
GDPR Compliance

ExecCortex is designed to be fully GDPR-compliant. This document explains our obligations as a data processor, the rights of your customers under GDPR, and the mechanisms we have in place to protect personal data.

Last updated: May 2026 | Effective: May 25, 2018 (as updated May 2026)

1. Overview

The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — imposes obligations on organizations that process the personal data of individuals in the European Economic Area (EEA). The UK GDPR (retained in UK law under the European Union (Withdrawal) Act 2018) applies equivalent requirements to UK users.

ExecCortex acts in two distinct capacities under GDPR:

  • Data Controller: for personal data relating to our own users (account holders, team members, and billing contacts)
  • Data Processor: for personal data belonging to your store's customers that flows through our platform at your instruction

This document covers both capacities. For controller obligations, see our Privacy Policy. For processor obligations, see our Data Processing Agreement (/legal/data-processing).

2. Data We Process on Your Behalf

When you connect your eCommerce store to ExecCortex, we process your store customers' personal data on your instructions. Categories of personal data processed include:

  • Identifiers: names, email addresses, phone numbers
  • Location data: delivery addresses, billing addresses
  • Transaction data: order history, purchase amounts, product selections
  • Behavioral data: cart abandonment events, browsing patterns (where tracked by your store)
  • Communication data: message history where you use ExecCortex messaging features

We process this data only to deliver the ExecCortex services you have configured — analytics, reporting, automation, and AI insights. We do not process your customers' data for our own marketing, profiling, or any purpose not authorized by you.

3. Your Responsibilities as Data Controller

Where your store collects personal data from EU/UK residents, you are the Data Controller and bear primary responsibility for GDPR compliance, including:

  • Informing customers about data collection and processing in your store's privacy policy
  • Obtaining valid legal bases for collecting and processing customer personal data
  • Obtaining consent for marketing communications before sending via ExecCortex
  • Honoring data subject rights requests from your customers (see Section 5)
  • Maintaining records of processing activities

ExecCortex provides tools to support your compliance obligations, including data export, selective deletion, and consent flag fields — but the responsibility for lawful data collection and processing lies with you as the Controller.

4. Legal Bases for Processing

As your Data Processor, we process your customers' data under your instruction and authority. As Data Controller of our users' data, ExecCortex relies on the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing required to deliver the ExecCortex platform to subscribed users
  • Legitimate interests (Article 6(1)(f)): Platform security, fraud detection, and product improvement based on aggregated analytics
  • Legal obligation (Article 6(1)(c)): Compliance with applicable law, including tax and financial reporting
  • Consent (Article 6(1)(a)): Marketing communications — you may withdraw at any time

5. Data Subject Rights

Under GDPR, individuals have the following rights over their personal data:

  • Right of access (Article 15): Individuals can request a copy of their personal data
  • Right to rectification (Article 16): Individuals can request correction of inaccurate data
  • Right to erasure (Article 17): Individuals can request deletion of their data, subject to legal retention requirements
  • Right to restriction of processing (Article 18): Individuals can request a temporary pause on processing
  • Right to data portability (Article 20): Individuals can receive data in a machine-readable format
  • Right to object (Article 21): Individuals can object to processing based on legitimate interests
  • Rights related to automated decision-making (Article 22): Individuals can request human review of solely automated decisions

For rights requests from your store customers, you (as Controller) are responsible for responding. ExecCortex provides you with the tools to fulfill those requests — including data export, targeted deletion, and suppression list management — accessible from your dashboard Settings.

For rights requests from ExecCortex users (account holders), contact privacy@execcortex.com. We respond within 30 days.

6. Data Transfers Outside the EEA

ExecCortex is headquartered in the United States. By default, data is processed in AWS us-east-1. For EU/UK users, we rely on European Commission Standard Contractual Clauses (SCCs — decision 2021/914) as the transfer mechanism for international data transfers.

Enterprise plan customers may opt into EU data residency (AWS eu-west-1, Ireland). EU residency processes and stores all Customer Data within the EEA. Contact sales@execcortex.com to enable EU residency.

Our sub-processors that operate outside the EEA are subject to SCCs or other approved transfer mechanisms. Full sub-processor details are in our DPA (/legal/data-processing).

7. Data Processing Agreement (DPA)

Our standard DPA is available at /legal/data-processing. It covers:

  • Scope and duration of processing
  • Subject matter and nature of processing
  • Processor obligations and instructions
  • Sub-processor authorization and notice
  • Technical and organizational security measures
  • Breach notification obligations
  • Data subject request support
  • Return or deletion of data on termination
  • Audit rights
  • Standard Contractual Clauses (for EEA/UK transfers)

Executing the DPA: For paid plan customers, the standard DPA is incorporated by reference into these Terms. Enterprise customers requiring a countersigned DPA may request one from dpo@execcortex.com.

8. Sub-Processors

We engage sub-processors to deliver the platform. Each sub-processor is subject to a data processing agreement providing equivalent data protection standards. We provide 30 days' advance notice before engaging new sub-processors that will process Customer Data.

Current sub-processors processing Customer Data include:

  • Amazon Web Services (AWS) — cloud infrastructure, storage, and compute
  • Cloudflare — edge delivery, DDoS protection, and WAF
  • Stripe — payment processing (billing data only)
  • OpenAI / Anthropic / Google DeepMind — AI inference (only where you have enabled AI features and your data is sent for inference)
  • Sentry — error monitoring and crash reporting (stack traces, session context)

You may object to a new sub-processor within the 30-day notice period. If we cannot accommodate the objection, you may terminate without penalty.

9. Data Breach Notification

In the event of a personal data breach affecting Customer Data, ExecCortex will:

  • Notify affected controllers without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Provide information on the nature of the breach, categories and approximate number of records affected, likely consequences, and mitigation measures taken
  • Maintain an internal breach register

You, as Controller, are responsible for notifying your customers and the relevant supervisory authorities where required under GDPR Articles 33 and 34.

10. Data Protection Officer

ExecCortex has appointed a Data Protection Officer (DPO) responsible for GDPR compliance. You may contact our DPO at:

Email: dpo@execcortex.com

Our DPO monitors compliance, advises on GDPR obligations, and serves as the point of contact for supervisory authorities.

11. Supervisory Authority

If you are an EU or UK resident and believe ExecCortex has not adequately addressed your GDPR concern, you have the right to lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

Questions about this document?
We respond within one business day.
support@execcortex.com