Your data
Privacy policy
This policy explains what information Agentic Design uses, why it is needed, and the choices available to you.
Last updated: 15 July 2026
Who is responsible for your data
KORTEXYA SAS, 2 T Chemin des Juifs, 57070 Mey, France, is the data controller for Agentic Design. Privacy questions and rights requests can be sent to contact@kortexya.com. See the legal notice for full company details.
Information we process
- Account data: email address, name if provided, authentication identifiers, and account preferences.
- Subscription data: plan, billing status, Stripe customer and subscription references, and transaction metadata. We do not receive your full card number.
- Product data: learning progress, saved projects, workshop activity, evaluations, prompts, or audit material you choose to store.
- Support data: messages and the contact details you use when asking for help.
- Technical data: IP address, browser/device details, timestamps, security events, and server logs needed to operate and protect the service.
- Usage analytics: page views, coarse performance measurements, and bounded product-event properties used to produce aggregate reports when analytics is enabled. Search text, prompt text, AI output, API keys, and raw error messages or stack traces are not intentionally sent to analytics.
AI requests and your API key
Text submitted to an AI-powered tool is sent to the model provider selected for that request. Managed requests may be processed by Anthropic or OpenRouter and the model provider identified in the product. OpenRouter requests explicitly require routes that deny provider data collection and support zero data retention; the request fails if no compliant route is available. Direct provider processing remains subject to that provider's terms. Do not submit confidential or personal data unless you are authorised to do so.
If you use your own provider key, the key is kept in account-scoped browser session storage and is sent with the request when needed. Agentic Design does not intentionally save that key in its database or application logs. Signing out, switching accounts, closing the browser session, or removing it in Settings clears the browser copy.
Why we use information
- To create and secure your account and deliver the service you requested (performance of our contract).
- To process subscriptions, keep financial records, and meet tax or accounting duties (contract and legal obligations).
- To prevent abuse, diagnose failures, and improve reliability (our legitimate interests in operating a secure service).
- To answer support requests (contract and legitimate interests).
- To send optional communications or use non-essential tracking only where consent is required and obtained.
Service providers and transfers
We use service providers only as needed to run Agentic Design. These may include Supabase (authentication and data infrastructure), Stripe (payments), Plausible (analytics), Resend (transactional email), OVHcloud (hosting), and Anthropic or OpenRouter (AI inference). Their own policies govern data they process as independent controllers; otherwise they act under contractual instructions.
Some providers may process data outside the European Economic Area. Where required, we rely on an adequacy decision or approved contractual safeguards. Contact us for information about the safeguards relevant to your data.
Retention and deletion
Our default retention schedule is: account and stored product data for the life of the account; technical and security logs for up to 12 months from the event; support correspondence for up to three years after the request closes; and invoices, transaction records, and associated accounting evidence for up to 10 years where French tax or accounting law requires it. A documented security incident, dispute, or legal hold may require the relevant records to be kept longer, but only for that purpose.
You can request account deletion by emailing contact@kortexya.com from your account address. After identity verification, account and product records are deleted or irreversibly anonymised, except for the limited records described above. Encrypted backup copies are isolated from normal use and expire through the backup rotation within 90 days. If a provider must retain data for us, the same deletion instruction and applicable retention exception are passed to that provider.
Cookies and browser storage
Agentic Design uses essential cookies for authentication and security, local browser storage for non-secret preferences, and account-scoped session storage for an optional bring-your-own API key. Plausible is configured as a privacy-focused analytics service and is not used for behavioural advertising. We do not intentionally use third-party advertising cookies.
Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or transfer your personal data; object to processing based on legitimate interests; and withdraw consent at any time. You may also complain to the CNIL or your local data-protection authority. Exercising a right is free unless a request is manifestly unfounded or excessive.
Changes to this policy
We will update the date above when this policy changes. If a change materially affects how we use account data, we will provide an appropriate notice in the service or by email.