Privacy Policy

Last updated: March 2026

I. Data Controller & Overview

The data controller for this website is Maximilian Schütz (see the Legal Notice for contact details). As Cortex Support operates as a SaaS solution processing data on behalf of e-commerce merchants, we additionally conclude a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with our customers.

The appointment of a data protection officer is not required, as fewer than 20 persons are regularly involved in the automated processing of personal data.

II. Infrastructure & Data Storage

Supabase (Database & Hosting): We use Supabase for data storage. The database is physically located in Frankfurt, Germany. We have concluded a DPA and carried out a Transfer Impact Assessment. No special categories of personal data are stored.

Vercel: The web application is hosted by Vercel Inc. (USA). Data transfer is based on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

Server Log Files: When you visit our website, Vercel automatically collects technical data (IP address, date and time, browser type, operating system, pages visited). This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest in secure and stable website operation) and is not merged with other data sources.

III. Legal Basis for Processing

We process personal data on the following legal bases pursuant to Art. 6(1) GDPR:

  • Contract performance (Art. 6(1)(b)): Processing necessary for the provision of our SaaS services (account management, message processing, invoice retrieval).
  • Legal obligation (Art. 6(1)(c)): Retention of invoicing and transaction data in accordance with German tax law (§ 147 AO, § 257 HGB).
  • Legitimate interest (Art. 6(1)(f)): Website operation, server log files, rate limiting, security measures, and improvement of our services.
  • Consent (Art. 6(1)(a)): Where applicable, e.g. for voice call processing. You may withdraw your consent at any time with effect for the future (Art. 7(3) GDPR).

IV. Cookies & Local Storage

This website uses only technically necessary cookies. No tracking, analytics, or marketing cookies are used.

  • Session cookies (Supabase Auth): Required for user authentication in the dashboard. Deleted at the end of the session.
  • cortex_locale: Stores the selected UI language (en/de). Duration: 1 year.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in providing a functional website). No consent is required for technically necessary cookies (§ 25(2) TDDDG).

V. Data Flows & Sub-Processors

To provide our services, we forward data to the following sub-processors:

AI Analysis: Texts and images are transmitted to Google (Gemini API, USA) and Anthropic (Claude API, USA) for processing. The data is used solely for analysis and is not used to train the providers' models in accordance with their enterprise policies.

Voice Bot (Vapi.ai): When using the phone service, audio data and transcripts are processed by Vapi Inc. (USA). The legal basis is the caller's consent or our legitimate interest in efficient support handling.

Rate Limiting (Upstash): To protect against abuse, we use Upstash Inc. (USA) for distributed rate limiting. User identifiers are processed temporarily to enforce request limits.

Logistics & ERP: We retrieve data from DHL (tracking), marketplaces (Amazon SP-API, eBay, Kaufland) and ERP systems (Billbee, Easybill).

Notifications: Escalation notifications are transmitted via webhooks to Discord (USA).

VI. Data Transfers to Third Countries

Some of our sub-processors are based in the USA. Data transfers to these providers are carried out on the basis of the EU-US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. This applies to: Vercel, Google (Gemini API), Anthropic (Claude API), Vapi.ai, Upstash, and Discord.

VII. Categories of Data Processed

Visual Data: We analyze damage photos uploaded by buyers for claims processing.

Communication Data: We process chat logs, email messages, and voice recordings (voice bots).

VIII. Automated Decision-Making

We use AI systems (Google Gemini, Anthropic Claude) to generate draft responses and analyze customer inquiries. These AI-generated drafts are suggestions only and do not constitute automated decisions with legal or similarly significant effects pursuant to Art. 22 GDPR. A human review step is always available before any action is taken.

IX. Data Retention

We store personal data only for as long as necessary for the respective purpose or as required by law:

  • Account and usage data: For the duration of the contractual relationship, then deleted within 30 days unless legal retention periods apply.
  • Chat logs and voice recordings: Stored for 90 days, then automatically deleted.
  • Invoicing data: Retained for 10 years in accordance with German tax law (§ 147 AO).

X. Obligation to Provide Data

The provision of personal data (e.g. email address, name) is required for the conclusion and performance of the SaaS contract. Without this data, we cannot provide our services. There is no legal obligation to provide data for the mere use of the website.

XI. Your Rights

You have the following rights under GDPR with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time (Art. 7(3) GDPR)

To exercise your rights, please contact us via the details in our Legal Notice.

XII. Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. You may contact the supervisory authority in the EU member state of your residence, your place of work, or the place of the alleged infringement.