Privacy policy

Updated: March 8th, 2026

More info in our Compliance Center

Thank you for using Cortena, a service provided by Cortena B.V. ("we," "us," or "our"). We value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), where applicable. By accessing or using the Service, you agree to the practices described in this Privacy Policy.

1. Purpose

To explain what personal data we process, why we process it, and what rights individuals have.

2. Scope

This policy applies to:

  • website visitors
  • platform users
  • contacts who communicate with Cortena (support, sales, procurement)

3. Roles (GDPR)

In most cases:

  • Customer is the Controller
  • Cortena is the Processor

4. Personal Data We Process

4.1 Data You Provide

  • name, email, job title, company name
  • messages and support requests
  • content you upload or provide in the platform (e.g., invoices, guidelines/instructions)

4.2 Data From Integrations (If Enabled)

  • accounting and export-related data (e.g., DATEV, Exact Online)
  • bank transaction references (via PSD2 provider where enabled)
  • inbound invoice emails (if customer routes invoices by email)

4.3 Technical and Usage Data

  • device/browser information, IP address
  • security and operational logs
  • website usage data (where applicable)

5. Why We Process Data

We process data to:

  • provide and operate the service
  • perform automation tasks you enable (extraction, matching, analysis, export)
  • maintain security and reliability
  • provide customer support
  • meet legal obligations where applicable

6. Legal Bases (GDPR)

Depending on context:

  • contract performance
  • legitimate interests (security, reliability)
  • consent (e.g., marketing where applicable)
  • legal obligations

7. Sharing of Data

We share data only with:

  • authorized Cortena personnel (restricted access)
  • approved sub-processors needed to provide the service (see Sub-processors)

8. International Transfers

Core application data is stored and processed in Germany.

Some sub-processors may process limited data in other jurisdictions (e.g., inbound email routing or banking connectivity). Where transfers outside the EU/EEA occur, Cortena applies appropriate safeguards where required (e.g., Standard Contractual Clauses).

9. Retention

We retain personal data only as long as needed for:

  • providing the service
  • security and auditability
  • support and operational purposes
  • legal obligations

As a general guideline, customer data is retained for up to 90 days following the end of a subscription, after which it is securely deleted or anonymised in accordance with our Data Deletion Procedure. See also the Backup Retention Policy.

10. Security

We apply encryption, restricted access, secure development practices, and audit logging. See "Security Measures".

11. Your Rights

Depending on jurisdiction:

  • access, correction, deletion
  • restriction, portability, objection

Request via: dpo@cortena.ai

We may verify identity and authority.

12. Updates

We may update this policy and communicate significant changes.

13. Contact