This page is the authoritative Privacy Policy and legal supplement for CORR. It covers how we collect, use, and protect your data, who processes it on our behalf, and your rights under GDPR, CCPA, and other laws. For our full Terms of Service, see /terms.html.
CORR ("CORR," "we," "our," or "us") operates the CORR platform at corrapp.com. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data.
CORR is a software platform operated as a sole proprietorship based in Monticello, Kentucky, United States. We operate a software-as-a-service platform for service-business owners (tattoo artists, barbers, mechanics, contractors, and similar professionals) to manage their clients, finances, scheduling, inventory, and payments.
When you ("the artist" or "business owner") sign up for CORR and enter your own business data, you are the data controller for your clients' information, and CORR is the data processor acting on your instructions. When CORR collects your account information (name, email, billing data) to operate our service, CORR is the data controller. The Data Processing Addendum covering the artist → client relationship is available on request from privacy@corrapp.com.
We collect information you provide directly:
We also collect information automatically:
We do not sell your personal information. We do not share your business data with advertisers. We do not use your clients' data to train AI models. We do not run third-party ad tracking on corrapp.com. We do not use Google Calendar data for any purpose other than the calendar sync you enabled.
To operate CORR we rely on the following third-party service providers ("sub-processors"). Each has its own privacy commitments and we have contractual obligations (standard contractual clauses, data-processing addenda, or the vendor's standard terms) requiring them to protect your data.
| Provider | Purpose | Data category | Location |
|---|---|---|---|
| InterServer | Web hosting, PHP execution, incoming & outgoing email mailboxes (support@, privacy@, etc.) |
All data in transit through corrapp.com, server log files, inbound email | United States |
| Firebase / Google Cloud | Authentication, Firestore database, Cloud Storage (images & files) | Account and business data you enter, files you upload | United States |
| Stripe, Inc. | Subscription billing & payment processing | Full card data, billing address, subscription status | United States |
| Square, Inc. | Point-of-sale payment processing (only when you connect a Square account) | Sale amounts, OAuth access tokens, location and merchant IDs | United States |
| Resend, Inc. | Transactional email delivery (receipts, welcomes, appointment confirmations) | Recipient email address, message content, delivery status | United States |
| Google (OAuth & Calendar API) | Calendar sync for appointments (only when you explicitly connect) | OAuth tokens, calendar events you create or view in CORR | United States |
| Anthropic, PBC | AI features: receipt-scan text extraction, AI Advisor chat | Individual receipt images, AI Advisor prompts. Anthropic does not train on API data. | United States |
We will update this list when we add or change a sub-processor. Material changes will be announced in-app or via the email on file before the change takes effect.
CORR's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google Calendar data is used only to provide the calendar-sync feature you explicitly enabled. We never use it for advertising, profiling, training AI models, or any purpose other than calendar sync.
When you connect your Google Calendar to CORR we request the scope https://www.googleapis.com/auth/calendar.events, which allows us to:
You can disconnect Google Calendar any time from the CORR Client app (Calendar tab → Settings → Disconnect). You can also revoke access at myaccount.google.com/permissions. On disconnection your OAuth tokens are invalidated and removed from our server.
Depending on where you live, you may have the following rights over your personal data:
Email privacy@corrapp.com from the email address on file with your CORR account, or send a signed letter to the address in Section 11. We will verify your identity, respond within 30 days (GDPR) or 45 days (CCPA), and act on the request unless a legal exception applies. If we deny your request we will explain why.
You may also use an authorized agent to submit a request on your behalf. We will require written proof of authorization.
While your account is active, we retain your business data (clients, transactions, appointments, invoices, inventory, tax records, settings) indefinitely so your records remain accessible. You can delete any individual record from inside the app at any time.
If we are required by a subpoena, court order, or active investigation to retain specific records, we will do so for the minimum period required even if you have asked for deletion. We will notify you unless legally prohibited.
You can export your data to CSV from the admin panel inside CORR at any time. For a complete portable export beyond the in-app option, email privacy@corrapp.com. We will provide the export within 7 business days.
OAuth tokens are deleted from our server immediately upon disconnection. No Google Calendar event data is retained after your session ends.
CORR uses a minimal set of cookies and similar technologies:
We do not use advertising cookies, cross-site trackers, or analytics cookies that profile you individually. If EU or California regulations require an explicit cookie-consent banner when you visit corrapp.com, we will display one at first visit and respect your choice.
We honor Global Privacy Control (GPC) signals where feasible. Because we do not engage in cross-context behavioral advertising, there is no tracking to disable.
Detailed subscription, billing, auto-renewal, cancellation, and refund terms are in the Terms of Service. The short version:
For billing questions email billing@corrapp.com.
Account-critical emails are sent via Resend. They include purchase receipts, welcome emails on signup, appointment confirmations, invoice notices, and similar operational messages. These cannot be turned off while you have an active account, because they are required to operate the service you paid for.
If we ever send product announcements or newsletters, every message will identify CORR as the sender, include our physical mailing address, and contain a one-click unsubscribe link as required by the U.S. CAN-SPAM Act. You can opt out of marketing email without affecting transactional email.
CORR no longer operates an automated SMS reminder service. Where phone numbers are stored in your client records, the app offers a "tap to text" link that opens your device's native messaging app with the message pre-filled — your carrier sends the text, not CORR. Standard carrier rates apply.
When you use CORR to contact your own clients (SMS tap-to-text, appointment-confirmation email, etc.), you are the sender and you are responsible for collecting appropriate consent, honoring opt-out requests, and complying with TCPA, CAN-SPAM, CASL, or your local equivalent.
CORR is a business-tools product intended for use by adults (18+). We do not knowingly collect personal information from children under 13 (COPPA) or 16 (GDPR). If you believe a minor has provided us with personal information, contact privacy@corrapp.com and we will delete it promptly.
Some CORR features (self-booking pages, waivers, client intake forms) may collect information about your clients. It is your responsibility as the CORR account holder to ensure you are not collecting data about minors without proper parental/guardian consent.
security@corrapp.com)If we confirm a data breach that affects your personal information, we will notify you without undue delay — and no later than 72 hours after discovery where GDPR applies — at the email address on file. Notifications will describe the nature of the incident, the categories of data affected, steps we have taken, and recommended steps for you.
Report a suspected vulnerability to security@corrapp.com.
Use the address that matches your question — it routes faster:
Privacy, data access, deletion, GDPR / CCPA requests
privacy@corrapp.com
Terms of Service, legal notices, DMCA
legal@corrapp.com
Billing, refunds, subscription questions
billing@corrapp.com
Product help, bug reports, general support
support@corrapp.com
Security vulnerabilities
security@corrapp.com
Postal address
CORR
Monticello, KY · United States
We may update this Privacy Policy from time to time. Material changes will be announced in-app or via email at least 14 days before they take effect. Continued use of CORR after the effective date constitutes acceptance of the updated policy.