Privacy Policy

We collect three categories of data:

• Account data you provide — when you sign in with Google, we receive your email address, name, and profile image via Google OAuth. When you sign in with email, we collect the email address you submit. A phone number is optional and only collected if you choose to provide one (for example, to receive a notification when your audit is ready).
• Klaviyo account data you connect — when you authorize Cortex via Klaviyo OAuth, we read your flows, metrics, events, campaigns, lists, and segments. Access is read-only. We never create, modify, or delete anything in your Klaviyo account.
• Usage and attribution data — your IP address, browser user agent, the pages you visit on cortex.11.agency, and Meta-issued cookies (_fbp, _fbc) used to attribute ad clicks.

• To run your audit — analyzing your Klaviyo flow coverage, pass-through rates, and estimated revenue.
• To sign you in — primarily via Google Sign-In (OAuth) or email magic link (sent through Resend). If you've provided a phone number, we may also send a sign-in link over SMS through GoHighLevel and Blooio.
• To deliver your PDF audit report by email when you request it.
• To measure ad performance — server-side conversion events sent to Meta's Conversions API. Personally identifiable information (email, phone) is hashed with SHA-256 before transmission.
• To diagnose errors and improve the product.

We do not sell your data. We share data only with the service providers required to operate Cortex:

• Supabase — database and authentication infrastructure.
• Vercel — application hosting and edge network.
• Google (Google LLC)— sign-in via Google OAuth. When you choose “Continue with Google,” Google shares your name, email address, and profile image with Cortex. Your use of Google Sign-In is subject to Google's own privacy policy and terms.
• Klaviyo — OAuth handshake to read your account data. Cortex stores access tokens; you can revoke them at any time from Klaviyo or from your Cortex account settings.
• Meta (Facebook/Instagram) — hashed email, phone, and event metadata for ad attribution via the Conversions API.
• Resend — transactional email delivery (magic links, audit reports).
• GoHighLevel and Blooio— CRM and SMS magic-link delivery. Used only if you've provided a phone number.
• PostHog — product analytics used to measure sign-in funnel drop-off and diagnose errors.

Each provider receives only the minimum data required for its function and is bound by its own privacy and security commitments.

• Klaviyo OAuth tokens — deleted immediately when you disconnect Klaviyo from the gear menu in Cortex.
• Audit reports — preserved on your account so you can revisit them. If you disconnect Klaviyo, your audit data is marked inactive but retained until you request deletion.
• Account profile (phone, email) — retained for as long as your account exists.
• Magic-link and event logs — retained for up to 12 months for fraud prevention and product analytics.

• Access or deletion — email raymond@11.agency from the address tied to your account, and we'll respond within 30 days. You can request a copy of your data, ask us to correct it, or ask us to delete it.
• Disconnect Klaviyo — at any time from the gear menu in Cortex. This deletes the OAuth token from our database.
• Stop SMS— if you've opted in to SMS by providing your phone number, reply STOP to any message from us to opt out.
• Opt out of ad tracking— disable third-party cookies in your browser, or use Meta's ad preference controls. Note that this does not affect server-side conversion events.

California residents have additional rights under the CCPA, including the right to know what personal information we've collected and the right to deletion. EU/UK residents have rights under the GDPR. Email us to exercise any of these rights.

We use first-party cookies for authentication (Supabase session) and third-party cookies from Meta (_fbp, _fbc) for ad attribution. We do not use cross-site advertising cookies beyond Meta's pixel.

All data is transmitted over TLS. Klaviyo OAuth tokens are stored encrypted at rest in Supabase. We use industry-standard authentication (magic links, no shared passwords for user accounts) and apply row-level security to ensure each user can only access their own data.

Cortex is built for businesses. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us data, email us and we will delete it.

We may update this policy as the product evolves. Material changes will be communicated by email or in-app notice. The “Last updated” date at the top reflects the most recent revision.

11 Agency
Email: raymond@11.agency