Anonymisation in the browser

Identifying content stays on your device.

Names, NHS numbers, dates, postcodes, phone numbers, and email addresses are detected and replaced with placeholders in your browser before any content is sent for processing, with the mapping back to the real names encrypted under your password and held only on your device, and the draft coming back from the model has the real names put back in by your browser rather than reconstructed anywhere inside Cogent's own systems.

Try it free Trust Centre
03Anonymisation in the browser

Identifiers never leave the device.

Eight categories of identifying content are detected and replaced with placeholders in your browser before anything is sent for drafting, with the mapping back encrypted under your password and held only on the device you signed in from. Cogent itself cannot read the names, and if the database were ever accessed without permission, the identifiers a clinician most cares about would not be in it.

Raw on device Masked, sent to model Restored on return 0 detected 0 sent in clear 0% local mapping
On your device
Sara W. attended session 12. Reviewed last week's experiment with her partner Lucy. NHS number 943 476 5919. Lives in G77 5RR. Email [email protected]. Next session 19 May 2026.
Sent to UK-hosted model
PERSON_1 attended session 12. Reviewed last week's experiment with her partner PERSON_2. NHS number NHS_1. Lives in POSTCODE_1. Email EMAIL_1. Next session DATE_1.
02The problem

Putting your client's name into someone else's tool is not a decision you can responsibly make.

Most consumer AI tools are happy to take whatever you paste, and their terms of service rarely make hard commitments about what happens next, which leaves the question of where a client's name ends up, whether in a training set, a debugging log, or a vendor's analytics, quietly transferred from the AI company to the clinician with the registration to protect. Cogent Clinic was built so that the question never needs to be answered in the first place, because the identifying details are removed from anything the AI is ever shown.

03How it works

The five steps that move identifying content from your screen to the model and back, with the third one carrying the weight.

Your browser does the work the cloud should not, so detection and encryption both happen locally before any content moves anywhere it could be read.

  1. 01

    You write or transcribe in the browser.

    You can type your shorthand, paste a longer note, or run live in-session transcription, and at this stage everything is still sitting on your device with nothing having moved.

  2. 02

    Cogent spots identifiers and highlights them for you.

    Names, NHS numbers, postcodes, UK phone formats, email addresses, and dates are detected by a tokeniser running in your browser, never on a server, and you confirm what has been identified before anything is sent anywhere.

  3. 03

    Identifiers are replaced with placeholders, and the mapping is encrypted on your device.

    Sara becomes [PERSON_1], the NHS number becomes [NHS_1], Lucy becomes [PERSON_2], and the mapping between the placeholders and the real names is encrypted under a key derived from your password and stored only on your device, with Cogent never holding a copy, so if Cogent's own database were ever accessed without permission the names that connect to those placeholders would not be in it.

  4. 04

    Only the placeholder version reaches the AI.

    The UK-hosted AI service drafts the document from the placeholder version, with your content contractually excluded from any training set, and the placeholder text itself is not retained once the draft has been returned.

  5. 05

    Real names are put back in your browser, not anywhere on the server.

    The draft returns with the placeholders still in place, and your browser uses the local mapping to put the real names back in for you to read, while the version Cogent holds on the server keeps only the placeholders, leaving you to sign off as the author of record.

04What this means

You stay the controller, and Cogent operates only as a processor that cannot read the names.

In data-protection terms your clients are your data subjects and you are their controller, while Cogent operates as your processor for the placeholder version of the content only, and the real names are not present in Cogent's systems in any readable form.

  1. 01

    Identifying content does not leave your device unencrypted.

    Cogent's own database never holds the real names in readable form, because the only thing that ever leaves your browser is the placeholder version of what you wrote.

  2. 02

    If Cogent's own infrastructure were accessed without permission, the most that could be exposed is pseudonymised draft text.

    The names, NHS numbers, dates, and addresses that a clinician most cares about are not in those records to be read.

  3. 03

    The AI provider is contractually prohibited from using your content to train any model.

    The placeholder version is processed once for the drafting and not retained afterwards, so nothing about a session flows into the model's future behaviour.

  4. 04

    Hosting, storage, and AI processing all run inside the United Kingdom.

    The one exception is live session transcription, which runs in Dublin under the UK Addendum to the EU SCCs, and the full Data Processing Agreement sets out the controller-processor relationship in detail.

Try it on this week's work.

The free tier covers ten generations a month with no card to start and no time limit on the trial, so you only upgrade when Cogent has earned at least the cost of a session in time saved.

Start free
No card · no demo call · no waitlist