Legal
Version 1.3 · Effective date: April 17, 2026
Last updated: April 18, 2026
Data Controller: CoreLab Creative · info@corelabcreative.com
CoreLab Creative ("CoreLab", "we", "our", "us") operates the design services subscription platform available at its main domain and associated subdomains (the "Platform"). As the data controller, CoreLab determines the purposes and means of processing personal information collected through the Platform.
This Privacy Policy applies to:
This policy does not apply to third-party websites that the Platform may link to.
When you create an account with CoreLab, we collect:
| Field | Purpose | Required |
|---|---|---|
| Email address | Unique account identifier and communications | Yes |
| Password (securely stored via hash) | Authentication — never stored in plain text | Yes |
| Full name | Identification and personalized communications | Yes |
| Company/organization name | Workspace creation | Yes |
| Selected subscription plan | Service configuration and billing | Yes |
| Custom offer token | Access to individually negotiated plans | No |
Once registered, users have associated: display name on the Platform, email address linked to the account, profile picture (when authenticated via Google), and language preference stored in user metadata.
When creating a design request, we collect: title and description of the work, request type and priority, estimated deadline (optional), associated project (optional), custom fields depending on the request type, attachments (up to 10 MB per file), as well as timestamps for the first staff response and request resolution.
The history of status changes for each request (including the responsible user, previous and new status, and reason for change when applicable) is also recorded.
CoreLab does not store payment card data. Processing is handled entirely by Stripe. What CoreLab stores in its own database:
Payment method details visible to the user (brand, last 4 digits, expiry) are obtained directly from the payment processor in real time and are not persisted in CoreLab's database.
For each registered organization: name, URL identifier derived from the name, custom domain (if applicable), logo (if applicable), workspace settings, and membership relationships (which users belong to the organization and with which role).
Uploaded files are stored in a private storage system. The following file metadata is recorded: original name, internal storage path, size, file type, uploading user, associated request or resolution, and upload date.
Permitted types: Images (PNG, JPEG, GIF, WebP), documents (PDF, TXT, DOC/DOCX, XLS/XLSX, PPT/PPTX), compressed files (ZIP). Maximum size: 10 MB per file.
When using the website's contact form: name, email address, message, selected language, and the source URL of the request (automatically detected — not entered by the user).
The internal audit system automatically records: the user who performed the action, the organization involved, the type of action executed, the affected resource, additional relevant context, IP address, browser type and HTTP client, and the action timestamp.
| Purpose | Data Involved | Legal Basis |
|---|---|---|
| Provision of subscription service | Account, profile, requests, comments, files data | Contract performance (Art. 6.1.b GDPR) |
| Authentication and identification | Email, hashed password, session tokens, MFA factors | Contract performance / Legitimate interest |
| Billing and collection | Subscription data, payment processor identifiers | Contract performance / Legal obligation |
| Transactional communications | Email, name, ticket/invitation data | Contract performance |
| Team invitation management | Invitee email, assigned role | Legitimate interest of the controller |
| Internal security audit | IP, browser type, action performed, resource | Legitimate interest (security) |
| Fraud detection and prevention | IP, access patterns, activity history | Legitimate interest |
| Technical support | Ticket data, attachments, comments | Contract performance |
| Service improvement | Aggregated and anonymized usage data | Legitimate interest |
| Compliance with legal obligations | Those required by applicable regulations | Legal obligation (Art. 6.1.c GDPR) |
CoreLab shares personal data only with the following providers, as data processors, under agreements that ensure adequate levels of protection:
Our infrastructure provider stores all application data (user accounts, organizations, subscriptions, requests, comments, attachments, activity logs). Data is hosted on servers with encryption at rest and in transit.
Payments are processed through a PCI-DSS certified processor. The client's email, organization name, and subscription metadata are shared. CoreLab never sends payment card data directly — users enter it on a form hosted by the payment processor.
The recipient's email address, name, and email content are shared (may include organization name, plan name, ticket title and status, invitation URLs).
Only when the user chooses to authenticate with Google. CoreLab receives the user's email, name, and profile picture through the standard OAuth flow.
Loading typography from Google's CDN means the browser makes a request to Google's servers, which may include the IP address and browser type. For more information: Google Fonts Privacy FAQ.
CoreLab does not sell personal data to third parties under any circumstances.
| Data Category | Retention Period |
|---|---|
| Active account data | While the account is active |
| Cancelled account data | 90 days after cancellation, then deletion or anonymization |
| Activity logs | 2 years |
| File attachments | During subscription + 30 days post-cancellation |
| Unaccepted invitation tokens | 7 days (automatic expiry) |
| Billing data | Per applicable accounting obligations (generally 5–7 years) |
Upon requesting deletion: profile data is deleted or anonymized; tickets and associated files may be retained in anonymized form for workspace record integrity; payment processor data is retained per tax obligations; a confirmation email is sent.
| Right | Description |
|---|---|
| Access | Obtain confirmation of whether your data is processed and a copy thereof |
| Rectification | Correct inaccurate or incomplete data |
| Erasure ("right to be forgotten") | Request deletion of your personal data |
| Portability | Receive your data in structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Restriction | Request temporary restriction of processing |
| Non-automation | Not be subject to decisions based solely on automated processing |
| Withdrawal of consent | Withdraw at any time when processing is based on consent |
To exercise any of these rights, email info@corelabcreative.com with the subject [PRIVACY]. We will respond within a maximum of 30 days.
CoreLab implements the following technical and organizational measures:
See the Cookie Policy for detailed information.
No third-party tracking cookies or advertising cookies are used.
The Platform is directed exclusively to users aged 18 or older, or to legal representatives of business entities. CoreLab does not intentionally collect personal data from minors. If we identify that data has been collected from a minor without parental consent, we will proceed with its immediate deletion.
In the event of material changes, active users will be notified by email at least 14 days in advance. Continued use of the Platform after the effective date implies acceptance of the changes.
If you believe that the processing of your data infringes applicable regulations, you may lodge a complaint with the competent authority in your jurisdiction:
| Region | Supervisory Authority |
|---|---|
| European Union | Supervisory authority of the Member State of residence |
| Spain | Spanish Data Protection Agency — aepd.es |
| United Kingdom | Information Commissioner's Office (ICO) — ico.org.uk |
| Brazil | National Data Protection Authority (ANPD) |
| Mexico | National Institute of Transparency (INAI) |
| Argentina | Agency for Access to Public Information (AAIP) |
| Colombia | Superintendence of Industry and Commerce (SIC) |
| Chile | Council for Transparency |
| Peru | National Data Protection Authority (MINJUS) |
| Canada | Office of the Privacy Commissioner (OPC) |
| USA (California) | California Privacy Protection Agency (CPPA) |
| USA (other states) | Attorney General of state of residence |
This section applies exclusively to California residents and supplements the rights in §7.
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, IP address, user identifier | Yes |
| Commercial information | Subscription and payment history, subscribed plan | Yes |
| Internet activity | Session logs, browser type, platform action history | Yes |
| Approximate geolocation | Inferred from IP address | Yes (indirect) |
| Professional information | Company name, role/position in organization | Yes |
| Inferred preferences | Preferred language, interface theme, tutorial status | Yes |
| Sensitive personal information | Password (hashed), MFA factors | Yes |
CoreLab does not sell or share its users' personal information with third parties for advertising purposes. No California residents' data has been sold or shared in the last 12 months.
| Right | Description |
|---|---|
| Know | Request information about categories of data collected, sources, purposes, and third parties |
| Delete | Request deletion, subject to legal exceptions |
| Correct | Request correction of inaccurate data |
| Opt-out of sale/sharing | Not applicable in practice — CoreLab does not sell or share data |
| Non-discrimination | CoreLab will not discriminate for exercising these rights |
| Limit sensitive data | CoreLab already complies with this by design: it only uses sensitive data to provide the service |
Exercise: info@corelabcreative.com — Subject: [CCPA] - description. Response within 45 days (extendable to 90 with notice).
Processing of data of UK residents is governed by UK GDPR (Data Protection Act 2018). The same rights as in §7 apply with the same response timelines. Data transfers are carried out under mechanisms approved by the ICO, including the UK IDTA where applicable. Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk.
Processing of Canadian residents' data complies with PIPEDA's ten principles: accountability; identifying purposes; consent; limiting collection; limiting use, retention and disclosure; accuracy; safeguards; openness; individual access; and challenging compliance.
For Quebec residents, Quebec Law 25 (in effect since 2023) additionally applies. Contact to exercise rights: info@corelabcreative.com — Subject: [PIPEDA].
CoreLab acknowledges and respects the rights established by the following state laws: VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), MCDPA (Montana), ICDPA (Iowa), MCDPA (Minnesota).
Universal commitments: CoreLab does not sell personal data under any state definition, does not use data for behavioral advertising, does not carry out profiling with significant effects, honors opt-out signals (including GPC), and responds to requests within 45 days (extendable to 90).
If a request is denied, the individual may appeal within 30 days. CoreLab will resolve the appeal within 60 additional days and inform the individual of the right to complain to the state Attorney General. Exercise: info@corelabcreative.com — Subject: [PRIVACY-US] - [State] - description.
GPC (Global Privacy Control): CoreLab detects and respects the GPC signal. Since CoreLab does not sell or share data for advertising purposes, its activation does not alter Platform behavior — these commitments already apply to all users by default.
DNT (Do Not Track): CoreLab registers this signal. Since no advertising tracking cookies or behavioral analytics systems are used, there is no practical difference between users with or without DNT enabled.
CoreLab acts as a Data Fiduciary under the Digital Personal Data Protection Act 2023. Processing is based on free, specific, and informed consent granted at registration. The data principal may withdraw it at any time, which may result in service termination if the data is necessary for its provision.
Rights: access to information, correction and erasure, grievance redress mechanisms, and nomination of a representative. In the event of a security breach, CoreLab will notify the Data Protection Board of India and affected data principals. Contact: info@corelabcreative.com — Subject: [DPDPA] - description.
CoreLab complies with the 13 applicable Australian Privacy Principles (APPs): transparent management, collection limited to declared purposes, notification at time of collection, use restricted to primary purposes, no unsolicited direct marketing, cross-border disclosure under safeguards, no use of Australian government identifiers, maintenance of accurate data, appropriate security measures, and right of access and correction.
To exercise rights or submit complaints: info@corelabcreative.com — Subject: [PRIVACY-AU] - description. If the complaint is not satisfactorily resolved, it may be escalated to the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au.
CoreLab Creative
Email: info@corelabcreative.com
Suggested subject: [PRIVACY] - brief description
Version 1.3 — Last updated: April 18, 2026. Coverage: GDPR · UK GDPR · LGPD · ePrivacy · CCPA/CPRA · VCDPA · CPA · CTDPA · UCPA · TDPSA · OCPA · MCDPA · ICDPA · PIPEDA · Loi 25 · DPDPA 2023 · Privacy Act 1988 (Australia)