Privacy Policy

Kocre IT Services (“Kocre IT,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, and protect personal information through our website, client portal, support workflows, and related services (collectively, the “Services”).

We provide remote IT support to small businesses in the United States, Canada, the United Kingdom, and Ireland. Because we operate across these regions, this Policy includes disclosures required by the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec’s Law 25, and US state privacy laws including the California Consumer Privacy Act as amended (“CCPA/CPRA”) and the Virginia Consumer Data Protection Act.

1. Our Role: Controller vs. Processor

Our responsibilities under data-protection law depend on the context in which we handle personal information:

• As a controller. For information collected through our website, marketing, inquiries, free assessments, account administration, and billing, Kocre IT determines the purposes and means of processing and acts as the data controller (or “business” under US law). This Policy governs that processing.
• As a processor / service provider. When we deliver support services, we may process personal information contained in a client’s systems, accounts, files, or tickets on that client’s behalf and under their instructions. In that role the client is the controller and Kocre IT is a processor (or “service provider”). That processing is governed by our client agreement and, where applicable, a separate Data Processing Agreement (“DPA”) — not by this Policy. If you are an employee or contact of one of our clients, please direct privacy requests to that client in the first instance.

2. Information We Collect

Depending on how you interact with us, we may collect:

• Contact information such as name, email address, phone number, company name, and job title.
• Account and portal information such as login credentials and profile details.
• Support information such as ticket contents, uploaded files, screenshots, device or platform details, and related communications.
• Billing and transactional information (payment processing is handled by third-party processors; we do not store full payment card numbers).
• Technical information such as browser type, IP address, device information, referring pages, timestamps, and usage activity.
• Information you submit through forms, scheduling tools, email, chat, or support channels.

We do not intentionally collect special-category data (such as health, biometric, or similar sensitive data) through our website, and we ask that you not submit it through public forms.

3. How We Use Information & Legal Bases

We use information to:

• Operate the website and portal, and authenticate and secure accounts.
• Respond to inquiries and free assessments, and manage client relationships.
• Provide and deliver contracted services and support.
• Process billing and payments.
• Improve workflows, documentation, service quality, and internal operations.
• Detect, investigate, and prevent fraud, misuse, and security issues.
• Send administrative, service-related, billing, legal, and account notices.
• Comply with legal obligations and establish, exercise, or defend legal claims.

For individuals in the EU, UK, and other regions that require a legal basis, we rely on: performance of a contract (to provide the Services you request); legitimate interests (to operate, secure, and improve our business, balanced against your rights); consent (for optional marketing and non-essential cookies, which you may withdraw at any time); and legal obligation (to meet recordkeeping, tax, and compliance requirements). Where we rely on consent, you may withdraw it without affecting prior processing.

4. AI-Assisted Processing & Automated Decisions

We may use AI-assisted tools to help classify requests, extract structured information from files, route workflows, generate drafts, assist internal research, support knowledge retrieval, and improve operational speed.

Unless we expressly state otherwise in writing, Kocre IT does not use client confidential information or service data to train public AI models. Where third-party AI providers are used as part of service delivery, they act as service providers or subprocessors.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without meaningful human involvement. AI output in our workflows is reviewed under human supervision.

5. How We Share Information

We share information with service providers and subprocessors that help us operate the business and deliver services, including providers for:

• Hosting and infrastructure
• Authentication and account management
• Storage and backups
• Communications and email
• Scheduling
• Payments
• Analytics
• AI-assisted workflow and service-delivery functions

These providers are bound by contractual obligations to process personal information only as instructed and to protect it. A current list of subprocessors is available on request at privacy@kocreit.com.

We may also disclose information:

• To comply with law, legal process, or valid governmental requests
• To protect rights, safety, security, systems, and property
• In connection with a merger, sale, restructuring, or similar business transaction
• With your direction or consent

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under US state privacy laws.

6. International Data Transfers

Kocre IT is based in the United States, and our service providers may process information in the United States and other countries. If you are located in the EU/EEA, the UK, or Canada, your personal information may be transferred to and processed in a country whose data-protection laws differ from those of your jurisdiction.

Where we transfer personal information from the EU/EEA or UK to a country without an adequacy decision, we use appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where appropriate. For transfers subject to PIPEDA, we remain accountable for personal information transferred to service providers for processing and use contractual means to require comparable protection. You may request more information about these safeguards using the contact details below.

7. Cookies and Similar Technologies

We use strictly necessary cookies to operate the website and maintain authenticated portal sessions. Where we use non-essential cookies or similar technologies (for example, analytics), we will, where required in the EU and UK, obtain your consent before setting them. You can also control cookies through your browser settings, though some site features may not function properly if cookies are disabled.

8. Data Retention

We retain information for as long as reasonably necessary for service delivery, account management, security, legal compliance, recordkeeping, dispute resolution, and backup rotation. Retention periods depend on the type of information and the purpose for which it was collected; when no longer needed, we delete, archive, or de-identify it. Information processed on behalf of a client is retained and deleted in accordance with that client’s agreement.

9. Data Security

We use administrative, technical, and organizational safeguards designed to protect information appropriate to its nature and the Services provided, including access controls, encryption in transit, and least-privilege practices. No method of transmission, storage, or processing is completely secure, and we cannot guarantee absolute security. We will notify affected individuals and regulators of a personal-data breach where required by applicable law.

10. Marketing Communications

If you receive promotional emails from us, you can opt out using the unsubscribe link or by contacting us. We may still send non-promotional communications relating to accounts, support, billing, security, legal notices, or active services. Where required, we obtain consent before sending marketing communications.

11. Children’s Privacy

Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal information from children below the age of digital consent in their jurisdiction (for example, 13 in the United States and the UK, and 16 in Ireland and much of the EU). If you believe a child has provided us personal information, contact us and we will delete it.

12. Your Privacy Rights

Subject to applicable law and verification of your identity, you may have the following rights. To exercise any of them, contact privacy@kocreit.com. We will respond within the timeframe required by the applicable law and will not discriminate against you for exercising your rights.

EU/EEA & United Kingdom (GDPR / UK GDPR)

You have the right to access; rectify; erase; restrict or object to processing; data portability; and to withdraw consent. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You may lodge a complaint with your supervisory authority — in Ireland, the Data Protection Commission (dataprotection.ie); in the UK, the Information Commissioner’s Office (ico.org.uk).

Canada (PIPEDA & Quebec Law 25)

You may request access to and correction of your personal information, ask about our handling practices, and withdraw consent subject to legal or contractual restrictions. You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, in Quebec, the Commission d’accès à l’information.

California & other US states (CCPA/CPRA, VCDPA)

You may request to know, access, correct, and delete personal information, and to opt out of any “sale” or “sharing” and limit use of sensitive personal information — though, as noted above, we do not sell or share personal information. You may use an authorized agent to submit a request, and you may appeal a denied request as permitted by law.

13. Healthcare and Other Regulated Data

If we provide services involving regulated data, including protected health information, additional contractual terms may apply, including a Business Associate Agreement where legally required.

14. Client Data Processing Agreement

Where we act as a processor of personal information on a client’s behalf, that processing is governed by our client agreement and a Data Processing Agreement that addresses processing instructions, confidentiality, security, subprocessors, international transfers, assistance with data-subject requests, and deletion or return of data. Clients may request our DPA at legal@kocreit.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted on this page with a revised effective date. Material changes will be communicated as required by law.

16. Contact

For privacy questions or to exercise your rights, contact us:
Email: privacy@kocreit.com
Phone: (540) 515-8324
Kocre IT Services, Stafford, Virginia, United States