Privacy Policy

Last updated: February 2026

1. What Data We Collect

Waitlist signups: When you join our waitlist, we collect your full name, company name, job title, work email address, and approximate batches per year.

Application usage: When you use the BatchCortex platform, we collect usage data including login timestamps, actions performed, batch data you create, and sensor readings processed. We also collect your email address and profile information as part of your account.

2. How We Use Your Data

  • Service delivery: To provide, maintain, and improve the BatchCortex platform
  • Communication: To respond to your inquiries, send product updates, and communicate about your waitlist status or pilot
  • Product development: To understand how users interact with our platform and improve the product

3. Data Storage

All data is stored on Supabase infrastructure in Stockholm, Sweden. We use industry-standard encryption for data at rest and in transit. Application data is hosted in compliance with EU data residency requirements.

4. Data Retention

  • Waitlist data: Retained until you request deletion or your data is no longer needed for the waitlist program
  • Application data: Retained per individual customer agreement. GMP batch records may be subject to regulatory retention requirements

5. Your Rights

Under the EU General Data Protection Regulation (GDPR), you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request data portability
  • Object to processing of your data
  • Withdraw consent at any time

To exercise any of these rights, contact us at vilmer@batchcortex.com.

6. Third-Party Processors

We do not sell your data to third parties. Ever. We use the following service providers to operate BatchCortex. Each processes data on our behalf under strict data processing agreements.

  • Supabase (EU — Stockholm) — Database hosting, authentication, and data storage. All production data resides in Stockholm, Sweden.
  • Mistral AI (France) — AI report generation. Batch sensor data and anomaly events are processed to generate GMP deviation reports and Annual Product Quality Reviews (PQR). Mistral AI is EU-incorporated and all processing stays within the EU.
  • Twilio (EU — Ireland) — SMS and voice call delivery for escalation alerts. All traffic is routed through Twilio's Ireland region (IE1). Phone numbers and alert content are processed only when the user has given explicit consent.
  • Sentry (EU — Frankfurt) — Application error monitoring. Technical error data only, no personal data is transmitted.
  • Resend (EU — Ireland) — Email delivery for transactional emails (waitlist confirmations, escalation notifications).
  • Vercel (EU — Frankfurt) — Website and application hosting. All serverless functions are pinned to the Frankfurt region.
  • PostHog (EU — Frankfurt) — Product analytics. Used to understand how users interact with the platform. All data is processed through PostHog's EU cloud instance (eu.i.posthog.com). No data is sent to US infrastructure.

All BatchCortex data is stored and processed exclusively within European Union infrastructure. No batch data, sensor readings, or GMP records are transferred to or stored in non-EU jurisdictions. Our sub-processors maintain EU data residency and are bound by EU Standard Contractual Clauses (SCCs) approved by the European Commission. While some sub-processors are incorporated in the United States — meaning theoretical legal exposure under US CLOUD Act and FISA Section 702 exists — all data processing occurs within EU borders under EU law. We are actively evaluating fully EU-incorporated alternatives for all infrastructure services as part of our sovereignty roadmap. See our EU AI Act page for the full migration timeline.

7. Contact

For any privacy-related questions or requests, contact: vilmer@batchcortex.com