This Privacy Policy describes how Cortexa (“we,” “us,” or “our”) collects, uses, and protects information when you use the Cortexa platform at cortexa.sh, including our APIs, MCP server, and related services (the “Service”).
We are committed to protecting your privacy and handling your data transparently. We only collect what is necessary to provide and improve the Service.
1. Information We Collect
1.1 Account Information
When you sign in via Google OAuth, we receive your name, email address, and profile picture from Google. When you create an account with email and password, we store your email address and a one-way password hash. We do not receive or store your Google password or plaintext account password.
1.2 Usage Data
We collect information about how you interact with the Service, including:
- Session activity (queries submitted, tools used, features accessed)
- Credit consumption and billing events
- Device and browser information (user agent, screen resolution)
- IP address and approximate geographic location
- Timestamps and session duration
1.3 Research Content
When you use Cortexa, we process and store the content you provide and generate, including:
- Research queries and conversation history
- Uploaded files and library items
- Analysis code and execution results
- Generated briefs, presentations, and exports
This content is stored to provide the Service (session persistence, history, and collaboration). It is private to your account by default. If you choose to share an item with an organization workspace you belong to, it becomes accessible to the members of that organization; you can make it private again at any time.
1.4 Payment Information
Payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full credit card number. Stripe provides us with a payment token, last four digits, card brand, and billing address for record-keeping. See Stripe’s Privacy Policy for details on how they handle payment data.
2. How We Use Your Information
We use collected information to:
- Provide the Service: authenticate you, run research queries, store sessions, execute analysis, and deliver results.
- Process payments: manage subscriptions, track credit usage, and handle billing.
- Improve the Service: analyze usage patterns (in aggregate) to identify bugs, optimize performance, and develop new features.
- Communicate: send transactional emails (billing receipts, account notifications) and, with your consent, product updates.
- Enforce our Terms: detect and prevent abuse, fraud, or violations of our Terms of Service.
3. What We Do NOT Do
- We do not sell your data. Period. We will never sell, rent, or trade your personal information or research content to third parties.
- We do not train AI models on your data. Your research queries, uploaded files, analysis code, and generated outputs are not used to train or fine-tune our AI models or any third-party models.
- We do not share your content with other users unless you explicitly create a public share link.
- We do not serve ads. The Service is funded by subscriptions, not advertising.
4. Data Sharing
We share information only in these limited circumstances:
- Service providers: We use trusted infrastructure providers (Vercel for hosting, Neon for the database, Stripe for payments, and Google for OAuth authentication) that process data on our behalf under contractual obligations to protect it.
- AI model providers: Research queries are sent to large language model providers (e.g., Anthropic, OpenAI) to generate responses. These providers process your query content but do not retain it for training. We select providers with strong data-use commitments.
- External data sources: When Cortexa queries scientific databases (PubMed, arXiv, etc.), your research queries or derived search terms may be transmitted to those APIs. These are public query APIs and do not receive your account information.
- Legal requirements: We may disclose information if required by law, court order, or governmental request, or to protect rights, safety, or property.
5. Data Storage and Security
- Infrastructure: Data is stored on Neon Postgres (database) and Vercel Blob (file storage), both hosted in the United States.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest.
- Access controls: Production systems use role-based access controls, environment isolation, and audit logging.
- Retention: We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and research content within 30 days, except where retention is required by law or for legitimate dispute resolution.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your account and associated data.
- Export your research sessions and generated content.
- Object to certain processing activities.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, contact us at support@cortexa.sh. We will respond within 30 days.
7. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising trackers or cross-site tracking cookies. Analytics, when used, are privacy-respecting and aggregated.
8. Children’s Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
9. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We apply appropriate safeguards to protect data transferred across borders, consistent with applicable data protection laws.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.
To exercise your CCPA rights, contact us at support@cortexa.sh.
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:
- Contract performance: to provide the Service you requested.
- Legitimate interest: to improve the Service, prevent abuse, and communicate about your account.
- Consent: where required (e.g., marketing communications).
You may contact us to exercise your rights under GDPR, including the right to lodge a complaint with your local data protection authority.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 15 days before taking effect. The “Effective date” at the top reflects the latest version.
13. Contact
Questions or concerns about this Privacy Policy? Contact us at support@cortexa.sh.