Privacy Policy
Last updated 30 June 2026
This Privacy Policy explains how Cortico collects, uses, shares and protects personal data, and the rights you have under the EU General Data Protection Regulation (GDPR). It works alongside our Terms of Service.
1. Our role and who we are
Cortico is operated by Jupiter Pro, a sole proprietorship (eenmanszaak) registered in the Netherlands (KvK no. 98055313, VAT NL005306417B76, Faas Wilkesstraat 485, 1095 MD Amsterdam). This policy explains how we handle personal data.
Cortico is a platform that schools and clubs use to manage their members and families. Our role under the GDPR depends on the data:
- For data a School manages about its members and families (Member Data), the School is the data controller and Cortico is the data processor. We process that data only on the School’s documented instructions. If you are a parent or member, please direct privacy requests to your School in the first instance, and we will help them respond.
- For data about the admins/instructors who sign up, our billing, security and the operation of our own business, Cortico is the controller.
Contact us about privacy at privacy@cortico.app.
2. Personal data we process
- School staff & admins: name, email, phone, hashed password, role, and billing details.
- Account holders & families (entered by Schools): account holder name, email, phone and billing information; and family members (including children) such as name, date of birth, optional email/phone, enrolment and attendance records.
- Health information: medical conditions, allergies and emergency contacts, where a School chooses to record them. This is special-category data (see below).
- Payment data: payments are processed by Stripe. We receive transaction metadata (such as amount, status and the last four digits of a card). We do not store full card numbers.
- Technical & usage data: IP address, device/browser information, log and diagnostic data, and essential cookies used to keep you signed in.
3. Children and special-category data
Cortico is designed to be used by Schools to administer programmes that often involve children. Children’s data and health data are provided by Schools (and the families they serve), and we process it only on the School’s instructions as their processor.
The School, as controller, is responsible for obtaining verifiable parental consent for children’s data and a valid Article 9 basis (such as explicit consent) for health/medical data. We do not knowingly collect children’s data directly from children without a School.
4. How we use data and our legal bases
- To provide the Service to Schools and their families: performance of a contract, and (for Member Data) the School’s instructions.
- To operate, secure and improve the platform, prevent abuse and debug: our legitimate interests in running a safe, reliable service.
- To bill and take payment and keep accounting records: performance of a contract and compliance with legal obligations.
- To send service and transactional messages (e.g. confirmations, reminders, security notices): contract and legitimate interests.
- To comply with law and respond to lawful requests: legal obligation.
5. Cookies
We use a small number of essential cookies (and similar storage) to keep you signed in and to operate the Service securely. We do not use advertising or cross-site tracking cookies.
6. Sharing and sub-processors
We do not sell personal data. We share it only with service providers (“sub-processors”) that help us run the Service, under contracts that require appropriate protection:
- Supabase: database, authentication and file storage hosting (EU region, Frankfurt).
- Stripe: payment processing.
- Resend: sending transactional email.
- Vercel: application hosting and content delivery.
We may also disclose data where required by law or a valid legal request, to protect rights and safety, or in connection with a merger, acquisition or sale of assets (with notice where required). An up-to-date list of sub-processors is available on request.
7. International transfers
Member Data is primarily hosted in the European Union (Supabase, Frankfurt). Some sub-processors (such as Stripe, Vercel and Resend) may process data outside the EEA. Where that happens, the transfer is protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.
8. How long we keep data
We keep personal data for as long as a School’s account is active and as needed to provide the Service. When a School deletes data or closes its account, we delete or return Member Data within a reasonable period, except where we must retain certain records to comply with legal obligations (for example, invoices and accounting records, which Dutch law generally requires us to keep for seven years).
9. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to withdraw consent where processing is based on consent.
If you are a member or parent, your School is usually the controller, so please contact your School to exercise these rights, and we will assist them. For data where Cortico is the controller, contact privacy@cortico.app.
You also have the right to lodge a complaint with a supervisory authority. In the Netherlands this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl), or the authority in your EU country of residence.
10. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, hashed passwords, role-based access controls, tenant isolation (row-level security) and EU data hosting. No system is perfectly secure, but we work to protect your data and will notify the relevant parties of a personal-data breach as required by the GDPR.
11. For Schools: data processing agreement
Where Cortico processes Member Data on your behalf, we act as your processor under a Data Processing Agreement (DPA) that covers our obligations, sub-processors and security measures. To obtain or execute the DPA, contact privacy@cortico.app.
12. Changes to this policy
We may update this policy from time to time. For material changes we will provide reasonable notice (for example by email or in-app). The “last updated” date above shows when it last changed.
13. Contact
For any privacy question or request, email privacy@cortico.app.