Privacy Policy
Last updated: [REPLACE WITH DATE OF YOUR LAST POLICY REVIEW]
1. Information We Collect
We collect information you provide directly (account details, payment information) and information generated through your use of the Platform (agent traces, API logs, usage metrics). We also collect standard web analytics data including IP addresses, browser type, and referring URLs.
2. How We Use Your Information
We use your information to: (a) provide and maintain the Service; (b) process transactions; (c) send service-related communications; (d) improve the Platform; (e) comply with legal obligations. We do not sell your personal data to third parties.
3. Agent Data and Traces
Reasoning traces, tool call logs, and agent outputs submitted to the Platform are your property. We process this data only to provide the Service. Trace data is encrypted at rest and in transit. You may delete your trace data at any time.
4. Data Retention
We retain account data for the duration of your account plus 30 days after deletion. Trace data retention depends on your plan: 7 days (Starter), 30 days (Pro), or 1 year (Enterprise). You may request earlier deletion.
5. Data Security
We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 in transit, infrastructure designed against SOC 2 Type II and ISO 27001 controls, and regular penetration testing. Access to production systems is restricted, audited, and gated on hardware-backed authentication.
6. Third-Party Services
We use third-party services for payment processing, cloud infrastructure, customer support, product analytics, and error monitoring. These sub-processors are bound by data processing agreements, are reviewed annually, and a current list is available on request. We do not share more data than necessary for each service.
7. Your Rights
Depending on your jurisdiction, you have the right to access your data, the right to request correction or deletion, the right to restrict certain processing, the right to object to processing, the right to data portability, the right to withdraw consent, the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects (GDPR Art. 22; you may request human review, contest the decision, and express your point of view), and the right to lodge a complaint with a supervisory authority. Contact privacy@cortex.ai to exercise these rights.
8. Your Rights — California & US State Privacy Laws
If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, Oregon, or another US state with a comprehensive consumer-privacy law, you have the following rights, subject to certain exceptions: Right to Know / Access — you may request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it. Right to Delete — you may request deletion of the personal information we have collected from you, subject to our legal retention obligations. Right to Correct — you may request correction of inaccurate personal information we maintain about you. Right to Opt Out of Sale or Sharing — we do not sell your personal information for money. If we share personal information for cross-context behavioural advertising, you may opt out at any time via our "Do Not Sell or Share My Personal Information" page (linked in the footer where applicable). We also recognise the Global Privacy Control (GPC) signal as an opt-out, as described in our Do Not Track and Global Privacy Control section. Right to Limit Use of Sensitive Personal Information — where we process sensitive personal information, you may direct us to limit its use to that which is necessary to provide the Service. Right to Non-Discrimination — we will not discriminate or retaliate against you for exercising any of these rights. To exercise these rights, contact us at privacy@cortex.ai or use the "Do Not Sell or Share My Personal Information" page. We may need to verify your identity before responding, and you may use an authorised agent. We respond to verifiable requests to know, delete, or correct within 45 days (extendable by a further 45 days where reasonably necessary). Requests to opt out of sale or sharing, or to limit the use of sensitive personal information, are honoured as soon as feasible and no later than 15 business days, consistent with our Do Not Sell or Share My Personal Information page.
9. Do Not Track and Global Privacy Control
We honour Global Privacy Control (GPC) where legally required. We do not currently respond to Do Not Track (DNT) browser signals because no common technical standard defines how websites should interpret them.
10. International Transfers
Your data may be processed in regions outside your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU data transfers.
11. Cookies
We use essential cookies for authentication and session management. Optional analytics cookies are used only with your consent. You can manage cookie preferences in your browser settings.
12. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email or in-app notification at least 14 days before they take effect. Continued use of the Service constitutes acceptance.