How Core Dynamics handles your data

1. Who we are (controller identity)

The data controller is Core Dynamics, Professional Licence No. 100444, Ground Floor, Building 16, Dubai Internet City, PO Box 9581, Dubai, United Arab Emirates (contact@core-dynamics.io). We decide the purposes and means of processing personal data collected through this website.

We have not appointed a formal Data Protection Officer. For all privacy matters, contact us at contact@core-dynamics.io. We aim to respond within 30 days.

2. What data we collect, why, and on what legal basis

We process personal data only for the specific purposes below. For each purpose, we identify the legal basis under GDPR Article 6.

2a. Contact form submissions

Data collected: name, work email, company name, message, project type, company size, IP address, UTM attribution (source/medium/campaign), referring URL.

Purpose: To receive and respond to your enquiry, assess whether we can help, and initiate a potential engagement.

Legal basis: Article 6(1)(b) — processing is necessary to take steps at your request prior to entering a contract. Where no contract results, Article 6(1)(f) — our legitimate interest in conducting business development and responding to inbound enquiries. We have assessed that this interest is not overridden by your rights, as you initiated the contact voluntarily.

Retention: 24 months from the date of submission, or for the duration of any resulting business relationship plus 12 months after it ends. We review records annually and delete those with no ongoing purpose.

2b. Agent intake submissions (AI agent interface)

Data collected: contact email (optional), project description (free text), agent or system name, IP address, raw submission payload.

Purpose: To receive and process project requests submitted programmatically by AI agents operating on your behalf.

Legal basis: Article 6(1)(b) — steps prior to contract; or Article 6(1)(f) — legitimate interest in receiving and assessing project enquiries.

Important: Do not include protected health information (PHI), special-category data (GDPR Article 9), or other sensitive personal data in intake descriptions. No BAA or data processing agreement is in place for this channel until a formal engagement begins.

Retention: 24 months from submission, subject to the same annual review described above.

2c. Website analytics (Google Analytics 4)

Data collected: page views, session data, device and browser metadata, approximate location (country/city level), event interactions, UTM attribution. This data is collected and processed by Google LLC on our behalf.

Purpose: To understand how visitors use this site so we can improve content, navigation, and conversion flows.

Legal basis: Article 6(1)(a) — your consent. Analytics cookies are not placed and GA4 does not load until you accept via the consent banner. You may withdraw consent at any time by clicking "Manage cookies" in the footer or clearing your browser's local storage for this domain. Withdrawal does not affect the lawfulness of processing before withdrawal.

Retention: GA4 data is retained for 14 months in Google's systems, as configured by us. You can review Google's data retention practices at support.google.com/analytics.

2d. Bot-protection (hCaptcha)

Data collected: interaction signals (mouse movements, timing), IP address, browser metadata. Processed by Intuition Machines, Inc. (hCaptcha).

Purpose: To prevent automated spam submissions through the contact form.

Legal basis: Article 6(1)(f) — our legitimate interest in maintaining the security and integrity of this website and preventing abuse. hCaptcha is specifically designed to minimise data collection compared to alternative CAPTCHA services.

Retention: Governed by hCaptcha's privacy policy. We do not store hCaptcha verification results beyond confirming pass/fail at the time of form submission.

2e. Server and access logs

Data collected: IP address, HTTP method, requested URL, response status code, response time, user-agent string, timestamp.

Purpose: Security monitoring, abuse detection, and debugging.

Legal basis: Article 6(1)(f) — our legitimate interest in operating a secure, stable service.

Retention: 30 days, after which logs are deleted or anonymised.

3. Recipients of your data

We do not sell personal data to third parties. We share data only with the following categories of recipients, each bound by appropriate data protection obligations:

• Google LLC — email delivery (Gmail/Google Workspace) for contact form notifications; website analytics (Google Analytics 4). Google acts as a data processor under a Data Processing Addendum incorporating Standard Contractual Clauses for transfers to the US.
• Intuition Machines, Inc. (hCaptcha) — bot-protection verification on form submission.
• Hosting and infrastructure providers — server hosting for core-dynamics.io. Current provider details available on request.
• Legal and regulatory authorities — if required by applicable law, court order, or to protect our legal rights.
• Prospective acquirers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy notice.

4. International data transfers

Core Dynamics is based in the UAE. When you submit data through this site, it is processed on servers which may be located in the European Economic Area, United States, or other countries.

For transfers from the EEA or UK to countries not recognised as providing adequate protection (including the United States), we rely on the following safeguards:

• Google (Analytics + Gmail): Standard Contractual Clauses (SCCs) incorporated into Google's Data Processing Addendum.
• hCaptcha: Standard Contractual Clauses under their Data Processing Addendum.

You may request a copy of the relevant transfer safeguards by contacting contact@core-dynamics.io.

5. Cookies

This site uses the following cookies and browser storage:

• cd_cookie_consent (localStorage, this domain) — stores your analytics consent decision ("accepted" or "declined"). Essential for operating the consent system. No expiry; persists until you clear site data. Not a cookie — stored in localStorage and never transmitted to our servers.
• Google Analytics cookies (_ga, _ga_*, _gid) — set only if you accept analytics. Used to distinguish users and sessions. Expire after 13 months (_ga) or 24 hours (_gid).
• hCaptcha cookies — set by the hCaptcha script during form verification. Session-scoped. See hcaptcha.com/privacy.

To withdraw analytics consent, open your browser's developer tools and run localStorage.removeItem('cd_cookie_consent'), then reload the page. The consent banner will reappear.

6. Your rights

If you are located in the EEA, UK, or another jurisdiction with equivalent data protection law, you have the following rights. To exercise any of them, email contact@core-dynamics.io with your request. We will respond within 30 days (extendable to 90 days for complex requests, with notice).

• Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances (e.g., while accuracy is contested).
• Right to data portability (Art. 20): Where processing is based on consent or a contract and carried out by automated means, receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object at any time to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent (analytics only), withdraw consent at any time without affecting the lawfulness of prior processing.

We do not use automated decision-making or profiling (Art. 22 GDPR) that produces legal or similarly significant effects.

Providing contact form data is voluntary — it is not a statutory or contractual requirement. However, without a name, email, and message we cannot respond to your enquiry.

7. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. If you are in the EU or EEA, you may contact the supervisory authority in your country of residence or the country where the alleged infringement occurred. A list of EU supervisory authorities is available at edpb.europa.eu.

If you are in the UK, you may contact the Information Commissioner's Office at ico.org.uk.

We would appreciate the opportunity to address your concerns before you contact a supervisory authority — please reach out to contact@core-dynamics.io first.

8. California privacy rights (CCPA / CPRA)

This section applies to residents of California. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents additional rights over their personal information.

Categories of personal information collected

In the preceding 12 months we have collected the following categories of personal information, as defined by the CCPA:

• Identifiers: name, email address, IP address.
• Internet or other electronic network activity: pages visited, session data, device/browser metadata, UTM attribution, referring URL (analytics, only with consent).
• Commercial information: project type and company size (provided voluntarily via contact form).
• Professional or employment-related information: company name, job context inferred from message content.

We do not collect sensitive personal information as defined by the CPRA (e.g., Social Security numbers, financial account data, geolocation, health data, biometric data).

Purposes for collection

We collect the categories above to respond to enquiries, assess potential engagements, operate and secure the website, and (with your consent) analyse site usage. See Section 2 for full details per processing activity.

Disclosure and sale of personal information

We do not sell personal information for monetary consideration.

We share identifiers and internet activity data with Google LLC for analytics purposes (Google Analytics 4), but only after you provide consent via the cookie banner. Under CPRA, sharing data with a third party for cross-context behavioural advertising may constitute "sharing" even without payment. We do not use GA4 for targeted or cross-context advertising. The "Share data with Google" signals in our GA4 configuration are set to off. If you wish to opt out of any potential sharing, decline analytics in the consent banner or submit an opt-out request as described below.

Your California rights

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we have shared it.
• Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations).
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: Opt out of the sale or sharing of your personal information for cross-context behavioural advertising. As noted above, we do not sell PI and do not use analytics data for targeted advertising. You may nonetheless submit an opt-out request.
• Right to limit use of sensitive personal information: Not applicable — we do not collect sensitive PI.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights. We will not deny services, charge different prices, or provide a different quality of service.

How to submit a California rights request

To exercise any of the rights above, contact us by either of the following methods:

• Email: contact@core-dynamics.io — include "California Privacy Request" in the subject line.
• Web form: Use the contact form on core-dynamics.io and state "California Privacy Request" in your message.

We will verify your identity before processing the request. We will respond within 45 days; if we require additional time (up to 90 days), we will notify you within the initial 45-day period. We may not be able to fulfil a deletion request if the data is necessary to complete a transaction you requested or to comply with a legal obligation.

Authorised agents may submit requests on your behalf with written permission. We may require you to verify directly with us that the agent is authorised.

10. Security

We implement technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include HTTPS encryption in transit, server-side rate limiting, IP-based access controls on admin interfaces, and access restricted to authorised personnel only. No transmission over the internet is completely secure; we cannot guarantee absolute security.

11. Children

This website is directed at business professionals and is not intended for use by children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately at contact@core-dynamics.io and we will delete it.

12. Changes to this notice

We may update this privacy notice from time to time. The version number and effective date at the top of this page will reflect any changes. For material changes — those that significantly affect your rights or how we process your data — we will provide prominent notice on this website. We encourage you to review this page periodically.

13. Contact us

For any privacy questions, data subject rights requests, or concerns:

Core Dynamics
Professional Licence No. 100444
Ground Floor, Building 16, Dubai Internet City
PO Box 9581
Dubai, United Arab Emirates
contact@core-dynamics.io

Effective date: 20 March 2026  ·  Version: 2.1