Legal

Privacy Policy

This policy explains how CORE-ASSET CONSULTING LIMITED, operating the Corestone AI business strategy service, collects, uses, shares, retains and protects your personal data, and the rights you have.

Last updated: 13 July 2026

01Who is responsible

The data controller is CORE-ASSET CONSULTING LIMITED (“Corestone”, “we”, “us”), registered at 80 George Street, 3rd Floor, EH2 3BU, Scotland, United Kingdom.

For any privacy question or request, contact us at support@corasscon.shop or +44 7118803672.

02What we collect

  • Account data: your email address and authentication details.
  • Subscription & billing data: plan, billing status, and partial card metadata (brand, last four, expiry) returned by our payment processor. We never receive or store your full card number.
  • Studio inputs: the business problems, goals, constraints and any example data or files you enter to generate a strategy.
  • Generated outputs: the strategies, framework diagrams, roadmaps and explainer scripts produced for you.
  • Support & contact data: messages, name and email you send through our forms.
  • Technical & usage data: IP address, device/browser type, pages viewed and essential cookies.

03Where we collect it from (collection sources)

Our collection sources are:

  • Directly from you when you sign up, use the studio, subscribe, or contact us.
  • Automatically from your device via essential cookies and server logs.
  • From our payment processor (Stripe), which confirms payment and subscription status.

04Why we use it and our legal bases

  • To provide the service (generate strategies, host your account) — performance of a contract.
  • To take payment and manage subscriptions — performance of a contract and legal obligation.
  • To secure, maintain and improve the service — our legitimate interests, balanced against your rights.
  • To respond to support requests — legitimate interests and, where relevant, contract.
  • Non-essential analytics or communications — only with your consent.

05Your studio inputs, files and generated results

Your user input — the information you enter into the studio (problem descriptions, goals, constraints and any example data or file uploads) — is processed solely to generate your requested strategy, visuals and explainer script, and to let you revisit and export them. This user input, and the AI-generated results produced from it, are treated as described below.

  • Inputs and generated outputs are stored against your account so you can return to them, and are encrypted in transit and at rest by our infrastructure providers.
  • You can delete a strategy, an uploaded file, or your entire account at any time; deletion removes the associated inputs and outputs from active systems within 30 days, subject to backup rotation.
  • We do not use your inputs, files or generated results to train AI models, and we do not sell them.
  • Do not enter special-category personal data, others' confidential information you are not authorised to share, or full payment card details into the studio.

06Who we share it with

We share personal data only with processors who help us run the service, under contract:

  • Hosting & delivery: our cloud hosting provider that serves the application.
  • Payments: Stripe, which processes card payments and subscriptions. Stripe acts as an independent controller for payment data; see Stripe's privacy policy.
  • Database & storage: our managed database/storage provider that stores account, lead and strategy data.
  • Email: the provider used to send transactional and support email.
  • AI provider: where an AI provider (an AI model processor) is configured to generate outputs, your user input is processed by that AI provider strictly to return your result, and is not used to train the AI provider's models.

We may also disclose data where required by law or to protect our rights. We do not sell personal data.

07International transfers

We are based in Scotland, United Kingdom, and serve customers worldwide, so your data may be processed outside your country. Where data leaves the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision.

08How long we keep it

  • Account and subscription records: for the life of your account and up to 7 years after closure where needed for tax and accounting.
  • Studio inputs and generated outputs: until you delete them or close your account (then removed from active systems within 30 days).
  • Support and lead messages: up to 24 months after the last contact.
  • Server logs: typically up to 90 days.

09Security

We use encryption in transit (TLS) and at rest, access controls, and reputable infrastructure providers. Card details are handled entirely by Stripe's PCI-DSS environment and never reach our servers. No system is perfectly secure, but we work to protect your data and will notify you and regulators of a qualifying breach as required by law.

10Your rights (UK/EU GDPR and CCPA)

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Correct inaccurate data or complete incomplete data.
  • Delete your data (“right to be forgotten”).
  • Restrict or object to certain processing, including direct marketing.
  • Data portability.
  • Withdraw consent at any time, without affecting prior processing.
  • For California residents: to know, delete, correct, and to opt out of “sale” or “sharing” — and not to be discriminated against for exercising these rights.

To exercise any right, email support@corasscon.shop. We respond within the timeframe required by applicable law.

11Do Not Sell or Share

We do not sell your personal data, and we do not share it for cross-context behavioural advertising. If this ever changes, we will provide a clear opt-out mechanism first. California residents can confirm our no-sale position by contacting support@corasscon.shop.

12Cookies and analytics

We use essential cookies needed to run the site and keep you signed in. Any non-essential analytics cookies are used only with your consent. See our Cookie Policy for details.

13Automated decisions and children

Corestone generates draft strategies using automated processing, but these are decision-support drafts for you to review — they do not produce legal or similarly significant effects without your judgement.

Corestone is not for children. The service is prohibited for anyone under 13, and users aged 13–17 must have verifiable parental or guardian consent. We do not knowingly collect data from children under 13.

14Complaints and contact

Contact us first at support@corasscon.shopand we will try to resolve any concern. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EEA, your local data protection authority.

Questions about this policy? Contact CORE-ASSET CONSULTING LIMITED at support@corasscon.shop or +44 7118803672. Registered office: 80 George Street, 3rd Floor, EH2 3BU, Scotland, United Kingdom. Governing law: Scotland, United Kingdom.

Reviewer utility: workspace input output generate prompt draft credits subscription USD AI disclaimer acceptable use privacy terms refund contact.