Privacy Policy
Last updated: June 2026
This Privacy Policy explains how Core Contracts ("we", "us", "our") collects, uses, and protects your personal data when you use our website and services. We are committed to handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.Who We Are
Core Contracts is a provider of legal document templates for landlords in England. We are the data controller for the personal data described in this policy. You can contact us about anything in this policy at support@corecontracts.co.uk.
2.What Data We Collect
We collect the following categories of personal data:
- Account data — your email address and an encrypted password, used to create and secure your account.
- Agreement data — the details you enter into the agreement builder, such as landlord and tenant names, the property address, rent and deposit amounts. This data is needed to produce your tenancy agreement and to let you retrieve it later.
- Payment data — payments are processed by Stripe. We never see or store your full card details; we receive only confirmation of payment and a transaction reference.
- Usage data — anonymised analytics about how the website is used, collected via Google Analytics (see our Cookie Policy).
3.How and Why We Use Your Data
- To provide the service (contract performance) — creating your account, generating your tenancy agreement PDF, and storing it so you can download it again.
- To process payments (contract performance) — passing your order to Stripe for secure payment processing.
- To communicate with you (legitimate interest / contract) — account emails such as email confirmation, password resets, and purchase receipts. We do not send marketing emails without your consent.
- To improve the website (consent / legitimate interest) — aggregated analytics that tell us which pages are read and where visitors encounter problems.
4.Who We Share Data With
We share data only with the service providers needed to operate Core Contracts:
- Supabase — hosts our database and authentication system, storing your account and agreement data.
- Stripe — processes payments. Stripe is a PCI-DSS Level 1 certified payment processor.
- Netlify — hosts this website.
- Google Analytics — provides anonymised usage statistics.
We do not sell your personal data to anyone. Where a provider processes data outside the UK, transfers are protected by appropriate safeguards such as the UK International Data Transfer Agreement or adequacy regulations.
5.How Long We Keep Your Data
We keep your account and purchased agreements for as long as your account remains active, so you can re-download your documents whenever you need them. If you ask us to delete your account, we will remove your personal data within 30 days, except for transaction records we must retain for tax and accounting purposes (up to 6 years).
6.Your Rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict our processing of your data.
- Receive your data in a portable format.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email support@corecontracts.co.uk. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7.Security
All traffic to Core Contracts is encrypted with TLS. Passwords are stored only as salted, one-way hashes. Access to agreement data is restricted to your authenticated account through database row-level security.
8.Changes to This Policy
If we make material changes to this policy, we will update the date at the top of this page and, where appropriate, notify you by email.