Privacy Policy
Privacy and Data Protection Policy
1. Data Controller and General Purpose
This Privacy Policy (the “Policy”) sets forth the data protection practices of CoreHub Global (the “Company”) and governs the collection, processing, and storage of personal and sensitive data. The Company operates in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU 2016/679).
The Company acts as a Data Controller in respect of information collected via its digital platforms and as a Data Processor when performing services under a Master Service Agreement (MSA) for its commercial clients.
2. Categories of Personal Data Processed
The Company collects and processes data only to the extent necessary to provide its professional services. These categories include, but are not limited to:
Identity Data: Legal names, corporate identifiers, professional titles, and government-issued identification where required for regulatory compliance.
Contact Data: Registered business addresses, operational locations, primary electronic mail addresses, and telephonic contact numbers.
Technical Data: Internet Protocol (IP) addresses, browser telemetry, session duration, and device-specific identifiers captured via automated cookies and server logs.
Commercial and Utility Data: Technical infrastructure identifiers (including MPAN and MPRN), consumption metrics, historical billing records, and liability status documentation.
Property Data: Legal titles, leasehold documentation, and statutory safety certification records relevant to the provision of compliance services.
3. Legal Basis for Processing (Article 6 Compliance)
Pursuant to Article 6 of the UK GDPR, the Company processes personal data under the following lawful bases:
Performance of a Contract: Processing required to fulfill obligations under a service agreement or to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation: Processing necessary for compliance with statutory mandates, including tax law, anti-money laundering (AML) regulations, and safety reporting.
Legitimate Interests: Processing necessary for the protection of the Company’s network security, the prevention of fraud, and the pursuit of commercial recovery for clients, provided such interests are not overridden by the data subject’s fundamental rights.
4. Data Retention and Statutory Limitations
The Company adheres to a strict Data Retention Schedule. Personal data shall be retained only for as long as necessary to fulfill the purposes for which it was collected.
Operational Data: Typically retained for a period of seven (7) years following the termination of a business relationship to satisfy statutory limitation periods and HMRC requirements.
Prospective Data: Data collected for inquiries shall be purged after twenty-four (24) months of inactivity unless explicit consent for further retention is obtained.
5. Disclosure to Third Parties
The Company may disclose personal data to third-party “Sub-Processors” or external authorities under strictly defined conditions:
To Regulatory Authorities (e.g., Ofgem, local government bodies) as required by law.
To Technical Partners (e.g., Meter Operators, Utility Suppliers) essential for the execution of Change of Tenancy or billing dispute resolution.
To Legal and Professional Advisors for the purpose of risk management and litigation.
6. International Data Transfers and Safeguards
Where data is processed outside the United Kingdom or the European Economic Area (EEA), the Company ensures that such transfers are governed by International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) as approved by the Information Commissioner’s Office (ICO), so that an equivalent level of data protection is maintained.
7. Security and Data Integrity Protocols
The Company employs enterprise-grade security measures, including but not limited to:
Encryption at Rest and in Transit: Utilizing AES-256 and TLS 1.2+ protocols.
Access Control: Strict Role-Based Access Control (RBAC) to ensure data is only accessible to authorized personnel.
Network Defense: Perimeter firewalls, intrusion detection systems (IDS), and regular vulnerability assessments.
8. Rights of the Data Subject
Under current data protection legislation, data subjects possess the following non-absolute rights:
The Right of Access: To obtain confirmation and copies of data held.
The Right to Rectification: To correct inaccurate or outdated information.
The Right to Erasure: To request deletion where there is no overriding legal basis for retention.
The Right to Object: To halt processing based on legitimate interests or for direct marketing.
9. Contact and Supervisory Authority
For any matters relating to data privacy, data subjects may contact the Company’s Data Protection Lead at info@corehubglobal.com. Data subjects also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
