1 Scope & Who We Are

This Policy applies to cortex.lk, our plugin stores, client portals, and official payment links operated by CorteX Solutions (“Cortex”, “we”, “us”). We process personal data in line with the Sri Lanka Personal Data Protection Act, No. 9 of 2022 (PDPA) and, where applicable, the EU GDPR and similar laws.

2 What We Collect

• Identity & Contact – name, email, phone, billing/shipping address.
• Account Data – username, hashed password, role, preferences.
• Order & Licensing – product IDs, license keys, activation counts, invoices.
• Payment Metadata – payment status, method, masked card brand/last4 (we do not store full card numbers).
• Device & Usage – IP address, browser/OS, pages viewed, referrer, timestamps, approximate location.
• Support & Communications – emails, chat messages, attachments, logs/screenshots you send us.
• Cookies & Similar Tech – see “Cookies” below.

3 How We Use Data

• Provide Services – process orders, deliver license keys/downloads, maintain accounts.
• Support – troubleshoot, handle tickets, notify about fixes/updates.
• Improve – analytics to improve UX, performance, security.
• Communications – transactional emails (orders, renewals). Marketing emails only with consent and easy opt-out.
• Security & Fraud Prevention – detect, prevent, and investigate abuse or violations.
• Compliance – tax/accounting/legal obligations and enforcement of our Terms.

4 Legal Bases

• Contract – to fulfill purchases, subscriptions, and support.
• Legitimate Interests – to secure our systems, prevent fraud, improve services.
• Consent – marketing cookies/emails where required; you may withdraw at any time.
• Legal Obligation – accounting, taxation, and law-enforcement requests.

5 Cookies & Similar Technologies

• Strictly Necessary – site security, checkout, session.
• Analytics – traffic, performance (e.g., Google Analytics).
• Functional – preferences, language.
• Marketing – only with consent where required (e.g., Meta/Google ads pixels).

Manage via browser settings or our Cookie Settings. Blocking some cookies may impact functionality.

6 Analytics & Advertising

We may use analytics (e.g., Google Analytics) and, where enabled, limited advertising pixels to measure conversions. These providers may set cookies and receive pseudonymous identifiers and usage data. See their privacy policies for details. You can opt-out where available or via cookie settings.

7 Payments

Payments are processed by third-party gateways such as PayHere and/or Onepay. They act as independent controllers/processors for card/QR data and are responsible for PCI-DSS compliance. We receive payment confirmations and limited metadata (e.g., status, masked card info) and do not store full card numbers.

8 Sharing & Disclosures

• Service Providers – hosting/CDN, email delivery, CRM/helpdesk, analytics, payment gateways, cloud storage, license server.
• Legal – to comply with law, enforce terms, protect rights, respond to lawful requests.
• Business Transfers – in a merger, acquisition, or asset sale, data may be transferred with appropriate safeguards.

9 International Transfers

We may store or process data on servers located outside Sri Lanka. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) to protect your data.

10 Data Retention

• Account data – while your account is active and for a reasonable period thereafter.
• Orders & invoices – at least [7 years] for accounting/tax purposes.
• Support tickets – typically [24 months] after closure, unless longer is required for legal/security reasons.

11 Security

We implement reasonable technical and organizational measures (encryption in transit, access controls, backups). However, no method is 100% secure; we cannot guarantee absolute security.

12 Your Rights

Depending on your jurisdiction (including Sri Lanka PDPA / EU GDPR), you may have rights to:

• Access – request a copy of your personal data.
• Rectify – correct inaccurate or incomplete data.
• Erase – request deletion where applicable.
• Restrict/Object – processing for certain purposes.
• Data Portability – receive a machine-readable copy.
• Withdraw Consent – at any time, where processing is based on consent.
• Complain – to the relevant Data Protection Authority.

To exercise rights, email privacy@cortex.lk with the subject “Data Request”. We may request verification. We aim to respond within 30 days.

13 Children

Our services are not directed to children under 16. If you believe a child provided personal data, please contact us to delete it.

14 Changes to this Policy

We may update this Policy from time to time. The “Last updated” date will change, and updates take effect upon posting on this page.

15 Contact

Questions or requests? Contact our privacy team at privacy@cortex.lk. For billing matters: billing@cortex.lk. Postal: [Add your address].