Cortex
Book a call

Legal

Privacy Policy

Last updated: May 4, 2026

We're a small team. We try to handle your data the way we'd want ours handled. This page is the plain-English version of what we collect, why, and what you can do about it. Email hello@crimsonflux.ai if anything's unclear.

Who we are

"Cortex" refers to the website at crimsonflux.ai and the marketing engagements operated by Operator Pvt Ltd, registered in Bangalore, India. We are the data controller for this site.

What we collect on this site

This is a static marketing site. By default, visiting it leaves only the request data your browser sends to our hosting provider (Vercel) — IP, user-agent, referrer, requested path, response status. We do not set tracking cookies. We do not run third-party advertising tags.

If you click Book a strategy call, you'll be taken to Calendly. Calendly's own privacy practices apply once you're there. Same for mailto: links — they open your email client; we don't intercept anything in transit.

Why we collect it

  • Operate the site. Logs let us debug outages and prevent abuse. We do not enrich them with third-party identity data.
  • Talk to you. If you email us or book a call, we keep that conversation thread and any meeting notes for as long as we're in touch.
  • Run engagements. If you become a client, the data you give us during onboarding (ICP, target titles, products, competitive context) is used inside our internal Cortex platform to generate your weekly packages — and nowhere else.

Who we share it with

Sub-processors we use to run the business:

  • Vercel — hosting and edge logs.
  • Cloudflare — DNS and edge security (if/when configured).
  • Google Workspace — email (Gmail) and document storage.
  • Calendly — meeting scheduling.
  • Anthropic, Google Vertex AI, OpenAI — model providers used during package generation. Client material sent to model providers is processed under each provider's enterprise data terms (no training on customer data).
  • Stripe / Razorpay — payments (when applicable).

We do not sell your data. We do not share data with advertising networks. Engagement clients can request the full sub-processor list and signed DPAs by emailing hello@crimsonflux.ai.

How long we keep it

  • Web logs — 30 days at the edge, then aggregated.
  • Email threads — for the duration of our relationship + 24 months, then archived to read-only storage.
  • Engagement workspace data — for the contracted term + a 90-day grace period for export, then deleted on request.

Your rights

Depending on where you live (GDPR, CCPA, India DPDP Act), you have rights to access, correct, port, restrict, or delete the data we hold about you. The simplest path is to email hello@crimsonflux.ai with your request — we'll respond within 30 days.

Security posture

Workstation-level full-disk encryption, password manager + hardware-key 2FA on all admin accounts, principle of least privilege on all sub-processor consoles. The marketing site is static and serves no sensitive data; the engagement workspace runs in our private VPC. Sub-processor security policies (SOC 2, ISO 27001) for the providers above are available on request. We are not yet SOC 2 certified ourselves — that audit is on the roadmap as the engagement business scales.

Changes

Material changes to this policy will be posted here with an updated "Last updated" date. Engagement clients are notified by email at least 14 days before changes that materially affect their data.

Contact

Email hello@crimsonflux.ai. Postal: Operator Pvt Ltd, Bangalore, India (full address available on request).