This Privacy Policy explains how Perfect Paradox Ltd handles personal data in connection with C0RTEX, our cloud-hosted, subscription AI customer-support chatbot service (the "Service"), and our website.
It is issued in compliance with:
The EU GDPR may also apply where we offer the Service to, or monitor, individuals in the EEA.
C0RTEX is a managed cloud service: we host an isolated Instance of C0RTEX for each Customer and operate it on their behalf. This means we handle personal data in two distinct capacities:
(a) As a data controller — for the limited personal data we collect to run our business and the Customer relationship (e.g. account, billing-contact, support, and website data). This Privacy Policy covers that processing.
(b) As a data processor — for the data inside a Customer's Instance ("Instance Data": the Customer's Knowledge Base, End User conversations, and derived embeddings). For that data, the Customer is the data controller and we process it on the Customer's documented instructions under the Data Processing Agreement (DPA). If you are an End User (e.g. a visitor chatting on a business's website), the business operating that Instance is the controller of your data; please consult that business's own privacy notice, and see Section 9 below for how we handle Instance Data as a processor.
| Category | Data | Purpose | Lawful basis |
|---|---|---|---|
| Account data | Name, email, organisation name, login credentials | Account creation and management | Contract (Art. 6(1)(b) UK GDPR) |
| Billing/transaction data | Billing contact, plan, transaction history, invoices (payment handled by Paddle) | Subscription billing and tax records | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for record-keeping |
| Support/communication data | Emails, support tickets, correspondence with our team | Providing customer support and improving the Service | Legitimate interests (Art. 6(1)(f)) |
| Website/usage data | IP address, browser type, pages visited, referral source, essential analytics | Operating, securing, and improving our website and Service | Legitimate interests (Art. 6(1)(f)) |
We do not sell your personal data, we do not use it for third-party advertising, and we do not use it to train general-purpose AI models.
We use the personal data in Section 2 to:
(a) provide, maintain, and improve the Service and our website;
(b) manage your account, subscription, and the free trial;
(c) communicate service notices, security alerts, and support responses;
(d) handle billing in conjunction with Paddle (our Merchant of Record), and meet tax/accounting obligations;
(e) protect against fraud, abuse, and security threats; and
(f) comply with legal obligations.
We do not carry out advertising profiling, sell or rent your data, or use account/support data for automated decision-making that produces legal or similarly significant effects.
We share personal data with service providers ("processors") who act on our instructions, and with payment and infrastructure providers, including:
| Recipient | Role | Data shared | Notes |
|---|---|---|---|
| Paddle (Paddle.com Market Ltd) | Merchant of Record / payments reseller | Billing contact, transaction data | Paddle is the seller of record and handles payment and VAT; subject to Paddle's own terms and privacy notice. Acts at controller level for billing |
| Hostinger (UAB Hostinger / Hostinger International Ltd) | Hosting of the Service and Instances | Account data; Instance Data (as sub-processor — see DPA) | European Union (Lithuania); UK adequacy (EU member state) |
| Anthropic PBC (Claude Haiku API) | Generation of chatbot responses | Query context derived from Instance Data | United States; UK International Data Transfer Agreement (IDTA) |
| Resend (Resend, Inc.) | Transactional email delivery (account and, where configured, Instance-related notifications) | Email address, message content | United States; UK IDTA / UK Addendum to EU SCCs. Acts as sub-processor for any Instance Data sent by email — see DPA |
We may also disclose personal data where required by law, regulation, or court order, or to establish, exercise, or defend legal claims.
We are based in the United Kingdom. Some recipients (e.g. Paddle, our LLM provider, and our transactional email provider) may process personal data outside the UK. Where we transfer personal data outside the UK, we rely on an appropriate safeguard, such as a UK adequacy regulation, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), together with a transfer risk assessment where required. Our hosting provider, Hostinger, is located in the European Union (Lithuania), which benefits from UK adequacy as an EU member state. Details of the specific mechanisms used for the Service are set out in the DPA.
| Category | Retention | Basis |
|---|---|---|
| Account data | Duration of subscription + 30 days (post-cancellation deletion) | Contract |
| Billing/transaction data | 6 years after the relevant tax year (UK statutory) | UK tax/accounting law |
| Support/communication data | 24 months from last contact | Legitimate interests |
| Website/usage data | Up to 26 months; anonymised/aggregated thereafter | Legitimate interests |
Retention of Instance Data (where we act as processor, including End User conversation logs) is governed by the DPA and the Customer's instructions; see Section 9.
Under the UK GDPR you have the following rights: access; rectification; erasure; restriction; data portability; objection (including to processing based on legitimate interests); and, where processing relies on consent, withdrawal of consent at any time. You also have the right to lodge a complaint with the ICO.
To exercise these rights in relation to data for which we are the controller, contact us at info@perfectparadox.co.uk. We will respond within one calendar month (extendable where permitted).
If your request concerns data inside a Customer's Instance (where we act as processor), we will direct you to the relevant Customer (the controller) and assist them as required by the DPA.
Our website uses strictly necessary cookies for core functionality and may use limited analytics cookies. Non-essential cookies are set only with your consent in accordance with PECR. You can manage your preferences through our cookie banner/settings. The embedded C0RTEX Widget uses only the storage strictly necessary to maintain a conversation session and does not set third-party advertising or cross-site tracking cookies on End Users' devices.
When we host a Customer's Instance, we process Instance Data — including End User conversations and personal data that End Users may include in chats — only to provide the Service and only on the Customer's documented instructions, under the DPA. In that context:
If you are an End User and have questions about how your chat data is used, please contact the business whose website you used the Widget on.
We implement appropriate technical and organisational measures, including encryption in transit (TLS 1.2+), encryption at rest for stored personal data (AES-256-GCM, via gocryptfs on per-client encrypted volumes), access controls on a least-privilege basis, logging, and a documented incident-response procedure. Further detail on measures applicable to Instance Data is in the DPA.
C0RTEX is a business-to-business product and is not directed at children. We do not knowingly collect personal data from children. Customers whose Instances may interact with End Users under 18 are responsible for compliance with applicable children's-data rules, including the ICO Age Appropriate Design Code where relevant.
We are developing SYN4PSE, a voice telephone receptionist product that will involve call handling, call recording, and speech-to-text transcription. When launched, SYN4PSE will be subject to additional privacy terms and consent requirements (including under PECR for call recording). This Privacy Policy will be updated, and additional notices provided, before SYN4PSE processing begins.
We may update this Policy from time to time. We will notify you of material changes by email or through the Service at least thirty (30) days before they take effect, where practicable. The "Last Updated" date indicates the latest revision.
Privacy contact
Perfect Paradox Ltd (Company Number NI739317)
36 Manse Gate, Newtownards, BT23 4DG, Northern Ireland, United Kingdom
Email: info@perfectparadox.co.uk
We have assessed that a statutory Data Protection Officer is not currently mandatory for our processing; this will be reassessed upon SYN4PSE launch or the addition of health-sector clients. Privacy enquiries should be sent to the address above.
Supervisory authority
Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — https://ico.org.uk — Tel: 0303 123 1113. Our ICO registration reference is C1898593.