Privacy Policy

January 2026

I. Overview

Please get a picture of how we process your personal data when you visit our website, use our routing services, or otherwise have a business relationship with us. We refer to these collectively as our "Services" in this policy (Art 13, Art 14 GDPR; section 165 para 3 TKG [“Austrian Telecommunication Act”]).

II. What data do we process when you use our Services and who may receive your data?

When using our Services, the following data may be processed of the users of the Services as well as employees of the user:

Log-In data (e.g. name, e-mail)
Services preferences (e.g. settings)
Data put into the routing system (e.g. prompts & meta data)
Documents and personal data required in a business relationship (eg. invoices, billing address)
Data required in the course of maintenance (request volume)
Screening (clients)/Incident tickets in case of maintenance
Date, time and duration of access.

The processing of this data is necessary to provide, manage, and secure the operation of our Services and to ensure their functionality from a technical point of view. The collection of some of this data is partly carried out via technical cookies. These technical cookies are only used to the extent necessary (section 165 Abs 3 TKG). The processing of this data is justified by our legitimate interest in the operation of our Services as well as contractual and legal obligations (Art 6 para 1 lit b, c and f GDPR).

In order to operate our Services, it is necessary to disclose your information to different categories of recipients. We distinguish between sub-processors that carry out AI inference and those that provide essential Facility and Support Services, such as user authentication, payment processing, and hosting.

Upstream Inference Providers

When you use our generative AI routing capabilities, your data is processed by one or more of the following sub-processors, based on your configuration and our routing logic.

Recipients of the data	Purpose	Legal justification	Legal Entity	Processing location(s)	Basis for transfer to third country*	ZDR**
Scaleway SAS	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	France	France	Within the EU	Yes
Nebius B.V.	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Netherlands	Finland	Within the EU	Yes
Mistral AI SAS	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	France	EEA	Within the EEA	Yes
OVH SA	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	France	France	Within the EU	Yes
STACKIT GmbH & Co. KG	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Germany	Germany	Within the EU	Yes
IONOS SE	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Germany	Germany	Within the EU	Yes
Microsoft Ireland Operations Limited	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Ireland	EEA	EU-US Data Privacy Framework	No
Google Cloud EMEA Limited	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Ireland	EEA	EU-US Data Privacy Framework	Yes
Amazon Web Services EMEA SARL	AI Inference	Contractual obligation (Art 6 para 1 lit b GDPR)	Luxembourg	EEA	EU-US Data Privacy Framework	Yes

Facility Service Sub-processors

To provide essential functions for our platform, such as managing your user account, processing payments, and hosting our application, we use the following providers. These services are necessary for the establishment and fulfillment of our contractual relationship with you or are based on our legitimate interest in operating a secure and performant service.

Recipients of the data	Purpose	Legal justification	Legal Entity	Processing location(s)	Basis for transfer to third country*
Scaleway SAS	Hosting the routing service	Legitimate interest (Art 6 para 1 lit f GDPR)	France	France	Within the EU
OVH SA	Hosting the routing service	Legitimate interest (Art 6 para 1 lit f GDPR)	France	France	Within the EU
Auth0, Inc.	User authentication	Contractual necessity (Art 6 para 1 lit b GDPR)	USA	EEA (Storage) & USA (Access)	EU-US Data Privacy Framework (regarding Non-HR Data)
Stripe Payments Europe, Ltd.	Payment processing	Contractual necessity (Art 6 para 1 lit b GDPR)	Ireland	Global (EEA, USA)	EU-US Data Privacy Framework
Sendinblue SAS (Brevo)	CRM and transactional email delivery	Legitimate interest (Art 6 para 1 lit f GDPR), contractual necessity (Art 6 para 1 lit b GDPR)	France	EU	Within the EU

III. Overview of cookies

We use technical cookies to recognize you and store temporary data of the website visitor. We only use cookies to the extent necessary to communicate with you via the website. These cookies are activated as soon as you visit our website.

The following cookies are used on our website on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR).

Name of the Cookies	Remuneration periode	Seat of the recipient	Purpose of the data transfer
__stripe_mid (Stripe)	1 year	USA	Fraud prevention and risk assessment (Machine ID).
__stripe_sid (Stripe)	30 minutes	USA	Fraud prevention and security (Session ID).
appSession (Auth0)	Session / 1 Year	USA	Maintains your active session and authentication state.
did / did_compat (Auth0)	1 Year	USA	Device identification for security and anomaly detection.

IV. For what purposes do we process your data when we have a business relationship or you use our Services?

In the course of our business relationship, we process personal data based on contractual obligations, legal obligations and our legitimate interests. Specifically, we process your data for the following purposes:

for the purpose of providing the Services, specifically the routing of API requests to third-party providers based on service preferences, and the aggregation of usage metadata (e.g., timestamps, token volume) required for metering and billing;
for the purpose of commercial administration, including the generation of invoices based on usage logs, processing and managing your business case, and necessary correspondence with you;
all of your data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices;
for the purpose of law enforcement;

The processing of your data serves the initiation, maintenance and handling of our business relationships. If you do not provide us with this data, we will unfortunately not be able to provide you with the Services.

The processing of your data can also be based on consent (Art 6 para 1 lit a GDPR). This consent can be revoked at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

V. How long do we store your data?

We will only store your data for as long as is necessary for the purposes for which we collected your data. We distinguish between the semantic content of your requests and the operational data required to process them:

Transient payload content (prompts & completions)

Retention: Zero (0) Days.
Details: The actual text inputs and model outputs contained in your API requests are processed solely in volatile memory for routing purposes. This content is not written to persistent storage and is discarded immediately after transmission. Once the payload is transmitted to an inference provider, the data becomes subject to the provider's data retention policy. To ensure your privacy requirements are maintained downstream, we provide technical filters that allow you to restrict routing to providers that match your specific retention criteria.

Usage logs (operational metadata)

Retention: 12 Months
Details: We store operational metadata (e.g., timestamps, model selection, token counts, error codes, and request configurations) using pseudonymous User IDs that are strictly separated from your personal account details. This ensures that technical monitoring is decoupled from your identity by default. These logs are used solely for system stability and debugging.

Business & account records

Retention: Stored for the duration of your active account relationship.
Details: Aggregated invoices, contracts, and accounting proofs required by Austrian tax law (Section 132 BAO).

VI. Collection of data from other sources

In the course of a business relationship or the initiation thereof, it is naturally necessary to conduct research on the business partner. This is done exclusively to the extent required for this purpose. In this context, data may be retrieved and processed from the following sources:

Source of data	Purpose	Legal justification	Location	Processed data
Google, LLC	Single sign in	Consensus (Art 6 para 1 lit a GDPR)	USA	Google-ID to register
Microsoft	Single sign in	Consensus (Art 6 para 1 lit a GDPR)	USA	Microsoft-ID to register.
LinkedIn Inc.	Single sign in	Consensus (Art 6 para 1 lit a GDPR)	USA	LinkedIn-ID to register.
Github Inc.	Single sign in	Consensus (Art 6 para 1 lit a GDPR)	USA	Github-ID to register.

VII. Does automated decision-making and/or profiling take place (Art 13 (2) lit f GDPR)?

No automated decision-making or profiling takes place in our company.

VIII. What rights do you have with regard to data processing?

We would like to inform you that you have the right, provided that the legal requirements are met:

You have the right to request information about which of your data is processed by us (see in detail Art 15 GDPR).
You have the right to request the correction or completion of incorrect or incomplete data concerning you (see in detail Art. 16 of the GDPR).
The right to have your data deleted (see in detail Art 17 GDPR).
The right to object to processing of your data that is necessary to protect our legitimate interests or those of a third party (see in detail Art 21 of the GDPR). This applies in particular to the processing of your data for advertising purposes.
You have the right to receive the transfer of the data provided by you in a structured, common and machine-readable format.

If we process your data on the basis of your consent, you have the right to revoke this consent at any time by e-mail. This will not affect the lawfulness of the data processing carried out up to this point (Art 7 para 3 GDPR).

IX. Do you have a right to complain?

If, contrary to our expectations, there is a violation of your right to lawful processing of your data, please contact us by mail or e-mail. We will make every effort to process your request promptly. You also have the right to lodge a complaint with the supervisory authority responsible for data protection matters. In Austria, this is the: Data protection authority (“Datenschutzbehörde”) based in Vienna, Austria.

X. Opportunity to get in contact

If you have any further questions about the processing of your data, please feel free to contact our data protection coordinator using the contact details below.

XI. Controller

The Controller in the sense of Art 4 Z 7 GDPR is:

Cortecs GmbH
Althanstraße 4, Floor 6
1090 Vienna, Austria
E-Mail: office@cortecs.ai
Tel: +43 680 3230395

* "Third Country" includes all countries other than (1) the Member States of the European Union and (2) the Member States of the European Economic Area, which means, in addition to the EU Member States, Iceland, Liechtenstein and Norway.

**"ZDR" denotes Zero Data Retention. In the absence of an explicit policy from the provider, a conservative assumption of 'No ZDR' is applied.