Privacy Policy

Last updated: 11 January 2026

Scope

Applies to all personal data processed by TwinCoreTech across our website, SaaS, and OaaS offerings.

Built to UK GDPR standards and aligned with enterprise expectations.

1. Overview and Purpose

TwinCoreTech Ltd ("TwinCoreTech", "we", "us", or "our") is committed to protecting the privacy, confidentiality, and security of personal data entrusted to us. This Privacy Policy explains in detail how we collect, receive, use, store, disclose, transfer, and otherwise process personal data in connection with our business operations, including the provision of our software-as-a-service (SaaS) and operations-as-a-service (OaaS) solutions, our website, and related activities.

Regulatory Compliance

  • UK General Data Protection Regulation ("UK GDPR")
  • Data Protection Act 2018
  • Applicable international data protection and privacy laws

This policy should be read alongside any applicable Data Processing Agreement, Terms of Service, or contractual documentation.

2. Who We Are

TwinCoreTech Ltd is a company incorporated in England and Wales.

Registered Office

Bromley Old Town Hall, 30 Tweedy Road, Bromley, England, BR1 3FE

Website: https://www.twincoretech.com

Privacy contact: privacy@twincoretech.com

Depending on the processing activity, TwinCoreTech may act as a Data Controller, Data Processor, or Joint Controller.

3. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed by TwinCoreTech in connection with:

  • Visitors to our websites and digital platforms
  • Users of our SaaS and OaaS solutions
  • Employees, contractors, and authorised users of our clients
  • Prospective customers and business contacts
  • Suppliers, partners, and professional advisers
  • Job applicants and candidates
  • Any other individuals whose personal data we process in the course of our business

Where we process personal data solely on behalf of a client as a Data Processor, the client’s privacy notice governs that processing; this policy applies only where required by law.

4. How We Collect Personal Data

We collect personal data through a variety of means, including:

  • Directly from individuals (e.g. when you contact us, register for an account, or communicate with us)
  • Through our clients, where we process personal data on their behalf
  • Automatically through the use of our platforms (e.g. logs, audit trails, usage data)
  • From publicly available sources
  • From third-party service providers and partners

5. Roles and Responsibilities Under Data Protection Law

5.1 When We Act as a Data Controller

We determine the purposes and means of processing personal data for activities such as:

  • Our website and marketing activities
  • Sales and business development
  • Account administration
  • Analytics relating to our own services
  • Recruitment and supplier management

5.2 When We Act as a Data Processor

We process personal data on behalf of clients in accordance with their instructions (e.g. when providing SaaS or OaaS solutions), governed by a Data Processing Agreement.

5.3 Joint Controllership

In limited scenarios, we jointly determine purposes and means with a client; responsibilities are allocated contractually.

6. Categories of Personal Data We Process

6.1 Identity and Contact Data

  • Name
  • Job title and role
  • Employer or organisation
  • Business email address
  • Telephone number

6.2 Account and Authentication Data

  • User identifiers
  • Login credentials (stored in hashed or encrypted form)
  • Access permissions and roles
  • Authentication tokens

6.3 Usage, Activity, and Audit Data

  • System usage records
  • Timestamps and access logs
  • Activity history within our platforms
  • Audit and evidential records generated through platform use

6.4 Technical Data

  • IP addresses
  • Device identifiers
  • Browser type and version
  • Operating system information
  • Application and error logs

6.5 Communications Data

  • Emails and correspondence
  • Customer support tickets
  • Meeting notes and call records (where applicable)

6.6 Commercial and Financial Data

  • Contractual information
  • Invoicing and billing details
  • Payment-related records (processed via third-party providers)

6.7 Marketing and Preferences Data

  • Marketing preferences
  • Subscription choices
  • Consent records

We do not intentionally collect or process special category personal data unless expressly required by a client and subject to appropriate safeguards.

7. Purposes for Which We Use Personal Data

  • Providing, operating, and maintaining our platforms and services
  • Managing user access, authentication, and authorisation
  • Monitoring, logging, and securing our systems
  • Responding to enquiries and providing customer support
  • Performing contractual obligations
  • Invoicing, billing, and financial administration
  • Developing, improving, and testing our products and services
  • Conducting analytics and business intelligence
  • Sending marketing and promotional communications
  • Complying with legal, regulatory, and contractual obligations
  • Protecting our legal rights and preventing fraud or misuse

8. Lawful Bases for Processing

  • Performance of a contract
  • Compliance with a legal obligation
  • Legitimate interests, including operating, securing, and improving our business and services (balanced against individual rights and freedoms)
  • Consent, where required by law

9. Data Sharing and Disclosure

We may disclose personal data to:

  • Our employees and contractors on a need-to-know basis
  • Cloud hosting, infrastructure, analytics, communications, and IT service providers
  • Professional advisers such as lawyers, accountants, and insurers
  • Regulators, law enforcement, and public authorities where legally required
  • Parties involved in a corporate transaction (subject to safeguards)

All third parties must process data on our instructions under appropriate confidentiality and data protection obligations.

10. International Data Transfers

Where personal data is transferred outside the UK/EEA, we implement safeguards such as:

  • UK International Data Transfer Agreements (IDTA)
  • Adequacy decisions
  • Other lawful transfer mechanisms

11. Use of Artificial Intelligence and Automated Processing

We use AI and automation technologies, including large language models such as ChatGPT, Gemini, and similar tools, to support functionality, automation, analytics, and insight generation.

  • AI tools are used with human oversight.
  • We do not engage in solely automated decision-making with legal or similarly significant effects without safeguards.
  • Client data used with AI is subject to contractual and technical controls.

12. Cookies and Similar Technologies

Our websites use cookies and similar technologies, including:

  • Strictly necessary cookies
  • Analytics cookies
  • Marketing and advertising cookies

These help operate the site, understand usage, and improve user experience. See our Cookie Policy for details.

13. Data Retention

We retain personal data only as long as necessary for the purposes outlined and to meet legal obligations.

Indicative Retention Periods

  • Client and account data: contract duration plus up to six years
  • Financial records: seven years
  • Security, audit, and system logs: 12–24 months

14. Security Measures

We implement technical and organisational measures, including:

  • Encryption in transit and at rest
  • Role-based access controls
  • Multi-factor authentication
  • Logging and monitoring
  • Secure backups and recovery procedures
  • Incident response and escalation processes

15. Personal Data Breaches

We maintain procedures to identify, investigate, and respond to personal data breaches. Where required, we notify the UK Information Commissioner's Office within 72 hours and affected parties without undue delay.

16. Your Rights

Individuals have rights under UK GDPR, including:

  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights relating to automated decision-making

To exercise your rights, contact us at privacy@twincoretech.com.

17. Children's Data

Our services are not directed at children, and we do not knowingly process personal data relating to children.

18. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The most current version will always be available on our website.

19. Complaints and Supervisory Authority

Individuals may lodge a complaint with the UK Information Commissioner's Office (ICO). We encourage you to contact us first.

  • ICO website: https://ico.org.uk
  • ICO helpline: 0303 123 1113

20. Contact Us

For questions or concerns about this Privacy Policy or our data protection practices, contact:

  • Email: privacy@twincoretech.com
  • Address: Bromley Old Town Hall, 30 Tweedy Road, Bromley, England, BR1 3FE

We aim to respond to privacy-related enquiries within 30 days.