Privacy Policy

Last updated: April 8, 2026

Our Commitment to Privacy

CoreITsm is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, and protect your data when you use our enterprise IT service management platform. We act as both a data controller and processor depending on the context, and we comply with global data protection regulations including GDPR, CCPA, HIPAA, and LGPD.

Our Privacy Principles

  • Privacy by Design: Privacy considerations embedded in our platform architecture
  • Data Minimization: We collect only data necessary for our services
  • Transparency: Clear, accessible information about our data practices
  • Accountability: Regular audits and compliance monitoring
  • Security: Enterprise-grade protection for all personal data

Information We Collect

Account and Profile Information

When you register for an account, we collect:

  • Name, email address, and contact information
  • Job title, department, and organization details
  • Billing information and payment method details
  • Profile preferences and settings
  • User role and permissions
  • Authentication credentials and security tokens

Legal Basis: Contract necessity for service delivery; Consent for optional features

Service Usage Data

We automatically collect information about your use of our platform:

  • Incident, problem, and change management records
  • CMDB and asset management data
  • Service catalog and request information
  • Knowledge base and documentation access
  • Performance metrics and analytics data
  • IP address, browser type, and device information
  • Access logs and authentication events
  • User interaction patterns and feature usage

Legal Basis: Legitimate interest for service improvement and security; Contract necessity for service delivery

Customer Data

As an enterprise platform, we process customer data on behalf of our customers:

  • IT service tickets and support requests
  • Asset inventory and configuration data
  • User directory and access management data
  • Service level agreements and performance metrics
  • Change management and approval workflows
  • End-user personal data provided by customers

Legal Basis: We act as data processor based on customer instructions; Contract necessity

Communications Data

We collect communications data for service delivery:

  • Email communications and support tickets
  • Chat transcripts and support interactions
  • Phone call recordings (where consented)
  • Marketing communications preferences
  • Newsletter subscriptions and engagement

Legal Basis: Consent for marketing; Contract necessity for support communications

How We Use Your Information

Service Provision

Provide, maintain, and improve our ITSM platform and related services

  • Incident and problem management
  • Change and release management
  • Asset and configuration management
  • Service catalog and request fulfillment

Security & Compliance

Ensure platform security, prevent fraud, and comply with legal obligations

  • Fraud detection and prevention
  • Security monitoring and incident response
  • Regulatory compliance reporting
  • Audit trail maintenance

Analytics & Improvement

Analyze usage patterns, develop new features, and enhance user experience

  • Product development and optimization
  • User experience research
  • Performance analytics
  • A/B testing and feature experimentation

Communication

Respond to support requests, send important notifications, and provide customer service

  • Customer support and service delivery
  • Platform notifications and updates
  • Marketing communications (with consent)
  • Legal and regulatory notices

Data Protection and Security

Security Measures

We implement enterprise-grade security measures:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control with multi-factor authentication
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Compliance: Regular security audits and penetration testing
  • Backup: Encrypted daily backups with geographic distribution
  • Network Security: Firewalls, DDoS protection, and network segmentation
  • Data Loss Prevention: Automated monitoring and prevention controls
  • Employee Training: Regular security awareness and privacy training

Data Processing Agreements

For customers subject to GDPR or other data protection laws, we execute Data Processing Agreements (DPAs) that clearly define our responsibilities as a data processor. Our DPAs include:

  • Scope and purpose of processing
  • Security measures and obligations
  • Subprocessor management procedures
  • Data breach notification requirements
  • Audit rights and cooperation
  • Data subject rights assistance
  • International transfer mechanisms
  • Data deletion and return procedures

Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Our retention periods include:

Data Category           Retention Period                            Legal Basis
Account Information     Until account deletion                      Contract necessity
Service Usage Data      2 years (analytics), 7 years (financial)    Legitimate interest, Legal obligation
Support Communications  3 years after closure                       Contract necessity, Legal obligation
Marketing Data          Until consent withdrawal                    Consent

Data Breach Notification

Breach Detection and Response

We maintain comprehensive breach detection and response procedures:

  • 24/7 Monitoring: Continuous security monitoring and threat detection
  • Rapid Assessment: Immediate breach assessment and classification
  • Containment: Swift containment and remediation procedures
  • Documentation: Detailed breach register and incident logs

Notification Requirements

GDPR (72 Hours)

Notify supervisory authority within 72 hours of becoming aware of a breach that poses risk to individuals' rights and freedoms. Notify affected individuals without undue delay for high-risk breaches.

CCPA/CPRA (Reasonable Time)

Notify affected California residents in the event of a breach of unencrypted personal information that compromises security, confidentiality, or integrity.

HIPAA (60 Days)

Notify affected individuals, the Department of Health and Human Services, and sometimes the media within 60 days of a breach of unsecured PHI.

Breach Notification Content

Our breach notifications include:

  • Description of the breach and data categories affected
  • Estimated number of affected individuals
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Recommendations for affected individuals
  • Contact information for Data Protection Officer

Your Rights

Access Rights

  • Request a copy of your personal data
  • Know what personal data we have about you
  • Understand how we use your data
  • Request information about processing sources

Response Time: 30 days (GDPR), 45 days (CCPA)

Control Rights

  • Correct inaccurate or incomplete data
  • Request deletion of your data (where applicable)
  • Object to processing of your data
  • Restrict processing of your data
  • Withdraw consent at any time

Exceptions: Legal obligations, public interest, contractual requirements

Portability Rights

  • Export your data in a structured format
  • Transfer your data to another service
  • Request data in machine-readable format
  • Direct data transmission to other controllers

Format: CSV, JSON, XML, or other structured format

Marketing Rights

  • Opt out of marketing communications
  • Manage cookie preferences
  • Control targeted advertising
  • Request deletion of marketing data

CCPA: Opt-out of sale/sharing of personal information

How to Exercise Your Rights

To exercise your rights, please contact us at privacy@coreitsm.com. We will:

  • Verify your identity using appropriate authentication methods
  • Respond within the legally required timeframe
  • Provide your data in the requested format
  • Document all requests and responses

International Data Transfers

CoreITsm is a global platform, and your data may be transferred to and processed in countries outside your own. We ensure appropriate safeguards are in place for international data transfers, including:

  • EU-US Data Privacy Framework: Certified adherence to DPF Principles
  • Standard Contractual Clauses: EU Commission-approved model clauses
  • Binding Corporate Rules: Internal data protection policies for intra-group transfers
  • Adequacy Determinations: Transfers to countries with adequate data protection laws
  • Transfer Impact Assessments: Regular assessments of transfer adequacy

Data Hosting Locations

Our primary data hosting locations include:

  • United States: Primary hosting with SOC 2 Type II certification
  • European Union: Local hosting for EU customers (GDPR compliance)
  • Canada: Hosting for North American customers with PIPEDA compliance
  • Australia: Regional hosting with Privacy Act compliance

Third-Party Services and Subprocessors

We may share your information with trusted third-party service providers who help us operate our platform. All subprocessors undergo rigorous security and privacy assessments.

Infrastructure Providers

Cloud hosting, database services, and content delivery networks

Examples: AWS, Google Cloud, Microsoft Azure

Security Services

Authentication providers, security monitoring, and threat detection

Examples: Okta, Cloudflare, Snyk

Analytics Services

Usage analytics and performance monitoring tools

Examples: Google Analytics, Mixpanel, Hotjar

Support Services

Customer support platforms and communication tools

Examples: Intercom, Zendesk, Twilio

Payment Services

Payment processing and billing services

Examples: Stripe, PayPal, Adyen

Subprocessor Management

We maintain a comprehensive subprocessor management program including:

  • Regular security and privacy assessments
  • Data Processing Agreements with all subprocessors
  • 30-day notice for new subprocessor additions
  • Right to object to new subprocessors
  • Continuous monitoring and compliance checks

Children's Privacy

Our platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information immediately.

Parental Rights

Parents or guardians may:

  • Review and delete their child's personal information
  • Refuse to permit further collection of their child's information
  • Request information about our collection practices
  • Contact us at privacy@coreitsm.com for children's privacy concerns

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the way we operate our business. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Updating the "Last updated" date
  • Sending email notifications for significant changes
  • Displaying in-app notices for material changes
  • Providing 30-day notice for material changes (where required by law)

Version History

We maintain a version history of our privacy policy including:

  • Previous versions available upon request
  • Change logs documenting modifications
  • Effective dates for each version
  • Summary of material changes

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Support:

Info@coreitsm.xyz

Technical support and account assistance

Mailing Address:

Rua Dr Antonio Jose de Almeida Nº2 9ºF 2780-089 Oeiras Portugal

Response Times:

We will respond to privacy inquiries within 5 business days and complete requests within legally required timeframes.

Regional Disclosures

European Residents (GDPR)

European residents have enhanced rights under the General Data Protection Regulation (GDPR), including rights to access, rectification, erasure, restriction of processing, data portability, and objection. Our GDPR compliance includes:

  • Data Protection Impact Assessments for high-risk processing
  • Record of Processing Activities (ROPA) maintenance
  • Data Protection Officer appointment and contact
  • EU-US Data Privacy Framework certification
  • Standard Contractual Clauses for international transfers

California Residents (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, and opt-out of the sale of personal information. Our CCPA/CPRA compliance includes:

  • "Do Not Sell or Share My Personal Information" opt-out
  • Financial incentives disclosure
  • Sensitive personal data restrictions
  • Automated decision-making disclosures
  • Contractual commitments to privacy rights

Brazilian Residents (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to access, correct, delete, and port their personal data. Our LGPD compliance includes:

  • National Authority for Personal Data Protection (ANPD) compliance
  • Data processing agent registration
  • Security incident reporting to ANPD
  • Impact assessments for high-risk processing
  • Data protection officer designation

Canadian Residents (PIPEDA)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including rights to access, correct, and withdraw consent for personal information. Our PIPEDA compliance includes:

  • Privacy Commissioner of Canada compliance
  • Meaningful consent collection
  • Reasonable security safeguards
  • Breach notification procedures
  • Complaint handling and resolution

Healthcare Data (HIPAA)

For customers processing Protected Health Information (PHI), we provide HIPAA-compliant services including:

  • Business Associate Agreements (BAAs)
  • Minimum necessary standard implementation
  • Administrative, physical, and technical safeguards
  • Breach notification within 60 days
  • HIPAA security training for staff

Accountability and Compliance

Compliance Program

We maintain a comprehensive privacy compliance program including:

  • Regular privacy impact assessments
  • Annual compliance audits and reviews
  • Staff training and awareness programs
  • Privacy by design and default principles
  • Continuous monitoring and improvement

Compliance Standards

We align our practices with leading industry standards and frameworks:

  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, privacy
  • ISO 27001: Information security management system
  • EU-US DPF: Data Privacy Framework certification
  • CSA STAR: Cloud Security Alliance certification
  • PCI DSS: Payment Card Industry Data Security Standard

Note: We are aligned with these certification requirements and follow their guidelines for security and privacy practices.

Audit and Reporting

We maintain comprehensive audit and reporting capabilities:

  • Real-time access logs and monitoring
  • Data processing activity tracking
  • Security incident logging and reporting
  • Compliance dashboard and metrics
  • Regular third-party security assessments