cortex-gateway

Privacy

TL;DR

This website sets no cookies and runs no client-side tracking. The hosted demo asks for an email address to sign you in, keeps a pseudonymized audit trail, and deletes inactive accounts automatically. Everything is hosted in the EU. The same data-minimization posture the gateway advertises is applied to this site.

The website (cortex-gateway.dev)

The hosted demo (mcp. and auth.cortex-gateway.dev)

The demo exists so you can evaluate the gateway with a real OAuth 2.1 flow. It collects the minimum that flow requires:

| Data | Purpose | Retention |
| --- | --- | --- |
| Email address | Magic-link sign-in and account identity | Deleted after 90 days without sign-in (with all tokens, sessions and consents) |
| OAuth artifacts (codes, tokens, consents) | Operating the OAuth 2.1 flow | Expired items removed within 7 days of expiry; all removed with the account |
| Gateway audit trail | Demonstrating pseudonymized auditing (hashed identifiers, no raw email) | 90 days |
| Demo notes (write tools) | Demonstrating scope tiering | In-memory only — gone on restart, never stored in a database |

Deletion happens automatically (daily job). To have your demo account removed sooner, open an issue on GitHub — no need to include your email publicly; a maintainer will follow up.

Processors and hosting

If you self-host Cortex Gateway

This page covers this website and demo only. A self-hosted deployment stores everything on your own infrastructure — that is the point of the project — and its privacy posture is yours to define.

Last updated: 2026-07-05. Material changes to this page will appear in the repository history.