Cortexia

Cortexia Privacy Policy

Version 0.1
Last updated: 23 May 2026
Effective: 23 May 2026

This Privacy Policy explains how Revontulet AS handles personal data in connection with Cortexia, the analysis platform we operate at https://cortexia.co. It is written to meet Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), as implemented in Norway through the Personal Data Act (Personopplysningsloven).

If you read nothing else, read the box.

Plain-language summary.

  • We are Revontulet AS in Oslo. We are the data controller for the personal data described here.
  • We process the data you give us to run Cortexia, to bill you, to keep the Service secure, to comply with law, and to improve the Service.
  • Where you put personal data into Cortexia about other people (typically as an organisation customer), we act as a processor for that data, on your instructions, governed by our Data Processing Agreement.
  • You have rights over your personal data, including access, correction, deletion, and the right to complain to the Norwegian Data Protection Authority (Datatilsynet).
  • We do not sell your personal data.

1. Who we are

The data controller is:

Revontulet AS
Håkon Melbergs vei 16, 1783 Halden, Norway
Org. no. 933 793 133
Email: privacy@cortexia.co

We have not appointed a Data Protection Officer. We have considered the criteria in GDPR Article 37 and concluded that a DPO is not required at this time: our core activity is providing analytical tooling, not large-scale systematic monitoring of individuals or large-scale processing of special categories of data. We will reassess as the Service and organisation grow. For any privacy question, contact privacy@cortexia.co.

2. What this Policy covers and what it does not

This Policy covers personal data that Revontulet AS processes as a controller, which means data we decide the purposes and means of processing for. That is mainly:

  • personal data about people who visit cortexia.co,
  • personal data about people who create or hold a Cortexia account,
  • personal data about people at our customer organisations who interact with us about billing, support, contracts or sales,
  • personal data about people who contact us by email or other channels.

It does not cover personal data that you (as an organisation customer) put into Cortexia about your own data subjects (for example, content you ingest, data subjects analysed in your queries, or anyone identifiable in your outputs). For that data, you are the controller and we are the processor; how we handle it is governed by our Data Processing Agreement.

3. What personal data we process and why

The table below sets out, for each category of personal data we process as controller, the purpose, the legal basis under GDPR Article 6(1), and how long we keep it.

| Category of data | Examples | Purpose | Legal basis (GDPR Art. 6(1)) | Retention |
|---|---|---|---|---|
| Account data | Name, work email, organisation, role, password hash, authentication factors | Create and operate your account; authenticate access | (b) Contract: necessary to provide the Service you signed up for | For as long as the account exists, plus 30 days |
| Billing data | Billing name, billing address, VAT number, payment method token, invoice history | Bill you and meet bookkeeping duties | (b) Contract for billing; (c) Legal obligation for accounting records | Account life + 5 years after the calendar year of the last transaction, per Norwegian Bookkeeping Act (Bokføringsloven) § 13 |
| Usage data | Pages visited, features used, queries submitted (metadata only), timestamps, IP address (truncated for analytics), device and browser metadata. Analytics are collected via a self-hosted Matomo instance in cookieless mode (see Section 8) | Operate, secure and improve the Service; detect and prevent abuse | (f) Legitimate interests in running a secure, reliable service; balanced against your rights | 13 months in identified form, then aggregated or deleted |
| Support and communications | Emails, support tickets, transcripts of any chat support | Respond to you and keep a record of the interaction | (b) Contract for support; (f) Legitimate interest in retaining a record of communications | 3 years after the last interaction |
| Marketing data (only where you opt in) | Email address, language preference, opt-in record | Send you newsletters or product updates you asked for | (a) Consent | Until you withdraw consent, plus 30 days |
| Sales and prospect data | Business contact details from organisations exploring Cortexia | Sales conversations and contracting | (f) Legitimate interest in B2B sales; for outbound contact to individuals, (a) Consent where required by Markedsføringsloven § 15 | 24 months after the last meaningful interaction |
| Security and audit logs | Authentication events, suspicious-activity flags, IP address | Detect, investigate and respond to security incidents; meet obligations under GDPR Article 32 | (f) Legitimate interest in security; (c) Legal obligation where applicable | 12 months, longer if needed for an active investigation |

Where we rely on legitimate interests under Article 6(1)(f), we have carried out a balancing test for each purpose and concluded that our interest does not override your fundamental rights and freedoms. We will share the balancing assessment summary on request to privacy@cortexia.co.

Where we rely on consent under Article 6(1)(a), you may withdraw it at any time without affecting the lawfulness of processing before the withdrawal. See Section 7.

4. Where the data comes from

Most personal data we hold about you comes from you directly (when you create an account, fill in a form, contact us, or use the Service). For sales and prospect data, we may also collect business contact details from publicly available sources (your organisation's website, LinkedIn profile, public-tender publications). When you log in using a third-party identity provider, we receive the data points required to authenticate you.

5. Who we share data with

We share personal data only as needed for the purposes set out above, and only with categories of recipients listed here:

  • Our personnel. Employees and contractors of Revontulet AS who need access to do their jobs, bound by confidentiality.
  • Sub-processors. Third-party service providers who process personal data on our behalf, under written contracts that meet GDPR Article 28. Our current sub-processor list is published at https://cortexia.co/legal/sub-processors and includes our hosting provider, our identity provider, our email and support tools, our payment processor, and the third-party model providers Cortexia relies on. We give 30 days' notice before adding or replacing a sub-processor on the list; customers on organisation accounts may object as set out in the DPA.
  • Authorities. Law-enforcement, regulators, or courts, where we are legally required to disclose or where disclosure is necessary to establish, exercise or defend legal claims.
  • Professional advisers. Lawyers, auditors and accountants, under their professional duties of confidence.
  • Successors. In connection with a merger, acquisition, financing, reorganisation or sale of substantially all assets, on the condition that the successor is bound by terms no less protective than this Policy.

We do not sell personal data, and we do not share personal data with advertising networks for behavioural advertising.

6. International transfers

Cortexia is hosted in the EEA (Hetzner, Germany/Finland). Some of our sub-processors may process personal data outside the EEA, including in the United States. Where that is the case, we rely on one or more of the transfer mechanisms permitted under GDPR Chapter V, in order of preference:

  1. an adequacy decision under Article 45 (for example, the EU-US Data Privacy Framework for certified US recipients);
  2. the European Commission's Standard Contractual Clauses under Article 46(2)(c), combined with a Transfer Impact Assessment and any supplementary measures we identify as necessary;
  3. binding corporate rules where available; or
  4. another lawful basis permitted by Articles 46 or 49.

Our sub-processor list at https://cortexia.co/legal/sub-processors notes for each provider the country of processing and the transfer mechanism used. You can request a copy of the relevant safeguards by emailing privacy@cortexia.co.

7. Your rights

Under GDPR Articles 15 to 22 and Norwegian law, you have the following rights in respect of personal data we hold about you as controller:

  • Access (Art. 15): a copy of your personal data and information about how we process it.
  • Rectification (Art. 16): correct inaccurate data or complete incomplete data.
  • Erasure (Art. 17): have your personal data deleted in the situations the article lists.
  • Restriction of processing (Art. 18): require us to limit processing in defined cases.
  • Data portability (Art. 20): receive personal data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
  • Object (Art. 21): object to processing based on Article 6(1)(f), including for direct marketing. We will stop unless we can show compelling legitimate grounds that override your rights.
  • Withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Not be subject to solely automated decisions with legal or similarly significant effects (Art. 22). We do not currently make any such decisions about you using personal data we hold as controller; if that changes, we will update this Policy and meet the Article 22 safeguards.

To exercise any of these rights, email privacy@cortexia.co. We will respond within one month, extendable by a further two months for complex requests, in line with GDPR Article 12(3). We may need to verify your identity before responding.

You have the right to lodge a complaint with a supervisory authority, in particular the Norwegian Data Protection Authority (Datatilsynet) at postkasse@datatilsynet.no, or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.

8. Cookies and similar technologies

cortexia.co uses only strictly necessary cookies, used to deliver the Service you requested (for example, to keep you logged in or to remember your preferences). These do not require consent.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies on cortexia.co.

For usage analytics we use a self-hosted instance of Matomo running in cookieless mode on our own infrastructure within the EEA. In this configuration Matomo does not set any cookies, does not use browser fingerprinting for cross-session tracking, and does not share data with any third party. Visitor data is aggregated and cannot be used to identify individual users across sessions. Because no cookies or equivalent persistent identifiers are used, no consent is required for this processing under ePrivacy Directive Article 5(3) and its Norwegian implementation.

9. Security

We take appropriate technical and organisational measures to protect personal data, in line with GDPR Article 32 and recognised standards. Measures include encryption in transit and at rest, role-based access controls, audit logging, least-privilege provisioning, vulnerability scanning, regular review of sub-processors, staff training, and an incident-response process.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours where required by Article 33 and notify affected individuals without undue delay where required by Article 34. For customers using Cortexia as a processor, breach-notification timing to the controller is set out in the DPA.

No system is perfectly secure. Tell us at security@cortexia.co if you suspect any compromise of your account or our Service.

10. Children

The Service is not intended for children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact privacy@cortexia.co and we will take appropriate steps.

11. Changes to this Policy

We may update this Policy as our processing or applicable law changes. When the change is material, we will give you reasonable advance notice by email or in the Service before the change takes effect. The "Last updated" date at the top reflects the current version. Earlier versions are available on request.

12. Contact

For any privacy question, request or complaint about our handling of personal data:

privacy@cortexia.co
Revontulet AS, Håkon Melbergs vei 16, 1783 Halden, Norway

Cortexia is built by Revontulet
