InCorr

Legal

Privacy Policy

Last updated: 26 April 2026

1. Who we are

InCorr Method Ltd(“InCorr”, “we”, “our”) is the data controller for personal data collected through the InCorr membership platform. Our registered address and contact for all privacy matters is privacy@incorrmethod.com.

2. What data we collect and why

DataWhy we collect itLawful basis
Name, email, roleAccount creation and loginContract (Art. 6(1)(b))
Password (hashed)Authentication — you log in securelyContract (Art. 6(1)(b))
Learning progressGating, progress tracking, curriculum positionContract (Art. 6(1)(b))
Session tokensKeeping you signed inLegitimate interest (Art. 6(1)(f))

We do not collect special category data (health, biometric, etc.) and we do not use your data for advertising or sell it to third parties.

3. Cookies and session storage

We use a single authentication session cookie (HttpOnly, Secure, SameSite=Lax) to keep you signed in. This cookie is strictly necessary for the service to function and does not require consent under ePrivacy rules. We do not use any tracking, analytics, or advertising cookies.

4. Data retention

We keep your account data for as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days. Backups are purged within 60 days. You can delete your account at any time from Settings → Danger zone.

5. Your rights (GDPR)

Under UK/EU GDPR you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — delete your account and all associated data
  • Portability — export your data in a machine-readable format (JSON)
  • Restriction — ask us to stop processing your data in certain circumstances
  • Object — object to processing based on legitimate interest

To exercise any of these rights, email privacy@incorrmethod.com or use the controls in your account settings. We will respond within 30 days.

6. Third-party processors

We use the following sub-processors, each with a signed Data Processing Agreement:

  • Supabase Inc. (EU — Frankfurt, Germany) — database and authentication. Privacy policy
  • Vercel Inc. (EU edge network available) — hosting and CDN. Privacy policy

7. Security

Passwords are hashed using bcrypt and never stored in plain text. All data is transmitted over HTTPS. Session cookies are HttpOnly and Secure. We conduct regular security reviews and will notify affected users within 72 hours of becoming aware of a personal data breach, in line with GDPR Article 33.

8. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your national supervisory authority. In the UK that is the Information Commissioner's Office (ICO). In Ireland it is the Data Protection Commission (DPC).

9. Changes to this policy

We will notify you by email of any material changes to this policy at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

Terms of ServiceBack to sign in