Cortiqa

Data Privacy

Your code is yours.
Your data is yours.
Period.

AI companies have a trust problem. Many use customer data to train their models, store inputs indefinitely, or share information with third parties. We do none of that.

This page explains exactly what data we collect, how we process it, where it goes, and what we never do. No legal jargon. Plain language.

Last updated: January 2026

Our commitments

We do not train on your code

Your source code, prompts, and generated outputs are never used to train, fine-tune, or improve our AI models. This is not a default setting you need to opt out of. It is how we operate. It is in our terms of service and in every enterprise contract we sign.

We do not sell your data

We do not sell, license, or share your data with third parties for any purpose — not for advertising, not for analytics, not for model training. Your data exists to serve you and only you.

We do not store your source code

When you use Cordenex, your code is processed to generate responses and then discarded. We do not retain copies of your source files, your project structure, or the code we generate for you. On self-hosted plans, your code never leaves your infrastructure at all.

We minimize what we collect

We collect only what is necessary to operate the service — account information, usage metrics, and error logs. We do not collect telemetry about your codebase, your file contents, or your development patterns unless you explicitly opt in.

We give you control

You can export your data, delete your account, and request removal of all associated information at any time. Enterprise customers can self-host the entire system, meaning we never see any of your data in the first place.

How Cordenex processes your code

When you use Cordenex, code needs to be analyzed to generate useful responses. Here is exactly what happens at each step.

01. You run a command

You type a Cordenex command in your terminal — a code generation request, a debug command, or a refactoring instruction.

02. Local context is gathered

Cordenex reads relevant files from your project locally on your machine. It identifies file structure, dependencies, and patterns needed to generate an accurate response. This scanning happens entirely on your device.

03. A minimal payload is sent

Only the context necessary for the specific request is sent to our processing servers — not your entire codebase. The payload is encrypted in transit using TLS 1.3. On self-hosted plans, this step happens on your own infrastructure and nothing is sent externally.

04. The response is generated

Our system processes the request and generates the code, explanation, or debug analysis. The response is sent back to your terminal, encrypted in transit.

05. Everything is discarded

After the response is delivered, the input context and generated output are deleted from our servers. We do not retain copies. We do not log the content of requests or responses. Only metadata — timestamp, request type, response time — is kept for operational purposes.

What we collect and what we do not

We collect

  • Account information — name, email, organization
  • Billing information — processed by Stripe; we do not store card numbers
  • Usage metrics — number of commands, request types, response times
  • Error logs — when something fails, we log the error type (not your code)
  • Device metadata — OS, CLI version, for compatibility and debugging
  • Opt-in analytics — only if you explicitly enable telemetry

We never collect

  • Your source code or file contents
  • Your project structure or directory listings
  • The content of your prompts or commands (after processing)
  • Generated code outputs (after delivery)
  • Your Git history, commits, or branches
  • Environment variables, secrets, or API keys
  • Browsing data, keystrokes, or screen content
  • Data from other applications on your machine

AI model training

This is the question most developers and organizations care about the most, so we will be very specific.

Our position on training

  • Your code inputs are not used to train our models
  • Your generated outputs are not used to train our models
  • Your prompts and commands are not used to train our models
  • Your usage patterns are not used to train our models
  • No customer data of any kind is used for model training
  • This applies to all plans — free, paid, and enterprise
  • This is contractually guaranteed in our terms of service
  • Enterprise customers receive this commitment in their MSA

Our models are trained on publicly available, properly licensed datasets. We maintain a clear separation between our training pipeline and our production systems that handle customer data. These systems do not connect to each other.

If this ever changes — and we do not anticipate that it will — we would notify every customer in advance and require explicit opt-in consent. We would never retroactively apply a policy change to data that was collected under different terms.

Data handling by plan

| | Free / Pro | Enterprise (cloud) | Enterprise (self-hosted) |
|---|---|---|---|
| Code leaves your machine | Minimal context only | Minimal context only | No |
| Code stored on our servers | Never | Never | N/A — your servers |
| Used for model training | Never | Never | Never |
| Encryption in transit | TLS 1.3 | TLS 1.3 | Your configuration |
| Data residency options | US by default | US, EU, APAC | Your choice |
| Audit logging | Basic | Full with export | Full — local |
| Data deletion on request | Yes | Yes | You control it |
| Third-party sub-processors | Listed below | Listed below | None |

Sub-processors

These are the third-party services that process some portion of your data when you use Cortiqa cloud products. Self-hosted enterprise deployments do not involve any third-party sub-processors.

| Provider | Purpose | Data involved | Location |
|---|---|---|---|
| AWS | Infrastructure and compute | Encrypted request processing | US, EU |
| Stripe | Payment processing | Billing information only | US |
| Vercel | Web application hosting | Website traffic only | US |
| Postmark | Transactional email | Email address, message content | US |

Security practices

Encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Encryption keys are managed through AWS KMS with regular rotation.

Access control

Internal access to production systems follows the principle of least privilege. All access is logged. No employee can access customer data without explicit authorization and a documented reason.

Infrastructure

Our production infrastructure runs on AWS with VPC isolation, security groups, and network access control lists. All services are containerized and deployed through audited CI/CD pipelines.

Monitoring

We monitor for unauthorized access attempts, unusual traffic patterns, and system anomalies around the clock. Alerts trigger automated responses and human review.

Incident response

We maintain a documented incident response plan. In the event of a security incident, affected customers are notified within 72 hours with a clear description of what happened, what data was involved, and what we are doing about it.

Testing

We conduct regular penetration testing through independent security firms. Our codebase undergoes automated vulnerability scanning on every deployment. We maintain a responsible disclosure program for external security researchers.

Compliance

GDPR

Compliant

We are fully GDPR compliant. We offer data processing agreements (DPA) to all customers. EU data residency is available on enterprise plans. Users can exercise their rights to access, rectification, erasure, and portability at any time.

SOC 2 Type II

In progress

We are currently undergoing SOC 2 Type II certification. We expect to complete the audit by Q3 2026. Our security controls already align with SOC 2 requirements.

HIPAA

Available on Enterprise

For healthcare organizations, we offer HIPAA-compliant configurations on enterprise self-hosted plans. Business Associate Agreements (BAA) are available upon request.

FERPA

Compliant

Our education products comply with FERPA regulations. Student data is protected and is only accessible to the student and their designated instructor.

CCPA

Compliant

California residents have the right to know what personal information we collect, request deletion, and opt out of data sales. We do not sell personal information.

ISO 27001

On roadmap

ISO 27001 certification is planned for 2027. Our information security management practices are being structured to align with ISO 27001 requirements.

Your rights

Access your data

Request a copy of all personal data we hold about you. We will provide it in a standard, machine-readable format within 30 days.

Delete your data

Request deletion of your account and all associated data. We will process the request within 30 days and confirm when it is complete.

Export your data

Download your account data, usage history, and any stored preferences in JSON format at any time through your account settings.

Correct your data

If any personal information we hold is inaccurate, you can update it directly in your account settings or request a correction from our team.

Restrict processing

You can request that we restrict the processing of your data while we address a concern or verify information. We will comply within 30 days.

Object to processing

You can object to specific types of data processing. We will cease that processing unless we have compelling legitimate grounds to continue.

Common questions

Does Cordenex send my entire codebase to your servers?

No. Cordenex only sends the minimal context required for a specific request — relevant file snippets, not your entire project. On self-hosted enterprise plans, nothing leaves your infrastructure.

Can your employees read my code?

No. Customer code is not accessible to our employees. Our production systems are designed so that request content is processed and discarded without human access. No employee can view the content of your requests or responses.

What happens to my data if I cancel my subscription?

Your account data is retained for 30 days in case you change your mind. After that, it is permanently deleted. You can request immediate deletion at any time. Source code is never stored, so there is nothing to delete on that front.

Do you use cookies or trackers on your website?

Our website uses essential cookies only — for authentication and preferences. We do not use advertising trackers, social media pixels, or third-party analytics that track individuals. We use privacy-respecting, aggregate analytics only.

How do you handle government data requests?

We will challenge any request that is overly broad, vague, or lacks proper legal authority. We will notify affected customers unless legally prohibited from doing so. We publish a transparency report annually with aggregate numbers of requests received.

Is the free plan treated differently from paid plans?

No. The same privacy commitments apply to all plans — free, paid, and enterprise. Free users receive the same data protections as enterprise customers. We do not monetize free users through data collection.

Can I run Cordenex completely offline?

On enterprise self-hosted plans with air-gapped deployment, yes. Cordenex can run entirely within your network with no external connectivity. This requires hosting your own model infrastructure.

Questions about how we handle your data?

If anything on this page is unclear, or if you have a specific concern about how your data is handled, reach out. We will give you a direct, specific answer — not a form response.