Privacy Policy

The points below summarize the policy in plain language. They do not replace the full text, but they describe how Corteksa actually behaves.

• We do not sell personal data and we do not share it with third parties for their own advertising.
• We do not track you across other companies’ apps or websites. The iOS application does not request App Tracking Transparency permission.
• Your workspace data belongs to your organization.MOONTIJ acts as a data processor for the data you put into Corteksa.
• Mobile permissions are opt-in and purposeful.The app asks for camera, photo library, microphone, contacts, location, and biometrics only when you use a feature that needs them.
• You can export or delete your data at any time from the workspace or by emailing legal@corteksa.com.

1. Who we are

Corteksa is a Software-as-a-Service customer relationship management platform owned and operated by MOONTIJ LLC, a limited liability company organized under the laws of the State of New Mexico, United States of America (NM Entity ID 7422415), with its registered office at 2201 Menaul Blvd NE, STE A, Albuquerque, NM 87107, USA. MOONTIJ LLC is the legal entity responsible for the Service and is the data controller of the limited personal data we collect about Corteksa account holders and website visitors. For the personal data that customers enter into their Corteksa workspaces about their own clients, contacts, leads, or employees, MOONTIJ LLC acts as a data processor on behalf of the customer.

2. What this policy covers

This policy applies whenever you:

• visit www.corteksa.com or any Corteksa subdomain;
• register for, configure, or access a Corteksa workspace;
• install or use the Corteksa application on iOS or Android;
• integrate Corteksa with a third-party service such as a messaging channel or calendar;
• communicate with our sales, support, or legal teams.

3. Applicable laws

Corteksa is designed to comply with, and is interpreted in light of, the following frameworks:

• GDPR (Regulation (EU) 2016/679) for users in the European Union and European Economic Area;
• UK GDPR and Data Protection Act 2018 for users in the United Kingdom;
• CCPA / CPRA for California residents;
• PDPL (Personal Data Protection Law of the Kingdom of Saudi Arabia) for users in Saudi Arabia;
• COPPA (United States) for the protection of children under 13;
• The Apple App Store Review Guidelines and the Google Play Developer Program Policies, in particular their privacy, permissions, and data-disclosure requirements.

4. Definitions

• Personal Data — information relating to an identified or identifiable individual.
• Processing — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• Customer — the organization that has subscribed to Corteksa and owns the workspace.
• End User — an individual employee, contractor, or agent invited to a Corteksa workspace by the Customer.
• Data Controller — the entity that determines the purposes and means of processing.
• Data Processor — the entity that processes personal data on behalf of a Controller.
• Customer Data — the records, contacts, files, and messages a Customer or End User uploads to their workspace.

5. Account information

• Full name, email address, and (optionally) phone number;
• Company name, job title, and department;
• Username and password (passwords are stored as one-way salted hashes; we never store passwords in plain text);
• Profile photo, if you choose to upload one.

6. Workspace and usage data

• Workspace name, subdomain, and configuration settings;
• User roles, permissions, and authentication logs;
• Activity logs such as logins, feature usage, and timestamps;
• IP address, device type, operating system, and browser or app version;
• Mobile device identifiers used solely for push-notification delivery (APNs token on iOS, FCM token on Android).

7. Customer Data

Customer Data is the content that a Customer or its End Users enter into a Corteksa workspace. It may include:

• Contact information of leads, customers, partners, and employees;
• Sales pipeline data, deal records, project records, and custom record types;
• Notes, documents, attachments, and generated contracts or invoices;
• Messages exchanged through integrated channels (WhatsApp, Instagram, Messenger);
• Custom fields and metadata defined by the Customer.

MOONTIJ processes Customer Data only as instructed by the Customer and only to provide, secure, and support the Service.

8. Communication data

• Email correspondence with our support, sales, and legal teams;
• In-app messages, feedback forms, and support tickets;
• Recordings or transcripts of voice messages you choose to send through the platform.

9. Payment data

Payments are processed by third-party payment service providers. MOONTIJ receives only billing metadata such as the billing address, the masked card identifier (last four digits and brand), the transaction amount, and the invoice history. We do not store full card numbers, expiry dates, or CVV codes on our infrastructure.

10. Sources of data

• Directly from you when you register, configure your workspace, or contact us.
• Automatically through cookies, application logs, and usage analytics.
• From your workspace administrator when you are invited as an End User.
• From third-party integrations when you authorize Corteksa to read from or write to another service.

11. Lawful bases for processing

We rely on the following lawful bases under GDPR and equivalent frameworks:

• Performance of a contract — to deliver the Service you or your organization have subscribed to;
• Consent — for non-essential cookies, marketing communications, and optional integrations;
• Legitimate interests — to keep the Service secure, prevent fraud, improve our product, and communicate with active customers;
• Legal obligation — to comply with tax, accounting, and other regulatory requirements.

The Corteksa mobile applications for iOS and Android are companion clients of the Corteksa platform. The list below describes every device-level permission the apps may request, why each one is needed, and the consequence of declining it. You can change any of these permissions at any time from your device’s system settings.

12. Permissions and their purposes

13. On-device data and local storage

The app caches the records, messages, and attachments you have opened recently so the experience remains responsive with limited connectivity. This cache is stored in the app’s sandboxed container on your device. On iOS, authentication tokens are stored in the iOS Keychain. On Android, they are stored in the Android Keystore. The cache and stored tokens are cleared when you sign out or uninstall the app.

14. App Tracking Transparency (iOS)

Corteksa does not track you across other companies’ apps or websites. The Corteksa iOS application therefore does not request App Tracking Transparency permission and does not access the Identifier for Advertisers (IDFA). We do not use the SKAdNetwork advertising-attribution framework.

15. Children and the mobile apps

The Corteksa mobile applications are business tools intended for use by individuals 16 years of age and older, or 13 years of age and older with verifiable consent from a parent or legal guardian where permitted by law. The apps are not directed to children, are not included in any “Kids” category, and do not contain advertising directed at children.

16. Account deletion from the apps

In line with Apple App Store and Google Play requirements, you can request deletion of your account directly from within the mobile apps under Settings → Account → Delete account, or by emailing legal@corteksa.com. Deletion is processed within 30 days, subject to legal retention obligations described in Section 25.

The following table mirrors the categories declared for the Corteksa iOS application in Apple App Store Connect. It is reproduced here so that App Store reviewers and users can verify the correspondence between the in-product declaration and this Privacy Policy.

17. Purposes of processing

• Service delivery — to create accounts, host workspaces, deliver messages, and provide CRM functionality.
• Authentication and security — to verify identity, detect abuse, and protect accounts from unauthorized access.
• Customer support — to respond to inquiries and resolve technical issues.
• Billing and accounting — to process subscription fees and issue invoices.
• Product improvement — to analyze aggregate usage patterns and develop new features.
• Legal and regulatory compliance — to meet our obligations under applicable laws.

18. Automated processing and AI features

Corteksa offers optional AI-assisted features such as Cortex AI, the WhatsApp-driven assistant that can create tasks or update records, as well as suggestions, lead scoring, and workflow automation. These features operate only on the Customer Data of the workspace in which they are invoked, do not produce decisions with legal effect, and can be disabled by the workspace administrator. AI outputs are never used to train models that are exposed to other Customers.

19. Cookies and similar technologies

On our websites we use a small number of cookies:

• Essential cookies — required for authentication, security, and basic site functionality.
• Preference cookies — to remember your locale, theme, and other display settings.
• Analytics cookies — to understand which pages are useful and improve them. These are loaded only with your consent in jurisdictions where consent is required.

You can control cookies through your browser settings. The mobile apps do not use cookies.

20. Marketing communications

We may send you product announcements and educational content if you are an active customer or have opted in. You can opt out at any time by clicking the “unsubscribe” link in any marketing email, updating preferences in your account, or contacting support@corteksa.com.

21. Sharing with third parties

MOONTIJ does not sell personal data. We share data only with the following categories of recipients, each bound by a written data processing agreement:

• Cloud infrastructure providers that host the platform, its databases, and backups.
• Payment processors that handle subscription billing.
• Communication providers that deliver email, SMS, push notifications (Apple Push Notification service on iOS, Firebase Cloud Messaging on Android), and the messaging channels you integrate.
• Customer-support and ticketing tools we use to respond to inquiries.
• Professional advisers such as auditors, accountants, and lawyers when reasonably required.
• Legal authorities when required by law or to protect our rights, our users, or the public.
• Successor entities in the event of a merger, acquisition, or sale of assets, with notice to affected users.

A current list of the sub-processors we engage is available on request to legal@corteksa.com.

22. International transfers

Personal data may be transferred to and processed in countries other than your country of residence, including the United States. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the United Kingdom’s International Data Transfer Addendum, and adequacy decisions, supplemented by technical and organizational measures such as encryption in transit and at rest.

23. Ownership of Customer Data

Customers retain ownership of all Customer Data they upload to Corteksa. MOONTIJ acts solely as a data processor of that data and processes it only on the Customer’s documented instructions.

24. Aggregated and anonymized data

We may generate aggregated, de-identified statistics about how Corteksa is used (for example, the number of workspaces created in a month). Aggregated data cannot reasonably be used to identify an individual and is not considered personal data.

25. Retention

• Active accounts — retained for the duration of the subscription.
• Terminated accounts — Customer Data is deleted within 30 days of termination unless the Customer requests an earlier deletion.
• Backups — purged within 90 days of deletion of the live data.
• Billing records — retained for up to seven years to comply with tax and accounting laws.
• Support and security logs — retained for up to two years.

26. Deletion and account removal

You may delete your account at any time from Settings → Account → Delete account in the web application or the mobile apps, or by emailing legal@corteksa.com. Once a deletion request is processed, all associated personal data is removed from live systems within 30 days and from backups within 90 days, except for records we must retain to comply with legal obligations.

27. Portability and export

You have the right to export your data in a structured, machine-readable format. Self-service export is available inside the workspace for the most common record types. For a complete export, contact support@corteksa.com and we will fulfil the request within 30 days.

28. Data residency

Customer Data is stored in geographically distributed data centers operated by our infrastructure providers. Enterprise customers may request specific data-residency configurations subject to availability and additional fees.

29. Rights of data subjects

Depending on your jurisdiction, you have some or all of the following rights:

• Right of access — to obtain a copy of the personal data we hold about you.
• Right to rectification — to correct inaccurate or incomplete data.
• Right to erasure — to request deletion of your data.
• Right to restrict processing — to limit how we use your data.
• Right to data portability — to receive your data in a portable format.
• Right to object — to certain processing activities, such as direct marketing.
• Right to withdraw consent — where processing is based on consent.
• Right to lodge a complaint — with your local data-protection authority. In Saudi Arabia, this is the Saudi Data and AI Authority (SDAIA).
• Right not to be subject to solely automated decisions — with legal or similarly significant effect.

30. How to exercise your rights

We may ask for additional information to verify your identity before fulfilling a request, in order to protect the data of the individual to whom the request relates.

31. Customer responsibilities

Where you act as the data controller of the data you process inside Corteksa, you are responsible for obtaining any necessary consents, providing the required notices to your End Users, responding to data-subject requests they direct to you, and complying with applicable data-protection laws. MOONTIJ will support you with reasonable cooperation as part of the Service.

32. Region-specific notes

European Union, EEA, and United Kingdom. You have the full set of GDPR / UK GDPR rights listed above. For complaints, you may contact your national supervisory authority.

California. Under the CCPA and CPRA, California residents have the right to know what personal information is collected, to access and delete it, to correct it, and to opt out of the sale or sharing of personal information. MOONTIJ does not sell or share personal information for cross-context behavioral advertising.

Saudi Arabia. Under the PDPL, you have the right to be informed, to access your data, to request correction or deletion, and to object to processing. Complaints may be filed with the Saudi Data and AI Authority (SDAIA).

33. Security program

MOONTIJ maintains an Information Security Program aligned with the principles of ISO/IEC 27001 and SOC 2. The controls below describe how we protect your data in practice.

34. Technical safeguards

• Encryption in transit using TLS 1.2 or higher;
• Encryption at rest using AES-256 for production databases and backups;
• Multi-factor authentication for administrative access;
• Network controls including firewalls, isolated subnets, and intrusion detection;
• Vulnerability management including regular dependency scans and periodic penetration testing;
• Secure development including code review, automated testing, and a defined release process.

35. Organizational measures

• Mandatory security and privacy training for all staff;
• Background checks for employees with access to production data;
• Confidentiality and non-disclosure agreements for all personnel and contractors;
• A documented incident-response plan with defined roles and escalation paths.

36. Access control

• Principle of least privilege for all internal access;
• Regular access reviews and prompt revocation when roles change;
• Role-based access control inside every workspace, configurable by the Customer.

37. Incident response

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where required, within 72 hours of becoming aware of it, and we will inform affected users without undue delay.

38. Third-party links and services

Corteksa may contain links to, or integrations with, third-party websites and services. Their privacy practices are governed by their own policies, which we encourage you to review.

39. Children’s privacy

Corteksa is a business tool and is not directed to children. We do not knowingly collect personal data from children under 13 (or under 16 in jurisdictions where that higher threshold applies). If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

40. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through email to registered users, in-app notifications, or a prominent notice on our website. The effective date at the top of this page reflects the most recent update.

41. Contact information

For any question, request, or complaint relating to this Privacy Policy or to the way MOONTIJ processes personal data, please contact us:

42. Governing law

This Privacy Policy is governed by the laws of the State of New Mexico, United States of America, without regard to its conflict-of-laws principles, except where a mandatory provision of the law of your country of residence applies. Disputes are resolved in accordance with the dispute-resolution provisions of the Corteksa Terms of Service.

43. Acknowledgement

By using Corteksa, you acknowledge that you have read, understood, and agreed to be bound by this Privacy Policy. This Privacy Policy constitutes a binding agreement between you and MOONTIJ LLC with respect to the processing of personal data.