Privacy Policy

Last updated: March 11, 2026

1. Introduction

CoreSync Private ("we", "our", "us") operates a private spa experience and the CoreSync mobile application. This Privacy Policy describes how we collect, use, and protect your personal information.

2. Information We Collect

Account Information

  • Phone number — used for account authentication via one-time passcode (OTP).
  • Name and email — provided voluntarily during profile completion.

Booking and Service Data

  • Booking dates, times, and preferences.
  • Room control preferences (scenes, scent, device settings).
  • Order history (add-on products, personal messages).

Payment Information

  • Payment card details are processed securely by Stripe and are never stored on our servers. We retain only card brand and last 4 digits for display purposes.
  • Wallet balance and transaction history.

Technical Data

  • Device type and operating system (for app functionality).
  • Biometric authentication tokens (stored locally on your device only).

3. How We Use Your Information

  • To authenticate your identity and secure your account.
  • To manage bookings and deliver spa services.
  • To process payments for physical goods and services.
  • To personalize your room experience (scenes, music, scent).
  • To communicate important service updates.

4. Third-Party Services

  • Stripe — secure payment processing. Stripe Privacy Policy.
  • Cloudinary — media asset hosting. Cloudinary Privacy Policy.

We do not sell your personal data to third parties. We do not use third-party advertising SDKs, analytics platforms, or tracking tools.

5. Push Notifications

The CoreSync app may send push notifications for the following purposes:

  • Booking confirmations and reminders.
  • Order status updates.
  • Important account or service alerts.

You can disable push notifications at any time through your device's system settings (iOS: Settings → Notifications; Android: Settings → Apps → CoreSync → Notifications). Disabling notifications does not affect your ability to use the app.

6. Biometric Authentication

The CoreSync app supports Face ID (iOS) and fingerprint authentication (Android). Biometric data is processed entirely by your device's operating system (Apple Secure Enclave / Android Keystore). CoreSync never receives, transmits, or stores biometric information. Authentication tokens are stored locally on your device only and are cleared upon account sign-out.

7. Analytics and Tracking

CoreSync does not use third-party analytics services, advertising networks, or cross-app tracking technologies. We do not share any data with advertising partners. No data is used to track you across apps or websites owned by other companies.

8. Apple App Privacy (App Store)

In accordance with Apple's App Store privacy requirements, the following data is collected:

Data Used to Track You

None. CoreSync does not track users across third-party apps or websites.

Data Linked to You

  • Contact Info — phone number (required for authentication).
  • Identifiers — user account identifier.
  • Financial Info — wallet balance and transaction records (payment card details managed by Stripe).
  • User Content — personal messages and preferences submitted via the Concierge.
  • Purchase History — bookings and orders.

Data Not Linked to You

  • Device type and OS version (used solely for app compatibility; not associated with your account).

9. Google Play Data Safety

In accordance with Google Play's Data Safety requirements:

  • Data collected: phone number, name, email (optional), booking and order data, wallet balance and transactions.
  • Data not collected: precise or approximate location, photos, videos, audio files, contacts, SMS/MMS, calendar data, health or fitness data, browsing or search history, web cookies, app activity outside CoreSync.
  • Data sharing: payment data shared with Stripe (PCI-compliant processor); media assets hosted via Cloudinary. No data sold to third parties.
  • Data encryption: all data transmitted over TLS; data at rest encrypted.
  • Data deletion: users can request deletion of all personal data directly within the app (Profile → Delete Account) or by contacting privacy@coresync.com.
  • Independent security review: not currently verified by an independent party.

10. GDPR — Rights of EU Residents

If you are a resident of the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to Access — obtain a copy of your personal data.
  • Right to Rectification — correct inaccurate data.
  • Right to Erasure — request deletion of your data ("right to be forgotten").
  • Right to Restriction — restrict processing of your data.
  • Right to Data Portability — receive your data in a structured, machine-readable format.
  • Right to Object — object to processing based on legitimate interests.
  • Right to Withdraw Consent — where processing is based on consent, withdraw it at any time.

The legal basis for processing your data is: performance of a contract (booking and service delivery), legitimate interests (account security), and your consent (optional profile data, notifications). To exercise your rights, contact us at privacy@coresync.com.

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

  • Right to Know — request disclosure of the categories and specific pieces of personal information we collect, use, and share.
  • Right to Delete — request deletion of personal information we have collected from you.
  • Right to Opt-Out — we do not sell personal information; this right does not currently apply.
  • Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.

To submit a request, contact us at privacy@coresync.com.

12. Data Security

All data is transmitted over encrypted connections (HTTPS/TLS). Passwords are hashed using the industry-standard Argon2 algorithm. Payment data is processed in PCI-compliant environments by Stripe.

13. Data Retention

We retain your account data for as long as your account is active. Booking and transaction records are kept for legal and accounting purposes. You may request deletion at any time.

14. Your Rights

  • Access — view your personal data through the app.
  • Correction — update your profile information.
  • Deletion — delete your account and all associated data from the app's Profile section.
  • Portability — request a copy of your data by contacting us.

15. Account Deletion

You can delete your account directly within the CoreSync app (Profile → Delete Account). This permanently removes your personal data, booking history, and wallet information from our systems.

16. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes through the app or by email.

18. Contact Us

If you have questions about this Privacy Policy or your personal data, please contact us at privacy@coresync.com.