For personal data relating to your business's own customers and contacts, you are the "Controller" (you decide why and how it is processed) and CoreTV LLC is the "Processor" (we process it on your documented instructions to provide the service). For data about your own account and our direct relationship with you, CoreTV LLC acts as Controller under our Privacy Policy.

We process personal data only to provide and support the services you have engaged us for — hosting and operating your site or app, capturing and routing leads, running your chatbot or AI receptionist, sending the email/SMS workflows you configure, and related support. Processing lasts for the term of your services plus any limited retention described below.

Depending on what you configure, this may include: identifiers and contact details (names, emails, phone numbers), lead and enquiry details, appointment and booking data, call and chat transcripts, and usage/analytics data. Data subjects are typically your customers, prospects, and site visitors. You agree not to route special-category or highly sensitive data through the services unless expressly scoped and agreed.

We will: process personal data only on your documented instructions; ensure people authorized to process it are bound by confidentiality; implement appropriate technical and organizational security measures; assist you, taking into account the nature of processing, with data-subject requests and your own compliance obligations; and make available the information reasonably needed to demonstrate compliance.

CoreTV LLC uses vetted subprocessors to deliver the services — for example, cloud hosting and database providers, email/SMS delivery, payment processing, and AI model providers. We require subprocessors to offer data-protection terms consistent with this DPA and remain responsible for their performance. A current list is available on request, and we will give notice of intended changes so you can object.

We maintain measures appropriate to the risk, including encryption in transit (SSL/TLS), access controls and least-privilege, network and dependency hardening, monitoring, and regular backups with restore procedures. Security is reviewed and updated as the threat landscape changes.

We provide tooling and reasonable assistance so you can respond to data-subject requests — access, correction, deletion, portability, and objection — within the timeframes the law requires. Where a request reaches us directly about your data, we refer it to you as Controller.

If we become aware of a personal-data breach affecting data we process for you, we will notify you without undue delay and provide the information reasonably available to help you meet your notification obligations.

On termination, and at your choice, we will return or delete the personal data we process for you, except where retention is required by law. Routine backups are cycled out on our standard schedule.

Where personal data is transferred across borders, we rely on a lawful transfer mechanism appropriate to the destination and the data involved, and require our subprocessors to do the same.