Privacy Policy

Effective Date: Aug 1st, 2025

Last Updated: Sep 7th, 2025

This Privacy Policy explains how Colnma, Inc. (“Colnma,” “we,” “us”) collects, uses, shares, and protects personal information when you visit our websites, use our Services, or interact with us.

1) Scope

This Policy applies to our websites (including colnma.com), applications, APIs, and related services (collectively, the “Services”). It does not apply to third-party services that you connect (e.g., model providers, data sources), which have their own privacy policies.

2) Information we collect

Account & contact data: name, email, company, job role, password (hashed), profile info.
Billing data: payment method, transaction records (processed by our payment processor).
Service data you provide: prompts, files, documents, context sources, configuration, and AI outputs (“Customer Content”).
Integration data: tokens/identifiers to connect third-party services (e.g., Google Drive, Notion, Jira); scopes and metadata.
Usage & diagnostics: log files, device/browser details, IP, timestamps, feature usage, latency, token/cost metrics, crash reports.
Cookies & similar tech: to keep you signed in, remember preferences, and analyze usage (see §8).

3) How we use information

Provide, operate, and secure the Services.
Process prompts and context through selected model providers and integrations you enable.
Monitor performance, detect abuse, prevent fraud, and enforce Terms.
Improve the Services (e.g., aggregate diagnostics, UX research).
Communicate with you (service notices, updates, marketing where permitted).
Comply with legal obligations.

Model training: We do not use Customer Content to train Colnma foundation models or thirdparty models without your explicit opt-in. We may use de-identified, aggregated telemetry to
improve reliability and security.

4) Legal bases (EEA/UK/Switzerland)

Where GDPR/UK GDPR applies, we process personal data under:

Contract (to provide the Services),
Legitimate interests (security, improvement, analytics),
Consent (marketing cookies, optional features), and
Legal obligations (tax, compliance).

5) Sharing of information

We share personal data with:

Service providers / processors: hosting, analytics, email, payment, support.
Model providers you select (e.g., OpenAI, Anthropic, Google, Mistral) to generate outputs you request.
Connectors/integrations you authorize (e.g., Notion, Google, Jira, Slack) to fetch context.
Business transfers: merger, acquisition, financing, or sale of assets.
Legal: to comply with law, enforce Terms, protect rights, safety, and security.

We do not sell personal data. We do not share for targeted advertising where restricted by law;
where required, we offer opt-out.

6) International transfers

We may transfer data to countries with different data protection laws. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses). For UK transfers, we use the UK Addendum/IDTA as applicable.

7) Data retention

We retain personal data as long as needed to provide the Services and for legitimate purposes (security, legal, accounting). You may request deletion; we will delete within a reasonable time unless retention is required by law or for legitimate interests.

8) Cookies & analytics

We use cookies and similar technologies for authentication, preferences, and analytics (e.g., GA4, privacy-enhanced settings where possible). You can control cookies via browser settings and our cookie banner where offered. Disabling certain cookies may affect functionality.

9) Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to processing or withdraw consent.

EEA/UK/Swiss users: exercise GDPR rights by emailing [email protected]. You may lodge a complaint with your supervisory authority.
California (CPRA): right to know, delete, correct, opt-out of sale/sharing; no discrimination for exercising rights. Use [email protected] or our web form (if available). We will verify your request and respond within statutory timeframes.

10) Children’s privacy

The Services are not intended for children under 13 (or under the relevant age where you live). We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to delete it.

11) Security

We apply industry-standard safeguards (encryption in transit, key management, access controls, logging). No system is 100% secure. You are responsible for maintaining the secrecy of your credentials and API keys.

12) Third-party links & services

Our Services may link to third-party websites or include third-party SDKs/APIs. Their privacy practices are governed by their own policies.

13) Automated decision-making

We use AI models to generate outputs you request. We do not engage in solely automated decisions that produce legal or similarly significant effects without human involvement.

14) Changes

We may update this Policy. Material changes will be posted with a new “Last updated” date and, where required, notified. Continued use indicates acceptance.

15) Controller & contact

Colnma, Inc. | [email protected]
EU/UK representative and DPO (if appointed): [Name/Contact]

DATA PROCESSING ADDENDUM (One-page summary for B2B customers)

(Offer as an attachment or link for enterprise customers; full DPA should be reviewed by counsel.)

Colnma acts as Processor of Customer Personal Data; Customer is Controller.
Sub-processors: hosting (e.g., AWS/GCP/Azure), email, analytics, support, error tracking, and selected model providers you enable. We maintain an updated list on request.
Processing is limited to providing the Services as documented; we follow Customer
instructions and implement appropriate security measures.
International transfers via SCCs / UK Addendum as applicable.
Breach notifications without undue delay; cooperation with audits per agreement.
Deletion/return of personal data upon termination.