Privacy Policy
Last updated: 9 July 2026
Controller
Rubber Ducky (Netherlands) is the data controller for Cortex (getcortex.org). Contact: hello@getcortex.org.
What we collect, and why
Account data — email, name, and avatar from Google sign-in — to operate your account (contract).
Your content — neurons, files, captures, and the projects/teams structure around them — because storing and searching it is the product (contract). Content is indexed and embedded so it can be found; it is never used to train AI models.
Billing data — plan, invoices, and payment status. Card details live with Revolut; we never see them (contract, legal obligation).
Usage data — privacy-friendly, cookieless product analytics via self-hosted Umami, plus AI-usage metering for your monthly credit budget (legitimate interest).
Processors we use
Data is shared only with processors needed to run Cortex:
- Hosting & storage — our EU-based infrastructure (database, file storage, search index)
- Revolut — payment processing for subscriptions
- Moneybird — invoicing and bookkeeping
- AI model providers (via OpenRouter) — only the content needed to answer a request is sent, only when AI features run; with your own provider key, your key’s terms apply
- GitHub — only when you connect git sync, and only your synced repo
- AWS SES — transactional email
We never sell personal data and run no advertising trackers.
Retention & deletion
Your data is kept while your account exists. Deleting your account starts a 30-day grace window, after which everything is permanently erased — content, embeddings, files, and analytics identifiers. Invoices are retained as long as Dutch tax law requires (7 years). You can export your full data as a ZIP at any time from Settings.
Your rights (GDPR)
You can access, correct, export, restrict, object to, or erase your personal data — most of it directly in the app, the rest via hello@getcortex.org. You may also complain to the Dutch supervisory authority (Autoriteit Persoonsgegevens).
Security
Content is encrypted in transit and at rest; stored provider keys are additionally encrypted with AES-256-GCM. See the security page for the full picture.
Changes
Material changes to this policy are announced by email or in-app before they take effect. See also the Terms of Service.