Privacy Policy

Contexta operates an intelligent memory layer for AI agents — graph-backed memory, declarative reactivity, and full provenance on every fact. This policy describes how the entity operating Contexta at https://contexta.ai(“we”, “us”) processes personal data of customers, end users, and visitors.

We collect three categories of data:

• Account data. Name, work email, organization, billing address, and authentication metadata you provide when you create an account or subscribe to a paid tier.
• Usage data. API request paths, latencies, IP addresses, user agents, namespace identifiers, and aggregate counters we use to meter consumption, route traffic, and debug failures.
• Customer content. The data your agents ingest into a namespace — facts, edges, packets, embeddings, and the bi-temporal provenance attached to each. We treat this as the most sensitive class of data we hold and encrypt it at rest with per-namespace keys.

We use personal data to operate the service:

• Authenticate users and route API requests to the correct namespace.
• Meter and bill usage against your contracted tier.
• Deliver webhooks, transactional email, and product announcements.
• Investigate abuse, security incidents, and platform reliability issues.
• Improve the service using namespace-stripped, aggregated telemetry. We never train models on customer content without an explicit written opt-in.

We do not sell, rent, or trade personal data. We share it only with vetted subprocessors who help us run the service (infrastructure, billing, error tracking, transactional email) and only under data-processing agreements that bind them to terms at least as strict as our own. The current list is published at /legal/subprocessors; we notify customers 30 days before activating new subprocessors.

Under the GDPR, the UK GDPR, the CCPA, and equivalent regimes, you have the right to:

• Access the personal data we hold about you and obtain a copy.
• Correct data that is inaccurate or incomplete.
• Delete data subject to lawful exceptions. Our POST /v1/forget API exposes surgical deletion that retracts the underlying graph edges in minutes while preserving a non-destructive audit trail of what was forgotten and why.
• Port your data in a machine-readable format (JSONL/Parquet exports of facts, edges, and packets).
• Object to or restrict certain processing, and to lodge a complaint with your local supervisory authority.

To exercise any right, email privacy@contexta.ai. We acknowledge within one business day and complete within 30 days, or sooner where regulation requires.

We isolate every customer namespace, encrypt data at rest with per-namespace Data Encryption Keys, and operate a non-destructive audit ledger you can query. A full description of controls — incident response, vulnerability management, access reviews, and our compliance roadmap (SOC 2 in progress, HIPAA-ready, ISO 27001 scoping) — lives at /security.

Each memory layer carries its own retention window. Working memory expires within 1 hour. Episodic memory expires after 90 days. Semantic, procedural, and archival memory persist until you retract them. Account and billing records are retained for the longer of your account lifetime plus 7 years (tax) or as required by law.

The right-to-be-forgotten endpoint POST /v1/forget is a first-class product capability, not a ticket queue: it retracts edges in minutes, hard-purges payloads per your retention policy, and emits an audit entry you can prove to a regulator.

We operate in us-east-1 and eu-west-1. EU and UK personal data transferred outside the EEA or UK is protected by the European Commission's Standard Contractual Clauses (the 2021 modular SCCs) and the UK International Data Transfer Addendum, supplemented by encryption in transit and at rest plus the technical and organizational measures described at /security.

We use a small set of strictly-necessary cookies to keep you signed in and remember your theme preference, plus privacy-preserving analytics that do not perform cross-site tracking or device fingerprinting. You can disable analytics at any time from the cookie banner or your account settings.

Contexta is a B2B developer platform. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, email privacy@contexta.ai and we will delete it.

We will post material changes to this page and update the “Last updated” stamp at the top. For changes that materially expand how we use customer data, we will email account administrators at least 30 days before the change takes effect.