Privacy Policy
Last updated: January 10, 2025
Who we are: Contextus is a developer platform operated by Coreledger Technologies Inc. ("Coreledger", "we", "us", "our").
Contact: info@coreledger.ca
Address: Vancouver, BC, Canada
1) Scope
This Policy explains how we collect, use, disclose, and protect personal information when you use Contextus (web app, dashboard, APIs, SDKs, MCP adapters, and IDE plugins), visit our sites, or interact with us.
2) What we collect
We collect information in these categories:
- Account & contact – name, email, password hash, organization, role, billing email.
- Plan/billing – plan tier (Free/Pro/Enterprise), subscription status, invoices, and payment tokens processed by our payment processor (e.g., Stripe). We do not store full payment card numbers.
- Product usage – API keys, feature flags, quotas, rate-limit events, endpoint names, timestamps, response codes, token counts, and error telemetry.
- Content you send us – prompts, context, documents, snippets, and metadata required for semantic ranking, trimming, redaction and evaluation.
- Device & technical – IP address, user-agent, OS, device IDs, referrers; cookie and local-storage identifiers.
- Support & communications – messages you send to us (email, in-product forms).
- Marketing preferences – opt-in/opt-out status.
3) How we use information (purposes)
- Provide and secure the services – authentication, API key issuance, quotas, rate limiting, abuse detection.
- Context engineering features – semantic ranking, chunking, trimming/redaction, previews, analytics, and evaluation runs.
- Improve and research – aggregated product metrics (e.g., token savings, latencies), UX experiments, model quality analysis (using de-identified data where possible).
- Billing and account management – subscriptions, invoicing, tax, fraud prevention.
- Legal compliance – security, audits, and responding to lawful requests.
GDPR lawful bases (where applicable)
Depending on the specific processing, we rely on: contract (to deliver the service), legitimate interests (e.g., security, product analytics compatible with user expectations), consent (e.g., non-essential cookies/marketing), and legal obligation.
4) Cookies & similar tech
We use strictly necessary cookies (login/session, security) and, with consent, analytics and preference cookies. You can change preferences at any time in our cookie settings.
5) Children's privacy
Contextus is not for children under 13 and we do not knowingly collect their data. If we learn a child under 13 used the service, we will delete their data.
6) Sharing & disclosures
We share personal information with:
- Service providers/processors – cloud hosting, email, analytics, payments (e.g., Stripe), logging, and security vendors—bound by contracts to process data only on our instructions.
- Enterprise customers – if you're a user under your employer's plan, admins may see usage and configuration for your tenant.
- Legal & safety – to comply with law or protect rights and safety.
- Business transfers – in a merger, acquisition, or financing (with appropriate protections).
We will maintain a live Sub-processors list at /legal/subprocessors.
7) International transfers
We may transfer data to countries with different laws. Where required, we use Standard Contractual Clauses (SCCs) approved by the European Commission for cross-border transfers.
8) Retention
We retain data only as long as necessary for the purposes above, then securely delete or anonymize it. Typical (illustrative) ranges:
- Auth & security logs: 30–90 days
- API usage/quotas: 12–24 months
- Billing/financial records: 7 years (or statutory period)
Actual periods appear in our internal retention schedule and may vary to meet legal obligations, resolve disputes, or enforce agreements.
9) Security
We employ layered security: encryption in transit, least-privilege access, audit logging, firewalls/WAF, vulnerability management, and regular backups. No method is 100% secure; please keep your credentials safe.
10) Your rights
EU/UK (GDPR): rights to access, rectify, delete, restrict or object to processing, portability, and to withdraw consent without affecting prior processing. You may also complain to your data protection authority.
Canada (PIPEDA): rights of access and rectification; principles such as limiting collection and accountability also apply.
California (CPRA/CCPA): rights to know/access, delete, correct inaccurate information, and to limit use/disclosure of sensitive personal information; also non-discrimination for exercising rights.
We do not sell personal information or share it for cross-context behavioral advertising.
Exercising your rights
Email privacy@coreledger.ca (or info@coreledger.ca). We may need to verify your identity, and we respond within the required timeframes. You may use an authorized agent where permitted.
11) AI/Model-specific disclosures
- Content you send is processed to build embeddings, rank chunks, apply policy rules (redaction/weights), and fit within token budgets.
- For managed models or third-party LLM providers (if used), we ensure contractual protections and restrict providers to processor roles.
- We do not use your private prompts/contexts to train third-party foundation models without explicit notice and opt-in.
12) Marketing
We send service/transactional emails. With consent, we may send product updates or newsletters. You can opt out anytime via the email footer.
13) Changes
We will post updates here and change the "Last updated" date. Material changes will be highlighted in-product or by email where appropriate.