Privacy is the whole product.
Cortext's entire pitch falls apart if you can't trust us with what you import. This Policy tells you exactly what we collect, what we don't, and what you can do about it.
Your memories are yours. We don't train on them, we don't sell them, and you can delete all of it at any time. The rest of this page is the formal version of that sentence.
Who this policy applies to
This Privacy Policy (“Policy”) describes how Cortext (“Cortext,” “we,” “us”) collects, uses, stores, discloses, and protects information when you use our services at cortext.ai, app.cortext.ai, and the Cortext API (together, the “Services”).
By using the Services, you agree to the practices described in this Policy. If you do not agree, please stop using the Services and, if applicable, delete your account.
What we collect
We collect three categories of information:
a. Information you provide
- Account data — name, email, password hash, authentication provider identifiers.
- Memory content — the conversation imports, uploaded documents, and user-asserted facts that form your Cortext memory layer.
- Billing data — if you subscribe to a paid plan, we rely on our payment processor; we receive the last four digits and expiration of your card but never the full number.
- Correspondence — messages you send us via the contact form, email, or support channels.
b. Information we observe
- Usage telemetry — API endpoints called, response codes, approximate request durations. Never the request or response bodies.
- Device and log data — IP address (truncated to /24 within 24 hours), user-agent, referrer, timestamps.
c. Information from third parties
- Model providers — when you link Cortext to OpenAI, Anthropic, Google, or another provider, we receive the identifiers and metadata the provider shares for that integration. We do not receive your conversations with that provider unless you explicitly import them.
How we use your information
We use the information described above for the following purposes:
- Delivering the Services — authenticating you, building your memory layer, generating and injecting contexts into models you speak with.
- Operational telemetry — understanding reliability, debugging incidents, and improving performance.
- Security — detecting abuse, fraud, credential stuffing, and unauthorized access.
- Direct account communication — billing, security, and material changes to the Services or this Policy.
- Legal compliance — responding to lawful requests, enforcing our Terms, defending claims.
We do not train machine-learning models on your memory content. We do not sell your data. We do not rent, trade, or share your memory content with advertisers. Full stop.
How long we keep it
- Memory content — retained until you delete it individually or close your account. Deletion is propagated across hot storage within 10 seconds and across backups within 30 days.
- Account data — retained for the lifetime of the account, then purged 30 days after account closure.
- Usage telemetry and logs — 90 days, after which they are aggregated and the raw records are deleted.
- Billing records — retained for 7 years to comply with tax and financial regulation.
Your rights
You have the following rights, exercisable at any time:
- Access — you may view every memory Cortext holds about you from within the product at any time.
- Portability — request a full export in standard JSON. Downloads complete within 5 minutes for most accounts.
- Correction — edit any memory in place. Changes are immediate.
- Deletion — delete individual memories, segments, or the entire account. Deletion is unconditional.
- Objection — residents of the EEA, UK, and similar jurisdictions may object to processing based on legitimate interests.
Email privacy@cortext.ai to exercise any right. We aim to respond within 7 days and to fulfill within 30.
How we protect it
Cortext uses industry-standard technical and organizational measures to protect your information. These include encryption in transit (TLS 1.3), encryption at rest (AES-256), single-sign-on and MFA for all staff with data access, and per-environment network isolation.
No method of transmission or storage is 100% secure. We monitor for intrusions continuously and will notify affected users within 72 hours of confirming a breach that affects their data.
For a more detailed technical account, see the Security page.
International transfers
Cortext's primary data centers are located in the United States and the European Union. If you reside in a jurisdiction whose laws require that personal data be transferred under a specific mechanism, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent frameworks for the UK and Switzerland.
Children's privacy
Cortext is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact privacy@cortext.ai and we will delete it promptly.
Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect and will post the updated Policy to this page with a revised “Last updated” date.
Contact
If you have any questions about this Policy or how Cortext handles your data, please reach out:
- Privacy inquiries — privacy@cortext.ai
- Security disclosures — security@cortext.ai
- General — Contact form