Optimisation cognitive des équipes en temps réel et apprentissage hyper-personnalisé grâce aux neurosciences

Hub

Juridique · Protection des données

Politique de confidentialité

S'applique à edcortex.com, hub.edcortex.com et pro.edcortex.com · Dernière mise à jour : 5 juillet 2026

This Privacy Policy explains how EdCortex SAS collects, uses, shares, and protects personal data when you visit our website or use the EdCortex platform. It is a legally binding notice provided under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the French Data Protection Act (Loi Informatique et Libertés), and — where relevant to our AI systems — the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, "AI Act").

Data Controller

EdCortex SAS — SIREN 928 578 541 (SIRET 928 578 541 00015), registered office in Paris, France. Our UK affiliate acts as controller for users contracting through that entity. Contact: contact@edcortex.com.

01 Scope & our role

This Policy covers three services (together, the "Services"): our public website (edcortex.com), the EdCortex Hub (hub.edcortex.com), and EdCortex Pro (pro.edcortex.com), which deliver our Upskill (adaptive learning) and BrainGuard (cognitive-health and wellbeing) modules.

Our GDPR role depends on the relationship:

  • We act as data controller for our website visitors, prospects, newsletter subscribers, and individuals who create a direct EdCortex account.
  • We act as data processor when an employer or organisation ("Client") deploys the Services to its own employees or learners. In that case the Client is the controller, and we process personal data on its documented instructions under a Data Processing Agreement (Article 28 GDPR). Employees should consult their employer's privacy notice for controller-level details.

02 Personal data we collect

CategoryExamples
Identity & accountName, work email, employer, role, authentication data (via our identity provider), language preference.
Usage & technicalIP address, device/browser data, log events, feature interactions, pages viewed. We keep the minimal server logs needed to operate and secure the Services.
Learning & competencyAssessment responses, skills and competency mapping (e.g. against ESCO/O*NET/Lightcast frameworks), progress, learning-profile classification.
Cognitive-health & wellbeing (special category)Responses to validated psychometric instruments (e.g. COPSOQ-III, BAT-23, WAI) and derived burnout / psychosocial-risk / work-ability indicators.
CommunicationsEnquiries, support requests, newsletter subscription.

03 Special-category (health) data

Article 9 GDPR

Some wellbeing and cognitive-health indicators produced by BrainGuard qualify as data concerning health — a special category under Article 9 GDPR that receives heightened protection.

We process this data only where a lawful condition under Article 9(2) applies — in practice, your explicit consent (Article 9(2)(a)), or, where a Client is controller, the condition it has established and documented. This data is aggregated or pseudonymised wherever feasible. Individual-level wellbeing results are never disclosed to an employer in a way that identifies a specific employee; employers receive only anonymised, aggregated group insights above a minimum cohort threshold. You may withdraw consent at any time without affecting the lawfulness of prior processing.

04 Legal bases for processing

PurposeLegal basis (Art. 6 / Art. 9)
Providing and securing the Services; account managementContract — Art. 6(1)(b)
Adaptive learning, competency mappingContract — Art. 6(1)(b); consent where applicable — Art. 6(1)(a)
Cognitive-health & wellbeing monitoringExplicit consent — Art. 6(1)(a) + Art. 9(2)(a)
Security, abuse prevention, product improvementLegitimate interests — Art. 6(1)(f)
Newsletter / marketingConsent — Art. 6(1)(a)
Legal and accounting obligationsLegal obligation — Art. 6(1)(c)

05 Automated processing & profiling

The Services use algorithmic and AI models to personalise learning, map competencies, and generate wellbeing indicators. This involves profiling within the meaning of Article 4(4) GDPR.

We do not use these systems to make solely automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. Outputs are decision-support: they inform learning recommendations and voluntary wellbeing insights, and material decisions remain subject to human judgement. Where meaningful human involvement is not present in a given use, we will rely on an applicable Article 22(2) exception and provide you the right to obtain human intervention, express your point of view, and contest the outcome. You can request an explanation of the logic involved via contact@edcortex.com.

06 Artificial-intelligence transparency & safeguards

EU AI Act — Article 5 & Article 50

EdCortex does not operate any prohibited AI practice under Article 5 of the AI Act.

No workplace emotion recognition. Article 5(1)(f) of the AI Act prohibits AI systems that infer emotions of individuals in the workplace or educational settings from biometric data. EdCortex does not infer emotions from biometric data. BrainGuard derives wellbeing and psychosocial-risk indicators exclusively from validated self-report questionnaires completed voluntarily by the individual — not from facial expressions, voice, physiological signals, or any other biometric input. This places our processing outside the scope of that prohibition.

AI transparency (Art. 50). Where you interact with an AI system or receive AI-generated recommendations, you are informed of that fact within the Services. AI-generated content is identified as such where required.

Governance. We maintain human oversight, testing, and documentation for our AI models, and review the classification of our systems (including any high-risk assessment) as the AI Act's provisions phase into application.

07 How we share data

We do not sell personal data. We share it only with:

  • Sub-processors who help us run the Services under Article 28 contracts — including cloud infrastructure and AI-inference hosting (Amazon Web Services, EU/Paris region eu-west-3), authentication, database hosting, and analytics providers. A current sub-processor list is available on request.
  • Your employer/Client, where it is the controller — limited to learning progress and aggregated, non-identifying wellbeing insights as described in Section 03.
  • Authorities or advisers where required by law.

08 International transfers

Personal data is hosted and processed within the European Union (AWS eu-west-3, Paris). Where a limited transfer outside the European Economic Area is unavoidable (e.g. a support vendor), we rely on an adequacy decision or on Standard Contractual Clauses with supplementary safeguards. Details are available on request.

09 Retention

  • Account data: for the life of your account and up to 12 months after closure, unless a longer period is legally required.
  • Learning & wellbeing data: per the Client's documented retention instruction, or on our own account, until you withdraw consent or close your account, then deleted or anonymised.
  • Server logs: typically up to 12 months.
  • Accounting records: as required by French law (generally 10 years).

10 Security

We apply appropriate technical and organisational measures — including encryption in transit and at rest, access controls, pseudonymisation of special-category data, and regular review — proportionate to the sensitivity of the data. No system is perfectly secure, but we work to protect your data against unauthorised access, alteration, or loss.

11 Your rights

Under the GDPR you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent at any time
  • Not be subject to solely automated decisions

To exercise any right, contact contact@edcortex.com. We respond within one month. If your data is processed by us as a processor on behalf of your employer, we will direct your request to the relevant controller.

You also have the right to lodge a complaint with the French supervisory authority, the CNIL (www.cnil.fr), or your local data-protection authority.

12 Children

The Services are intended for professional and adult users and are not directed at children. We do not knowingly collect personal data from anyone under 15 (the age of digital consent in France). If you believe a minor has provided data, contact us and we will delete it.

13 Cookies & analytics

Our website uses strictly necessary cookies and, subject to your consent, analytics cookies. On your first visit you can accept or refuse non-essential cookies, and you can change your choice at any time via our cookie settings. We honour browser signals where legally required. See our cookie banner for the full list of cookies and their purposes.

14 Data breaches

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours where required, and inform affected individuals without undue delay where the risk is high, in accordance with Articles 33–34 GDPR.

15 Contact & changes

For any privacy question or to exercise your rights: contact@edcortex.com, EdCortex SAS, Paris, France.

We may update this Policy to reflect legal or operational changes. Material changes will be signalled on this page, and the "last updated" date revised. Your continued use of the Services after an update constitutes acceptance of the revised Policy.