Cortical.io Data Privacy Notice

Last updated and effective date: February 13, 2024

1. General

1.1. This Data Privacy Notice provides information on data processing activities of Cortical.io AG, Mariahilfer Strasse 4, 1070 Vienna, Austria (“Cortical.io” or “Controller” or “we”/“us”/“our”) regarding your personal data when you use our Services (Cortical.io Developer Portal) and/or visit our Website and informs you about the rights you have in connection with your personal data.

1.2. This Data Privacy Notice serves to fulfill the information obligations according to the General Data Protection Regulation (“GDPR”) and other applicable local data protection laws.

2. Controller & Contact Details

2.1. Cortical.io is the Controller in the meaning attributed to that term in the GDPR and other applicable local data protection laws regarding the processing of your personal data as described in this Data Privacy Notice.

2.2. Cortical.io can be contacted as follows:

Postal address: Mariahilfer Strasse 4, 1070 Vienna, Austria
E-mail address: dataprotection@cortical.io

2.3. We offer a highly efficient intelligent document processing solution with natural language understanding technology via an Application Programming Interface (API). As regards personal data that might be contained in text you process using our software, you are the controller of this personal data. Cortical.io is the Processor in the meaning attributed to that term in the GDPR and other applicable local data protection laws; the data processing is based on a respective Data Processing Agreement concluded between you and Cortical.io pursuant to Article 28 GDPR and the relevant provisions of applicable local data protection laws.

3. Our data processing activities

In the following sections, we will inform you what we do with your personal data, especially (i) for which purpose we process your personal data, (ii) under which legal basis we do so and (iii) how long we store your personal data. Information on our processing activities related to our Website can be found below in section 7.

3.1. Registration (User Account)

(a) You can set up a User Account by filling out the registration form on our Website. For setting up your User Account, the following personal data is required:

Name
E-mail address
Password

We will send you a registration confirmation to the E-mail address you have provided; this will contain a link to activate your User Account (“double-opt-in”).

We need this data in order to enlist you as a customer/user and to set up the prerequisites for enabling you to subscribe to/use our Services.

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract / initiation of a contract).

(b) We also process data generated through your registration or use of your User Account:

User ID
Date of registration/activation
Applicable version of General Terms and Conditions
Provided version of Data Privacy Notice
Provided version of Data Processing Agreement
Direct Marketing Consent – Y/N
Subscription to our Services – Y/N
Changes of registration data
Account usage data (e.g., logfiles)

We need this data in order to enlist you as a customer and to set up the prerequisites for enabling you to use/subscribe to our Services. We also need this data for evidentiary, accountability and data security purposes and for direct marketing purposes (i.e., to know whether or not we are allowed to send you direct marketing messages). Your contact data can also be used for communication between you and us regarding non-marketing related matters relating to our Services to enable you to use our service smoothly and comfortably.

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract / initiation of a contract), Article 6 (1) (c) GDPR (legal obligation, in particular controller obligations under the GDPR such as Article 5 (2) or Article 32 GDPR) and Article 6 (1) (f) (legitimate interests) – we have a legitimate interest to document legally relevant information such as, e.g., (i) that you have agreed to our General Terms and Conditions and to which version, (ii) that we are allowed/not allowed to send you direct marketing messages. In case of the status of your User Account, we have a legitimate interest to process login activities to ensure data security, e.g., prevent/detect illegal activities (e.g., cyber-attacks) and to recognize inactive accounts (inactivity triggers deletion, see below).

(c) Generally, we store your data as long as you have a User Account with us plus 60 days (for administrative purposes). If you do not have a Subscription to our Services (or your Subscription has ended), you can delete your User Account at any time; generally, the data will be deleted after 60 days (see below for instances with a longer retention period). If you do not have a Subscription to our Services (or your Subscription has ended) and you do not delete your User Account, we will keep your User Account running for 18 months, so that you do not have to register again in case you decide to purchase a Subscription or renew your Subscription (this is both in our and in your interest). If your User Account is inactive for 18 months, we will send you an E-mail informing you that your account will be deleted if you do not (i) click on the do-not-delete-link in the E-mail or (ii) log into your User Account in the next 30 days. If you have an active Subscription to our Services, you can delete your User Account at the end of your Subscription; generally, the data will be deleted after 60 days (for administrative purposes) (see below for instances with a longer retention period).

(d) Setting up a User Account is a prerequisite for subscribing to/using our Services.

3.2. Subscription (Free Subscription Plan, Chargeable Subscription Plan)

(a) After registration, you can subscribe to our Services. You can choose between a Free Subscription Plan and a Chargeable Subscription Plan.

In case you opt for a Free Subscription Plan, you have to provide the following data:

Name
Email address
Password

In case you opt for a Chargeable Subscription Plan, you have to provide the following data:

Payment information and method
Address
Company name (if applicable)
Company address (if applicable)
VAT number (if applicable)
Chosen subscription plan
Chosen subscription period

We need the registration data listed above in section 3.1 as well as this data in order to provide you with and charge you for our Services.

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract).

(b) We also process data generated by you through your use of your Subscription:

Date of subscription
Subscription usage data (e.g., number of used Requests of our Services)
Subscription changes (incl. date of change, date of effectiveness)
Payment (including date and balance)
Invoice data

We need the registration data listed above in section 3.1 as well as this data in order to provide you with and charge you for our Services and to be able to give you up-to-date information about the consumption of our Services.

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract) and additionally Article 6 (1) (f) GDPR (legitimate interests – both we and you have a legitimate interest to document the consumption of our Services – e.g., spent/still available Requests per Subscription/billing period). We also need to process payment/invoice data to fulfill legal obligations, namely invoice and accounting obligations (Article 6 (1) (c) GDPR).

(c) Generally, we store your data as long as you have a Subscription to our Services plus 60 days (for administrative purposes). Data we have to store due to statutory retention obligation will be stored for as long as legally required (accounting records, receipts and invoices: 7 years, pursuant to the Austrian Federal Tax Code BAO and the Austrian Corporate Code UGB). Furthermore, if at the end of your Subscription we need the data for the establishment, exercise or defense of legal claims, we will retain the data for as long as we need it for this purpose (generally, no longer than 3 years).

(d) Making a Subscription and providing the above data is a prerequisite for using our Services.

3.3. Excursus: Text uploaded by you

As regards personal data that might be contained in text that you process using our software endpoints, Cortical.io is acting as a Processor (see above).

The texts are only temporarily stored for as long as is technically required to provide our Services. The result of our Service, i.e., the output you receive after using an available Request from your Subscription, is also only temporarily stored for as long as it is technically required to provide our Services. Both the submitted text as well as the output you receive are not available afterwards, i.e., you have to make sure to store them yourself locally.

You can customize our Services to your needs with example documents (training data). Cortical.io is acting as a Processor for this data.

In order to improve our Services, the following data are stored about the application of our Services to the text you are processing:

Duration of processing of the text
Number and size of requests

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract) and Article 6 (1) (f) (legitimate interests) – we have a legitimate interest to improve our Services.

This data is deleted after 60 days.

3.4. Customer support

Cortical.io offers technical support relating to our Services. For this purpose – provided you make use of our technical support – we process the following data:

Name
E-mail address
Communication data (your request, our response, potential follow-ups, etc.)
Other data required to resolve customer issue (e.g., logfiles)

The legal basis for this data processing is Article 6 (1) (b) GDPR (performance of a contract). The legal basis for this data processing is also Article 6 (1) (f) GDPR (legitimate interests) – we have a legitimate interest to help our customers / to maintain customer satisfaction and improve our Services.

The data are stored for 18 months after your request has been resolved and are then deleted, unless the data is needed for the establishment, exercise or defense of legal claims (we will retain the data for as long as we need it for this purpose (generally, no longer than 3 years)).

Providing the above data is a prerequisite for receiving customer support services.

3.5. Direct marketing

(a) Newsletter / E-mail marketing

You can subscribe to our newsletter to get information related to our services (e.g., new features, offers, etc.). If you do so, we process the following data to provide you with our newsletter and to evaluate our newsletter:

Name
E-mail address
Subscription data (time and date of subscription)
Interaction data (time of opening the newsletter, interaction with content of/links in the newsletter)

The legal basis for this data processing is Article 6 (1) (a) (consent). You can withdraw your consent at any time, either by following the “unsubscribe”-link at the end of every newsletter or by giving us a respective withdrawal notice (for more information on consent and withdrawal of consent, please see below).

We store the data for the duration of your subscription to the newsletter. The data can be used longer than that in anonymized form (i.e., in a form where it is not possible to trace the data back to you) for statistical/analytical purposes to evaluate our newsletter.

We use a processor for our newsletters; for more information see below under “recipients of personal data”.

(b) Surveys / Product testing

We may conduct surveys on our Services or enable customers to test new products. If you participate in such surveys or product testing, we process the following data:

Name
E-mail address
Survey/product testing response
Date of survey

The legal basis for this data processing is Article 6 (1) (a) (consent). You can withdraw your consent at any time by giving us a respective withdrawal notice (for more information on consent and withdrawal of consent, please see below).

We store the data for 18 months. The data can be used longer than that in anonymized form (i.e., in a form where it is not possible to trace the data back to you) for statistical/analytical purposes to evaluate our newsletter.

Providing the above data is a prerequisite for participating in the survey or product testing; for more information see below under “recipients of personal data”.

We use Google Forms as processor for our surveys and product testing.

(c) Other marketing activities

We also use advertising and remarketing services on our Website. For details, please see section 7 below.

4. Recipients of personal data (incl. international data transfer)

Insofar as it is necessary for the pursuit of the abovementioned data processing purposes, we share your abovementioned data with the following (categories of) recipients:

Mailchimp: For our newsletters, we use Mailchimp. Mailchimp is an E-mail marketing sending service provided by The Rocket Science Group LLC d/b/a Mailchimp (an Intuit group company), USA. For more information, please visit their data privacy policy: https://www.intuit.com/privacy/statement/. The data transfer is subject to Standard Contractual Clauses (see https://mailchimp.com/legal/data-processing-addendum/).

Google Forms: For our surveys, we use Google Forms, a service by Google Inc., a company based in the US. The data transfer is subject to Standard Contractual Clauses. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en.

Amazon Web Services (AWS): Our cloud provider is Amazon Inc., a company based in the US. The data transfer is subject to Standard Contractual Clauses. For more information on the privacy practices of Amazon, please visit https://aws.amazon.com/privacy/.

Stripe: We use the services of Stripe Inc., a company based in the US, as a payment service provider. The data transfer is subject to Standard Contractual Clauses. For more information on the privacy practices of Stripe, please visit https://stripe.com/privacy.

HubSpot: For our CRM, we use the services of HubSpot, a company based in the US. The data transfer is subject to Standard Contractual Clauses. For more information on the privacy practices of HubSpot, please visit their Privacy policy: https://legal.hubspot.com/privacy-policy.

Tyk.io: We use the services of Tyk.io (API Management Platform & API Gateway), a company in the UK. The data transfer is subject to the adequacy decision of the European Commission concerning the UK. For more information on the privacy practices of Tyk.io, please visit https://tyk.io/privacy-policy/.

Legal advisors: For the establishment, exercise or defense of legal claims, it can be necessary to share data with legal advisors.

Tax advisors: For the fulfilment of invoice and accounting obligations, it can be necessary to share data with tax advisors.

Courts, administrative authorities, other public authorities: For the establishment, exercise or defense of legal claims or for the fulfillment of legal obligations (information obligations), it can be necessary to share data with Courts, administrative authorities or other public authorities.

Affiliates: We may share your data – as far as necessary for the above purposes – with our affiliates. Affiliates include subsidiaries, joint venture partners or other companies that we control or that are under common control with us. A list of affiliates can be found here:

  • Cortical.io USA, Inc.

Prospective buyers: We may share or transfer your data – as far as necessary – in connection with or during negotiations of any merger, sale of company assets, financing or acquisition of all or a portion of our business to another company.

We also use services of third-party vendors on our Website. For details, please see the Website-specific part of this Data Privacy Notice below.

5. Your data rights

5.1. Under the GDPR and certain applicable local data protection laws, you have certain rights regarding your personal data. Depending on your country of residence, you may have the following rights with regard to your personal data: the right to request from Cortical.io access to (Article 15 GDPR) and rectification (Article 16 GDPR) or erasure (Article 17 GDPR) of personal data, restriction of processing (Article 18 GDPR) and the right to data portability (Article 20 GDPR).

5.2. Right to object (Article 21 GDPR): Where we base our processing activities on legitimate interests (Article 6 (1) (f) GDPR), you have the right to object at any time to the processing of your personal data, on grounds relating to your particular situation. Upon such objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. Where we process your personal data based on legitimate interests (Article 6 (1) (f) GDPR) for the purpose of direct marketing, we will in any case no longer process your personal data for this purpose upon your objection (no balancing of interests required).

5.3. Where we base our processing activities on your consent (Article 6 (1) (a) GDPR), you have the right to withdraw your consent at any time. Such withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5.4. You can exercise the above rights by contacting us – see the contact details provided above.

5.5. If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with the competent supervisory authority (e.g., the supervisory authority in the Member State of your place of habitual residence, of your place of work or of the place of the alleged infringement). The Austrian supervisory authority is the Datenschutzbehörde (Data Protection Authority), Barichgasse 40-42, 1030 Vienna, Austria; Tel: +43 1 52 152-0; E-mail: dsb@dsb.gv.at.

6. Your choices

If you have established a User Account, you may access, update, and correct your personal data by logging in to your User Account.

To stop receiving, or opt-out of, promotional email communications from us, click on the "unsubscribe" link or follow the relevant opt-out instructions within the marketing communication. If you opt-out of receiving marketing emails, we will still send you transactional emails, such as to respond to your requests or communicate with you about your account.

You can manage your cookie and tracking preferences as described in the Tracking Technologies and Cookies section of this Data Privacy Notice.

7. No automated decision-making

7.1. Your personal data is not subject to automated decision-making (Article 22 GDPR).

8. Website

8.1. When you visit our Website, the following data is automatically collected (usage data):

Your device’s Internet Protocol address (e.g., IP address)
Browser type
Browser version
The pages of our Website that you visit
The time and date of your visit
The time spent on the pages of our Website
Unique device identifiers
Other diagnostic data.

When you access the Website by or through a mobile device, the following data is automatically collected:

The type of mobile device you use
Your mobile device unique ID
The IP address of your mobile device
Your mobile operating system
The type of mobile Internet browser you use
Unique device identifiers
Other diagnostic data.

We may also collect information that your browser sends whenever you visit our Website.

We process this data for technical/functional purposes. The legal basis for this data processing is Article 6 (1) (f) (legitimate interests) – We have a legitimate interest in the functionality and optimization of our Website.

We retain the data for 18 months.

8.2. Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on our Website and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze our Website. We only use these technologies with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR). You can withdraw your consent at any time. The technologies we use are:

Cookies or Browser Cookies: A cookie is a small file placed on your device. Cookies which are technically necessary for the functioning of our Website do not require consent; the legal basis for setting them is Article 6 (1) (f) GDPR (legitimate interest – we have a legitimate interest in the functionality of our Website). Cookies which are not technically necessary for the functioning of our Website will only be placed with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR), which we obtain via our Cookie Banner. Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your device when you go offline, while session cookies are deleted as soon as you close your web browser. We use both session and persistent cookies. For more information on the specific cookies, please visit our Cookie Policy on our Website. You do not have to give us your consent. However, not accepting Cookies may affect your browsing experience. You can withdraw your consent at any time, e.g., by clicking on “Cookie Settings” at the bottom of any page on our Website and then changing your settings accordingly. You can also instruct your browser to refuse all cookies or to indicate when a Cookie is being sent.

Web Beacons: Certain sections of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

8.3. Third-party vendor tools

The service providers we use may have access to your personal data generated through your visit of our Website. These third-party vendors collect, store, use, process and transfer information about your activity on our Website in accordance with their Privacy Policies. These tools will only be used with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR), which you can withdraw at any time.

(a) Analytics

We use third-party service providers to monitor and analyze the use of our Website. We only use these analytic tools with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR). You can withdraw your consent at any time.

Google Analytics: Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Website. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. Besides withdrawing your consent, you can install the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

LinkedIn: LinkedIn conversion tracking (LinkedIn Insight Tag). This service might collect personal data like device information; tracker; usage data. For more information on the privacy practices of LinkedIn, please visit their privacy policy: https://www.linkedin.com/legal/privacy-policy

Google Ads: Google Ads conversion tracking. This service might collect personal data like device information; tracker; usage data. For more information on the privacy practices of Google, please visit their privacy policy: https://policies.google.com/privacy

HubSpot: This service might collect personal data like device information; tracker; usage data. For more information on the privacy practices of HubSpot, please visit their Privacy policy: https://legal.hubspot.com/privacy-policy

We retain this data for 18 months.

(b) Advertising

We use service providers to show advertisements to you to help support and maintain our Website. The following tools and technologies are only used with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR). You can withdraw your consent at any time.

Google AdSense & DoubleClick Cookie: Google, as a third-party vendor, uses cookies to serve ads on our Website. Google’s use of the DoubleClick cookie enables it and its partners to serve ads to our users based on their visit to our Website or other websites on the Internet. Besides withdrawing your consent, you can disable the use of the DoubleClick Cookie for interest-based advertising by visiting the Google Ads Settings web page: http://www.google.com/ads/preferences/

LinkedIn advertising: This service might collect personal data like device information; tracker; usage data. For more information on the privacy practices of LinkedIn, please visit their privacy policy: https://www.linkedin.com/legal/privacy-policy

We retain this data for 18 months.

(c) Remarketing

We use remarketing services to advertise to you after you visited our Website. We and our third-party vendors use cookies and non-cookie technologies to help us recognize your device and understand how you use our Website so that we can improve our Website to reflect your interests and serve you advertisements that are likely to be of more interest to you. The cookies and non-cookie technologies will only be used with your consent (Section 165 of the Austrian Telecommunications Act 2021, Article 6 (1) (a) GDPR). You can withdraw your consent at any time.

These third-party vendors collect, store, use, process and transfer information about your activity on our Website in accordance with their Privacy Policies and to enable us to:

Measure and analyze traffic and browsing activity on our Website
Show advertisements for our products and/or services to you on third-party websites or apps
Measure and analyze the performance of our advertising campaigns

Some of these third-party vendors may use non-cookie technologies that may not be impacted by browser settings that block cookies. Your browser may not permit you to block such technologies. You can use the following third-party tools to decline the collection and use of information for the purpose of serving you interest-based advertising:

The EDAA’s opt-out platform: http://www.youronlinechoices.com/
The NAI’s opt-out platform: http://www.networkadvertising.org/choices/
The DAA’s opt-out platform: http://optout.aboutads.info/?c=2&lang=EN

Besides withdrawing your consent, you can avoid personalized advertising by enabling privacy features on your mobile device such as Limit Ad Tracking (iOS) and Opt Out of Ads Personalization (Android). See your mobile device help system for more information.

We may share information, such as hashed email addresses (if available) or other online identifiers collected on our Website with these third-party vendors. This allows our third-party vendors to recognize and deliver you ads across devices and browsers. To read more about the technologies used by these third-party vendors and their cross-device capabilities please refer to the Privacy Policy of each vendor listed below. The third-party vendors we use are:

Google Marketing Platform: For more information on the privacy practices of Google, please visit their privacy policy: https://policies.google.com/privacy

LinkedIn Website Retargeting: For more information on the privacy practices of LinkedIn, please visit their privacy policy: https://www.linkedin.com/legal/privacy-policy

HubSpot CRM platform: For more information on the privacy practices of HubSpot, please visit their Privacy policy: https://legal.hubspot.com/privacy-policy

We retain the data for 18 months.

8.4. International data transfer

The abovementioned third-party vendors are US companies. The data transfer to them is based on the Standard Contractual Clauses of the European Commission; further information can be obtained on their respective websites.

9. Links to other websites

Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

10. "Do Not Track" Preferences

Our Website and the Services do not monitor for or behave differently if your browser or device transmits a “Do Not Track” or similar message.

Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. There is no consensus among industry participants as to what "Do Not Track" means in this context. Like many websites and online services, Cortical.io does not currently alter our practices when we receive a "Do Not Track" signal from a visitor’s browser except as specifically required by law. For information about "Do Not Track" please visit All About DNT.

11. Children's Privacy

The Website and our Services are not intended for use by anyone younger than the age of 18 or under the applicable legal age of the relevant country. We do not knowingly collect personal data from children younger than the age of 18 without the consent of a parent or legal guardian, as required under applicable law. If you learn or believe that a child under the age of 18 has provided us with personal data, please contact us using the methods provided in this Data Privacy Notice above.

12. How We Protect Personal Data

We have implemented what we believe to be reasonable and appropriate security measures designed to prevent personal data from being lost, used, accessed, altered, or disclosed in an unauthorized or unlawful way. If you have reason to believe that your personal data is no longer secure, please let us know by contacting us using the methods provided in this Data Privacy Notice.

13. California "Shine the Light" Disclosure

The California “Shine the Light” law gives residents of California the right under certain circumstances to opt-out of the sharing of certain categories of personal data with third parties for their direct marketing purposes. Cortical.io does not currently share or disclose personal data with third parties for their own direct marketing purposes.

14. Notice to US Residents of Nevada

Under Nevada law, Nevada “consumers” (individuals who are seeking or acquiring goods/services for personal, family, or household purposes) may opt out of the sale of covered personal data. Cortical.io does not sell covered personal data of Nevada consumers as defined under applicable Nevada law. Nevada residents may submit an opt-out request by sending their request to the email address or mailing address specified in this Data Privacy Notice, along with their full name, complete mailing address (including street address, city, state, and zip code), email address (so that we can contact you, if needed, in connection with the request) and confirmation that they are a Nevada resident.

15. Changes to this Data Privacy Notice

We may update our Data Privacy Notice from time to time. We will notify you of any changes by posting the new Data Privacy Notice on this page. We will let you know via E-mail and/or a prominent notice on our Website and update the “Last updated” date on this Data Privacy Notice. If we make any material changes, we will provide you with notice, such as via E-mail, and as required under applicable law.