Privacy Policy

1. Scope of this policy

This policy covers personal data that CoreLattice processes as a controller — for example, data we collect through our website, sales and marketing activities, support channels, and recruiting. Where CoreLattice processes personal data on behalf of a customer in connection with the Service, we act as a processor under our customer’s instructions; that processing is governed by the customer’s agreement with us and our Data Processing Addendum (DPA).

2. Data we collect

We collect the following categories of personal data:

• Account & identity data. Name, business email, job title, employer, password hash, and similar credentials needed to create and secure an account.
• Contact & communication data. Messages you send us, demo requests, sales correspondence, support tickets, and newsletter preferences.
• Usage & device data. IP address, browser type, device type, operating system, referring URLs, pages viewed, time on page, and other telemetry collected through cookies and similar technologies.
• Customer-provided data. Personal data your organization or its end users submit to the Service for processing — e.g., identity attributes, transaction records, and risk signals processed for KYC, KYB, fraud, and AML use cases. This data is processed on behalf of our customer.
• Recruitment data. Information you provide when applying for a role, including CV, work history, and references.

3. How we use personal data

We use personal data to:

• provide, maintain, secure, and improve the Service;
• respond to inquiries, demo requests, and support tickets;
• send transactional and account-related communications;
• send marketing communications you have opted into (you can unsubscribe at any time);
• analyze website and product usage to improve performance and user experience;
• detect, prevent, and investigate fraud, abuse, and security incidents; and
• comply with legal obligations and enforce our agreements.

4. Legal bases (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract. To provide the Service to you or your organization.
• Legitimate interests. To run, secure, and improve our business — for example, product analytics, fraud prevention, and direct B2B marketing — balanced against your rights.
• Consent. For non-essential cookies, marketing emails where required, and any processing where consent is the appropriate basis. You can withdraw consent at any time.
• Legal obligation. To comply with applicable laws, regulations, and lawful requests from authorities.

5. How we share data

We share personal data with:

• Service providers and sub-processors who help us operate the Service (cloud hosting, monitoring, customer support, analytics, email delivery) under written contracts that require appropriate safeguards.
• Customers — where we act as a processor, the customer controls how the data is used.
• Affiliates and group companies on the same terms as this policy.
• Professional advisors (lawyers, auditors, insurers) as needed.
• Authorities when required by law, regulation, or valid legal process.
• Counterparties to a corporate transaction (e.g., due diligence, financing, merger, or acquisition) under appropriate confidentiality.

We do not sell personal data.

6. Sub-processors

We maintain a current list of sub-processors that process personal data in connection with the Service. The list is available on request by contacting [email protected]. Customers can subscribe to receive notice of changes to the sub-processor list.

7. International transfers

We and our sub-processors may process personal data in countries other than your own, including the United States, the United Kingdom, the European Economic Area, and India. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss SCC adaptations, or other lawful transfer mechanisms.

8. Data retention

We retain personal data only as long as needed to fulfill the purposes described in this policy, comply with legal and regulatory requirements, resolve disputes, and enforce our agreements. Customer data processed by the Service is retained per the customer’s configuration and contract; default retention periods are documented in our DPA.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Controls include encryption in transit and at rest, access controls, logging and monitoring, secure development practices, vendor due diligence, and a documented incident response process. No system is perfectly secure; if you believe an account has been compromised, contact us immediately.

10. Your rights

Depending on your location, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, the right to data portability, and the right to withdraw consent. You may also have the right to lodge a complaint with a supervisory authority. To exercise a right, email [email protected]. We will respond within the timeframe required by applicable law.

If we process your personal data on behalf of a customer (for example, as part of identity verification or transaction monitoring), please contact that customer directly; we will support them in responding.

11. Children’s data

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page and, where appropriate, communicated by email or in-app notice. The date at the top reflects the most recent revision.

13. Contact us

CoreLattice AI Pvt Ltd
Registered office address available on request
Email: [email protected]