Privacy Policy

Privacy Policy

This Privacy Policy explains how Cortex ("Cortex," "we," "us," or "our") collects, uses, stores, shares, and protects information in connection with the Cortex platform at launchcortex.ai, including our web application, APIs, agent hosting infrastructure, Active Memory system, and all related services (collectively, the "Platform").

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are using the Platform on behalf of an organization, "you" refers to that organization. This Privacy Policy should be read together with our Terms of Service.

1. Information We Collect

1.1 Account Information

When you create a Cortex account, we collect:

• Name and email address
• Company or organization name
• Password (stored in hashed form)
• Billing information (processed and stored by Stripe; Cortex does not store full payment card numbers)
• Team member names and email addresses (if you invite others to your organization)

1.2 Onboarding Information

During the Knowledge Hub Builder onboarding flow, you provide information about your business, including:

• Company overview, products, and services
• Team structure and roles
• Tools and technology stack
• Goals and priorities
• Agent persona preferences and behavioral rules

This information is processed into structured knowledge documents that form your Agent's foundational context (the "Knowledge Hub").

1.3 Conversation Data

When you or your team members interact with your Agents through connected channels (Slack, Telegram, or other supported channels), the content of those conversations is transmitted through the Platform to your chosen LLM Provider via your API Keys. Conversation content is processed by the Active Memory system to extract Memory Facts, as described in Section 3.

1.4 Memory Data

The Active Memory system automatically extracts structured facts ("Memory Facts") from Agent conversations. Memory Data includes:

• The extracted fact content
• Metadata such as category, confidence score, usefulness score, access count, and tier status
• Scope designation (Agent, Team, or Company)
• Promotion and audit records (source fact, target scope, promotion strategy, and approval status)

1.5 API Keys

You provide third-party LLM API keys under our Bring Your Own Key model. API Keys are encrypted and stored in Supabase Vault, a dedicated secrets manager. They are never stored in plaintext in our application database, displayed in the Cortex dashboard, or included in application code. Each API Key access is logged in an audit trail.

1.6 Usage Data

We automatically collect information about how you interact with the Platform, including:

• Pages visited, features used, and actions taken within the dashboard
• Agent deployment status and health metrics
• Timestamps of interactions
• Browser type, operating system, and device information
• IP address

1.7 Communications

If you contact us via email or through the Platform, we collect the content of those communications and any contact information you provide.

2. How We Use Your Information

We use the information we collect for the following purposes:

We do not use your information to:

• Train machine learning models for any purpose
• Improve services for other customers based on your data
• Sell, rent, or share your personal information with third parties for their marketing purposes
• Build profiles of you for advertising purposes

3. Active Memory System

The Active Memory system is a core component of the Platform. Because it involves automated processing of your conversation data, we describe it in detail here.

3.1 Automatic Fact Extraction

After each Agent conversation, the Platform uses an AI model (currently Claude Haiku, accessed via Cortex's own API key for this specific function) to analyze the conversation and extract structured facts. This extraction happens automatically, without manual review by Cortex personnel. Extracted facts may include business decisions, commitments, preferences, identity information, architectural details, and other contextual knowledge.

3.2 Scoring and Tier Graduation

Each Memory Fact is assigned a composite score based on three factors: usefulness (whether the fact contributed to relevant Agent responses), access frequency, and extraction confidence. Facts progress through four tiers based on their scores:

• Volatile: 1-hour lifespan. Facts that do not reach the promotion threshold are automatically deleted.
• Daily: 24-hour lifespan. Promoted from Volatile when score threshold is met.
• Stable: 7-day lifespan. Promoted from Daily when score threshold is met.
• Permanent: Retained indefinitely until you delete them or terminate your account.

Facts that do not earn promotion expire and are deleted automatically at the end of their tier's lifespan.

3.3 Scope Promotion

Memory Facts may be promoted to broader organizational scopes:

• Agent to Team: When multiple Agents on the same team independently extract substantially similar facts (detected via embedding similarity), the fact may be promoted to Team scope, making it accessible to all Agents on that team.
• Team to Company: When multiple teams converge on substantially similar facts, the fact may be promoted to Company scope, making it accessible to all Agents in your organization.

Scope promotion is logged, including the source fact, target scope, promotion strategy used, and related facts. All promoted facts remain within your organization and are never shared with other Cortex customers.

3.4 Your Controls

You can:

• View all Memory Facts stored for your Agents, Teams, and Organization through the Platform dashboard
• Delete individual Memory Facts or request bulk deletion at any time
• Export your Memory Facts in a structured format
• Contact us to request complete deletion of all Memory Data

4. Data Retention

After account termination, Customer Data is available for export for 30 days. Following the export period, Customer Data is deleted from active systems within a commercially reasonable timeframe. Residual copies in encrypted backups are overwritten through normal backup rotation cycles.

5. How We Share Your Information

5.1 We Do Not Sell Your Data

We do not sell, rent, or share your personal information with third parties for their own marketing or commercial purposes.

5.2 Subprocessors

We use the following third-party service providers to operate the Platform. Each processes data only as necessary to provide their specific function:

5.3 LLM Providers (Via Your Own Keys)

When your Agents process conversations, data is transmitted to your chosen LLM Provider (such as Anthropic or OpenAI) through your own API Keys. You are the controller of this data transmission. Cortex acts as a processor, facilitating the API call on your behalf. The LLM Provider's handling of your data is governed by your agreement with that provider, not by this Privacy Policy. We encourage you to review your LLM Provider's privacy policy and data usage terms.

For the specific function of Memory Fact extraction (Section 3.1), Cortex uses its own API key to access an AI model. Conversation content processed for fact extraction is sent to the model provider solely for that purpose. We do not authorize the model provider to retain or use this data for training.

5.4 Channel Providers

When your Agent operates in Slack, Telegram, or other connected channels, message data flows through those platforms. Your use of those platforms is governed by their respective terms and privacy policies. Cortex does not control how channel providers process your data.

5.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of Cortex, our customers, or the public; (c) detect or prevent fraud or security issues; or (d) enforce our Terms of Service.

5.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your information becomes subject to a different privacy policy.

6. Data Security

We implement the following security measures to protect your information:

• Server Isolation. Each Agent runs on its own dedicated server with its own memory stack, secrets, and knowledge base. Agent servers are not shared across customers (except on Team plans, where a single customer's Agents share a server).
• Encrypted Secret Storage. API Keys are encrypted at rest in Supabase Vault using pgsodium encryption, referenced by ID, and never stored in plaintext. Secrets are scoped per-organization and per-deployment to prevent collisions.
• Access Controls. API Keys are written to Agent servers as root-owned environment files with restricted permissions (mode 0600). Vault secret access is logged in an audit trail.
• Encryption in Transit. All data transmitted between your browser and the Platform, and between the Platform and Agent servers, is encrypted using TLS. Each Agent server has its own SSL certificate.
• Network Security. Agent servers are configured with firewalls and are accessible only through the reverse proxy layer.
• Logical Data Isolation. Customer data in the shared database is partitioned by organization and logically isolated from other customers' data. Enterprise customers receive a dedicated database instance.

No security measure is perfect. While we take commercially reasonable steps to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for the security of your API Keys at their source.

7. Your Rights and Choices

7.1 All Customers

Regardless of your location, you may:

• Access your Account Information, Knowledge Hub content, and Memory Facts through the Platform dashboard
• Correct inaccurate Account Information through the dashboard
• Delete individual Memory Facts or your entire account
• Export your Memory Facts and Knowledge Hub content
• Opt out of non-essential communications by using the unsubscribe link in our emails

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including:

• The right to know what personal information we collect, use, and disclose
• The right to delete your personal information
• The right to opt out of the sale or sharing of your personal information (we do not sell or share your personal information as defined under the CCPA)
• The right to non-discrimination for exercising your rights

To exercise your rights, contact us at privacy@launchcortex.ai.

7.3 European Economic Area, United Kingdom, and Swiss Residents (GDPR/UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate personal data
• Erasure: Request deletion of your personal data
• Restriction: Request that we restrict the processing of your personal data
• Portability: Request a machine-readable copy of your personal data
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
• Automated Decision-Making: The Active Memory system involves automated processing of conversation data. You have the right to request information about the logic involved and to contest decisions made solely through automated processing that significantly affect you.

To exercise your rights, contact us at privacy@launchcortex.ai. We will respond within 30 days (or as required by applicable law). We may ask you to verify your identity before fulfilling your request.

Data Protection Officer. If required by applicable law, you may contact our Data Protection Officer at dpo@launchcortex.ai.

Supervisory Authority. You have the right to lodge a complaint with your local data protection supervisory authority.

7.4 Other Jurisdictions

We respect the data protection rights provided by the laws of your jurisdiction. If you have questions about your specific rights, contact us at privacy@launchcortex.ai.

8. International Data Transfers

Cortex is based in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, where our servers and subprocessors are located.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on: (a) Standard Contractual Clauses approved by the European Commission; and/or (b) other lawful transfer mechanisms as applicable. Enterprise customers may request execution of a Data Processing Addendum incorporating Standard Contractual Clauses.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account or through a prominent notice on the Platform at least 30 days before taking effect. Non-material changes (such as formatting or clarification) may be made without advance notice.

The "Last Updated" date at the top of this Privacy Policy indicates when the latest revisions were made. Continued use of the Platform after the effective date of a revised Privacy Policy constitutes acceptance of the changes.

11. Contact Us

If you have questions about this Privacy Policy, your data, or your rights, contact us at: Cortex Email: privacy@launchcortex.ai For data protection inquiries from the EEA or UK: dpo@launchcortex.ai