· Legal ·

Privacy Policy

Last updated: 9 July 2026

Controller

Rubber Ducky (Netherlands) is the data controller for Cortex (getcortex.org). Contact: hello@getcortex.org.

What we collect, and why

Account data — email, name, and avatar from Google sign-in — to operate your account (contract).

Your content — neurons, files, captures, and the projects/teams structure around them — because storing and searching it is the product (contract). Content is indexed and embedded so it can be found; it is never used to train AI models.

Billing data — plan, invoices, and payment status. Card details live with Revolut; we never see them (contract, legal obligation).

Usage data — privacy-friendly, cookieless product analytics via self-hosted Umami, plus AI-usage metering for your monthly credit budget (legitimate interest).

Processors we use

Data is shared only with processors needed to run Cortex:

  • Hosting & storage — our EU-based infrastructure (database, file storage, search index)
  • Revolut — payment processing for subscriptions
  • Moneybird — invoicing and bookkeeping
  • AI model providers (via OpenRouter) — only the content needed to answer a request is sent, only when AI features run; with your own provider key, your key’s terms apply
  • GitHub — only when you connect git sync, and only your synced repo
  • AWS SES — transactional email

We never sell personal data and run no advertising trackers.

Retention & deletion

Your data is kept while your account exists. Deleting your account starts a 30-day grace window, after which everything is permanently erased — content, embeddings, files, and analytics identifiers. Invoices are retained as long as Dutch tax law requires (7 years). You can export your full data as a ZIP at any time from Settings.

Your rights (GDPR)

You can access, correct, export, restrict, object to, or erase your personal data — most of it directly in the app, the rest via hello@getcortex.org. You may also complain to the Dutch supervisory authority (Autoriteit Persoonsgegevens).

Security

Content is encrypted in transit and at rest; stored provider keys are additionally encrypted with AES-256-GCM. See the security page for the full picture.

Changes

Material changes to this policy are announced by email or in-app before they take effect. See also the Terms of Service.