HQ Cortex

Privacy Policy

Effective date: April 13, 2026 · Last updated: April 13, 2026

HQ Cortex ("HQ Cortex," "we," "us," or "our") operates a manufacturing operations platform for independent brands. This Privacy Policy explains how we collect, use, and share information when you use the website, application, and related services (collectively, the "Service").

This policy describes the providers and data flows reflected in the current service. We intentionally avoid making broader claims than the product and operating model support today.

Definitions

  • "Personal Data" means information that can identify or reasonably relate to a person, such as name, email address, IP address, or account identifiers.
  • "Customer Data" means the business data you or your users enter into the Service, including instructions, ingredients, batches, suppliers, pricing, compliance records, and uploaded files.
  • "Organization" means the workspace or team account that uses the Service.
  • "Sub-Processor" means a third-party service provider that processes data on our behalf in connection with the Service.

1. Information We Collect

Account Data

When you create or access an account, we receive account and authentication information such as your name, email address, and identifiers from Clerk and any sign-in provider you use through Clerk, such as Google.

Organization & Workspace Data

We store workspace details such as organization name, membership, roles, permission assignments, and the records you create inside the product.

Customer Data

You may enter product instructions, ingredients, specifications, supplier information, inventory and batch records, quality data, and related operational information.

Uploaded Files

Files uploaded through the Service are stored using Vercel Blob. In the application, those uploads are associated with the user or organization context that created them.

Usage Data

We collect usage and operational data such as page visits, feature usage, timestamps, browser details, and request metadata needed to operate, troubleshoot, and improve the Service. This may come from application logs and analytics tooling such as Vercel Analytics.

2. How We Use Your Information

  • Provide, maintain, and secure the Service.
  • Authenticate users and manage organizations and permissions.
  • Store and retrieve the records and files you create.
  • Provide customer support and respond to product issues.
  • Operate AI-assisted features when you invoke them.
  • Understand product usage and improve the Service.
  • Comply with legal obligations and enforce our Terms.

3. AI-Powered Features & Data Processing

Some product features use Google Gemini to help with tasks such as chat assistance, label analysis, ingredient enrichment, equipment enrichment, and density-related workflows.

  • AI features are invoked by user actions inside the product.
  • Requests sent to the AI provider contain the prompt, attached files, or record context needed for that feature.
  • AI outputs may be stored in your workspace when the feature is designed to save the result.
  • We do not currently list OpenAI or Anthropic as production AI sub-processors for the shipped implementation in this codebase.

4. Data Sharing & Sub-Processors

We do not sell your Personal Data or Customer Data. We share data with service providers only as needed to operate the Service.

  • Authentication: Clerk for authentication, session handling, and organization membership.
  • Hosting and file storage: Vercel and Vercel Blob.
  • Database: PlanetScale for relational data storage.
  • Rate limiting and ephemeral cache: Upstash Redis to enforce request limits and store short-lived operational state.
  • AI processing: Google Gemini for the AI features described above.
  • Payments: Stripe and related billing tooling only if billing is enabled for your use of the Service.

Legal Disclosures

We may disclose information when required by law or when reasonably necessary to protect the Service, our users, or the public.

5. Data Retention

We retain account data and Customer Data for as long as needed to operate the Service, support customers, satisfy legal obligations, and maintain backups or logs. Exact retention periods may vary by system and provider, so we are not publishing fixed deletion deadlines for every category of data.

6. Cookies & Tracking Technologies

  • We use essential cookies or similar storage for authentication, session management, and core product behavior.
  • We may store product preferences such as theme or interface state.
  • We use product analytics and operational telemetry to understand usage and reliability. Some tooling may not rely on traditional browser cookies.

We do not use the Service to run third-party advertising networks or behavioral advertising.

Our Service does not currently respond to "Do Not Track" browser signals.

7. Your Rights & Choices

Controller and Processor Roles

For account, website, and operational data, HQ Cortex generally acts as a controller or business operator. For Customer Data you store in the Service on behalf of your organization, HQ Cortex generally acts as a service provider or processor.

Requests

Depending on your location and applicable law, you may have rights to request access, correction, deletion, restriction, objection, or export of your Personal Data. Privacy requests should be routed through the support or account contact associated with your workspace.

8. Data Security

We use a combination of application controls and managed service providers to protect data, including authenticated access, server-side permission checks, managed hosting, and HTTPS. For more detail on the current implementation, see our Security page.

No service can guarantee absolute security. If a security incident requires notification under applicable law, we will communicate with affected users and regulators as required.

9. International Data Transfers

HQ Cortex is currently operated using providers that primarily serve the application from the United States, and some providers may process data in other jurisdictions where they operate. If you need specific transfer terms, raise that requirement through your support or account contact.

10. Confidentiality of Customer Data

We treat Customer Data as confidential business information and do not disclose it to other customers. Access to customer workspaces inside the product is intended to remain scoped to the relevant user or organization context.

11. Children's Privacy

The Service is intended for business use and is not directed to children under 18. If you believe a minor has provided Personal Data to us, contact us through your support or account contact.

13. Data Processing Agreement

If your organization needs a Data Processing Agreement before using the Service, request it through your support or account contact. We do not currently publish a separate public mailbox for DPA intake.

14. Changes to This Policy

We may update this Privacy Policy as the product, providers, or legal requirements change. When changes are material, we will provide reasonable notice through the Service or through your account contact.

15. Contact Us

Privacy questions, data requests, and DPA requests should be sent through the support or account channel associated with your workspace. We do not currently publish separate monitored `privacy@hqcortex.com` or `dpo@hqcortex.com` inboxes on this page.