Privacy Policy
Effective date: March 8, 2026
ONI ("we," "us," or "our") operates ONI Cortex, a managed MCP (Model Context Protocol) retrieval service available at cortex.oni.bot. This Privacy Policy describes how we collect, use, store, and protect your information when you use our service.
By using ONI Cortex, you agree to the practices described in this policy. If you do not agree, please do not use our service.
1. Information We Collect
Account Information
When you create an ONI Cortex account, we collect:
- Name and email address
- Password (hashed; we never store plaintext credentials)
- Organization or team name (if applicable)
Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive payment data on our servers. We retain only a Stripe customer identifier and basic transaction metadata (plan type, billing dates, invoice amounts) necessary for account management.
Uploaded Content
ONI Cortex lets you upload code, documentation, and other data ("Content") for indexing and retrieval. This Content is stored in our systems so we can provide the service. We treat your uploaded Content as confidential and do not access it except as necessary to operate, maintain, or improve the service, or as required by law.
Usage and Technical Data
We automatically collect:
- API usage logs (endpoints called, request timestamps, response status codes)
- IP addresses
- API key identifiers (e.g., oni_live_*, oni_test_*) associated with requests
- Browser user-agent strings when accessing the dashboard
- Error logs and performance metrics
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain ONI Cortex
- Index your uploaded Content into vector embeddings for MCP-based retrieval
- Process billing and manage your subscription via Stripe
- Authenticate API requests and enforce per-tenant data isolation
- Monitor service health, debug issues, and improve performance
- Communicate with you about your account, service updates, or security notices
- Comply with legal obligations
We do not sell your personal information. We do not use your uploaded Content to train machine learning models.
3. Data Storage and Security
Your data is stored across the following systems, all hosted on Oracle Cloud Infrastructure in the United States:
- PostgreSQL — user accounts, subscription data, and usage records
- Qdrant vector database — indexed vector embeddings of your uploaded Content
- Server logs — API access logs and application logs
We implement industry-standard security measures including encryption in transit (TLS), API key authentication, per-tenant data isolation (multi-tenant architecture with strict collection scoping), and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
4. Data Retention
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
- Account data — retained until you delete your account
- Uploaded Content and vector embeddings — retained until you delete the content or your account
- API usage logs — retained for up to 90 days for operational purposes
- Billing records — retained as required by applicable tax and financial regulations
When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
5. Third-Party Services
We use the following third-party services to operate ONI Cortex:
- Stripe — payment processing. Stripe collects and processes your payment information under its own Privacy Policy.
- Oracle Cloud Infrastructure — cloud hosting (US region). Oracle acts as a data processor under its Privacy Policy.
We do not currently use third-party analytics, advertising, or tracking services. If this changes, we will update this policy accordingly.
6. Cookies and Local Storage
ONI Cortex uses only essential cookies and local storage necessary for the service to function:
- Session cookies for authentication and maintaining your login state
- CSRF tokens for security
We do not use advertising cookies, third-party tracking cookies, or analytics cookies. Because we use only strictly necessary cookies, no cookie consent banner is required in most jurisdictions.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access
You can request a copy of the personal data we hold about you.
Correction
You can update your account information at any time through the ONI Cortex dashboard, or by contacting us.
Deletion
You can request deletion of your account and all associated data. You may also delete individual collections and uploaded Content at any time through the API or dashboard.
Data Portability
You can request an export of your data in a structured, machine-readable format.
Objection and Restriction
You can object to or request restriction of certain processing activities where applicable under law.
To exercise any of these rights, contact us at privacy@oni.bot. We will respond to verified requests within 30 days.
8. GDPR Compliance (European Economic Area)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contract performance — processing necessary to provide the ONI Cortex service you signed up for
- Legitimate interests — service security, fraud prevention, and service improvement
- Legal obligations — compliance with applicable laws and regulations
- Consent — where required, such as for optional communications
Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses and other appropriate safeguards for cross-border data transfers where required.
You may lodge a complaint with your local data protection authority if you believe your rights under the GDPR have been violated.
9. CCPA Compliance (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to know — you can request details about the categories and specific pieces of personal information we have collected
- Right to delete — you can request deletion of your personal information
- Right to opt-out — we do not sell personal information, so this right does not apply. We also do not "share" personal information for cross-context behavioral advertising
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
10. Children's Privacy
ONI Cortex is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@oni.bot.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users via email and, where required by law, the relevant supervisory authorities within 72 hours of becoming aware of the breach.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on our website prior to the change becoming effective. The "Effective date" at the top of this page indicates when this policy was last revised.
Continued use of ONI Cortex after changes take effect constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@oni.bot
Website: oni.bot