Privacy Policy
Last updated: February 28, 2026
1. Introduction
This Privacy Policy ("Policy") describes how CortexSales ("Company", "we", "us") collects, uses, stores, and protects personal data when you use the CortexSales platform, website, APIs, and related services (the "Service"). This Policy applies to all users of the Service, including visitors to our website. We are committed to protecting your privacy and processing personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and all applicable data protection legislation.
2. Data Controller
CortexSales acts as the Data Controller for personal data collected through the Service. For questions about data processing or to exercise your rights, contact our Data Protection contact at: john@cortexsales.com. CortexSales, Vilnius, Lithuania.
3. Personal Data We Collect
We collect the following categories of personal data: (a) Account Information: name, email address, company name, job title, and phone number provided during registration; (b) Billing Information: company billing address and payment details, processed by our third-party payment processor; (c) Usage Data: feature usage, session duration, pages visited, actions performed, and interaction patterns; (d) Device and Technical Data: IP address, browser type, operating system, device identifiers, and referring URLs; (e) Communication Data: content of emails composed through the Service, campaign configurations, and prospect research data uploaded by you; (f) Log Data: server logs including timestamps, API calls, error reports, and performance metrics. We do not intentionally collect sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, or biometric data).
4. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases: (a) Performance of Contract: processing necessary to provide the Service as agreed in our Terms of Service; (b) Legitimate Interest: analytics, security monitoring, fraud prevention, and service improvement, where our interests do not override your fundamental rights; (c) Consent: marketing communications and optional cookies, which you may withdraw at any time; (d) Legal Obligation: processing required to comply with applicable laws, regulations, or court orders. Where we rely on legitimate interest, we conduct balancing tests to ensure your rights are protected.
5. How We Use Personal Data
We use personal data for the following purposes: (a) to provide, maintain, and improve the Service; (b) to process transactions and manage your account; (c) to send transactional communications (account notifications, security alerts, billing); (d) to analyze usage patterns and improve user experience; (e) to detect, prevent, and address security threats and fraud; (f) to enforce our Terms of Service and Acceptable Use Policy; (g) to comply with legal obligations; (h) to send marketing communications (only with your consent). We do not use Customer Data to train machine learning models. AI features process data in real-time and do not retain training data from customer communications.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to third parties. We may share data with: (a) Service Providers: infrastructure providers (hosting, CDN), payment processors, email delivery services, and analytics tools, all bound by Data Processing Agreements; (b) Legal Requirements: when required by law, court order, or governmental authority; (c) Business Transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected users; (d) With Your Consent: when you explicitly authorize sharing with a third party. All third-party service providers are vetted for security and GDPR compliance.
7. International Data Transfers
Your data may be processed in countries outside your jurisdiction. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms. You may request a copy of the applicable transfer safeguards by contacting us at john@cortexsales.com.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including: (a) Encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit; (b) Access Controls: role-based access control (RBAC), multi-factor authentication, and least-privilege principles; (c) Infrastructure: multi-tenant architecture with complete logical isolation between customer organizations; (d) Monitoring: continuous security monitoring, intrusion detection, and automated alerting; (e) Logging: all access to personal data is logged for audit purposes, with logs retained for 12 months; (f) Personnel: all employees with access to personal data are bound by confidentiality agreements. No system can guarantee absolute security. We will notify affected users and relevant authorities of any data breach within 72 hours as required by GDPR.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy: (a) Account Data: retained while your account is active plus 30 days after termination; (b) Billing Data: retained for 7 years as required by tax and accounting regulations; (c) Usage and Log Data: retained for 12 months for analytics and security purposes; (d) Communication Data: retained according to your organization’s configured retention settings; (e) Marketing Preferences: retained until you withdraw consent. Upon account termination, you may request immediate deletion of all personal data (except data required by law). Deletion requests are processed within 30 days.
10. Cookies and Tracking Technologies
We use the following categories of cookies: (a) Strictly Necessary: authentication tokens, session management, and security cookies (cannot be disabled); (b) Functional: language preferences and user interface customization; (c) Analytics: privacy-friendly, first-party analytics to understand usage patterns (no cross-site tracking, no advertising profiles). We do not use third-party advertising cookies or tracking pixels. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect your ability to use the Service.
11. Your Rights
Under GDPR, CCPA/CPRA, and other applicable laws, you have the following rights: (a) Right of Access: request a copy of the personal data we hold about you; (b) Right to Rectification: request correction of inaccurate or incomplete data; (c) Right to Erasure: request deletion of your personal data (subject to legal retention requirements); (d) Right to Restriction: request that we limit processing of your data; (e) Right to Data Portability: receive your data in a structured, commonly used, machine-readable format (JSON, CSV); (f) Right to Object: object to processing based on legitimate interest, including profiling; (g) Right to Withdraw Consent: withdraw consent at any time for processing based on consent; (h) Right to Non-Discrimination: exercising your rights will not result in discriminatory treatment. California residents additionally have the right to know what personal information is collected, sold, or disclosed. To exercise any of these rights, contact us at john@cortexsales.com. We will respond within 30 days (or as required by applicable law).
12. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly. If you believe we have collected data from a child, please contact us immediately at john@cortexsales.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated at least 30 days in advance via email to the address associated with your account. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Supervisory Authority
If you are located in the European Economic Area and believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with your local Data Protection Authority (DPA). We encourage you to contact us first so we can address your concern directly.
15. Contact Information
For questions, complaints, or requests regarding this Privacy Policy or our data processing practices, please contact us at: john@cortexsales.com. CortexSales, Vilnius, Lithuania.