Privacy policy.

Who we are

Core Shift Studios is a bespoke software studio based in Belfast, Northern Ireland. For the purposes of UK GDPR and the Data Protection Act 2018 we are the data controller for the information collected through this website and through our engagements. You can reach us at hello@coreshiftstudios.co.uk.

What information we collect

This site is a portfolio and contact site. We collect a small amount of information, and only what we actually need.

• Information you send us. When you complete the contact form or email hello@coreshiftstudios.co.uk, we receive what you choose to include: typically your name, organisation, how to reach you, and the details of your enquiry.
• Server logs. Our hosting provider (Vercel) keeps short-lived access logs as part of normal operation. These include your IP address, the page you visited, the time of the request, and basic browser metadata. We do not analyse or aggregate these logs ourselves.
• Client information during projects. If you commission us, we hold the project-related information you share with us: contact details for the people involved, scope documents, designs, and anything required to deliver the engagement and invoice for it.
• What we do not collect. We do not use advertising trackers, marketing cookies, or cross-site profiling. Any analytics we run are privacy-friendly and cookieless. We have no newsletter and no comment system. The contact form is the only place we ask for your details.

How we use it

We use the information above only for the purposes you would reasonably expect.

• Responding to your enquiry. We read the enquiry you send us, by form or email, and reply. If a project follows, we keep the correspondence for the duration of the work and for a reasonable period afterwards.
• Delivering commissioned work. If we enter into an engagement, we use the information you share with us to perform the contract: building, supporting, and invoicing for the system we have agreed to deliver.
• Statutory record-keeping. We retain invoices and engagement records for the period required by UK tax law.
• Security and abuse prevention. We may inspect server logs if we need to investigate a suspected attack, a bug, or an outage. We do not use them for any other purpose.

Lawful bases

Under UK GDPR we rely on legitimate interests to respond to an enquiry you send us by form or email and to keep server logs for security; contract to perform the work we have agreed with a client; and legal obligation to retain accounting and tax records.

Service providers we share data with

We rely on a small number of providers to operate the site and the studio. Each receives only the data needed to do its job, and each is bound by its own privacy policy.

• Vercel. Hosts this website and serves it to your browser. Receives the access-log information described above. Vercel's privacy policy: vercel.com/legal/privacy-policy.
• Cloudflare. Provides DNS for coreshiftstudios.co.uk and runs the email routing layer that delivers mail addressed to anything@coreshiftstudios.co.uk to our inbox. Cloudflare's privacy policy: cloudflare.com/privacypolicy.
• Google (Gmail). Delivers and stores the email you send us. Google's privacy policy: policies.google.com/privacy.
• Resend. Delivers contact-form submissions to our inbox as email. Resend processes the name, organisation, contact details, and message you submit, solely to pass them to us. Resend's privacy policy: resend.com/legal/privacy-policy.
• Client project tools. During an engagement we may use additional providers (for example a Git host, an issue tracker, or a deployment platform) that the client has chosen or that the brief requires. These are agreed and named in the engagement contract before any data flows through them.

International transfers

Our service providers operate globally and may process data in the United States, the European Union, or other regions. Where personal data leaves the UK or EEA, our providers rely on standard contractual clauses or equivalent safeguards approved under UK GDPR.

How long we keep it

Retention is matched to purpose.

• Enquiry emails. Kept for up to 24 months from the last reply, then deleted. If a project follows, the thread is retained for the duration of the engagement plus six years for tax purposes.
• Server logs. Retained by Vercel for a short rolling window (typically days to weeks) per their own retention policy. We do not export or archive them.
• Client and invoicing records. Retained for at least six years from the end of the financial year in which the work was delivered, in line with HMRC requirements.

We do not sell your data

We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party not listed above.

Your rights

Under UK GDPR you have the right to access, correct, erase, restrict, port, or object to the processing of your personal data. To exercise any of these rights, write to hello@coreshiftstudios.co.uk and we will respond within one month. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

Security

Traffic to this site is served over HTTPS. Mail addressed to our domain is routed through Cloudflare and delivered to Google over authenticated, encrypted transports. We restrict access to our inbox and to any client systems to the studio principals working on the engagement.

Cookies

We use no advertising cookies. Any analytics we run are privacy-friendly and cookieless, so no consent banner is required. See the separate cookies policy at /cookies for full detail.

Changes to this policy

We will update this page when our practices change. The effective date below tells you when this version was published.

Contact

For privacy-related questions, write to hello@coreshiftstudios.co.uk.