Privacy Policy

Last updated: March 25, 2026

Core Aces Limited ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website at coreaces.com (the "Site") or use our services.

Core Aces Limited is a company registered in England and Wales. We act as the data controller for the personal data described in this policy.

1. Information we collect

Information you provide directly

• Name, email address, and phone number (via our contact form)
• Company name and website URL
• Message content and project details you share with us
• Account registration details (if you create an account)

Information collected automatically

• IP address, browser type, operating system, and device information
• Pages visited, time spent on pages, and referring URLs
• Cookies and similar tracking technologies (see our Cookie Policy)

Information from third parties

• Google Analytics (website usage data)
• Advertising platforms (Meta Pixel, Google Ads conversion data) when you interact with our ads

2. How we use your information

We use your personal data for the following purposes:

• To respond to your enquiries and provide our marketing services
• To send you proposals, reports, and project-related communications
• To improve our website, services, and user experience
• To send marketing communications (only with your explicit consent)
• To comply with our legal obligations
• To analyse website traffic and performance via Google Analytics

3. Legal basis for processing

Under UK GDPR, we rely on the following legal bases:

• Consent - when you submit a contact form, subscribe to communications, or accept cookies
• Contractual necessity - to deliver services you have engaged us to provide
• Legitimate interest - to improve our services, website analytics, and business development, where this does not override your rights
• Legal obligation - to comply with applicable laws, regulations, and legal processes

4. Data sharing

We do not sell your personal data. We may share data with:

• Service providers - email (Google Workspace), analytics (Google Analytics), email/SMS marketing (Klaviyo), CRM tools
• Advertising platforms - Google Ads, Meta, TikTok (for campaign tracking and optimisation on your behalf)
• Professional advisers - accountants, lawyers, auditors as required
• Legal authorities - if required by law, regulation, or legal process

All third-party providers are bound by data processing agreements and are required to protect your data in accordance with UK GDPR.

5. International data transfers

Some of our service providers (e.g. Google, Klaviyo) may process data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, or transfers to countries with an adequacy decision.

6. Data retention

• Contact form submissions - retained for 24 months after last communication
• Client project data - retained for 6 years after contract completion (for legal and accounting purposes)
• Website analytics data - retained for 14 months (Google Analytics default)
• Marketing consent records - retained for as long as the consent is valid, plus 12 months

7. Your rights

Under UK GDPR, you have the right to:

• Access - request a copy of the personal data we hold about you
• Rectification - request correction of inaccurate data
• Erasure - request deletion of your data ("right to be forgotten")
• Restriction - request that we limit how we use your data
• Portability - receive your data in a structured, machine-readable format
• Object - object to processing based on legitimate interest or direct marketing
• Withdraw consent - at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@coreaces.com. We will respond within one calendar month.

8. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/TLS), access controls, and regular security reviews. No method of transmission over the internet is 100% secure, but we take reasonable steps to protect your information.

9. Children

Our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

10. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.

11. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: privacy@coreaces.com
• General enquiries: hello@coreaces.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.