Skip to main content
Cube5
Trust Center

Cube5 Cortex Privacy Policy

This Privacy Policy explains how Cube5 SAS processes personal data when you access and use Cube5 Cortex.
← Back to Trust Center

This Privacy Policy explains how Cube5 SAS (“Cube5”, “we”, “us”) processes personal data when you access and use Cube5 Cortex (the “Service”). Controller contact: legal@cube5.ai

1) Who we are (data controller)

Controller: Cube5 SAS (France)
Contact: legal@cube5.ai

When an organization provides you access

If Cube5 Cortex is provided to you by an organization (for example, your employer or a client of Cube5), that organization may act as controller for some processing activities, and Cube5 may act as a processor on its behalf. In such cases, the organization's own privacy notice also applies.

2) What this policy covers

This policy covers personal data processed when:

  • You create an account and authenticate to the Service.
  • You use the Service (including security and operational logging).
  • You contact us for support.

3) Personal data we process

A. Account and identity data

  • Email address
  • Name (if provided via your identity provider)
  • Organization/tenant information (e.g., company domain)

B. Technical and usage data

  • Device and browser information
  • Log data (timestamps, feature usage, error logs)
  • IP address (typically in server logs)

C. Content you submit to the Service

  • Documents, files, prompts, and other inputs you upload or enter
  • Generated outputs (reports/pages) and associated metadata

D. Support communications

  • Information you share when contacting support (messages, screenshots, logs you provide)

4) Purposes and legal bases (GDPR Art. 6)

Provide the Service (account creation, authentication, access control)

Legal basis: Performance of a contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).

Secure the Service (fraud prevention, incident detection, audit and security monitoring)

Legal basis: Legitimate interests (Art. 6(1)(f)); and where applicable compliance with legal obligations (Art. 6(1)(c)).

Operate and improve the Service (debugging, performance, reliability)

Legal basis: Legitimate interests (Art. 6(1)(f)).

Customer support and communications

Legal basis: Performance of a contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).

5) Controller vs. processor roles

A. Cube5 as a controller

Cube5 acts as a controller for personal data processed for Cube5's own purposes, including security, abuse prevention, fraud detection, service reliability, and corporate administration.

B. Cube5 as a processor for customer organizations

Where an organization uses the Service for its business purposes and uploads content that includes personal data, Cube5 typically acts as a processor on behalf of that organization. Requests regarding personal data in that organization's content should generally be addressed to that organization first.

6) How Cube5 Cortex is secured

  • Authentication via Firebase/Google Identity Platform.
  • Role-based access control (RBAC) and tenant isolation.
  • Secure storage and access controls for uploaded files (e.g., signed URLs).

7) Sharing and recipients

We do not sell your personal data. We may share personal data with:

  • Service providers (sub-processors) who help us host and operate the Service. They act under contract and on our instructions.
  • Authorities where required by law or to protect rights, safety, and security.

A current list of sub-processors is available at trust-center/sub-processors.

8) International transfers

Some service providers may process data outside the EEA/UK. When this happens, we implement appropriate safeguards as required by GDPR (for example, Standard Contractual Clauses (EU 2021/914) and supplementary measures where applicable).

9) Data retention

We keep personal data only as long as necessary for the purposes described above. As a baseline for test access, Cube5 retains account and usage data only for the duration of the testing phase and deletes it within 90 days after the end of the access period, unless a longer period is required for security, support, or legal reasons.

10) Your rights (GDPR)

Subject to applicable law, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your data
  • Restrict or object to processing (including processing based on legitimate interests)
  • Data portability
  • Withdraw consent (where processing is based on consent)

To exercise your rights, contact: legal@cube5.ai. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés).

11) Cookies and similar technologies

Cube5 Cortex may use cookies or similar technologies that are necessary for authentication and core application functionality. If additional analytics or marketing cookies are used in a specific deployment, they will be described in a dedicated cookie notice and, where required, managed via consent.

12) AI and content handling

Outputs and human review

The Service may generate outputs from prompts and other inputs. Outputs may be inaccurate or incomplete and should be reviewed by a human before being relied upon for important decisions.

Model training

Cube5 does not use Customer Content (including documents, prompts, and outputs) to train general-purpose models for other customers.

Logging and observability

To secure and operate the Service, Cube5 may process limited metadata and logs. Customers may be able to configure logging and retention settings in some deployments.

13) Children

The Service is not intended for children and is designed for business users.

14) Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “last updated” date.

Last updated: April 15, 2026