Privacy Policy
Last updated: April 23, 2026
1. Overview
Corelyx is a visual AI automation platform. This policy explains how we process personal data when you create an account, configure workflows, connect third-party services, add model or API credentials, purchase a paid plan, or contact us about the product.
We do not sell personal data. We also do not load advertising trackers or non-essential analytics on the current site experience.
This page separates:
- core processors we engage to operate Corelyx itself, and
- optional connected services and model providers that only receive data when you explicitly enable them in a workflow.
2. Controller
The controller for the Corelyx service is Corelyx - sole-proprietor operation, incorporation pending.
Full provider-identification details, including the current legal address and VAT information used for the public site, are published in the Impressum.
3. Data Categories
Account and identity data
Email address; a password hash if you use password login; and, if you use Google Sign-In, the profile data Google returns to us, such as name, email, and avatar.
Program and workflow data
Program schemas, prompts, node settings, execution modes, approvals, schedules, and version history you create inside Corelyx.
Run, approval, and operational data
Run status, node execution state, timestamps, token and cost metadata, approval records, and application logs needed to operate and troubleshoot the service.
Connection and secret data
Connection metadata plus encrypted OAuth tokens and API keys stored through Supabase Vault references so Corelyx can execute the integrations and model calls you configure.
Billing and plan data
Plan tier, Stripe customer or subscription references, checkout events, and legally required billing records.
4. Legal Bases
Art. 6(1)(b) GDPR - contract performance
Used where processing is necessary to create your account, authenticate you, host the product, run your automations, send transactional notices, and provide billing or support you requested.
Art. 6(1)(c) GDPR - legal obligation
Used where we must retain invoice, tax, accounting, or compliance records, or respond to valid legal requests.
Art. 6(1)(f) GDPR - legitimate interests
Used for security monitoring, abuse prevention, incident response, backups, fraud prevention, and service reliability where those interests are not overridden by your rights.
5. Core Processors
These providers operate the Corelyx product itself. They process personal data on our behalf so we can host the application, run workflows, send transactional notifications, and handle billing.
Supabase
Processor / infrastructure provider
Purpose
Database, authentication, encrypted secret storage, realtime features, and application data APIs.
Legal Basis
Art. 6(1)(b) GDPR for product operation; Art. 6(1)(f) GDPR for security, backups, and reliability.
Data Categories
Account data, auth identifiers, program definitions, connection metadata, encrypted secret references, approvals, runs, and logs.
Data Location
Project region chosen in Supabase. Supabase offers EU regions including Frankfurt (eu-central-1) and multiple non-EU AWS regions.
Transfer Notes
If the project or any subprocessors are outside the EEA, UK, or Switzerland, third-country transfer safeguards such as the Supabase DPA and SCCs should be in place.
Vercel
Processor / web hosting provider
Purpose
Hosts the Next.js frontend and server routes, serves static assets, and records deployment/runtime logs.
Legal Basis
Art. 6(1)(b) GDPR for hosting and delivery; Art. 6(1)(f) GDPR for security and uptime.
Data Categories
Request metadata, IP addresses, session-related requests, response logs, and application content rendered through the web app.
Data Location
Global CDN plus region-based compute. Vercel documents multiple compute-capable regions, and Functions default to iad1 (Washington, D.C., USA) unless configured otherwise.
Transfer Notes
Expect international transfers unless you intentionally keep all relevant compute and storage in-region. Use the Vercel DPA and transfer addenda where required.
Railway
Processor / runtime hosting provider
Purpose
Hosts the Python execution runtime that performs workflow steps against connected services and model providers.
Legal Basis
Art. 6(1)(b) GDPR for workflow execution; Art. 6(1)(f) GDPR for reliability and debugging.
Data Categories
Execution payloads, connector requests and responses, runtime logs, and temporary in-memory processing data.
Data Location
Selected Railway service region. Railway currently documents US West, US East, EU West (Amsterdam), and Singapore regions.
Transfer Notes
If the runtime is deployed outside the EEA, UK, or Switzerland, appropriate transfer safeguards must cover that deployment.
Inngest
Processor / orchestration provider
Purpose
Event delivery, retries, scheduling, approval timeout handling, and function-run orchestration.
Legal Basis
Art. 6(1)(b) GDPR for workflow orchestration; Art. 6(1)(f) GDPR for resilience and monitoring.
Data Categories
Event payloads, function metadata, retry state, timing data, and observability data sent through the Inngest integration.
Data Location
Provider-managed cloud location based on the configured Inngest project.
Transfer Notes
Treat Inngest as a third-country transfer risk until the configured region and contractual safeguards are confirmed in the Inngest account.
Resend
Processor / transactional email provider
Purpose
Sends approval, failure, and plan-related transactional emails from the web app.
Legal Basis
Art. 6(1)(b) GDPR for requested service notices; Art. 6(1)(f) GDPR for operational alerts.
Data Categories
Recipient email address, sender details, subject lines, and notification content.
Data Location
Resend allows email sending from multiple regions, but states that all account data, email metadata, logs, and API records are stored in the United States.
Transfer Notes
Use the Resend DPA and account-level safeguards for EU, UK, or Swiss personal data sent through transactional email.
Stripe
Processor and, in some contexts, independent controller
Purpose
Checkout, subscription billing, invoice generation, payment processing, fraud prevention, and billing event handling.
Legal Basis
Art. 6(1)(b) GDPR for paid plans and invoicing; Art. 6(1)(c) GDPR for legal retention; Art. 6(1)(f) GDPR for fraud prevention.
Data Categories
Billing contact data, plan and subscription identifiers, payment-related metadata, invoice records, and fraud-prevention signals.
Data Location
Provider-managed financial infrastructure. The exact storage or processing region depends on the Stripe account and legal entity setup and cannot be verified from this repository alone.
Transfer Notes
Stripe provides a DPA plus transfer mechanisms such as SCCs and DPF-related disclosures. Review the exact Stripe account region and transfer setup separately.
6. Connected Services
These services are only contacted if you connect them and build workflows that use them. Depending on the service and your own agreement with that service, the connected provider may act as an independent controller, a processor for your organization, or both.
Google API Services notice
If you connect Google services, Corelyx uses Google user data only to provide the Google-backed features you configure. We do not use Google user data for advertising or to train general AI models. You can revoke Google access in your Google account permissions or by disconnecting the integration in Corelyx.
Google (Google Sign-In, Gmail, Calendar, Docs, Drive, Sheets)
User-selected connected service / recipient
Purpose
Authenticate your account and execute the Google actions you explicitly configure in Corelyx.
Legal Basis
Art. 6(1)(b) GDPR because the processing is required to provide the login or automation flow you requested.
Data Categories
Google profile data for sign-in, plus the content and metadata from the Google services and scopes you authorize.
Data Location
Provider-managed. Processing location depends on your Google account, workspace settings, and Google's infrastructure.
Transfer Notes
Google may process data globally. Check your Google Workspace or Google Cloud terms if you require regional controls.
Slack
User-selected connected service / recipient
Purpose
Read Slack data or post messages, channels, and webhook events at your direction.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Workspace identifiers, channel metadata, message content, and any payload you instruct Corelyx to send or read.
Data Location
Provider-managed. Storage and processing depend on the connected Slack workspace and Slack's infrastructure.
Transfer Notes
Treat Slack as a separate recipient or service provider selected by you; review the Slack workspace's own data residency settings if required.
Notion
User-selected connected service / recipient
Purpose
Read, search, create, or update Notion pages and databases that you choose to expose to Corelyx.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Workspace metadata, page content, database rows, titles, rich text, and other objects in the shared Notion workspace.
Data Location
Provider-managed. Processing location depends on the connected Notion workspace and Notion's infrastructure.
Transfer Notes
If Notion data contains third-party personal data, you remain responsible for having an appropriate legal basis to send it.
GitHub
User-selected connected service / recipient
Purpose
Read repositories or create issues, pull requests, comments, and webhooks at your direction.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Repository metadata, issue or PR content, comments, code-adjacent metadata, and webhook payloads.
Data Location
Provider-managed. Processing location depends on the connected GitHub account or organization and GitHub's infrastructure.
Transfer Notes
GitHub is a separate service chosen by you. Review your GitHub organization settings and agreements if regional restrictions apply.
Airtable
User-selected connected service / recipient
Purpose
Read bases, records, and schemas or write new data into Airtable tables you authorize.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Base metadata, table schemas, records, fields, and webhook-related events.
Data Location
Provider-managed. Processing location depends on Airtable's infrastructure and any account-level residency features you have.
Transfer Notes
Consider Airtable a separate recipient of the data you instruct Corelyx to send there.
Asana
User-selected connected service / recipient
Purpose
Read or create projects, tasks, and related events in Asana at your direction.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Workspace identifiers, task content, assignee data, due dates, comments, and webhook events.
Data Location
Provider-managed. Processing location depends on Asana's infrastructure and the connected workspace.
Transfer Notes
If you automate HR, project, or customer data through Asana, you remain responsible for ensuring the connected workspace is lawfully configured.
HubSpot
User-selected connected service / recipient
Purpose
Read or update contacts and related CRM information you explicitly choose to process.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Contact records, emails, names, phone numbers, companies, CRM metadata, and webhook events.
Data Location
Provider-managed. Processing location depends on the connected HubSpot account and HubSpot's infrastructure.
Transfer Notes
CRM data often contains third-party personal data; ensure you have an appropriate basis before syncing or enriching it through Corelyx.
Microsoft / Outlook (Microsoft Graph)
User-selected connected service / recipient
Purpose
Read and send Outlook email or related Microsoft Graph data at your direction.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Mailbox metadata, message bodies, recipients, subject lines, attachment metadata, and related Microsoft account information.
Data Location
Provider-managed. Processing location depends on the connected Microsoft tenant and Microsoft's infrastructure.
Transfer Notes
Regional controls, if any, are determined by your Microsoft tenant rather than Corelyx.
Typeform
User-selected connected service / recipient
Purpose
Read form definitions, submissions, and webhook-triggered response data.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Form metadata, answer payloads, response identifiers, and any personal data collected in the connected form.
Data Location
Provider-managed. Processing location depends on Typeform's infrastructure and your account settings.
Transfer Notes
Form responses can be sensitive; only connect forms and fields you are authorized to process.
7. Model Providers
These providers are optional. Corelyx only sends prompts, workflow context, and selected inputs to them if you add the relevant API key or choose that provider inside a workflow.
Anthropic
User-selected model provider
Purpose
Inference for prompts, completions, structured outputs, and repair or planning steps that you configure.
Legal Basis
Art. 6(1)(b) GDPR because model calls happen only to provide the workflow behavior you request.
Data Categories
Prompts, system instructions, tool context, selected workflow data, model outputs, and usage metadata.
Data Location
Anthropic states that customer data is stored in the United States, while customer traffic may be routed through selected countries in the US, Europe, Asia, and Australia unless otherwise agreed.
Transfer Notes
This is a third-country transfer by default for EEA, UK, or Swiss users. Anthropic states its commercial terms include a DPA with SCCs.
Anthropic states it does not use commercial API data to train models by default and normally deletes API inputs and outputs within 30 days, subject to exceptions such as legal requirements or abuse enforcement.
OpenAI
User-selected model provider
Purpose
Inference for prompts, completions, structured outputs, and other model operations you configure.
Legal Basis
Art. 6(1)(b) GDPR.
Data Categories
Prompts, system instructions, selected workflow data, outputs, and usage metadata.
Data Location
Provider-managed. OpenAI documents US data residency by default and offers regional data residency options, including Europe, only for eligible API projects. No regional OpenAI project configuration is verifiable from this repository.
Transfer Notes
If EU data residency is not separately enabled in your OpenAI account, treat OpenAI processing as a third-country transfer risk that requires the relevant DPA and transfer safeguards.
OpenRouter
Platform LLM routing provider and optional user-selected provider
Purpose
Routes LLM calls made through the Corelyx platform key to the appropriate model endpoint. Also used directly if you configure your own OpenRouter key in a workflow.
Legal Basis
Art. 6(1)(b) GDPR - necessary for the AI execution service you have contracted.
Data Categories
Prompts, system instructions, selected workflow inputs, model outputs, provider routing metadata.
Data Location
Provider-managed global infrastructure. EU in-region routing is available only on OpenRouter enterprise accounts. Corelyx does not currently hold a signed enterprise agreement with OpenRouter.
Transfer Notes
Corelyx uses a platform-managed OpenRouter key for all platform key calls. No countersigned DPA is currently in place. Until a DPA is signed, do not route special-category personal data through the Corelyx platform key. Use your own Anthropic, OpenAI, or Google key instead.
Corelyx is pursuing an enterprise DPA with OpenRouter. This notice will be updated when one is in place.
8. International Transfers
Many infrastructure, billing, email, and AI providers used by or through Corelyx are based in the United States or use global infrastructure. That means personal data may be transferred outside the EEA, the UK, or Switzerland.
Where required, these transfers should be covered by provider DPAs, Standard Contractual Clauses, Data Privacy Framework participation where applicable, or equivalent safeguards. The exact transfer path depends on the services you enable, the provider contracts in place, and the regions configured in those third-party accounts.
9. Retention
Account and program data
Kept for the duration of your contract plus 7 years, as required by applicable tax and accounting law. You may delete your account at any time via account settings.
Email and workflow content
Content processed during workflow execution (e.g. email bodies) is used only to perform the automation you configured and is not stored beyond what is necessary for that processing.
Encrypted OAuth tokens and API keys
Deleted when you remove the corresponding connection or API key, or when your account is deleted. Account deletion automatically purges all associated Vault secrets before removing your user record.
Run history and application logs
Log data is retained for 90 days, after which it is deleted. Technical metadata such as IP addresses is anonymised after 7 days.
Billing and tax records
Retained for the periods required by applicable accounting, tax, and anti-fraud obligations.
Anonymised usage statistics
Aggregated, non-attributable usage data (no content) may be retained indefinitely for product improvement purposes. You may opt out in your account settings.
Provider-side logs
Third-party services and model providers may keep their own logs under their own retention schedules and contracts, which are outside Corelyx's direct control.
10. Security
- Traffic to the product is encrypted in transit with TLS.
- OAuth tokens and API keys are stored through Supabase Vault references and are not returned to the browser in normal API responses.
- Workflow ownership checks and row-level access controls are used to keep users scoped to their own resources.
- We minimize sensitive logging in the web layer and continue tightening deletion and retention flows where the audit found gaps.
11. Your Rights
Access (Art. 15 GDPR)
You can request confirmation of whether we process your personal data and ask for a copy of the data we control. We will respond within 30 days.
Rectification (Art. 16 GDPR)
You can correct inaccurate account data and ask us to fix or complete information that is wrong or incomplete.
Erasure (Art. 17 GDPR)
You can delete programs, connections, API keys, and your account directly in the product under Settings > Delete Account, or ask us to help complete deletion where external providers are involved.
Restriction and objection (Art. 18 & 21 GDPR)
You can object to processing based on legitimate interests or ask us to restrict processing where the GDPR permits it.
Portability (Art. 20 GDPR)
You can ask for a machine-readable export of the personal data we process for contract performance where the GDPR gives you that right.
Complaint
You can contact us first at privacy@corelyx.app. You also have the right to complain to the Austrian Data Protection Authority (Datenschutzbehörde): https://www.dsb.gv.at
12. Data Processing Agreement (B2B)
If you process personal data of your own customers or employees through the platform as part of your business, Corelyx acts as your processor (Art. 28 GDPR). A Data Processing Agreement (DPA) is available at /dpa and can be requested for signature at legal@corelyx.app.
13. Contact
Privacy requests and security issues
Email us at privacy@corelyx.app. For general legal contact details, see the Impressum.
