Privacy Policy

Last updated: December 2025

Effective Date: December 10, 2025

Our Zero-Trust Privacy Commitment

Cortex MCP is built on a Zero-Trust architecture. Your code, AI conversations, and development context remain entirely on your local machine. We cannot access, read, or transmit your actual content. This Privacy Policy explains what limited data we do collect and how we use it, including important information about MCP Interaction Metadata.

1. Data We Do NOT Collect

In accordance with our Zero-Trust architecture, Cortex MCP stores all sensitive data locally on your machine. We do NOT collect, access, transmit, or have any capability to access:

  • Your Source Code - Any code, scripts, configuration files, or file contents
  • AI Conversations - Your prompts, queries, or AI-generated responses
  • Context Content - The actual content stored in your Cortex context files (.md files)
  • Project Structure - Directory layouts, file names, or repository structure
  • Personal Documents - Any documents, notes, or files you work with
  • Business Information - Proprietary business logic, trade secrets, or confidential data
  • Decryption Keys - Your encryption keys for cloud sync (you control these exclusively)

Technical Guarantee: The Cortex MCP server runs entirely on your local machine. Your content data never leaves your device except when you explicitly choose to use encrypted cloud sync, and even then, we cannot decrypt it.

2. Data We Collect

We collect the minimum data necessary to provide, maintain, and improve the Service:

2.1 Account Information

When you create an account through GitHub OAuth, we collect:

  • GitHub username
  • Email address associated with your GitHub account
  • GitHub profile avatar URL
  • GitHub user ID (unique identifier)
  • Account creation timestamp

2.2 License and Subscription Data

  • License key (stored in hashed format)
  • Subscription tier (Free, Pro, or Premium)
  • Subscription status (active, expired, trial)
  • Payment transaction IDs (processed by Paddle)
  • Device identifier for license binding (non-Premium tiers)
  • License verification timestamps

2.3 Technical Data

  • IP address (for security and fraud prevention)
  • Browser type and version
  • Operating system
  • Device type (desktop/mobile)
  • Referring website
  • Pages visited on our website

2.4 AI Client Environment Information

When you use Cortex MCP through an AI development tool, we may collect basic information about your development environment to ensure compatibility and provide better support:

  • AI Client Name: The name of the AI tool you're using (e.g., "Claude Code CLI", "Claude Desktop", "Cline", "Continue")
  • AI Client Version: The version number of your AI tool
  • MCP Protocol Version: The Model Context Protocol version in use

Why We Collect This: This information helps us ensure Cortex works seamlessly with different AI tools, prioritize compatibility updates, and provide tool-specific support.

Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) - ensuring service compatibility. Collection is enabled by default, but you can opt out at any time without affecting functionality.

What This Does NOT Include: We do not collect information about which AI models you use, what prompts you write, or any content you generate with AI tools.

Your Control Over AI Client Information

You can disable AI client information collection at any time. Disabling this will NOT affect any functionality - Cortex works perfectly without this data.

  • Web Dashboard: Settings → Privacy → "Collect AI Client Information" toggle
  • CLI Command: cortex telemetry set-client-info off
  • Email Request: Contact [email protected]

Default Setting: Collection is enabled by default for compatibility support, but you can opt out at any time without any loss of functionality.

3. MCP Interaction Metadata Collection

Important Notice About MCP Interaction Metadata

With your consent, we collect anonymized metadata about how you interact with the MCP server. This is distinct from your actual content - we collect information about how you use features, not what content you create or process.

3.0 Telemetry Collection Levels (Opt-in)

Cortex offers three levels of telemetry collection. By default, NO telemetry is collected (NONE level). You must explicitly opt in during installation or in your account settings.

🔒 NONE (Default)

Complete Privacy

  • ✓ No data collection
  • ✓ Full functionality
  • ✓ Zero telemetry

Recommended if: You prioritize absolute privacy

📊 BASIC

Minimal Technical Data

  • ✓ AI Client name/version
  • ✓ Cortex version
  • ✓ Tool call counts (aggregated)
  • ✗ No usage patterns
  • ✗ No content

Recommended if: You want to help with compatibility

📈 FULL

Detailed Usage Analytics

  • ✓ All BASIC data
  • ✓ Tool usage patterns
  • ✓ Feature utilization
  • ✓ Performance metrics
  • ✗ Still no content

Recommended if: You want to support product development

⚠️ Important: Even at FULL level, we never collect your code, AI conversations, file names, or any content. We only collect how you use features, not what you create.

3.1 What MCP Interaction Metadata Includes

When you opt in to metadata collection, we may collect:

  • Tool Usage Patterns:
    • Which MCP tools are used (e.g., create_branch, search_context, update_memory)
    • Frequency of tool invocations
    • Sequence patterns of tool usage
  • Feature Utilization Metrics:
    • Number of branches created
    • Number of contexts stored
    • Search frequency and result counts (not search terms)
    • Context loading patterns
  • Performance Data:
    • Response times for operations
    • Operation success/failure rates
    • Resource utilization metrics
  • Error and Diagnostic Data:
    • Error types and error codes (not error messages containing your data)
    • Crash reports (sanitized to remove personal data)
    • Feature compatibility issues
  • Session Information:
    • Session duration
    • Session frequency
    • Time of day usage patterns (aggregated)

3.2 What MCP Interaction Metadata Does NOT Include

  • The content of your context files or branches
  • Your actual search queries or search terms
  • File names, project names, or directory structures
  • Any text you type or generate
  • Your AI conversation content
  • Any personally identifiable information within your work

4. Commercial Use of Aggregated Data

IMPORTANT: Commercial Data Use Disclosure

By opting into MCP Interaction Metadata collection, you acknowledge and agree that we may use this data commercially, including selling it to third parties.

Please read this section carefully before enabling metadata collection.

4.1 Aggregation and Anonymization Process

Before any commercial use, MCP Interaction Metadata undergoes:

  • Aggregation: Individual data points are combined with data from many users
  • Anonymization: All personally identifiable information is removed
  • Statistical Processing: Data is transformed into statistical summaries
  • K-Anonymity: We ensure no individual can be identified from aggregated data

Our K-Anonymity Guarantee

We enforce strict anonymization standards to protect your privacy:

  • Minimum K=5: All aggregated datasets ensure that each data point represents at least 5 different users (industry standard)
  • K=10 for Sensitive Attributes: For usage patterns that could be more identifying, we enforce a higher threshold of at least 10 users
  • K-Anonymity Validation: Before any data is aggregated or sold, we validate K-anonymity (K≥5) to prevent individual identification. Currently performed through manual review by our Data Protection team; automated validation system planned for Q2 2026.
  • No Rare Combinations: Unique or rare usage patterns are automatically excluded from datasets to prevent individual identification

Technical Note: K-anonymity means that each combination of attributes in our dataset is shared by at least K individuals, making it mathematically impossible to identify any single user from the aggregated data.

4.2 Permitted Commercial Uses

Aggregated, anonymized MCP Interaction Metadata may be used for:

  • Internal Product Development:
    • Improving Cortex MCP features and performance
    • Developing new features based on usage patterns
    • Identifying and fixing common issues
  • Industry Analytics and Reports:
    • Publishing industry insights about AI development tool usage
    • Creating benchmark reports
    • Contributing to academic research (anonymized)
  • Dataset Licensing:
    • Creating and licensing datasets for AI/ML research
    • Providing training data for AI model development
    • Supporting academic and commercial AI research
  • Commercial Sale to Third Parties:
    • Selling aggregated usage pattern datasets
    • Licensing anonymized behavioral analytics
    • Providing market intelligence to business customers

4.3 Commercial Use Restrictions

We commit to the following restrictions on commercial use:

  • We will never sell individual-level data that could identify you
  • We will never sell your actual content, code, or conversations
  • We will never reverse-engineer aggregated data to identify individuals
  • Third-party purchasers are contractually prohibited from attempting re-identification
  • All data sales are subject to data protection agreements

5. How We Use Your Data

5.1 Account and Service Provision

  • Creating and managing your account
  • Processing subscription payments through Paddle
  • Verifying license keys and tier access
  • Providing customer support

5.2 Communication

  • Sending transactional emails (receipts, license keys)
  • Important service announcements and security notices
  • Subscription renewal reminders
  • Product updates (with opt-out option)

5.3 Legal Bases for Processing (GDPR)

Data Type | Legal Basis
Account Information | Contract Performance
License Verification | Contract Performance
Technical Data | Legitimate Interest
MCP Interaction Metadata | Explicit Consent
Marketing Communications | Consent

6. Data Sharing and Disclosure

6.1 Service Providers

We share data with trusted service providers who assist us:

  • Paddle - Payment processing (Merchant of Record)
    • Receives: Name, email, payment information
    • Purpose: Process payments, handle taxes, issue invoices
  • GitHub - OAuth authentication
    • Receives: OAuth access credentials
    • Purpose: Verify identity during login
  • Cloud Infrastructure - Server hosting
    • Receives: Encrypted data, technical logs
    • Purpose: Host our web services

6.2 Third-Party Data Purchasers

As described in Section 4, we may sell aggregated, anonymized MCP Interaction Metadata to:

  • AI research organizations
  • Technology companies
  • Market research firms
  • Academic institutions

6.3 Legal Requirements

We may disclose data when required by law:

  • To comply with valid legal process (subpoenas, court orders)
  • To protect our rights, property, or safety
  • To protect users or the public from harm
  • In connection with a merger, acquisition, or sale of assets

7. Cloud Sync (Premium Feature)

Premium subscribers can optionally synchronize contexts across devices:

End-to-End Encryption Guarantee

  • Client-Side Encryption: Data is encrypted on your device before transmission
  • AES-256-GCM: Military-grade encryption algorithm
  • User-Controlled Keys: Encryption keys derived from your license key - only you have access
  • Your Storage: Data syncs to your personal Google Drive account
  • Zero-Knowledge: We mathematically cannot decrypt your synced data

8. Data Retention

Data Type | Retention Period
Local Context Data | Forever (on your device, you control deletion)
Account Information | Duration of account + 30 days after deletion
License Data | Duration of subscription + 1 year
MCP Interaction Metadata | 3 years (or until opt-out)
Aggregated/Anonymized Data | Indefinitely (cannot be linked to you)
Payment Records | 7 years (legal requirement)
Security Logs | 1 year

9. Your Rights and Choices

You have the following rights regarding your data:

  • Access: Request a copy of personal data we hold about you
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your account and personal data
  • Data Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for optional data collection at any time

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

10. Opt-Out Mechanisms

10.1 Initial Consent Process

When you first install or configure Cortex MCP, you will be presented with a clear consent prompt allowing you to choose your telemetry level:

╔════════════════════════════════════════════════════════════╗
║  Cortex Telemetry Settings                                 ║
╚════════════════════════════════════════════════════════════╝

Cortex can collect anonymous usage statistics to improve the service.
All data is stored locally and only transmitted with encryption.

Choose your telemetry level:

1. [NONE] No data collection (Default)
   - Complete privacy
   - Zero telemetry

2. [BASIC] Technical information only
   ✓ AI Client name/version
   ✓ Cortex version
   ✓ Tool usage counts (aggregated)
   ✗ No usage patterns
   ✗ No content

3. [FULL] Detailed analytics
   ✓ All BASIC data
   ✓ Feature usage patterns
   ✓ Performance metrics
   ✗ Still no content

Selection (1/2/3): [Default: 1] _
                

Your Choice is Respected: You can change this setting at any time in your dashboard settings or via the CLI command cortex telemetry set [none|basic|full].

10.2 Changing Telemetry Settings

You can change your telemetry level at any time:

  • Web Dashboard: Visit Settings → Privacy → Telemetry Level
  • CLI Command: cortex telemetry set none|basic|full
  • Email Request: Contact [email protected] to change settings and delete existing data

10.3 Data Deletion

You can request deletion of collected telemetry data:

  • CLI Command: cortex telemetry clear - Deletes local telemetry data
  • Web Dashboard: Settings → Privacy → "Delete My Telemetry Data"
  • Email Request: We will delete your identifiable telemetry data within 30 days

Note: Opting out or deleting telemetry data does not affect your ability to use Cortex MCP. All features remain fully functional regardless of your telemetry choice.

Aggregated Data: Once your data has been aggregated and anonymized for commercial use, it cannot be individually identified or deleted. However, you can prevent future data from being collected by opting out.

10.4 Marketing Communications

  • Click "Unsubscribe" in any marketing email
  • Update preferences in your account dashboard
  • Contact us to remove from all marketing lists

Note: You cannot opt out of transactional emails (receipts, security notices, license information).

11. Security Measures

We implement comprehensive security measures:

  • Encryption in Transit: TLS 1.3 for all communications
  • Encryption at Rest: AES-256 encryption for stored data
  • Access Controls: Role-based access with principle of least privilege
  • Security Monitoring: 24/7 intrusion detection and monitoring
  • Regular Audits: Periodic security assessments and penetration testing
  • Secure Development: Security-first development practices
  • Incident Response: Documented procedures for security incidents

12. International Data Transfers

Our servers are located in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US.

For transfers from the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Your explicit consent where applicable

13. Children's Privacy

Cortex MCP is not intended for users under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it promptly. If you believe a child has provided us data, please contact us immediately.

14. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

  • Right to Know: Categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out of Sale: Direct us not to sell your personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Do We "Sell" Personal Information Under CCPA?

Under California law, the sharing of aggregated, anonymized MCP Interaction Metadata with third parties for compensation constitutes a "sale" under CCPA's broad definition.

However, we ensure your protection through:

  • K-Anonymity (K≥5): All sold data represents at least 5 users, making individual identification mathematically impossible
  • Contractual Prohibitions: Third-party purchasers are legally prohibited from attempting re-identification
  • Automated Validation: Our system prevents any identifiable data from being included in datasets

California Residents: Your Opt-Out Rights

You can opt out of this data sale through any of these methods:

  1. Disable telemetry collection entirely (set to NONE level)
  2. Click "Do Not Sell My Personal Information" in Settings → Privacy
  3. Email us at [email protected] with "CCPA Opt-Out Request"

Important: Opting out will not affect your access to any Cortex features.

15. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under GDPR:

  • All rights listed in Section 9
  • Right to lodge a complaint with your local Data Protection Authority
  • Right to withdraw consent at any time

Data Controller: Cortex MCP
Contact: [email protected]

16. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes:

  • We will update the "Last updated" date at the top
  • We will notify you by email for significant changes
  • We will display a prominent notice on our website
  • For material changes to MCP Interaction Metadata collection or commercial use, we will request renewed consent

17. Contact Information

For privacy-related questions, requests, or concerns:

We aim to respond to all privacy requests within 30 days.

Summary of Key Points

  • Your code, conversations, and content stay on your device - we cannot access them
  • With consent, we collect MCP Interaction Metadata (how you use features, not what you create)
  • Aggregated, anonymized metadata may be sold commercially - you can opt out anytime
  • Cloud sync uses end-to-end encryption - we mathematically cannot read your synced data