Privacy Policy

1. Introduction and Data Controller

This Privacy Policy explains how Recons Ltd ("Recons Ltd", "we", "us", or "our"), a company incorporated in England and Wales with its registered office in London, United Kingdom, collects, uses, shares, and protects your personal data when you use the MyCorr service ("Service").

Recons Ltd is the data controller for the personal data we collect directly from you in connection with your use of the Service. Where you store personal data of third parties in the Service, you are the data controller for that data and Recons Ltd acts as a data processor on your behalf (see Section 13).

This policy applies to all users of the Service worldwide. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA) as applicable.

2. Information We Collect

We collect the following categories of personal data:

  • (a) Account Information: your name and email address, obtained through Google OAuth when you sign in to the Service.
  • (b) User-Generated Content: database schemas, table data, model configurations, and any other data you upload, create, or store through the Service. This content is controlled by you and may contain personal data of third parties.
  • (c) Usage Data: session metadata, including when multiplayer collaboration sessions start and end. This data is used solely for system monitoring and service improvement.
  • (d) Technical Data: IP address, browser type and version, device information, and operating system. This data is collected automatically by our web servers.
  • (e) Cookie Data: session authentication cookies necessary for the operation of the Service (see Section 10).

3. How We Collect Information

We collect personal data in the following ways:

  • Directly from you: when you sign in via Google OAuth, create content, or contact us.
  • Automatically: through cookies, server logs, and session monitoring when you use the Service.
  • From third parties: your name and email address from Google when you authenticate via Google OAuth.

4. Legal Bases for Processing

Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:

  • (a) Performance of a Contract (Article 6(1)(b)): processing necessary to provide you with the Service, including account creation, authentication, data storage, and collaboration features.
  • (b) Legitimate Interests (Article 6(1)(f)): processing necessary for our legitimate interests, including service security, system monitoring, performance optimisation, and service improvement. Our legitimate interests do not override your fundamental rights and freedoms.
  • (c) Consent (Article 6(1)(a)): where you have given specific consent for certain processing activities, such as optional features or communications. You may withdraw consent at any time.
  • (d) Legal Obligation (Article 6(1)(c)): processing necessary to comply with applicable laws, regulations, or legal processes.

5. How We Use Your Information

We use your personal data for the following purposes:

  • To provide, operate, and maintain the Service.
  • To authenticate your identity and manage your account.
  • To enable real-time collaboration features, including multiplayer sessions.
  • To monitor and improve the performance, security, and reliability of the Service.
  • To communicate with you about your account, including service updates and security notices.
  • To respond to your requests and provide customer support.
  • To comply with applicable laws and legal obligations.
  • To enforce our Terms of Service and protect our rights.

We do not use your personal data for automated decision-making or profiling. We do not use your Content to train machine learning models.

6. Data Sharing and Subprocessors

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

We share personal data with the following categories of service providers (subprocessors) who assist us in operating the Service:

  • (a) Google Cloud Platform (Google LLC): cloud infrastructure hosting, authentication (OAuth), Google Sheets integration, and cloud storage. Data is hosted in Google Cloud Frankfurt (europe-west3), European Union.
  • (b) Postmark (ActiveCampaign LLC): transactional email delivery for service-related communications.
  • (c) Infrastructure providers: database and caching services operated on our cloud infrastructure.

All subprocessors are bound by data processing agreements and are required to protect your personal data in accordance with applicable data protection laws.

We may also disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7. International Data Transfers

Your personal data is hosted on Google Cloud Platform in Frankfurt, Germany (europe-west3), within the European Union.

If you access the Service from outside the European Union or United Kingdom, your data will be transmitted to and stored on servers in the EU. The UK has an adequacy decision with the European Union, permitting data transfers between the UK and EU without additional safeguards.

For transfers to jurisdictions outside the EU/UK that do not have an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office.

8. Data Retention

We retain your personal data as follows:

  • (a) Account data (name, email): retained for as long as your account is active. Upon account deletion, your account data is deleted within 30 days.
  • (b) User-generated content (schemas, table data): retained for as long as your account is active. Upon account deletion, your content is deleted in accordance with our data lifecycle policies.
  • (c) Session metadata: retained for 7 days for system monitoring purposes, then automatically deleted.
  • (d) Server logs (including IP addresses): retained for 30 days for security and debugging purposes, then automatically deleted.
  • (e) Backup data: retained for up to 30 days after the original data is deleted, then purged.

We may retain certain data for longer periods where required by applicable law or to resolve disputes.

9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

UK and EU Residents (UK GDPR / EU GDPR)

  • Right of Access: you may request a copy of the personal data we hold about you.
  • Right to Rectification: you may request that we correct inaccurate or incomplete personal data.
  • Right to Erasure: you may request that we delete your personal data, subject to certain exceptions.
  • Right to Restriction: you may request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: you may request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: you may object to our processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority.

California Residents (CCPA)

  • Right to Know: you may request information about the categories and specific pieces of personal data we have collected about you.
  • Right to Delete: you may request that we delete the personal data we have collected from you, subject to certain exceptions.
  • Right to Opt-Out: we do not sell your personal data. If this changes, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.

Exercising Your Rights

To exercise any of these rights, please contact us at support@mycorr.app. We will respond to your request within 30 days (UK/EU GDPR) or 45 days (CCPA). We may request verification of your identity before processing your request.

You may also export your data directly from the Service using the built-in export features.

10. Cookies

We use only essential cookies necessary for the operation of the Service:

  • Session Cookie: an authentication cookie that identifies your logged-in session. This cookie is set when you sign in via Google OAuth and expires when your session ends or after 7 days of inactivity.

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies. We do not use any web beacons, pixel tags, or similar tracking technologies.

Because we use only strictly necessary cookies, no cookie consent banner is required under UK or EU law.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS/HTTPS.
  • Encryption of data at rest.
  • Fine-grained access controls using role-based authorisation.
  • Regular security reviews and monitoring.
  • Access to personal data limited to authorised personnel on a need-to-know basis.
  • Secure authentication via Google OAuth (we do not store passwords).

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe we have collected data from a child under 16, please contact us at support@mycorr.app.

13. Data Processing Terms

This section sets out the terms under which Recons Ltd processes personal data on your behalf when you act as a data controller by storing personal data of third parties in the Service.

  • (a) Roles: when you store personal data of third parties in the Service, you are the data controller and Recons Ltd is the data processor. You determine the purposes and means of processing; we process such data only on your documented instructions.
  • (b) Scope of Processing: we process your third-party data solely to provide, maintain, and secure the Service. We do not access, use, or disclose such data for any other purpose unless required by applicable law.
  • (c) Security Measures: we implement appropriate technical and organisational measures as described in Section 11 to protect all data processed through the Service.
  • (d) Sub-Processing: we engage the subprocessors listed in Section 6 to assist in providing the Service. We will notify you of any changes to our subprocessors by updating Section 6 of this Privacy Policy. You may object to a new subprocessor by ceasing to use the Service.
  • (e) Breach Notification: in the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay, and in any event within 72 hours of becoming aware of the breach, providing the nature of the breach, the categories of data affected, and the measures taken to address it.
  • (f) Audit Rights: upon reasonable written request and subject to appropriate confidentiality obligations, we will make available to you information necessary to demonstrate our compliance with these data processing terms.
  • (g) Data Return and Deletion: upon termination of your account, you may export your data using the built-in export features of the Service. Following your request for account deletion, we will delete all data processed on your behalf in accordance with the retention periods set out in Section 8.
  • (h) Data Protection Impact Assessments: upon reasonable request, we will provide you with information necessary to carry out a data protection impact assessment.

14. Your Obligations When Storing Third-Party Data

If you use the Service to store, process, or manage personal data of third parties (for example, customer records, employee data, or contact information), you acknowledge and agree that:

  • You are the data controller for such data and bear full responsibility for compliance with all applicable data protection laws.
  • You must have a lawful basis for collecting and processing such data.
  • You must inform the relevant data subjects about the processing of their data, including the fact that their data is stored using the Service.
  • You must respond to and fulfil any data subject requests (access, deletion, rectification, etc.) relating to such data.
  • You must not store special category data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.) or criminal offence data in the Service unless you have ensured compliance with the additional requirements of applicable data protection law.
  • Recons Ltd acts as a data processor only and accepts no responsibility or liability for your compliance with data protection laws regarding third-party data you store in the Service.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date at the top of this policy and notify you through the Service. Material changes will require you to review and re-accept the updated policy before continuing to use the Service.

We encourage you to review this Privacy Policy periodically.

16. Contact

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise any of your data protection rights, please contact us at:

Recons Ltd
London, United Kingdom
support@mycorr.app

For data protection matters, you may also contact the UK Information Commissioner's Office (ICO) at ico.org.uk.