Privacy Policy

Effective date: 10 March 2026 Last updated: 10 March 2026
DRAFT — Subject to legal review before publication.

1. Introduction

Cortiva Ltd ("we", "us", "our") operates Cortiva HQ, a commercial agent management platform. This Privacy Policy explains what personal data we collect, how we use it, and your rights.

2. Data Controller

Cortiva Ltd is the data controller for personal data processed in connection with your use of Cortiva HQ. For data processed by your agents on your behalf, you are the data controller and we are the data processor (see our Data Processing Agreement).

3. Data We Collect

3.1 Account Data

  • Name, email address, company name
  • Billing address and payment method (processed by our payment provider)
  • Role and team membership

3.2 Usage Data

  • Feature usage and interaction events (anonymised)
  • Agent deployment counts and operational metrics
  • Error logs and performance telemetry

3.3 Support Data

  • Support tickets and correspondence
  • Feedback and survey responses

3.4 Cookies and Analytics

  • Session cookies (essential for authentication)
  • Analytics cookies (optional — see our Cookie Policy)

4. How We Use Your Data

We use personal data to:

  • Provide and maintain the Service
  • Process payments and manage subscriptions
  • Send service-related communications (outage notices, billing)
  • Improve the Service through aggregated, anonymised analytics
  • Respond to support requests
  • Comply with legal obligations

We do not sell personal data to third parties.

5. Legal Basis (GDPR)

PurposeLegal basis
Providing the ServicePerformance of contract
Billing and paymentsPerformance of contract
Service communicationsLegitimate interest
Analytics (anonymised)Legitimate interest
Marketing (opt-in only)Consent
Legal complianceLegal obligation

6. Data Sharing

We share personal data only with:

  • Payment processors (Stripe) — to process subscription payments
  • Infrastructure providers (cloud hosting) — to operate the Service
  • Legal authorities — when required by law

All third-party processors are bound by data processing agreements.

7. Data Retention

  • Account data: retained for the duration of your account, plus 30 days after closure.
  • Usage telemetry: aggregated and anonymised within 90 days.
  • Support correspondence: retained for 2 years after resolution.
  • Billing records: retained for 7 years (legal requirement).

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest (AES-256), access controls, and regular security reviews.

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Port your data to another service
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where consent is the legal basis)

To exercise these rights, contact [email protected].

10. International Transfers

If we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

11. Children

The Service is not directed at individuals under 18. We do not knowingly collect data from children.

12. Changes to This Policy

We will notify you of material changes at least 30 days before they take effect.

13. Contact

Data Protection Officer: [email protected]

If you are unsatisfied with our handling of your data, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.