Privacy Policy

CORA is operated by Artificial Innovations Oy, a Finnish limited liability company headquartered in Helsinki. We are the data controller for personal data you provide when visiting our marketing site or signing up for the product.

Contact: support@hellocora.co.

We collect three categories of data:

1. Account data. When you create a workspace: your name, work email, company name, and the workspace name you choose.
2. Business memory. Content you give CORA to learn from — your website, uploaded documents, meeting transcripts, and data from integrations you connect (e.g. Slack, Notion). This is your data; you retain ownership.
3. Usage data. Service logs, request metadata, agent run history, and aggregate metrics. Used to operate the service, investigate incidents, and bill correctly.

We do not knowingly collect special-category personal data (health, political views, etc.). Please do not upload such data into business memory without a clear lawful basis.

• To deliver the service you signed up for.
• To run agent tasks you request, using the business memory you provided.
• To bill, support, and communicate about the service.
• To improve reliability, security, and performance.
• To meet legal and accounting obligations under Finnish law.

We do not train shared models on your business memory. Your memory is isolated per workspace and used only for your agent runs.

We process personal data on the following bases under GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)) — for the account and workspace you create with us.
• Legitimate interest (Art. 6(1)(f)) — for service logs, security, fraud prevention, and product improvement.
• Legal obligation (Art. 6(1)(c)) — for accounting, tax, and statutory record-keeping.
• Consent (Art. 6(1)(a)) — for optional analytics and marketing communications, where applicable.

We rely on a small number of trusted vendors to run the service. Where business memory is processed by a sub-processor, we contract for EU residency and zero-retention where available. The current working list is published in our Data Processing Agreement. We notify customers in advance of changes that affect their data.

Full EU data residency is available. Customer workspaces, business memory, and agent execution run inside the European Union. Backups stay in the EU. International transfers, if any, rely on Standard Contractual Clauses and supplementary measures as required by the Schrems II ruling.

• Account data: for the lifetime of your account plus 30 days after deletion, then anonymised or removed.
• Business memory: until you delete it, or until the workspace is permanently deleted (30 days after closure).
• Usage logs: 90 days, then aggregated or removed.
• Invoicing records: retained for the period required by Finnish accounting law (currently 6 years).

Under the GDPR you have the right to access, rectify, delete, restrict, port, and object to the processing of your personal data. To exercise these rights, email support@hellocora.co. We aim to respond within 30 days.

You can also lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.

The marketing site (getcora.co) uses a minimal set of first-party cookies for session continuity and aggregated analytics. We do not run third-party advertising trackers. The product (hellocora.app) uses cookies necessary for authentication and workspace isolation.

We may update this policy as the service evolves. Material changes will be announced by email to workspace owners at least 14 days before they take effect. The current version, with its "last updated" date, is always available at this URL.

Questions or requests: support@hellocora.co.