logo

Privacy Policy

This Privacy policy outlines how Cortextual Inc. (“Cortextual”) collects, uses, and protects your personal information when you use our service. By using Cortextual, you agree to the practices described below.

This Privacy Policy is addressed to individuals outside our organisation with whom we interact in our course of business, including users of our services, customers, personnel of corporate customers and vendors, and visitors to our premises (together, "you"). Please note that not all provisions of this Privacy Policy will apply to you and your personal data, as this will depend on your specific relationship with Cortextual.

This Privacy Policy may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data, or changes in applicable law. We encourage you to read this Privacy Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Privacy Policy.

1. Information we collect

To improve your experience, we may ask for personally identifiable information (“Personal Data”). This information is used only to deliver and enhance our services.

Some third-party services used by Cortextual may also collect information that could identify you.

We do not seek to collect or otherwise process sensitive personal data in the ordinary course of our business.

We take every reasonable step to ensure that your Personal Data that we process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Policy.

We take every reasonable step to ensure that your Personal Data is only processed for the minimum period necessary for the purposes set out in this Privacy Policy.

2. Collection of personal data

We collect or obtain personal data about you from the following sources:
  • Data provided to us: we obtain Personal Data when such data is provided to us (e.g. where you contact us via email or via our Cortextual app, or by any other means, or when you provide us with your business card).
  • Data we obtain in person: we obtain Personal Data during meetings, at conferences, during visits from sales or marketing representatives, in person interviews or at events we attend.
  • Collaborations: we obtain Personal Data when you collaborate with us in research or in an advisory/consultancy capacity.
  • Relationship data: we collect or obtain Personal Data in the ordinary course of our relationship with you (e.g. we provide a service to you).
  • Data you make public: we collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g. we may collect information if you make a public post about us).
  • Site data: we may collect or obtain Personal Data when you visit our website or use any features or resources available on or through the Cortextual app.
  • Registration details: we collect or obtain Personal Data when you use, or register to use our services.
  • Content and advertising information: if you interact with any third party content or advertising on the website or the Cortextual app (including third party plugins and cookies) we may receive Personal Data from the relevant third party provider of that content or advertising.

3. Categories of Personal Data we process

We process the following categories of Personal Data about you:
  • Personal details: given name(s); preferred name.
  • Contact details: email address.
  • Consent records: records of any consents you have given, together with the date and time; means of consent and any related information (e.g. the subject matter of the consent).
  • Purchase details: records of purchases and prices; and consignee name, email address.
  • Data relating to your use of our services: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to the Cortextual app; username; password; security login details; and usage data.
  • Content and advertising data: records of your interactions with our online advertising and content, records of advertising and content displayed on pages displayed to you, and any interaction you may have had with such content or advertising (e.g. mouse hover, mouse clicks, any forms you complete in whole or in part).
  • Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.

Please note that not all of the above will apply to you, as it will depend on your relationship with Cortextual.

Log data

In the event of an error, we may collect data (referred to as "Log data") from your device. This may include your IP address, device name, operating system version, app configuration, time and date of use, and other statistics.

Cookies

Cookies are small files stored on your device that help websites function effectively.

We do not use cookies directly, but third-party tools integrated into our service may use them. You can choose to accept or reject cookies via your browser settings. Refusing cookies may limit some functionalities.

Please check the Cookie Policy for more information.

Google data

When you connect your Google account to our app, we use the standard OAuth 2.0 authorisation flow recommended by Google. This allows you to grant permission for our application to access your Gmail and/or Google Drive data.
Once authorised, our system may access:

Your Gmail inbox to retrieve email messages
Your Google Drive to retrieve authorised files only (please note that our system won't request full Google drive access)
This data is used only to build your personal knowledge base within our platform. Our retrieval-augmented generation (RAG) system scans and learns from this data to provide personalised and relevant results.
All retrieved data is securely stored in our protected local database and encrypted S3 storage. Access is restricted to our API infrastructure only. We do not share or disclose your Gmail or Drive data with any third parties. The data is used exclusively to improve your experience within the app.

Disconnecting or deleting a connected Google account

You are in full control of your connected Google accounts:

Disconnecting a Google account:

When you disconnect your Google account, we immediately delete the associated access and refresh tokens from our database. You can choose to keep the files and emails that were already synced to your account.

Deleting a connected Google account:

If you choose to delete a connected Google account, all data associated with that connection will be permanently deleted. This includes any previously synced files from Google Drive and messages from Gmail.

4. Third-party service providers

We may work with third parties to:
  • Deliver and improve our service
  • Perform service-related tasks
  • Assist in analytics

These providers may have access to your information only to carry out these tasks on our behalf. They are bound by confidentiality and data protection obligations.

5. Purposes of processing and legal bases for processing

The purposes for which we process Personal Data, subject to applicable law, and the legal bases on which we perform such processing, are as follows:

Provision of services. Providing our products, or services; providing promotional items upon request; and communicating with you in relation to the services.
  • The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of providing our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
Compliance checks. Fulfilling our regulatory compliance obligations and other legal restrictions.
  • The processing is necessary for compliance with a legal obligation; or
  • The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of fulfilling our regulatory and compliance obligations (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business. Operating and managing our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our services; and notifying you of changes to our services.
  • The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of providing our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
Communications and marketing. Communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; enabling your choice to opt-out or unsubscribe, where applicable.
  • The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
Management of IT systems. Management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.
  • The processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Financial management. Sales; finance; audits; and vendor management.
  • We have a legitimate interest in carrying out the processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
Surveys. Engaging with you for the purposes of obtaining your views on our services.
  • We have a legitimate interest in carrying out the processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
Security. Physical security of our premises; electronic security (including login records and access details).
  • The processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Improving our services. Identifying issues with our services; planning improvements to our services; and creating new products or services.
  • We have a legitimate interest in carrying out the processing for the purpose of improving our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

6. International transfer of Personal Data

[section to be included additionally]

7. Data security and accuracy

Insofar as you are able, please ensure that any Personal Data that you send to us is sent securely.

We have implemented appropriate technical and organisational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, from the point of collection to the point of destruction, in accordance with applicable law.

Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk and you are responsible for ensuring that any Personal Data that you send to us are sent securely.

We take every reasonable step to ensure that:
  • Your Personal Data that we process is accurate and, where necessary, kept up-to-date; and
  • Any of your Personal Data that we process that is inaccurate (having regard to the purposes for which it was processed) is erased or rectified without delay;
  • From time to time we may ask you to confirm the accuracy of your Personal Data.

8. Links to other sites

Our service may include links to external websites. We are not responsible for the content or privacy practices of these third-party sites. Please review their privacy policies separately.

9. Children’s privacy

Cortextual does not knowingly collect personal data from children under the age of 13. If we discover that such data has been provided, we will delete it immediately. If you're a parent or guardian and believe your child has shared personal information with us, please contact us.

10. California Privacy Acts disclosures

[section to be included additionally]

11. Direct marketing

[section to be included additionally]

12. Your legal rights

[section to be included additionally]

13. Data processing using Artificial Intelligence

Cortextual as a deployer processes user inputs and connected cloud data via AI-powered features only with user authorization. Personal data is used strictly for the purposes of delivering and improving the service. We apply data minimization principles, collecting only what is necessary for functionality. We implement technical and organizational measures (encryption, access controls, monitoring) to protect personal data. AI outputs are monitored to reduce risks of harmful or discriminatory outcomes. Human oversight is maintained, and you as a user may override or discontinue AI outputs at any time. If personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or other safeguards under the applicable legislation. We apply additional technical measures (encryption, minimization) to ensure equivalent protection.

14. Contact Us

For the purposes of this Privacy Policy, the relevant Controller is:
  • Cortextual Inc., 150 S. State Street, Salt Lake City, UT 84111, USA, or any of its affiliated entities.

If you have any questions or suggestions regarding this privacy policy, contact us at: support@cortextual.com.