Privacy Policy

Last updated: February 21, 2026

1. Data We Collect

When you use APEX (also known as SpaHub), operated by CoreX, we collect the following data:

Account Data

  • Email address and password (for authentication)
  • Business name and plan selection

Business Data

  • Employee information: names and PINs (for staff login)
  • Customer records and contact details
  • Services, pricing, and business settings
  • Appointments and bookings
  • Transaction and payment records

Technical Data

  • Browser type, device information, and IP address
  • Error reports and performance data (via Sentry)
  • Usage analytics for service improvement

2. How We Use Your Data

  • To provide and maintain the APEX service
  • To authenticate your identity and manage your account
  • To process subscription billing
  • To sync your data between devices
  • To monitor and fix errors and improve service reliability
  • To communicate with you about your account and service updates

3. Local Device Storage (PouchDB)

APEX is an offline-first application. Your business data is stored locally on your device using PouchDB (browser-based database) and syncs with our cloud servers when online.

  • Data stored on your device remains under your control.
  • Clearing your browser data or uninstalling the app will remove locally stored data.
  • Local data is not encrypted at rest by default — it relies on your device's security.
  • We recommend securing your device with a password or PIN to protect local data.

4. Third-Party Services

We use the following third-party services that may process your data:

Service Purpose Data Shared
Supabase Authentication Email, password (hashed)
Lemon Squeezy Billing and payments Email, subscription details
Sentry Error tracking Error reports, device info
Cloudflare (R2) Cloud storage and backups Encrypted business data backups

Each third-party service has its own privacy policy. We encourage you to review their policies for details on how they handle your data.

5. Data Retention

  • Your data is retained as long as your account is active.
  • After account termination, data is retained for 30 days and then permanently deleted.
  • Backups may retain data for up to 30 additional days after deletion.
  • We may retain anonymized, aggregated data indefinitely for analytics purposes.

6. Your Rights

Under Vietnamese law and our commitment to data protection, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate personal data.
  • Deletion — Request deletion of your personal data and account.
  • Export — Export your business data while your account is active.
  • Objection — Object to processing of your data for specific purposes.

To exercise any of these rights, contact us at support@core8x.com.

7. Cookies

APEX uses minimal cookies for essential functionality:

  • Authentication cookies — To keep you logged in.
  • Preference cookies — To remember your language and settings.
  • Analytics cookies — To understand how the service is used (only with your consent).

You can manage cookie preferences through our cookie consent banner or your browser settings.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS/SSL), secure authentication, and regular security reviews. However, no method of transmission or storage is 100% secure.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@core8x.com.