-offence data, payment-card data, passwords, secrets, or private third-party data unless a documented programme purpose and legal basis has been approved.
  • Do not export, copy, screenshot, or disclose application answers, evaluation notes, contact details, internal notes, project risk data, or reports except as authorized.
  • Do not use Cohortino to provide legal, tax, investment, medical, employment, or regulated professional advice.

5. Programme data, confidentiality, and records

Cohortino contains confidential programme, venture, project, application, mentor, expert, reviewer, and contact information. Users must treat this information as confidential and use it only for authorized programme purposes.

  • Application data may include BABEL answers, applicant contact details, project descriptions, team information, financial and funding information, impact metrics, SDG alignment, attachments represented as links, and consent/acknowledgement answers imported from BABEL.
  • Project data may include venture names, legal names, websites, project categories, mentor assignments, expert sessions, development-plan items, risks, deliverables, activities, attendance, external links, and operational notes.
  • Review and evaluation data may include assigned reviewer, rating, summary, lifecycle status, selection status, and conversion history.
  • Technical audit and app activity logs may record security, session, permission, import, write-action, and business-history events for accountability and troubleshooting.

6. External systems, links, and third-party materials

Cohortino may reference external systems and resources, including BABEL, Google Drive, calendar links, website links, social links, recordings, presentations, folders, forms, or other programme resources. Cohortino permissions do not grant access rights inside those external systems.

  • Users must verify that they are allowed to open, share, repair, or reuse any external link.
  • External systems remain governed by their own terms, privacy notices, access controls, and availability.
  • Broken, stale, inaccessible, missing, or review-needed links should be handled through the responsible programme workflow.

7. Communications and notifications

Phase 1 operational email is handled outside Cohortino through normal external mailboxes. Cohortino may display contact/context data according to ACL, but it does not itself send, template, or log operational email in Phase 1 unless later approved.

  • Account activation and password reset flows may use technical email if enabled in the environment.
  • Any future in-platform email, reminders, or bulk communications require separate approval and updated legal notices.
  • Users remain responsible for checking message recipients and confidentiality before sending external email.

8. Availability, support, and changes

Cohortino is an operational application and may be unavailable during maintenance, errors, local development, hosting incidents, database issues, or security events. Any production service level, support hours, incident escalation, backup commitment, or restore target must be confirmed in [SERVICE_LEVEL_AND_SUPPORT_POLICY].

  • Development preview behavior must not be treated as production security, availability, or data behavior.
  • The operator may update, restrict, suspend, or change features to maintain security, compliance, data integrity, or programme operations.
  • Formal report/export capability, AI, native application forms, uploads, automated reminders, and media processing are outside Phase 1 unless separately approved.

9. Intellectual property and user content

Cohortino software, UI, configuration, documentation, and system-controlled labels belong to [LEGAL_ENTITY_NAME] or its licensors, subject to any separate development or licensing agreement. User-entered programme content remains subject to the rights of the contributing organization, programme partners, or other rights holders.

  • Users grant the operator the rights needed to host, display, process, secure, back up, audit, and operate user-entered content for approved programme purposes.
  • Users must not enter content they are not authorized to share with the programme.
  • Publication consent, reporting-safe use, and success-story reuse require separate confirmed programme rules in [PUBLICATION_AND_REPORTING_POLICY].

10. Disclaimers and liability placeholders

Cohortino supports operational coordination and record keeping. It does not replace professional judgement, legal review, investment due diligence, tax advice, security review, accessibility review, or programme governance.

  • Any warranty disclaimer must be reviewed and approved for the governing law in [GOVERNING_LAW_AND_COURTS].
  • Any liability cap, excluded damages, indemnity, force-majeure clause, and consumer/non-consumer distinction must be supplied by counsel in [LIABILITY_TERMS].
  • Nothing in this text limits liability where such limitation is not permitted by applicable law.

11. Suspension, deactivation, and retention after access ends

Accounts may be suspended, deactivated, or permission-limited when access is no longer needed, when a user changes role, after a suspected security incident, or where required for programme governance. Deactivation does not automatically delete business records that are needed for programme operations, audit, legal obligations, or dispute handling.

  • Retention periods must be confirmed in [RETENTION_SCHEDULE].
  • Data export, handover, correction, deletion, and archive responsibilities must be confirmed in [DATA_EXIT_AND_ARCHIVE_POLICY].
  • Soft-deleted or archived records may remain restricted in the database where needed for integrity, audit, or legal reasons.

12. Governing law, disputes, and contact

The governing law, venue, language hierarchy, complaint path, and dispute escalation process are not confirmed in the repository and must be inserted by counsel.

  • Governing law and courts: [GOVERNING_LAW_AND_COURTS].
  • Legal notices should be sent to [LEGAL_CONTACT_EMAIL] with copy to [PROGRAMME_OPERATIONS_CONTACT_EMAIL] where appropriate.

Privacy Policy

LEGAL INFORMATION

This text uses general information and marked placeholders where legal or operational details must be completed by the operator.

0. Document status and legal placeholders

This Privacy Policy describes the Cohortino Phase 1 operational workspace. It is based on the repository documentation and implemented data model, with placeholders for details the operator completes for the production setup.

Where repository facts are missing, placeholders are used: [LEGAL_ENTITY_NAME], [LEGAL_ENTITY_ID], [REGISTERED_ADDRESS], [DPO_CONTACT_EMAIL_OR_PRIVACY_CONTACT], [SUPERVISORY_AUTHORITY], [PROCESSOR_LIST], [RETENTION_SCHEDULE], [TRANSFER_MECHANISM], and [PROGRAMME_PARTNER_ROLE_MATRIX].

1. Controller identity and contact

The controller or service operator for Cohortino must be confirmed by legal review. Depending on programme contracts, some data processing may involve separate controllers, joint controllers, or processors.

  • Controller/operator placeholder: [LEGAL_ENTITY_NAME], company ID [LEGAL_ENTITY_ID], registered at [REGISTERED_ADDRESS].
  • Privacy contact: [DPO_CONTACT_EMAIL_OR_PRIVACY_CONTACT].
  • Supervisory authority: [SUPERVISORY_AUTHORITY_NAME_AND_CONTACT].
  • Programme partner/controller allocation: [PROGRAMME_PARTNER_ROLE_MATRIX].

2. Sources of personal data

Cohortino may process personal data from several operational sources. The exact source mix depends on enabled programme workflows and user permissions.

  • Direct account input, including name, email, password setup, account activation, password reset, and profile details.
  • Administrator or programme-staff input, including roles, permissions, cohort scope, project assignments, mentor/expert registry data, and operational notes.
  • BABEL CSV imports, including application records, applicant contact fields, imported answers, consent/acknowledgement answers, and attachment/link references.
  • Operational use of Cohortino, including login/session events, audit events, review entries, status changes, activities, attendance, deliverables, external links, and development-plan updates.

3. Categories of personal data and confidential data

Cohortino is designed for programme operations and may contain both personal data and confidential business or programme information.

  • Account and profile data: full name, first name, last name, email, preferred language, account status, authentication metadata, and password hashes.
  • Role and access data: roles, permission scopes, cohort/project assignments, ACL decisions, and permission-change history.
  • Application data: applicant name, email, phone, LinkedIn/profile links, role in organization, organization legal name and legal form, project or venture name, websites/social links, team data, business model, impact description, SDG alignment, revenue, funding, growth plans, support needs, and imported consent/acknowledgement answers.
  • Programme and project data: projects, cohorts, venture organizations, project categories, mentors, experts, project team contacts, risks, deliverables, development-plan items, activities, attendance, and external links.
  • Review and evaluation data: assigned reviewer, rating, evaluation summary, review status, application lifecycle, selection status, conversion state, and related activity history.
  • Mentor/expert registry and collaboration data: expertise tags, organizations, capacity, assignments, person ratings, session notes, and project collaboration context.
  • Security and audit data: login attempts, rate-limiting events, session metadata, CSRF-protected write events, import diagnostics, technical audit logs, and app activity logs.

4. Purposes and legal bases

The final legal bases must be confirmed by counsel and may differ by programme role, user type, and contract. This text identifies the expected processing purposes for review.

  • Account access, authentication, session security, password reset, and abuse prevention - likely contract performance, legitimate interests, and/or legal obligation depending on the user relationship: [LEGAL_BASIS_ACCOUNT_SECURITY].
  • Programme administration, cohort setup, BABEL import, application review, project conversion, mentor/expert assignment, activities, deliverables, and development-plan tracking - [LEGAL_BASIS_PROGRAMME_OPERATIONS].
  • Review, selection, risk monitoring, closeout, and programme reporting readiness - [LEGAL_BASIS_REVIEW_REPORTING].
  • Manual external communication support and display of contact/context data to authorized users - [LEGAL_BASIS_COMMUNICATIONS].
  • Security logging, technical audit, business activity history, incident response, and data integrity - likely legitimate interests and/or legal obligation: [LEGAL_BASIS_AUDIT_SECURITY].
  • Legal claims, compliance, accounting, grant/programme governance, and dispute handling - [LEGAL_BASIS_LEGAL_COMPLIANCE].

5. Sensitive data and data minimization

Cohortino does not intentionally require special-category personal data for normal Phase 1 operation. However, free-text application answers, notes, links, attachments referenced from BABEL, diversity/team answers, impact descriptions, or user-entered comments may accidentally reveal sensitive information.

  • Users should avoid entering unnecessary special-category data, criminal-offence data, health data, financial account secrets, identity-document scans, passwords, or private third-party information.
  • Programme staff should review import mappings, notes, and external links for minimization where practical.
  • Any deliberate processing of special-category data requires documented legal basis, necessity assessment, access controls, and retention decision in [SPECIAL_CATEGORY_DATA_POLICY].

6. Recipients and access controls

Cohortino access is controlled by account, role, permission action, scope, data category, and target entity. Navigation visibility is not the security boundary; server-side ACL checks remain authoritative.

  • Authorized programme administrators, programme/community managers, reviewers, mentors, experts, and project-team users may see data according to their role and scope.
  • Programme partners, operator centers, reporting stakeholders, or funders may receive data only where approved in [PROGRAMME_PARTNER_ROLE_MATRIX] and [REPORTING_EXPORT_POLICY].
  • Processors/subprocessors may include hosting, database, backup, email/SMTP, monitoring, support, and infrastructure providers listed in [PROCESSOR_LIST].
  • External systems linked from Cohortino, such as BABEL, Google Drive, calendars, websites, or social platforms, are governed by their own access controls and privacy notices.
  • Sensitive data should not be exposed through exports or reports without separate export permission and audit requirements.

7. International transfers

The repository does not confirm hosting region, processor locations, support access, or cross-border transfer mechanisms. These must be completed before production use.

  • Hosting and support locations: [HOSTING_REGION_AND_SUPPORT_LOCATIONS].
  • Transfer safeguards, adequacy decision, standard contractual clauses, or other mechanism: [TRANSFER_MECHANISM].

8. Retention and deletion

The repository explicitly states that a legal retention workflow is not part of Phase 1. Therefore the final retention schedule must be inserted by legal and programme governance before publication.

  • Account and session/security data: [RETENTION_PERIOD_ACCOUNT_SECURITY].
  • Application import data and BABEL source records: [RETENTION_PERIOD_APPLICATION_IMPORT].
  • Project, venture, mentor/expert, activity, deliverable, development-plan, and closeout data: [RETENTION_PERIOD_PROGRAMME_RECORDS].
  • Technical audit log and app activity log: [RETENTION_PERIOD_AUDIT_LOGS].
  • Backups, archives, soft-deleted records, and legal-hold exceptions: [RETENTION_PERIOD_BACKUPS_ARCHIVES_LEGAL_HOLD].

9. Security measures

Cohortino Phase 1 includes a security baseline, but final production controls must be validated against the actual deployment and support model.

  • Password authentication with modern PHP password hashing and no remember-me in Phase 1.
  • Secure session handling with 30-minute idle timeout, 12-hour absolute lifetime, session ID rotation after login and permission changes, HttpOnly cookies, SameSite=Lax, and secure cookies when served over HTTPS.
  • CSRF protection for state-changing requests, server-side validation, context-aware output escaping, parameterized SQL, and separate technical audit and business activity logs.
  • Role/scope ACL controls for protected actions and sensitive data categories such as imported application data, review/evaluation data, contact details, reporting/export data, and sensitive configuration.

10. Data subject rights

Depending on the legal basis and applicable law, individuals may have rights over their personal data. The operator must provide a practical request process before publication.

  • Right to request access to personal data.
  • Right to request rectification of inaccurate or incomplete data.
  • Right to request erasure or restriction where legally available.
  • Right to object to processing based on legitimate interests where applicable.
  • Right to data portability where processing is based on consent or contract and carried out by automated means.
  • Right to withdraw consent where consent is the legal basis, without affecting earlier lawful processing, and right to complain to [SUPERVISORY_AUTHORITY_NAME_AND_CONTACT].

11. Cookies, sessions, and browser storage

Cohortino uses essential session technology for authentication and security. The current implementation also uses browser localStorage for selected UI preferences such as list page size. See the Cookie/Session Notice for details.

12. Automated decision-making, profiling, and AI

Phase 1 does not include AI functionality, automated weighted scoring, automated selection decisions, automated reminders, or autonomous database actions.

  • Application lifecycle, review, selection, conversion, mentor assignment, risk handling, and closeout remain human operational workflows in Phase 1.
  • Any future AI or automated decision support requires separate governance, legal basis, transparency, audit, and privacy review before enablement.

13. Questions, complaints, and changes

The final published notice should identify how users and programme participants can ask privacy questions, exercise rights, or raise complaints.

  • Privacy contact: [DPO_CONTACT_EMAIL_OR_PRIVACY_CONTACT].
  • Security incident contact: [SECURITY_CONTACT_EMAIL].
  • This notice should be updated when processors, purposes, legal bases, retention periods, exports, AI, email automation, uploads, or deployment model change.

Cookie/Session Notice

LEGAL INFORMATION

This text uses general information and marked placeholders where legal or operational details must be completed by the operator.

0. Document status

This Cookie/Session Notice describes the current Cohortino Phase 1 implementation as visible in the repository, with placeholders for the production domain, cookie name, hosting configuration, analytics decision, and browser-storage behavior.

No non-essential analytics, advertising, marketing, social-media tracking, or third-party tracking scripts were identified in the current implementation. If any are added later, this notice and any consent mechanism must be updated first.

1. What technologies are used

Cohortino currently uses essential session technology and limited browser storage to provide secure account access and stable interface behavior.

  • Essential session cookie: [PHP_SESSION_COOKIE_NAME] or the session name configured by the PHP runtime.
  • Browser localStorage keys for selected UI preferences, currently including Cohortino list page-size preferences such as cohortino:page-size:[scope].
  • Standard server logs and technical audit events may record request/security metadata where needed for service operation and abuse prevention.

2. Essential session cookie

The session cookie is required to keep a user signed in, apply CSRF protection, enforce authorization, rotate sessions after login or permission changes, and expire inactive sessions.

  • Purpose: authentication, session continuity, security, CSRF support, and access-control enforcement.
  • Duration: session cookie with Cohortino idle timeout of 30 minutes and absolute authenticated-session lifetime of 12 hours.
  • Security settings: path /, HttpOnly, SameSite=Lax, Secure when the request is served over HTTPS.
  • Legal basis/status: essential for the requested secure service; no separate opt-in is expected for this cookie, subject to legal review in [COOKIE_LEGAL_BASIS].

3. Browser localStorage

Cohortino uses localStorage only for limited interface preferences in the current JavaScript layer. This storage is not used for authentication and should not contain sensitive programme data.

  • Current purpose: remember list page-size preference for the browser and scope.
  • Current keys: cohortino:page-size:[scope].
  • Duration: until the user clears browser storage or the application changes the stored preference behavior.

4. Non-essential cookies and analytics

The current repository implementation does not show non-essential analytics, advertising, marketing, social-media tracking pixels, heatmaps, or third-party embedded trackers.

  • Any future analytics or tracking requires legal approval, processor review, updated notice text, and an appropriate consent or opt-out mechanism where required.
  • Any future integration should identify provider name, purpose, cookie/storage names, duration, transfer locations, and consent behavior in [NON_ESSENTIAL_COOKIE_TABLE].

5. Managing cookies and storage

Users can control cookies and localStorage through their browser settings. Blocking the essential session cookie will prevent sign-in or protected workspace use.

  • Deleting the session cookie signs the user out or ends the current session.
  • Deleting localStorage resets remembered UI preferences such as list page size.
  • Users should sign out on shared devices and report suspected unauthorized access to [SECURITY_CONTACT_EMAIL].

6. Contact and updates

This notice should be updated whenever the session configuration, storage behavior, analytics, consent mechanism, hosting domain, or third-party integrations change.

  • Cookie/privacy contact: [DPO_CONTACT_EMAIL_OR_PRIVACY_CONTACT].
  • Technical/security contact: [SECURITY_CONTACT_EMAIL].