Privacy Policy

Effective date: 21 August 2025
Last updated: 21 August 2025

1. Who We Are

Coretus Technologies Private Limited ("Coretus", "we", "us", "our") operates coretus.com and provides software development and related services globally, to clients across multiple industries and regions.

  • Controller: Coretus Technologies Private Limited
  • Legal address: 507‑South Block, TwinStar, 150 ft Ring Road, Rajkot, Gujarat, 360005, India
  • All privacy contacts (DPO/Grievance Officer): legal@coretus.com
  • EU/EEA Art. 27 Representative: To be appointed (if no EU establishment). Contact: legal@coretus.com
  • UK GDPR Representative: To be appointed (if no UK establishment). Contact: legal@coretus.com

For client projects, we typically act as a processor under a Data Processing Addendum (DPA). For our websites, marketing, HR, and business operations, we act as a controller.

2. Scope & Territories

This Policy applies when we act as controller. We honour applicable privacy laws including GDPR/UK GDPR, CPRA/CCPA and similar US state laws, Australia’s APPs, New Zealand Privacy Act 2020, Singapore PDPA, India’s DPDP Act 2023, UAE PDPL, and comparable laws. Where local law is stricter, it prevails.

3. Data We Collect

  • Identity & Contact: name, title, company, work email, phone, country, timezone, language.
  • Account: portal credentials (hashed), roles/permissions.
  • Project/Business: requirements, files you provide, meeting notes, SOW/MSA references.
  • Usage & Technical: IP, device/browser, pages viewed, session details, referrers/UTMs, approximate location (via cookies/SDKs—see Cookie Policy).
  • Marketing Preferences: opt‑ins/outs, communication settings.
  • Support & Communications: emails, chats, tickets, and call recordings where lawful and noticed.
  • Careers: CV, cover letter, work history, education, portfolio links, interview records.
  • Payments/Billing: billing and tax details; no full card numbers stored (handled by PCI‑compliant processors).
  • Third‑Party Sources: business profile data from public sources/partners/events where lawful.

We do not intentionally collect special category data (GDPR Art. 9) unless instructed by a client as processor under a DPA.

4. Lawful Bases & Purpose Matrix (GDPR/UK GDPR)

Category | Purpose | Lawful Basis
Identity/Contact | Sales, onboarding, account management, support | Contract (Art. 6(1)(b)); Legitimate interests (service quality)
Account | Authenticate, secure access | Contract; Legitimate interests (security)
Usage/Technical | Security, diagnostics, analytics, UX | Legitimate interests; Consent where required (non‑essential cookies)
Marketing Prefs | Send relevant communications | Consent (opt‑in) or Legitimate interests (B2B, where permitted)
Support/Comms | Respond to inquiries, quality assurance | Legitimate interests; Consent for recording where required
Careers | Recruitment and hiring | Pre‑contract steps; Legitimate interests; Legal obligation
Billing | Invoicing, compliance, fraud prevention | Contract; Legal obligation; Legitimate interests

Under India’s DPDP Act 2023, we process with consent or for legitimate uses permitted by law, applying purpose limitation, data minimisation, and reasonable security safeguards.

5. How We Use Personal Data

Operate, secure, and improve services; personalise (subject to choices); deliver transactional/service messages; measure performance; detect/prevent abuse; comply with legal obligations; enforce agreements.

6. Sharing & Disclosures

  • Processors/Service Providers: hosting, analytics, communications, CRM, marketing, payments, security, recruiting (with DPAs/SCCs/UK Addendum as required).
  • Advertising/Analytics Partners: measurement and (if consented) remarketing/lookalike audiences—see Cookie Policy.
  • Professional Advisors and Legal/Safety disclosures.
  • Business Transfers: in M&A/reorganisation, consistent with this Policy.

We do not sell personal information in the conventional sense. For CPRA, some ad disclosures may be deemed “sell” or “share”—you can opt‑out at /privacy/choices and via supported browser signals (GPC).

7. International Transfers

When data moves internationally (e.g., EEA/UK → India/US), we use lawful mechanisms: EU Standard Contractual Clauses (SCCs) and the UK Addendum/IDTA, plus supplementary safeguards where appropriate.

8. Retention

  • Marketing leads: until opt‑out or after 24 months of inactivity.
  • Client/project files: project term + 7 years (for legal/accounting).
  • Support: 3 years.
  • Careers: 12 months (unless consent for longer or law requires shorter).

9. Security

We implement technical and organisational measures appropriate to risk (encryption in transit, access controls, monitoring, backups, vendor diligence). No system is perfectly secure.

10. Data Breach Notification

We will notify the competent supervisory authority without undue delay and, where required by law, within statutory timelines (e.g., 72 hours under GDPR) after becoming aware of a personal data breach. Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay, unless an exemption applies.

11. Your Rights & Choices

Depending on your location, you may have rights to access, correct, delete, restrict, object, portability, and withdraw consent. Object to marketing anytime. To exercise rights, email legal@coretus.com. We may verify identity and respond within legal timelines.

  • EU/UK: Full GDPR/UK GDPR rights; complain to your DPA (e.g., ICO).
  • US (CPRA/CCPA): know/correct/delete; opt‑out of sale/share; limit sensitive data (we do not use SPI to infer traits); non‑discrimination.
  • Australia/NZ, Singapore, India, UAE: comparable access/correction/erasure/objection rights under local law.

12. Automated Decision‑Making

We do not rely on solely automated decisions that produce legal or similarly significant effects. If this changes, we will provide required notices and options.

13. Marketing & Cookie Controls

Manage cookie preferences at /privacy/cookie-settings. Opt‑out of sale/share under CPRA at /privacy/choices. We honour Global Privacy Control (GPC) signals where applicable.

14. Changes

We may update this Policy; material changes will be communicated on the site or by email. See the “Last updated” date above.

15. Contact

Email: legal@coretus.com
Postal: 507‑South Block, TwinStar, 150 ft Ring Road, Rajkot, Gujarat, 360005, India
DPA requests: legal@coretus.com • Suggested DPA URL: /legal/dpa