Privacy Policy

Effective date: 2024-01-01

Summary

We designed this policy to be clear, enforceable, and aligned with major privacy frameworks (GDPR, CCPA/CPRA, LGPD, PIPEDA). Cortexta collects only what is necessary to deliver the service, gives you control over your data, and implements technical and organizational measures to protect it.

Data we collect

Account data: name, email, authentication identifiers.
Usage data: app interactions, device/browser metadata (for security and reliability).
Content you provide: tasks, notes, documents, calendar metadata, uploaded files.
Payment data: processed by our PCI‑compliant processor; we do not store full card numbers.

How we use data

Provide and improve the service (including AI features like extraction, prioritization, and scheduling).
Secure the service (fraud prevention, abuse detection, incident response).
Support and communications (account changes, service announcements, billing).
Compliance with law and enforcement of our Terms.

Legal bases (GDPR)

Contract performance (Art. 6(1)(b)) for core processing necessary to deliver Cortexta.
Legitimate interests (Art. 6(1)(f)) for security, product improvement, and fraud prevention, balanced with your rights.
Consent (Art. 6(1)(a)) where required (e.g., marketing emails).
Legal obligation (Art. 6(1)(c)) for compliance requests.

Data minimization and retention

We only collect the minimum data needed. Optional integrations are opt‑in.
Retention: account data is retained while your account is active; content data is retained until you delete it or for as long as necessary to provide the service; backups are time‑limited.
Deletion: upon request or account closure, we delete active data within 30 days and logs/backups according to our backup rotation schedule.

Security

Encryption in transit (TLS 1.2+) and at rest for sensitive data.
Access controls, least‑privilege, and audited administrative access.
Segregated environments, vulnerability management, and incident response procedures.
Third‑party sub‑processors are vetted for security and privacy posture.

AI processing and RAG

Your content may be processed to provide AI features (task extraction, prioritization, suggestions).
For hosted models, we implement strict data handling; for third‑party models, we restrict data sharing and disable provider training on your inputs where possible.
Enterprise plans can opt for private models and dedicated RAG indexes; no data is used to train models outside your tenant.

International transfers

Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and additional technical measures.

Sub‑processors

We maintain an up‑to‑date list of sub‑processors and their purposes. We contractually require appropriate data protection, confidentiality, and security.

Your rights

Access, correction, deletion, portability, restriction, and objection (as applicable).
California residents: rights under CCPA/CPRA, including opt‑out of “sale”/“sharing” (we do not sell personal data).
EU/UK residents: right to lodge a complaint with a supervisory authority.

Children

We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided personal data, contact us to remove it.

Data requests and law enforcement

We require valid legal process for any data disclosure, notify users unless legally prohibited, and challenge overbroad requests.

Data breaches

We maintain incident response procedures and will notify affected users and authorities as required by law.

Changes to this policy

We may update this policy to reflect changes to our practices. We will post the updated policy with a revised effective date and, where required, notify you.