Privacy Policy

Last updated: February 11, 2026

This Privacy Policy explains how NAHNOVA ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Corthex platform ("Service") available at www.corthex.app. We are committed to processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG"), and other applicable data protection legislation.

1. Data Controller

The data controller responsible for your personal data is:

NAHNOVA

Noa Heutz, sole proprietor (eenmanszaak)

KVK (Chamber of Commerce): 82385874

The Netherlands

Email: info@nahnova.com

Website: nahnova.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, profile image (if provided), and organization name. This data is managed through our authentication provider, Clerk.

2.2 Organization & Bot Data

We store your organization settings, bot configurations (name, description, system prompt, model preferences, branding settings), and API key metadata (hashed keys, names, usage timestamps).

2.3 Knowledge Base Content

Documents you upload (PDFs, DOCX files, URLs, plain text) are parsed, chunked, and converted to vector embeddings. The original text chunks and their embeddings are stored in our database, isolated per organization by the Row-Level Security policies described in Section 12.

2.4 Conversation Data

Chat messages between users and your AI assistants are stored to enable conversation history and analytics. This includes message content, timestamps, and the AI model used.

2.5 Billing Data

Payment information (card details, billing address) is collected and processed exclusively by Stripe. We do not store your full payment card details on our servers. We retain your subscription status, plan tier, and billing cycle information.

2.6 Usage & Technical Data

We automatically collect IP addresses (for rate limiting and security), browser type and version, page views and navigation patterns, feature usage metrics, error logs, and performance data.

2.7 End-User Data (Widget Users)

When end-users interact with your embedded AI assistant widget, we collect their chat messages, IP address (for rate limiting only), and conversation metadata. We do not require end-users to create an account.

3. Legal Bases for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including account management, bot deployment, knowledge ingestion, chat functionality, and billing.
  • Legitimate interest (Art. 6(1)(f)): Analytics, fraud prevention, security monitoring, service improvement, and error tracking. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Tax and financial record-keeping obligations under Dutch and EU law.
  • Consent (Art. 6(1)(a)): Where required, such as for non-essential cookies or marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

  • Providing and maintaining the Service
  • Processing your knowledge base documents into vector embeddings for AI-powered retrieval
  • Facilitating AI-powered conversations via our multi-provider system
  • Processing payments and managing subscriptions
  • Generating usage analytics and dashboards for your organization
  • Enforcing rate limits and usage quotas per your subscription plan
  • Detecting, preventing, and addressing security incidents
  • Monitoring application errors and performance
  • Complying with legal obligations
  • Communicating service updates, security alerts, and billing notifications

5. Third-Party Data Processors

We share your personal data with the following categories of third-party processors, each bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR:

  • Clerk. Purpose: authentication & identity. Data processed: name, email, profile image, organization membership. Location: US (SCCs).
  • Supabase. Purpose: database & vector storage. Data processed: all application data, embeddings. Location: EU (eu-west-1).
  • Stripe. Purpose: payment processing. Data processed: payment method, billing address, invoices. Location: US (SCCs).
  • Google (Gemini). Purpose: AI text generation & embeddings. Data processed: chat queries, document text for embedding. Location: US (SCCs).
  • Groq. Purpose: AI text generation. Data processed: chat queries. Location: US (SCCs).
  • OpenAI. Purpose: AI text generation. Data processed: chat queries. Location: US (SCCs).
  • DeepSeek. Purpose: AI text generation. Data processed: chat queries. Location: China (SCCs).
  • Vercel. Purpose: hosting, CDN, analytics. Data processed: page views, performance metrics, logs. Location: US (SCCs).
  • Sentry. Purpose: error tracking & monitoring. Data processed: error traces, session replays (sampled). Location: US (SCCs).
  • Upstash. Purpose: rate limiting. Data processed: IP hashes, API key identifiers, request counts. Location: EU.

"SCCs" refers to Standard Contractual Clauses approved by the European Commission for international data transfers (see Section 7).

6. AI & Data Processing

Corthex uses third-party AI models to provide its core functionality. When you or your end-users send a chat message:

  • The message is sent to one of our AI providers (Google Gemini, Groq, OpenAI, or DeepSeek) along with relevant context retrieved from your knowledge base.
  • AI providers process data to generate responses only. Your data is not used to train or improve their models.
  • Document text is processed by Google Gemini to generate vector embeddings (numerical representations) for similarity search. The embeddings are stored in our EU-hosted database.
  • No automated decision-making with legal or similarly significant effects (Art. 22 GDPR) is performed.

7. International Data Transfers

Your primary data is stored in the European Union (Supabase, eu-west-1 region). However, certain processors are located outside the EEA. For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, executed with each non-EEA processor.
  • Supplementary measures including encryption in transit (TLS 1.2+) and at rest, access controls, and data minimization.
  • Transfer Impact Assessments (TIAs) conducted for each non-EEA processor to evaluate the legal framework in the recipient country.

For DeepSeek (China-based), we conduct enhanced due diligence and supplementary measures. This provider is only used when explicitly selected; it is not a default model.

8. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
  • Knowledge base content: Retained until you delete the source or bot. Permanently removed within 30 days of deletion.
  • Conversation history: Retained for the lifetime of the bot. Deleted when the bot or organization is removed.
  • Billing records: Retained for 7 years after the end of the fiscal year in which the transaction occurred, as required by Dutch tax law (Algemene wet inzake rijksbelastingen).
  • Server logs & error data: Retained for up to 90 days for debugging and security purposes.
  • Rate limiting data: Automatically expires within minutes (sliding window).

9. Your Rights Under the GDPR

As a data subject under the GDPR and UAVG, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Restrict processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, email info@nahnova.com. We will respond within one month, extendable by a further two months for complex or numerous requests, as permitted by Art. 12(3) GDPR. We may request identity verification before processing your request.

10. Cookies & Tracking Technologies

Corthex uses the following cookies and tracking technologies:

  • Strictly necessary cookies: Authentication session cookies (Clerk), CSRF protection tokens. These are essential for the Service to function and do not require consent.
  • Analytics: Vercel Web Analytics and Speed Insights collect anonymized page view and performance data. These are privacy-friendly and do not use persistent identifiers.
  • Error monitoring: Sentry may collect session replay data (sampled at 5%) for error reproduction. This data is anonymized and retained for up to 90 days.

We do not use advertising cookies, social media trackers, or cross-site tracking pixels. We do not sell your data to third parties.

11. Children's Privacy

Corthex is a B2B platform designed for businesses and professionals. We do not knowingly collect personal data from children under 16 years of age (the Dutch age of digital consent per Art. 8 GDPR and the UAVG). If we discover that we have collected data from a child under 16, we will delete it promptly. Please contact us at info@nahnova.com if you believe a child has provided us with personal data.

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Row-Level Security (RLS) policies on all database tables ensuring strict multi-tenant data isolation
  • API key hashing (SHA-256): we never store plaintext API keys
  • Rate limiting to prevent abuse and brute-force attacks
  • Webhook signature verification (Svix) for all incoming webhooks
  • Regular security monitoring via Sentry error tracking
  • Principle of least privilege for database and service access

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account or through a prominent notice on the Service. Continued use of the Service after such notification constitutes acceptance of the updated policy. We encourage you to review this page periodically.

14. Contact & Complaints

For privacy-related questions or to exercise your rights:

NAHNOVA - Privacy Inquiries

Email: info@nahnova.com

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens

PO Box 93374, 2509 AJ The Hague

Website: autoriteitpersoonsgegevens.nl

Phone: +31 (0)70 888 8500

This Privacy Policy is governed by the laws of the Netherlands and the European Union. For our full terms of use, see our Terms of Service.