Legal
CorroZone Privacy Policy
Last updated: 13 May 2026
1. Introduction
This Privacy Policy explains how CorroZone ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website, applications, and services (collectively, the "Service").
CorroZone is an AI company that brings AI to corrosion, with corporate clients as its primary audience (bespoke AI builds, scoped pilots, training engagements) and a curated set of products available to individual users (currently lead product: EIS Fitting), plus a free public courses catalogue.
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Data Controller
The data controller responsible for your personal data is:
CorroZone
Operated by Corrozone LTD
Registered in England and Wales
Company number: 15188319
ICO registration number: ZB752330
Registered address: Harry Sager & Co Ltd 249 North, Lynnfield House, Church Street, Altrincham, England, WA14 4DZ
Contact for data protection enquiries:
Email: [email protected]
3. Personal Data We Collect
3.1 Account and Authentication Data
When you create an account, we collect:
- Email address (provided during registration or via authentication provider)
- Display name (if provided or obtained from authentication provider)
- Authentication provider (email/password or Google Sign-In)
- Email verification status
- User identifier (UID) assigned by Firebase Authentication
- Account creation date and last login date
3.2 Service Usage Data
When you use the Service, we collect:
- Credit transactions (records of credits purchased, consumed, and remaining)
- Tool usage logs (which tools and features you use, including timestamps)
- Course enrolments and progress through lessons
- Session data (interactions with AI-powered tools, uploaded data files, AI-generated outputs)
- Application run records (metadata about billable feature usage)
3.3 Payment Data
When you purchase credits or subscriptions, payment is processed by Stripe. We collect and store: Stripe Customer ID; Subscription status; Transaction history.
We do not collect, store, or have access to your full credit or debit card numbers, CVV codes, or other raw card details. All card data is collected and stored directly by Stripe in accordance with PCI DSS requirements.
3.4 User-Generated Content
Depending on which tools you use, we may store:
- Text inputs and prompts submitted to AI-powered tools
- Uploaded data files (e.g., EIS datasets, documents)
- AI-generated responses and analysis results
- Discussion and conversation histories
- Expert profiles and configurations you create
3.5 Technical Data
We automatically collect certain technical data:
- Browser type and version
- Operating system
- IP address
- Referring URLs
- Pages visited and features used
- Date and time of access
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account management, tool access, AI features) | Contract performance |
| Processing payments and managing credits | Contract performance |
| Authenticating identity and securing account | Contract performance, Legitimate interest |
| Fraud prevention and detecting abuse | Legitimate interest |
| Service improvement and analytics | Legitimate interest |
5. Third-Party Data Processors
5.1 Stripe (Payment Processing)
Stripe Payments Europe, Limited and Stripe, Inc. process payments, manage subscriptions, handle card data, invoicing, and fraud prevention.
5.2 AI Providers
Third-party AI providers (including but not limited to OpenAI, L.L.C. and Anthropic, PBC) process user inputs to deliver AI-powered features. We do not send your email address, payment data, or account credentials to AI providers.
5.3 Google Cloud Platform and Firebase
Google LLC and Google Ireland Limited provide cloud infrastructure, hosting, authentication (Firebase Authentication), database services (Cloud Firestore), and cloud storage (Google Cloud Storage).
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | While account active; deleted within 30 days of deletion request |
| Credit transaction records | 7 years (UK accounting and tax requirements) |
| Usage logs | 12 months, then aggregated and anonymised |
| User-generated content | While account active; deleted within 30 days of deletion request |
7. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of Access — request a copy of the personal data we hold about you
- Right to Rectification — request correction of inaccurate personal data
- Right to Erasure — request deletion of your personal data (subject to legal retention requirements)
- Right to Data Portability — receive your data in a machine-readable format
- Right to Restrict Processing — request restricted processing in certain circumstances
- Right to Object — object to processing based on legitimate interest
- Right to Withdraw Consent — where processing is based on consent
To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month.
7.1 Right to Complain
If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Website: ico.org.uk
Helpline: 0303 123 1113
8. Cookies and Similar Technologies
We use essential cookies that are strictly necessary for the Service to function. These include Firebase Auth session cookies for managing your authentication session. Stripe sets cookies for fraud prevention and payment session management.
We do not currently use analytics cookies or third-party tracking cookies. If we introduce these in the future, we will update this Privacy Policy and implement a cookie consent mechanism.
9. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside the United Kingdom, including the United States, as some of our third-party processors (Stripe, AI providers, Google Cloud) operate infrastructure in the United States.
We ensure all international transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) as adopted by the UK and the UK International Data Transfer Addendum (IDTA).
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit — all data transmitted using TLS (HTTPS)
- Encryption at rest — data stored in databases encrypted using Google Cloud's encryption
- Authentication security — managed by Firebase Authentication with industry-standard practices
- Payment security — card data handled exclusively by Stripe (PCI DSS Level 1 certified)
11. Children's Data
The Service is not directed at, and is not intended for use by, children under the age of 18. We do not knowingly collect personal data from children under 18.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
Email: [email protected]
Subject line: Data Protection Enquiry
Postal address:
Corrozone LTD
Harry Sager & Co Ltd 249 North,
Lynnfield House, Church Street,
Altrincham, England, WA14 4DZ