1. Overview
SupportCore is a customer support platform operated by Lord Systems, LLC. This Privacy Policy applies to:
- Our marketing website at supportcore.io
- The SupportCore application at app.supportcore.io and customer subdomains at {org}.supportcore.io
- Our APIs, webhooks, and embeddable chat widget
If you are an end-user submitting a support request through a SupportCore-powered help portal, chat widget, or email channel, the company you are contacting (not SupportCore) is the controller of your information. Please refer to that company's privacy notice for how they handle your data. SupportCore processes that information on their behalf as described in Section 2.
2. Our role: controller and processor
We act in two distinct roles depending on whose data we are handling:
2.1 As a controller
We are the controller of personal information about visitors to our marketing site, prospects, and the administrators and agents of customer organizations who hold accounts in our application. We decide why and how we process this information, as described in this Policy.
2.2 As a processor
We are a processor of the personal information that customer organizations (our "Customers") submit to or generate within the SupportCore application — for example, the contents of support tickets, contact records, knowledge base articles, attachments, and chat transcripts ("Customer Data"). For Customer Data, the Customer is the controller and we process it only under that Customer's instructions, as governed by our Data Processing Addendum.
If you are a Customer's end-user and you want to exercise rights over Customer Data about you, please contact the relevant Customer directly. We will assist them in responding to your request.
3. Information we collect
3.1 Account information
When you create a SupportCore account, we collect:
- Name, email address, and password (stored as a salted hash — never in clear text)
- Workspace name, subdomain, organization details, and role
- Profile information you choose to add (avatar, signature, time zone)
- Two-factor authentication factors (TOTP secret, recovery codes)
3.2 Billing information
Payments are processed by our payment processor, Stripe. We collect billing contact details, subscription plan, invoice history, and the last four digits of your payment card. Full card data is collected and stored by Stripe under their own privacy practices and never reaches our servers.
3.3 Customer Data
While operating the service, our Customers' workspaces accumulate:
- Support tickets, replies, internal notes, tags, and attachments
- Contact records (typically the names and email addresses of the Customer's end-users)
- Knowledge base articles, automation rules, and SLA configuration
- Live chat transcripts, including any information end-users voluntarily provide
- Inbound emails sent to your support address (including headers, body, and attachments)
We process this information on behalf of the Customer. We do not sell Customer Data, do not use it for advertising, and do not use it to train third-party AI models.
3.4 Usage and device information
When you use our websites or the application, we automatically collect:
- IP address, browser type, operating system, and approximate location (city/country)
- Pages visited, features used, and timestamps
- Referring URLs and search terms
- Server logs, request identifiers, and error reports
3.5 Communications
When you contact us by email, complete a form on our marketing site, or interact with us on social media, we keep a record of that communication.
4. How we use information
We use the information we collect as a controller for the following purposes:
- Provide the service. Operate, maintain, and secure the application; authenticate users; route email and webhook traffic.
- Customer support. Respond to your questions and troubleshoot issues you report.
- Billing. Charge subscription fees, calculate overage, and issue invoices.
- Improve the product. Analyze aggregated usage to understand what works and what doesn't.
- Communications. Send transactional notifications (security alerts, billing receipts) and, where permitted, product updates and onboarding tips. You can unsubscribe from marketing emails at any time.
- Security and fraud prevention. Detect, prevent, and respond to abuse, account takeovers, and unauthorized access.
- Legal compliance. Comply with applicable laws, regulations, and lawful requests from authorities.
We process Customer Data only as a processor, on the documented instructions of the Customer, in accordance with our Data Processing Addendum.
5. Legal bases for processing (EEA, UK, Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and equivalent laws:
| Purpose | Legal basis |
|---|---|
| Provide the service to you under our contract | Performance of a contract |
| Bill and collect payment | Performance of a contract |
| Send transactional security and account messages | Performance of a contract / legitimate interests |
| Improve the product, debug, and secure the service | Legitimate interests |
| Send marketing emails to non-customers | Consent |
| Comply with legal obligations | Legal obligation |
You may object to processing based on legitimate interests at any time. See Your rights.
7. Sub-processors
The current list of sub-processors that may process personal information on our behalf:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Application hosting, CDN, DDoS protection, SSL | Global edge |
| Cloudflare R2 | Object storage for ticket and KB attachments | EU / US (per region) |
| Stripe, Inc. | Payment processing and billing | United States |
| Auth0 (Okta, Inc.) | Optional customer-portal SSO and social login | United States / EU (per region) |
| OpenAI, L.L.C. | AI assist and AI bot replies (GPT-4o-mini). Inputs are not used to train OpenAI's models. | United States |
| Resend, Inc. | Transactional and inbound email delivery | United States |
| Google LLC (Workspace) | Internal corporate email and document collaboration | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting | United States |
| PostHog, Inc. | Product analytics on first-party domains (no third-party cookies) | United States / EU |
We will give Customers prior notice of any new sub-processor as required by our DPA. To subscribe to sub-processor change notifications, email privacy@supportcore.io.
8. International data transfers
SupportCore is operated from the United States. When we transfer personal information from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards including:
- The European Commission's Standard Contractual Clauses (SCCs) (2021/914) and the UK Addendum where applicable
- The EU-U.S. Data Privacy Framework and the UK Extension where the recipient is self-certified
- Supplementary technical and organizational measures, including encryption in transit and at rest
You may request a copy of the transfer mechanisms in place by emailing privacy@supportcore.io.
9. Data retention
We retain personal information for as long as needed to provide the service and for the purposes described in this Policy. Specifically:
- Account information — retained for the lifetime of your account.
- Customer Data — retained according to the Customer's configuration and instructions. When a Customer cancels, we delete their workspace and Customer Data within 30 days of cancellation, subject to backup rotation of up to 60 days.
- Billing records — retained for at least seven (7) years to comply with tax and financial reporting obligations.
- Server logs — retained for up to 90 days, then aggregated or deleted.
- Backups — encrypted backups are retained on a rolling 30-day schedule.
We may retain limited information longer where necessary to comply with legal obligations, resolve disputes, or enforce agreements.
10. Security
We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Highlights include encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, mandatory two-factor authentication for production access, audit logging, vulnerability scanning, and a documented incident response process. See our Security page for details.
No service can guarantee absolute security. If you discover a security issue, please report it to security@supportcore.io.
11. Your rights
Subject to local law, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your information ("right to erasure")
- Restrict or object to processing
- Port your information in a machine-readable format
- Withdraw consent where we rely on consent
- Lodge a complaint with a data protection authority
To exercise these rights with respect to information we hold as a controller, email privacy@supportcore.io. We will respond within the timeframes required by applicable law (generally one month under the GDPR).
For information held in a SupportCore workspace as a processor, please contact the workspace owner directly. We will assist them in responding to your request.
12. US state privacy rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive privacy law, you may have additional rights, including the right to:
- Confirm whether we process your personal information and access it
- Correct inaccuracies and delete your information
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising — note that we do not sell or share personal information as those terms are defined in California's CCPA/CPRA and similar laws
- Limit the use of sensitive personal information
- Be free from retaliation for exercising your rights
- Designate an authorized agent to exercise rights on your behalf
To exercise these rights, email privacy@supportcore.io. We will verify your request using the email address associated with your account or other reasonable means.
14. Children
SupportCore is a business product not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please email privacy@supportcore.io and we will promptly delete it.
15. AI features and how your data is used
SupportCore offers AI features, including an AI bot that answers customer questions and "agent assist" suggested replies. When these features are enabled in a workspace:
- Inputs (ticket content, knowledge base context, chat messages) are sent to OpenAI's API for inference using GPT-4o-mini or a comparable model.
- OpenAI processes these inputs as our sub-processor under their API data usage policy, which prohibits using API inputs to train OpenAI's models.
- We log AI requests and responses for billing, debugging, and abuse-prevention purposes for up to 90 days.
- A workspace administrator can disable AI features at any time in workspace settings.
We do not use Customer Data to train SupportCore's own models or any third-party model. AI-generated suggestions may be inaccurate; agents are responsible for reviewing them before sending.
16. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or in-app notice at least 30 days before the changes take effect. The "Effective" date at the top of this page indicates when the current version was published. Prior versions are available on request.
17. Contact us
For privacy questions, requests, or to obtain a copy of our Data Processing Addendum, contact us at:
- Email: privacy@supportcore.io
- Data protection inquiries: dpo@supportcore.io
- Postal mail: Lord Systems, LLC — Attn: Privacy
We do not currently have an EU/UK representative under Article 27 of the GDPR. EEA and UK residents may contact us directly using the information above.