Privacy Policy
Effective 2026-05-05 · Last updated 2026-05-05
This page mirrors docs/PRIVACY_POLICY.md — the canonical, counsel-reviewable version.
1. Who we are
Cortex is an AI Second Brain SaaS at loftbrain.ai. We ingest content you provide, extract knowledge with large language models, and let you chat with, search, and act on that knowledge through agentic skills.
For GDPR purposes, the controller of your personal data is Cortex / loftbrain.ai. Privacy contact (de-facto DPO): privacy@loftbrain.ai.
2. What we collect
The minimum needed to run Cortex:
- Identity — email + optional display name
- Authentication — WorkOS session metadata + MFA factors (managed by WorkOS)
- Content you ingest — URLs, files, transcripts, your prompts
- Generated knowledge — LLM-generated summaries, entities, claims, embeddings
- Activity — login times, ingest events, scope grants for security audit
- Billing — Stripe customer ID + last-4 of card (PAN never stored by us)
- Diagnostics — Core Web Vitals + sanitised error reports (no PII)
We do NOT collect: date of birth, age, gender, ethnicity, postal address, government IDs, health/biometric data, precise geolocation, browsing history outside Cortex, or cross-site advertising profiles.
3. Lawful basis (GDPR Art. 6)
- Performance of contract — providing the service, transactional emails
- Legitimate interests — security monitoring, error reporting (no fingerprinting)
- Legal obligation — compliance with court orders, subpoenas
- Explicit consent — for any future analytics or marketing cookies (none today)
4. Encryption + security
Every API key you bring is encrypted at rest with Fernet (per-tenant keys, rotatable from fly secrets). All traffic uses HTTPS end-to-end with HSTS preload. A strict CSP is enforced with per-request nonces. A tenant-scoped database cursor enforces per-user isolation as defense in depth.
5. Bring-Your-Own-Key (BYOK)
The tier model is BYOK by default. The free tier provides $2 of managed quota on a Cortex-owned key for evaluation; everything beyond that runs on your own Anthropic / OpenAI / Gemini / Composio credentials. We never train on your content and never send your content to a model not listed in your active provider chain.
6. Sub-processors (who we share data with)
Anthropic (Claude), Google (Gemini, Workspace integrations via Composio), OpenAI (Whisper + embeddings), Composio (OAuth proxy to your Slack / GitHub / Notion / Drive / Calendar / Linear), WorkOS (auth), Stripe (billing), Vercel (frontend hosting), Fly.io (backend hosting), Cloudflare (DNS), Sentry (errors), Axiom (logs).
Each sub-processor's privacy policy is linked in docs/PRIVACY_POLICY.md §4.
We do NOT share data with advertising networks, analytics providers, affiliate networks, data brokers, or governments (except where legally compelled).
7. International transfers
Most of our infrastructure is in the United States. For users in the EU/UK, transfers to US sub-processors rely on Standard Contractual Clauses (SCCs) and, where available, the EU-U.S. Data Privacy Framework certification of the sub-processor.
8. Retention
Account + content + chat: until you delete. Activity log: 30 days after account deletion. Web Vitals: 30 days. Sentry errors: 90 days. Stripe customer record: per Stripe + tax-law obligations (typically 7 years).
9. Your rights
GDPR + CCPA give you the right to access, rectify, erase, port, restrict, and object to processing of your personal data. You can:
- Export everything via /settings → Sessions → Export my data
- Delete everything via /settings → Sessions → Delete my account
- Manage cookies via the footer link
- Lodge a complaint with your local supervisory authority (EU/UK)
We respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA), with one possible 30-day extension for complex requests.
10. Children
Cortex is not directed at children under 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect data from anyone under that age.
11. Changes
Material changes: we email registered users at least 30 days before the change takes effect, post a banner on loftbrain.ai, and bump the "Last updated" date.
12. Contact
Privacy / data subject requests: privacy@loftbrain.ai. Security: security@loftbrain.ai. Legal: legal@loftbrain.ai.