Privacy Notice

Version: 1.0.0 Last updated: 2026-05-14

CoreLink ("we", "us", "our") processes personal data on behalf of our customers ("controllers") as a data processor under the GDPR, LGPD and applicable state-level US privacy statutes (CCPA/CPRA, VCDPA, etc.). This notice describes the categories of personal data we collect when you visit our public surfaces (website, marketing pages, support portal) or use the CoreLink Admin UI as an end user of a customer tenant.

1. Categories of personal data

• Identity data: name, email address, organization affiliation, locale preference.
• Authentication data: hashed session tokens, OAuth/OIDC subject identifiers from Identity Providers, MFA enrollment status.
• Usage telemetry: API endpoint, latency, response status, anonymized IP-network prefix (truncated to /24 for IPv4, /48 for IPv6).
• Support context: information you voluntarily disclose in support tickets.

2. Purposes and legal bases

We process the categories above to (a) provide the Service under our contract with you or your organization; (b) comply with legal obligations such as financial-record retention; and (c) pursue our legitimate interest in maintaining product reliability and security. Where consent is required, we collect it via the Cookie banner and the Consent management UI.

3. Retention

Personal data is retained only as long as needed for the purposes above. Default retention windows: authentication logs 90 days; audit trail 7 years (SOC 2 / SOX baseline); support tickets 3 years from closure.

4. Your rights

You may exercise the rights of access, rectification, deletion, restriction, objection, and portability granted by GDPR Articles 15–22, LGPD Articles 18–22, and analogous US-state statutes via the Data-Subject Request (DSR) flow in your account, or by emailing privacy@corelink.example. We respond within 30 days (45 under CCPA, with one 45-day extension permitted).

5. International transfers

CoreLink processes data in the EU and the US. Transfers from the EU/EEA to the US rely on the EU-US Data Privacy Framework and on Standard Contractual Clauses where applicable.

6. Sub-processors

The current list of sub-processors and their regions is published on the Sub-processors page. Material changes are announced at least 30 days in advance via in-app banner and email to administrators.

7. Contact

Data Protection Officer — dpo@corelink.example Postal address — CoreLink Privacy Team, 350 Mission St, Suite 1200, San Francisco, CA 94105, USA.