Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Core M8 Ltd (“Corem8”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our cloud-based field service management platform at corem8.io and our marketing website at corem8.com.

1. Data Controller

The data controller responsible for your personal data is:

Core M8 Ltd

Registered in England & Wales

Data Protection Officer contact: privacy@corem8.com

2. What We Collect

2.1 Personal Information

Name, email address, phone number, and postal address that you provide during registration or while using the service.

2.2 Business Information

Company name, trading name, billing address, VAT number, and other business details you provide.

2.3 Job Data

Customer addresses, job notes, photographs, appointment times, and other data you enter when managing jobs through Corem8.

2.4 Financial Data

Payment amounts, payment methods, invoice details, and transaction history. We do not store credit or debit card numbers — these are handled exclusively by Stripe.

2.5 Usage Data

Pages visited, features used, session duration, click patterns, and other interaction data that helps us improve the platform.

2.6 Device Data

Browser type and version, operating system, IP address, device type, screen resolution, and referring URLs.

3. How We Collect Your Data

3.1 Directly from You

When you register for an account, fill in forms, create jobs, upload photos, or contact our support team.

3.2 Automatically

Through cookies, analytics tools, and server logs when you browse our website or use the platform.

3.3 From Third Parties

Clerk (authentication data when you sign in), Stripe (payment confirmation and subscription status), and any third-party services you choose to connect (e.g., Xero, QuickBooks, Facebook).

5. How We Use Your Data

  • To provide, maintain, and improve the Corem8 platform
  • To process your subscription payments and manage billing
  • To send transactional emails (account confirmations, invoices, password resets)
  • To send marketing communications (only with your consent, and you can unsubscribe at any time)
  • To provide AI-powered features (job summaries, customer communication drafts) using anonymised data
  • To sync your data with third-party services you have connected (Xero, QuickBooks, Facebook, Google)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations
  • To analyse usage patterns and improve user experience (using aggregated, anonymised data where possible)

6. Third-Party Processors

We share your data with the following third-party processors, each of whom processes data on our behalf and under our instructions:

| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication & user management | US |
| Supabase | Database hosting | US |
| Stripe | Payment processing | US / EU |
| Google | Maps API, Ads API, Analytics | US |
| Meta / Facebook | Login, Graph API (social posting) | US |
| Anthropic | AI features (Claude API) | US |
| Xero | Accounting sync | AU / UK |
| QuickBooks (Intuit) | Accounting sync | US |
| SendGrid (Twilio) | Transactional email delivery | US |
| Twilio | SMS notifications (coming soon) | US |
| Vercel | Platform hosting & CDN | US |

7. Facebook Data

If you choose to connect your Facebook account to Corem8, we access the following data:

  • Your Facebook Page name and Page ID
  • The ability to create and publish posts on your Facebook Page on your behalf

We do not access:

  • Your personal Facebook profile information
  • Your friend lists
  • Your private messages
  • Your personal photos or content beyond what you explicitly share with Corem8

You can revoke Corem8's access to your Facebook account at any time by visiting Facebook Settings → Apps and Websites and removing Corem8. Revoking access will stop all Facebook-related features within your Corem8 account.

8. Data Retention

8.1 Account Data

Retained while your account is active and for 12 months after you request deletion, to allow for account recovery and to resolve any outstanding issues.

8.2 Financial Records

Retained for 7 years after creation, as required by UK tax law (HMRC requirements).

8.3 Usage Logs

Server logs, analytics data, and access logs are retained for 90 days and then automatically deleted or anonymised.

9. International Transfers

Your data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area, including the United States, where our infrastructure providers (Supabase, Clerk, Stripe, Vercel) operate servers.

Where data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
  • Ensuring our processors maintain appropriate technical and organisational security measures

10. Your Rights Under GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data (subject to legal retention requirements)
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint — with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, contact us at privacy@corem8.com. We will respond within 30 days.

11. Cookies

We use cookies and similar technologies to operate our platform and improve your experience. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

12. Children

Corem8 is a business-to-business service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@corem8.com and we will delete the data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email (sent to the address associated with your account) before the changes take effect. We encourage you to review this page periodically.

14. Contact

If you have any questions about this Privacy Policy or how we handle your data, contact us:

Email: privacy@corem8.com

General enquiries: hello@corem8.com

Entity: Core M8 Ltd, registered in England & Wales