Big Deck

Privacy Policy

Last updated: 13/02/2026

This Privacy Policy explains how COR Solutions Services Ltd, trading as COR Intelligence ("we", "us", "our"), collects, uses, and protects your personal data when you use our Big Deck software products and the claudedeck.ai website (collectively, the "Services").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

  • Company: COR Solutions Services Ltd
  • Trading as: COR Intelligence
  • Company number: 15027891 (England & Wales)
  • Address: Eastway Enterprise Centre, 7 Paynes Park, Hitchin, Hertfordshire, SG5 1EH
  • Email: enquiries@corsolutions.co.uk

2. What Data We Collect

2.1 Account Data

When you create an account on claudedeck.ai, we collect:

  • Email address
  • Name
  • Company name (optional)
  • Password (stored as a salted hash — we never store plain-text passwords)

2.2 Payment Data

Payments are processed securely by Stripe. We do not store your card number, CVV, or full card details on our servers. We retain only:

  • Stripe customer ID and subscription ID
  • Last four digits of your card (for display in your dashboard)
  • Billing country (for VAT and regional pricing)
  • Transaction history (amount, date, status)

2.3 Machine Fingerprint

To validate your licence, we generate a hardware fingerprint (a one-way hash of system attributes). This fingerprint:

  • Is a cryptographic hash that cannot be reversed to identify your hardware.
  • Cannot be used to personally identify you.
  • Is used solely to enforce machine activation limits as described in our Terms of Service.

2.4 Usage Data

We collect anonymised usage data to improve our products, including:

  • Launch counts and session duration
  • Feature usage patterns (which features are used, not what content is created)
  • Application version and macOS version
  • Error reports and crash logs

2.5 Anonymous Telemetry

With your consent, we collect optional anonymous telemetry including:

  • Installation ID (a random identifier not linked to your account)
  • Aggregate performance metrics
  • Feature discovery patterns

You may opt out of anonymous telemetry at any time through the application settings. Opting out has no effect on your ability to use the software.

2.6 Website Data

When you visit claudedeck.ai, we collect:

  • Standard server logs (IP address, browser type, referring page)
  • Essential cookies required for authentication and session management
  • Optional analytics cookies (with your consent)

3. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

3.1 Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Licence validation and subscription management
  • Payment processing
  • Customer support

3.2 Legitimate Interest (Article 6(1)(f))

  • Usage analytics and product improvement
  • Abuse and piracy detection
  • Usage cap enforcement
  • Security monitoring

We have conducted a legitimate interest assessment for each of these processing activities and concluded that our interests do not override your rights and freedoms.

3.3 Consent (Article 6(1)(a))

  • Marketing emails and newsletters
  • Optional anonymous telemetry
  • Non-essential cookies

You may withdraw consent at any time. See Section 8 for details on how to exercise your rights.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Licence validation — verifying your subscription status and machine activations.
  • Subscription management — processing payments, renewals, and cancellations.
  • Usage cap enforcement — monitoring launch counts for free tier limits.
  • Abuse and piracy detection — identifying and preventing unauthorised use.
  • Product improvement — analysing usage patterns to improve features and performance.
  • Customer support — responding to your queries and resolving issues.
  • Transactional communications — sending receipts, renewal reminders, and service notifications.
  • Marketing — with your consent, sending product updates and newsletters.

We never access, read, transmit, or store your code, project files, or Claude Code conversation content. Big Deck operates locally on your machine. Your intellectual property remains yours.

5. Data Sharing

We share your data only with the following third-party service providers, each of whom processes data on our behalf under appropriate data processing agreements:

  • Stripe — payment processing (PCI DSS Level 1 compliant).
  • Supabase — database hosting (EU-based servers, SOC 2 Type II).
  • Vercel — website hosting (global CDN with London primary region).
  • AWS SES — transactional email delivery (eu-west-2 London region).

We will never sell, rent, or trade your personal data to third parties. We do not share data with advertisers, data brokers, or any party for their own marketing purposes.

6. Data Retention

We retain your data for the following periods:

  • Account data — while your account is active, plus 2 years after deletion to handle any outstanding queries or legal obligations.
  • Usage data — 12 months on a rolling basis. Older data is permanently deleted.
  • Payment records — 7 years as required by UK tax law (HMRC requirements).
  • Audit logs — 24 months for security and compliance purposes.
  • Machine fingerprints — deleted when you deactivate a machine or delete your account.

When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised.

7. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit — all data transmitted between your device and our servers uses TLS 1.3.
  • Encryption at rest — database fields containing personal data are encrypted at rest.
  • Licence tokens — signed using Ed25519 cryptographic keys with 30-day expiry.
  • Local storage — sensitive data on your device is protected using Stronghold encrypted storage (Tauri).
  • Access control — internal access to personal data is restricted on a need-to-know basis with audit logging.
  • Row Level Security — database policies ensure users can only access their own data.

8. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data (subject to legal retention obligations).
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to restriction — request that we limit how we process your data.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — withdraw consent for any processing based on consent at any time.

To exercise any of these rights, contact us at enquiries@corsolutions.co.uk. We will respond within one calendar month as required by UK GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

9. International Data Transfers

Your data is primarily processed within the UK and European Economic Area. Where our service providers process data outside the UK, we ensure appropriate safeguards are in place:

  • Supabase — EU-based servers (covered by UK adequacy decision for the EEA).
  • Vercel — global CDN with London (lhr1) as primary region. Edge functions execute in the UK.
  • AWS SES — eu-west-2 (London) region.
  • Stripe — processes data under Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreement (IDTA) where applicable.

10. Children

Our Services are not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at enquiries@corsolutions.co.uk and we will promptly delete it.

11. Cookies

11.1 Essential Cookies

We use essential cookies that are strictly necessary for the operation of claudedeck.ai. These include:

  • Authentication session cookies
  • Security tokens (CSRF protection)
  • User preference cookies (theme, language)

These cookies cannot be disabled as they are required for the Website to function.

11.2 Analytics Cookies

With your consent, we use analytics cookies to understand how visitors interact with our Website. You can manage your cookie preferences at any time through the cookie banner or your browser settings.

We do not use any third-party advertising or tracking cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send a notification to your registered email address.
  • Display a notice within the Big Deck application.

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

  • Email: enquiries@corsolutions.co.uk
  • Address: COR Solutions Services Ltd, Eastway Enterprise Centre, 7 Paynes Park, Hitchin, Hertfordshire, SG5 1EH