Core Privacy Policy
Last Updated: June 16, 2025
Welcome to Core, a customer portal platform provided by Onsharp, Inc. (“Onsharp,” “we,” “us,” or “our”).
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit or use www.coreportal.io, app.coreportal.io, or any tenant‑specific Core portal (together, the “Service”).
For broader corporate practices that apply to all Onsharp offerings, please also review the Onsharp Global Privacy Policy at www.onsharp.com/privacy. If anything in that global policy conflicts with this Core‑specific notice, this notice prevails for Core data.
Contact us at privacy@onsharp.com or write to:
Onsharp, Inc. – Privacy Team
PO Box 1585
Fargo, ND 58107
1. Scope
This Privacy Policy applies to visitors, customer administrators, and end‑users who access a Core portal. It does not apply to third‑party websites or services that integrate with Core (for example HubSpot or Stripe).
2. Information We Collect
We collect the following account data that you provide when you sign up for Core:
- First and last name
- Business email address
- Company name
- Password (stored only as a hash)
We collect data from the following CRM objects in HubSpot when you connect your HubSpot account to Core:
- Tickets
- Quotes
- Contacts
- Companies
- Deals
- Deal Pipelines
- Engagements
- Notes
- Users
- Owners
- Forms
We collect the following data that is generated automatically:
- IP address
- Browser
- Device information
- Approximate location (if your browser shares it)
- Pages viewed and actions taken inside Core (portal activity logs)
We collect the following data related to files and uploads:
- Documents exchanged through Core, stored in Amazon S3
We collect the following billing data:
- Billing contact details
- Payment tokens
- Invoices
- Last four digits of a card (handled by Stripe)
We obtain the following data related to your marketing preferences:
- Your newsletter and communication opt‑in or opt‑out choices
We do not knowingly collect children’s data, health data, or full payment‑card numbers.
3. Cookies & Tracking
Core uses essential session cookies. Analytics cookies are loaded only through each customer’s own HubSpot tracking code; advertising cookies appear only if a customer enables them. Where required, a cookie banner lets EEA/UK users opt in to analytics or advertising cookies and lets California users opt out of any “sale” or “sharing” of personal information. A valid Global Privacy Control (GPC) signal is honored as a do‑not‑sell/share request.
4. How We Use Information and Our Legal Bases (EEA/UK)
- Provide, secure, and maintain the Service – performance of a contract
- Sync HubSpot data in the portal – legitimate interest
- Send transactional messages (invitations, password resets, billing alerts) – performance of a contract
- Process payments – performance of a contract and legal obligation
- Improve and debug the Service – legitimate interest
- Send newsletters or product updates – consent (or soft opt‑in where allowed)
- Comply with law, enforce terms, and prevent fraud – legal obligation or legitimate interest
5. How We Share Information
We do not sell personal information for money. We disclose data only to:
- Amazon Web Services (USA) – application hosting and S3 file storage
- SMTP2Go (USA) – transactional email delivery
- Stripe (USA) – payment processing
- Sentry (USA) – error monitoring
- Kroll and Red Canary (USA) – 24 × 7 threat detection and response
- HubSpot tracking script – loaded with each customer’s HubSpot ID for analytics inside their own portal
Sub‑processors are bound by written agreements that satisfy GDPR Article 28 and the California Privacy Rights Act. We may also disclose information to comply with legal requests, to enforce our agreements, or during a business transfer such as a merger.
6. Data Retention
- If you delete an object in HubSpot, Core deletes the corresponding data as soon as practicable, typically within 24 hours.
- If the HubSpot integration is interrupted (token expiry or other temporary error), Core retains the last‑synced data for up to 90 days while we notify your account administrators and await reconnection.
- If you cancel your Core subscription, we delete or anonymize all Core‑side data other than billing records within 30 days.
- Billing and invoicing records handled by Stripe are retained for 7 years to meet tax and accounting obligations.
- Encrypted database backups are taken nightly, stored in the same AWS region, and retained for 7 days.
- We do not create separate backups of files stored in S3. Those files benefit from Amazon S3’s built‑in multi‑Availability‑Zone redundancy.
7. International Data Transfers
Core is hosted in the United States. When personal data of EEA or UK residents is transferred to the U.S., we rely on the EU Standard Contractual Clauses (2021/914/EU) and the UK International Data Transfer Addendum. Onsharp currently has no establishment or Article 27 representative in the EU or UK.
8. Security Measures
- TLS 1.2/1.3 encryption in transit and AES‑256 encryption at rest
- Role‑based access control with least‑privilege IAM
- Multi‑factor authentication for administrative accounts
- Continuous monitoring with AWS CloudWatch, Sentry, Kroll, and Red Canary
- Nightly encrypted database backups in AWS with 7‑day retention
- Amazon S3 provides automatic multi‑AZ redundancy for stored documents
- Logical data separation per tenant and detailed audit logs
No security method is perfect; if we discover a breach, we will notify affected customers and regulators as required by law.
9. Your Privacy Rights
United States (CA, CO, CT, UT, VA) – you may request access, deletion, correction, or portability of your personal information and may opt out of any sale or sharing. We will not discriminate against you for exercising these rights.
European Economic Area and United Kingdom – you may request access, rectification, erasure, restriction, or portability; object to processing; or withdraw consent at any time. You may also lodge a complaint with a supervisory authority.
How to exercise your rights – email privacy@onsharp.com or use the in‑app Privacy Center. We will verify your identity and respond within the timelines required by applicable law (30 days for GDPR; 45 days for CPRA).
10. Children
Core is a business‑to‑business service and is not directed at children under 13. If you believe a child has provided personal information, please contact us so we can delete it.
11. Changes to This Policy
We may update this Policy from time to time. For material changes, we will email customer administrators and post a notice in the Service at least 30 days before the new terms take effect. The “Last updated” date at the top tells you when we last revised the Policy.
12. Contact Us
If you have any questions, concerns, or complaints, please email privacy@onsharp.com or write to:
Onsharp, Inc. – Privacy Team
PO Box 1585
Fargo, ND 58107 USA