Privacy Policy
This Privacy Policy details the data protection protocols of Corlix. It outlines your privacy rights and the legal protections afforded to you under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Introduction
Corlix ("we", "our", or "us") acknowledges the importance of your privacy and is legally committed to protecting your personal data. This Privacy Policy governs your use of the Corlix platform and explains how we collect, safeguard, and disclose information that results from your use of our Service. By accessing the Service, you consent to the data practices described in this policy.
For the purposes of the Data Protection Act 2018 and the UK GDPR, Corlix is the Data Controller. This signifies that we are the entity responsible for determining the purposes and means of processing your personal data. We have established a Data Protection Officer (DPO) framework within our organization to ensure strict adherence to these regulations.
Definitions & Interpretation
To facilitate your understanding of this policy, specific terms are defined as follows: Personal Data refers to any information relating to an identified or identifiable living individual. Processing denotes any operation or set of operations performed on such data, including collection, recording, storage, adaptation, or destruction. A Data Subject is any living individual who is the subject of Personal Data held by an organization. A Third Party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
The Data We Collect
We collect and process various categories of data to provide our Service effectively. Identity Data includes your first name, last name, username, or unique identifier. Contact Data comprises your email address and, where applicable for billing, your physical address.
The core utility of our Service relies on Document Data. This encompasses the digital files, images, and PDFs you upload as "Certificates." We acknowledge that these documents may contain sensitive Personally Identifiable Information (PII) such as license numbers, home addresses, and professional qualifications. We apply heightened security protocols to this category of data.
We also collect Technical Data, including your Internet Protocol (IP) address, browser type, time zone setting, operating system, and platform. Furthermore, we may process Aggregated Data. We may use your data to create anonymized, aggregated statistics (e.g., "Corlix users tracked 10,000 documents this year"). You acknowledge that such Aggregated Data is not Personal Data and shall belong exclusively to Corlix.
Legal Basis for Processing
We will only use your personal data when the law allows us to. Most commonly, we rely on the Performance of a Contract as our lawful basis. This applies when we process your data to register you as a new customer and to provide the certificate tracking and reminder services you have subscribed to. Without this processing, we cannot fulfill our contractual obligations to you.
We also rely on Legitimate Interests to process Technical Data for the purposes of fraud prevention, network security, and service optimization. We ensure that we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.
For processing related to non-essential cookies and third-party analytics, we rely on your explicit Consent. You have the right to withdraw consent to marketing or analytics at any time by adjusting your cookie preferences or contacting us.
Marketing & Communications
We may use your Identity and Contact Data to form a view on what we think you may want or need, or what may be of interest to you. You will receive marketing communications from us if you have requested information from us or purchased services from us and, in each case, you have not opted out of receiving that marketing. This is known as the "Soft Opt-in" under the Privacy and Electronic Communications Regulations (PECR).
You can ask us to stop sending you marketing messages at any time by following the unsubscribe links on any marketing message sent to you or by contacting us at any time. Please note that opting out of marketing messages does not opt you out of receiving essential service messages, such as certificate expiry alerts, security updates, or changes to our policies.
Data Security
We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. We utilize AES-256 encryption for all data at rest within our AWS infrastructure and TLS 1.3 encryption for all data in transit.
Our database architecture enforces Row-Level Security (RLS) policies. This ensures that the database engine itself restricts access to data rows based on the authenticated user's identity, so that cross-tenant data leakage is prevented at the database layer. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know.
International Transfers
While our primary data residency is within the United Kingdom (AWS London), we utilize specific third-party subprocessors. Where we transfer your data to service providers in the United States (such as Google or Lemon Squeezy), we rely on the UK Extension to the EU-US Data Privacy Framework (DPF). This framework ensures that US-based organizations provide a standard of protection for personal data that is equivalent to that of the UK GDPR.
Controller vs Processor: Please note that for financial transactions, Lemon Squeezy acts as an independent Data Controller. When you enter payment information, you are providing it directly to them. Corlix does not store or process your full credit card number.
Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for. By law, for tax purposes (HMRC), we have to keep basic information about our customers (including Contact, Identity, and Transaction Data) for six years after they cease being customers.
For active accounts, data is retained for the duration of the subscription. Upon account deletion, your personal data and uploaded documents are permanently removed from our production systems within 30 days.
Automated Decision Making
We do not use automated decision-making or profiling (as defined in Article 22 of the UK GDPR) that produces legal effects concerning you or similarly significantly affects you. All decisions regarding your account status are made by human intervention or standard logic rules (e.g., non-payment leads to suspension) rather than AI profiling.
Third-Party Links
This website may include links to third-party websites, plug-ins, and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.
Breach Notification
We have established strict procedures to deal with any suspected personal data breach. In the event of a breach that is likely to result in a risk to your rights and freedoms, we are legally mandated to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
Your Legal Rights
Under the UK GDPR, you have the right to request access to your personal data, request correction of inaccurate data, and request erasure of your personal data where there is no good reason for us continuing to process it.
You also have the right to object to processing where we are relying on a legitimate interest, and the right to request restriction of processing. You will not have to pay a fee to access your personal data, provided your request is not clearly unfounded, repetitive, or excessive.
Children's Privacy
Our Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us immediately so that we can take necessary actions to remove such data from our systems.
Contact Us
If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the Data Controller. You may reach us via email at support@corlix.co.uk.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.