Privacy Policy

ExecCortex is committed to protecting your privacy and the privacy of your customers. This policy explains exactly what data we collect, how we process it, your rights over it, and the controls available to you.

Last updated: May 2026 | Effective: May 1, 2026

1. Introduction

ExecCortex, Inc. ('ExecCortex', 'we', 'our', or 'us') operates an AI-powered eCommerce intelligence platform available at execcortex.com and through our API. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, website, and services.

By using ExecCortex, you agree to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our platform.

This policy applies to:

  • Visitors to our marketing website (execcortex.com)
  • Registered users of the ExecCortex platform
  • Store owners and teams using ExecCortex to analyze their eCommerce data
  • API and developer integrations

For the avoidance of doubt: ExecCortex acts as a data controller for information about our own users (account holders) and as a data processor for the end-customer data that flows through your connected stores.

2. Information We Collect

We collect information in several categories:

Account Information

  • Name and email address when you register
  • Business name, store URL(s), and industry
  • Billing information (card details are tokenized and held by Stripe — we never store raw card numbers)
  • Profile photo (optional)
  • Team member details if you invite colleagues

eCommerce Store Data (synchronized from your connected platforms)

  • Orders: order IDs, amounts, line items, discounts, taxes, shipping, status, timestamps
  • Customers: names, email addresses, phone numbers, addresses, purchase history, cohort attributes
  • Products: SKUs, titles, variants, prices, inventory levels, categories
  • Fulfillments, refunds, and return records
  • Abandoned checkouts and cart events

Analytics and Advertising Data (synchronized from connected ad and analytics platforms)

  • Campaign performance data from Google Ads, Meta Ads, and TikTok Ads
  • Session, conversion, and traffic data from Google Analytics 4
  • Keyword and search impression data from Google Search Console
  • Email performance metrics from Gmail, Klaviyo, and Mailchimp
  • Social engagement data from Instagram and Facebook Pages

Usage and Telemetry Data

  • Pages visited, features used, and time spent in the platform
  • Browser type, operating system, screen resolution, and device type
  • IP address (used for rate limiting and fraud detection, not for building behavioral profiles)
  • Session identifiers and crash reports

Communications

  • Support tickets and live chat transcripts
  • Email correspondence with our team
  • Feedback, survey responses, and feature requests

3. How We Collect Information

Directly from you: when you create an account, connect a store, configure integrations, or contact support.

Automatically: through browser cookies, log files, and our telemetry SDK embedded in the platform.

From third-party platforms: via authorized OAuth tokens and API keys that you provide. We only pull the data scopes you explicitly authorize during the OAuth flow.

From our payment processor: Stripe shares billing metadata (payment status, plan tier, invoice dates) with us.

4. How We Use Your Information

We use collected data to:

  • Deliver the core ExecCortex service — unifying your store, ad, and analytics data into a single dashboard
  • Generate AI-powered insights, anomaly alerts, and weekly executive reports
  • Power automation features including WhatsApp, email, and SMS workflows you configure
  • Authenticate users, prevent fraud, and enforce rate limits
  • Process billing and manage subscription lifecycle
  • Provide customer support and troubleshoot issues
  • Send product updates, security notices, and service announcements (you can opt out of marketing emails)
  • Improve the platform through aggregated and anonymized usage analysis
  • Comply with legal obligations

We do not sell your data. We do not use your store's customer data to build profiles for advertising. AI model training, if any, is performed on fully anonymized and aggregated data only — never on identifiable customer records from your store.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing are:

  • Contract performance: Processing necessary to deliver the platform you have subscribed to
  • Legitimate interests: Product improvement, fraud prevention, and platform security — in each case balanced against your rights
  • Legal obligation: Compliance with tax, financial, and data protection law
  • Consent: Where explicitly requested (e.g., marketing emails) — you may withdraw consent at any time

Where we rely on legitimate interests, you have the right to object. Contact privacy@execcortex.com to exercise this right.

6. Information Sharing and Disclosure

We share your information only in the following circumstances:

Service providers and sub-processors: We engage vetted third-party vendors to operate the platform. Each sub-processor is contractually bound to our data protection standards. Our full sub-processor list is available at /legal/data-processing. Current sub-processors include:

  • AWS / Cloudflare — cloud hosting and edge delivery
  • Stripe — payment processing
  • OpenAI / Anthropic / Google — AI inference (where you have enabled AI features)
  • SendGrid / Postmark — transactional email delivery
  • Sentry — error monitoring

Legal requirements: We disclose data if required by law, court order, or government authority, or where necessary to protect the rights and safety of ExecCortex or its users.

Business transfers: In connection with a merger, acquisition, or sale of assets, user data may be transferred. We will provide advance notice and you retain the right to delete your account before any transfer.

With your consent: For any other purpose not described here, we will ask for your explicit consent first.

7. Third-Party Integrations

ExecCortex connects to third-party platforms (Shopify, Meta, Google, WhatsApp, etc.) using credentials you authorize. Each integration is governed by the relevant platform's own terms and privacy policies. We act as a consumer of their APIs on your behalf and are bound by their developer policies.

When you revoke an OAuth authorization from a third-party platform, ExecCortex will stop receiving new data from that source within 24 hours. Historical data already synchronized is retained according to our data retention policy unless you request deletion.

ExecCortex is primarily a read-only analytics platform. We pull data from your connected stores and ad/analytics platforms — we do not modify your store's products, orders, or customer records. The only outbound operations are messaging sends (WhatsApp, SMS, email) and data exports (Google Sheets, file exports) that you explicitly configure and trigger.

8. Data Retention

Account data is retained for the lifetime of your active subscription. When you cancel or your subscription expires:

  • You have a 30-day grace period to export your data
  • After 30 days, account data and synchronized store data are permanently deleted from our systems
  • Anonymized, aggregated telemetry data may be retained for product analytics purposes
  • Billing records are retained for 7 years to meet financial and tax compliance requirements

You may request data export at any time from Settings → Data Export or by emailing privacy@execcortex.com. Exports are provided in JSON or CSV format within 5 business days.

9. Cookies and Tracking Technologies

We use a minimal set of first-party cookies and local storage:

  • Session cookies: Required for authentication and platform functionality. Expire when you close your browser or after 24 hours of inactivity.
  • Preference cookies: Store UI preferences (theme, date range, sidebar state). Persist for 12 months.
  • Security cookies: CSRF tokens to protect against cross-site request forgery. Session-scoped.

We do not use third-party advertising or tracking cookies. We do not share browser fingerprints with advertisers. Our marketing website uses Plausible Analytics, a privacy-preserving analytics platform that does not use cookies and does not collect personally identifiable information.

You may disable cookies in your browser settings, but doing so will prevent you from logging in to the platform.

10. International Data Transfers

ExecCortex is headquartered in the United States. If you are accessing the platform from the EEA, UK, or other jurisdictions with data transfer restrictions, be aware that your data may be transferred to and processed in the United States.

For EEA and UK users, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers. Enterprise plan customers may request EU data residency, which processes and stores EU user data within AWS eu-west-1 (Ireland).

Our Data Processing Agreement (available at /legal/data-processing or on request) includes the appropriate EU-approved SCCs for controller-to-processor transfers.

11. Children's Privacy

ExecCortex is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@execcortex.com and we will promptly delete such information.

12. Your Privacy Rights

Depending on your jurisdiction, you have some or all of the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure ('right to be forgotten'): Request deletion of your personal data
  • Right to data portability: Receive your data in a machine-readable format
  • Right to restrict processing: Ask us to pause processing while a dispute is resolved
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is consent-based, withdraw at any time without penalty
  • Right not to be subject to automated decision-making: We do not use fully automated decisions that produce legal or similarly significant effects

To exercise any of these rights, email privacy@execcortex.com with the subject line 'Privacy Rights Request'. We will respond within 30 days (or the statutory period applicable in your jurisdiction). We may ask you to verify your identity before acting on the request.

13. California Privacy Rights (CCPA / CPRA)

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information — note: ExecCortex does not sell personal information
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information

To submit a California rights request, email privacy@execcortex.com or use the 'Privacy Rights Request' form in your account Settings.

14. Security

We implement technical and organizational measures to protect your data. See our Security page (/legal/security) for full details. In summary: AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, annual third-party penetration testing, and a responsible disclosure program.

In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of the breach, as required by GDPR. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by displaying a prominent notice on the platform at least 30 days before the change takes effect. The 'Last updated' date at the top of this policy will reflect the most recent revision.

Your continued use of ExecCortex after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the platform and may request deletion of your data.

16. Contact Us

Privacy inquiries: privacy@execcortex.com

Data Protection Officer: dpo@execcortex.com

Mailing address: ExecCortex, Inc., Legal Department, [Address]

If you are an EU resident and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your national data protection authority (Supervisory Authority).

Questions about this document?
We respond within one business day.
support@execcortex.com