CortIQ ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect and use data when you use our analytics platform.
2. Data Controller
Company Name: CortIQ
Email: privacy@cortiq.se
3A. Security & Bot Detection (NO cookie banner required)
Strictly necessary
To protect you and our platform, we collect security data:
✓ ePrivacy Art. 5.3: "Strictly necessary" for security does NOT require consent
✓ GDPR Art. 6.1.f: Legitimate interest to protect website and users from threats
✓ All security data is stored anonymized and aggregated
✓ Used ONLY for security - never marketing
AI Agent Tracking: We are first to market with AI agent tracking (ChatGPT Browser, Perplexity Comet, Claude Browser). This counts as bot detection and security because we identify agents via User-Agent strings; no personal data is collected from AI agents.
3B. Server-Side Analytics & Server Logs (NO cookie banner required)
100% banner-free
We collect only aggregated, anonymized data via server logs and server-side analytics:
📋 Server Log Files (Access Logs)
Standard HTTP server logs for technical operation and security:
• Timestamp: When the request was made
• HTTP Method & URL: GET /products/product-123
• HTTP Status Code: 200 OK, 404 Not Found, 500 Error
• User-Agent: Browser & device type (bot detection)
• Referrer: Where the visitor came from
• IP Address → Country: Immediate anonymization (192.168.1.123 → "US" → IP deleted)
• Load Time: Performance monitoring
Retention: 7-30 days for operations, 90 days for security logs, then automatically deleted.
Aggregated statistics we create from server logs:
• Page views per day/week (counts, no user IDs)
• Most popular pages & products
• Referrer sources (Google, Facebook, direct traffic)
• Device type (mobile 45%, desktop 55%)
• Browser type (Chrome 60%, Safari 25%, Firefox 15%)
• Country/region distribution
• Performance metrics (average load time)
• Error frequency (404 errors, server errors)
Important - no personal tracking:
✓ No cookies are placed on your device
✓ IP addresses are anonymized immediately (→ country → IP deleted)
✓ No fingerprinting for tracking (only security fingerprinting for bot detection)
✓ No user ID or session tracking between visits
✓ Only aggregated, anonymous statistics (NO individual profiling)
✓ Data is NOT shared with third parties
Legal Basis: Legitimate interest (GDPR Art. 6.1.f) for technical operation & security monitoring + Strictly necessary (ePrivacy Art. 5.3) for system security. No cookie banner required because:
1. Server logs are technically necessary for operation
2. IP addresses are anonymized immediately (no personal identification)
3. No data is stored on the visitor's device
4. Used only for aggregated statistics & security
4. First-Party Data from Logged-In Users
Contractual basis
For logged-in users, we collect data necessary to provide the service:
• Email address (from registration form)
• CRM events (purchases, bookings, interactions)
• User activity linked to your account
• Data you consciously submit via forms
• Platform usage to improve the service
Legal Basis:
• Contractual basis (GDPR Art. 6.1.b) - Necessary to provide the service
• Legitimate interest (GDPR Art. 6.1.f) - Improve platform based on user activity
Important: This does NOT require a cookie banner because you actively create an account and data is used only for contractual purposes (not marketing/tracking without consent).
5. Enhanced Analytics with Cookies (Requires consent)
With your approval
If you voluntarily accept cookies, we also collect:
• Session ID (to track your session)
• Click data (which elements you click on)
• Scroll depth (how far you scroll)
• Heatmap data (aggregated click data)
• Form interactions (NOT the content)
Legal Basis (GDPR): Consent (Art. 6.1.a GDPR)
6. Cookies We Use
Necessary Cookies (Always active)
• cortiq_consent - Saves your cookie preferences (Lifetime: 1 year)
✓ Right of access (Art. 15 GDPR) - Request a copy of your data
✓ Right to erasure (Art. 17 GDPR) - Request deletion of your data
✓ Right to rectification (Art. 16 GDPR) - Correct inaccurate data
✓ Right to object (Art. 21 GDPR) - Object to processing
✓ Right to data portability (Art. 20 GDPR) - Get your data in structured form
How to exercise your rights:
1. Send an email to: privacy@cortiq.se
2. Include: Your name, email, and which right you want to exercise
3. We will respond within 30 days
8. Data Security
We use the following security measures:
🔒 Encryption: All data is transferred via HTTPS/TLS
🔒 IP anonymization: Automatic masking of IP addresses
🔒 Access control: Only authorized personnel have access
🔒 Supabase: Secure data storage in EU (GDPR-compliant)
9. Data Retention & Automatic Deletion
📋 Server Log Files
• Access logs (HTTP logs): 7-30 days
• Security logs (bot detection, DDoS): 90 days
• Error logs (debugging): 30 days
• IP addresses: Anonymized immediately at collection (never stored)
📊 Aggregated Analytics
• Cookie-free data (server-side): 90 days
• Enhanced analytics (with cookies): 365 days
• Aggregated statistics (dashboards): 24 months (no personal data)
🔒 Legal Records
• Cookie consent records: 2 years (legally required evidence per GDPR)
• Security incidents: 3 years (per security requirements)
Automatic deletion: All data is automatically deleted after these periods. You can request immediate deletion at any time by contacting privacy@cortiq.se.
10. What Does NOT Qualify as Banner-Free
We do NOT use the following techniques that would require a cookie banner:
❌ Google Analytics cookies (_ga, _gid, _gat)
❌ Facebook Pixel cookies (_fbp, _fbc)
❌ GA proxy with user identifiers (Client ID, IP storage)
❌ Device fingerprinting (Canvas, WebGL, font detection)
❌ Hash-based tracking (IP+UserAgent hash)
Important: All these methods require prior consent under the ePrivacy Directive, even if they run server-side or use your own domain.
11. Contact Us
Email: privacy@cortiq.se
Support: support@cortiq.se
Quick Guide: What's the Difference?
❌ WITHOUT Cookies (100% Banner-Free)
Server-side + Server logs - Always active
• Server log files: Access logs, HTTP status, load times