Last updated: January 1, 2026
1. Introduction
Colega AI Inc. ("Colega AI", "we", "our", or "us") is a Delaware C-Corporation registered at 1007 N Orange Street, 4th Floor, Suite #1382, Wilmington, Delaware 19801, United States.
We operate the Colega AI platform, including our website at colega.ai, mobile applications for iOS and Android, and related services (collectively, the "Service"). We are committed to protecting your privacy and handling your personal information with transparency and care.
This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our AI-powered social media management platform. By using the Service, you agree to the collection and use of information in accordance with this policy.
If you do not agree with the practices described in this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, password, and phone number when you register.
- Organization and business profile: Business name, industry, brand voice preferences, target audience details, and other business context you provide.
- Social media account credentials: OAuth tokens and related authorization credentials when you connect your social media accounts (Facebook, Instagram, TikTok, LinkedIn, X/Twitter, Google Business Profile, and others).
- Content and media: Text, images, videos, and other media you create, upload, or generate through the platform. Media files are stored via our cloud media storage provider (Cloudinary).
- Chat and conversation data: Messages and instructions you provide to our AI assistant, including content generation requests and feedback.
- Payment and billing information: Payment method details, billing address, and transaction history. Payment processing is handled by Stripe and RevenueCat (for mobile subscriptions); we do not store full credit card numbers on our servers.
- Communications: Messages you send to our support team or through in-app feedback.
2.2 Information Collected Automatically
- Usage data: Features used, actions taken, content generated, scheduling activity, and interaction patterns within the platform.
- Device information: Device type, operating system, browser type, app version, screen resolution, language settings, and unique device identifiers.
- Log data: IP address, access times, pages viewed, referring URLs, and crash/error reports.
- Analytics and advertising data: Performance metrics, session duration, feature engagement, conversion events, and advertising attribution data collected via analytics and advertising tools (see Section 9 for full details).
2.3 Information from Third Parties
- Social media platforms: When you connect your social accounts, we receive and store profile information, page/account data, published content, post performance metrics (reach, impressions, engagement), and audience demographics as permitted by each platform's API. This data is used to provide analytics and to improve AI-generated content recommendations. Note on audience data: Audience demographic data we receive from social media platforms (e.g., age ranges, geographic distribution, interests) is aggregated and statistical in nature as provided by the platforms. We do not attempt to identify individual members of your audience. We process this data under our legitimate interest in providing you with analytics and improving content recommendations. This data is not used for any purpose other than providing the Service to you.
- Authentication providers: If you sign in via a third-party identity provider (e.g., Google, Apple), we receive your name, email, and profile picture as provided by that service.
- Payment processors: Stripe and RevenueCat provide us with transaction status, payment method type, subscription state, and billing details necessary to manage your subscription.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service (account management, social media publishing, scheduling, analytics) | Contract performance |
| AI-powered content generation using your business context, brand voice, conversations, and social media data | Contract performance |
| Process payments, subscriptions, and billing | Contract performance |
| Send transactional communications (account verification, password resets, billing receipts, service updates) | Contract performance / Legitimate interest |
| Provide customer support | Contract performance |
| Improve and personalize the Service (analyze usage patterns, fix bugs, develop new features) | Legitimate interest |
| Ensure security, detect fraud, and enforce our Terms of Use | Legitimate interest |
| Send promotional and marketing communications | Consent |
| Display targeted advertising and measure ad effectiveness via advertising pixels | Consent |
| Comply with legal, tax, and regulatory obligations | Legal obligation |
4. AI and Automated Processing
4.1 How AI Uses Your Data
Our AI features process the following to generate content and recommendations:
- Your business profile and brand voice settings
- Conversation history within the AI chat
- Connected social media account data, analytics, and audience demographics
- Organization memory (business context extracted from your interactions — see Section 4.3)
4.2 AI Training and Model Improvement
We may use de-identified, aggregated, or anonymized data derived from user interactions to train, fine-tune, or improve our own custom AI models and the overall quality of the Service. When we do so, we apply the following safeguards:
- De-identification: All personal identifiers (names, email addresses, business names, account details) are removed or replaced before data is used for training purposes.
- Aggregation: Data is combined across many users so that individual contributions are not distinguishable.
- No re-identification: We do not attempt to re-identify de-identified data, and we contractually prohibit any third parties who may assist with model training from doing so.
- Purpose limitation: Training data is used solely to improve the quality, accuracy, and safety of AI-generated content within the Service — not for any other commercial purpose.
We do not use your identifiable content, business data, or conversations in raw form to train AI models. Your original data is used solely to provide the Service to you.
Third-party AI providers: We use third-party AI providers (OpenAI, Anthropic, AWS Bedrock, Google Gemini, Fal AI, and Replicate) as well as open-source AI models to power our content generation features. We have Data Processing Agreements (DPAs) in place with these providers that contractually prohibit them from using your data to train their models. Data sent to AI providers is used only to process your specific request and is not retained by them beyond what is necessary to deliver the response. Open-source models may be hosted on our own infrastructure or through our cloud providers under the same data protection standards.
Your choices: If you do not wish for your de-identified data to be used for model improvement, you may opt out by contacting us at privacy@colega.ai. Opting out will not affect the quality of the Service provided to you.
4.3 Organization Memory
Our platform extracts and stores key business facts from your AI chat interactions (e.g., brand preferences, target audience details, product information) to improve future content generation for your organization. This is not automated decision-making that produces legal or similarly significant effects — it is used solely to enhance content suggestions.
Your rights regarding Organization Memory:
- View: You can view all extracted memories in your organization settings.
- Delete: You can delete individual memories or request full deletion of all extracted memories.
- Opt out: You can opt out of memory extraction by contacting us at privacy@colega.ai. Opting out may reduce the personalization quality of AI-generated content.
4.4 No Automated Decision-Making
We do not use automated processing to make decisions that produce legal or similarly significant effects on you. AI-generated content is always presented as suggestions — you decide what to review, edit, and publish.
5. Cookies, Tracking, and Advertising
5.1 Essential Cookies
These are required for authentication, security, and basic platform functionality. They cannot be disabled.
| Cookie/Technology | Purpose |
|---|---|
| Session cookies | Authentication and session management (via Clerk) |
| Security cookies | CSRF protection and fraud prevention |
5.2 Analytics Cookies
Used to understand how you interact with the Service and to improve the platform. These are activated only with your consent where required by law.
| Tool | Purpose |
|---|---|
| PostHog | Product analytics, feature usage, session analysis |
| Google Analytics | Website traffic analysis and user behavior |
5.3 Advertising and Attribution Cookies
Used to measure the effectiveness of our advertising campaigns and attribute conversions. These are activated only with your explicit consent where required by law (e.g., in the EU/EEA, UK, and other jurisdictions requiring opt-in).
| Tool | Purpose |
|---|---|
| Meta Pixel (Facebook/Instagram) | Ad conversion tracking and audience building |
| TikTok Pixel | Ad conversion tracking and audience building |
| Tenjin | Mobile advertising attribution and analytics |
5.4 Your Cookie Choices
- Cookie consent banner: When you first visit our website, a consent banner allows you to accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings link in the footer.
- Browser settings: You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features.
- Do Not Track: We honor Do Not Track (DNT) browser signals where technically feasible.
Important: In the EU/EEA, UK, and other jurisdictions requiring prior consent, advertising and analytics cookies are not activated until you provide explicit consent. Declining these cookies does not affect your ability to use the core Service.
6. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following limited circumstances:
6.1 Sub-Processors (Service Providers)
We share data with the following categories of third-party providers who process data on our behalf under contractual obligations to protect your data:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Render | Cloud hosting and compute (primary) | All service data | United States |
| PlanetScale | Database hosting | All structured data | United States |
| Cloudinary | Media storage and processing | Images, videos, media files | United States |
| Stripe | Payment processing | Billing and payment data | United States |
| RevenueCat | Mobile subscription management | Subscription and purchase data | United States |
| Clerk | Authentication and identity | Account credentials, profile data | United States |
| Amazon Web Services (AWS) | Cloud hosting, compute, AI content generation (Bedrock) | All service data, prompts, conversations | United States |
| Google Cloud Platform (GCP) | Cloud hosting, compute, AI content generation (Gemini) | All service data, prompts, conversations | United States |
| OpenAI | AI content generation | Business context, prompts, conversations | United States |
| Anthropic | AI content generation | Business context, prompts, conversations | United States |
| Fal AI | AI content generation (images, video) | Prompts, media inputs | United States |
| Replicate | AI content generation (open-source models) | Prompts, media inputs | United States |
| PostHog | Product analytics | Usage data, anonymized events | United States |
| Sentry | Error monitoring and performance | Error logs, device info, stack traces | United States |
| Resend | Transactional email delivery | Email addresses, email content | United States |
| Google Analytics | Website analytics | Usage data, anonymized events | United States |
| Meta (Facebook) | Advertising attribution | Conversion events, hashed identifiers | United States |
| TikTok | Advertising attribution | Conversion events, hashed identifiers | United States |
| Tenjin | Mobile advertising attribution | Device identifiers, attribution data | United States |
We maintain DPAs (Data Processing Agreements) with sub-processors where required. A current list of sub-processors is maintained above and will be updated when changes occur. We will notify you of material changes to our sub-processor list.
6.2 Social Media Platforms
When you use our Service to publish content, we transmit that content and associated metadata to the social media platforms you have connected (e.g., Meta/Facebook/Instagram, TikTok, LinkedIn, X/Twitter, Google). This sharing is necessary to perform the core function of the Service and is governed by each platform's own privacy policy.
6.3 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Colega AI Inc.
- Prevent fraud or address security issues
- Protect the personal safety of users or the public
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
6.5 With Your Consent
We may share your information for any other purpose with your explicit prior consent.
7. International Data Transfers
All data is processed and stored in the United States. If you are accessing the Service from outside the United States (including from the European Economic Area, United Kingdom, Switzerland, Brazil, or Asia-Pacific), your personal data will be transferred to and processed in the United States.
We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our sub-processors where required for transfers from the EEA/UK.
- Data Processing Agreements: Contractual commitments with all sub-processors to protect your data.
- Supplementary measures: Technical measures including encryption in transit and at rest to protect data during transfer.
By using the Service, you acknowledge that your data will be transferred to the United States. If you do not consent to this transfer, you should not use the Service.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Retained while your account is active. Deleted within 30 days of account deletion. |
| Content and media | Deleted when you remove them, or within 30 days of account deletion. |
| Social media data (analytics, audience) | Retained while your account is active and the social account is connected. Deleted within 30 days of account deletion or disconnection. |
| Organization memory | Retained while the organization is active. Deletable at any time by the user. Fully deleted within 30 days of account deletion. |
| Chat/conversation history | Retained while your account is active. Deleted within 30 days of account deletion. |
| Billing and transaction records | Retained for up to 7 years after the end of your subscription to comply with tax, accounting, and legal obligations. |
| Log and error data | Retained for up to 12 months, then aggregated or deleted. |
| Analytics data | Retained according to our analytics providers' retention policies (typically 12–24 months). |
| System backups | May contain your data for up to 30 days after deletion from production systems. |
When you request account deletion, we initiate deletion of your personal data within 30 days. Some data may persist in encrypted backups for up to an additional 30 days before being permanently removed.
Inactive accounts: In accordance with data minimization principles, if your account has been inactive (no logins or API activity) for 24 consecutive months, we will send you a notification to the email address on file. If we receive no response within 30 days, we may delete your account and associated personal data. We will send at least two reminders before taking any action. This does not apply to accounts with active paid subscriptions.
9. Data Security
We implement the following technical and organizational measures to protect your personal information:
- Encryption: Data encrypted in transit (TLS 1.2+/HTTPS) and at rest
- Authentication: Secure authentication via third-party identity provider (Clerk) with support for multi-factor authentication
- Access control: Role-based access controls and least-privilege principles for internal systems
- Token security: Social media OAuth tokens stored securely with encryption at rest
- Monitoring: Application performance and error monitoring via Sentry
- Incident response: Documented incident response plan with defined escalation procedures
- Security testing: Regular security audits and penetration testing
- Sub-processor security: Contractual security requirements for all third-party providers
No method of transmission over the Internet or electronic storage is 100% secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to security@colega.ai.
10. Your Rights
10.1 Rights for All Users
Regardless of your location, you can:
- Access your data: View your account information, content, and settings within the platform.
- Update your data: Edit your profile and organization settings at any time.
- Delete your content: Remove individual posts, media, and organization memories.
- Delete your account: Request account deletion through settings or by emailing support@colega.ai.
- Disconnect social accounts: Revoke platform access to your social media accounts at any time.
- Manage communications: Unsubscribe from marketing emails using the link in each email.
- Manage cookies: Adjust cookie preferences through our consent banner or browser settings.
10.2 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, you additionally have the right to:
- Access: Request a copy of all personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Object: Object to processing based on legitimate interests, including profiling and organization memory extraction.
- Withdraw consent: Where processing is based on consent (e.g., marketing, advertising cookies), withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with your local data protection supervisory authority.
Legal bases for processing: See the table in Section 3 for the specific legal basis for each processing activity.
Data Protection Contact: For GDPR-related requests, contact us at privacy@colega.ai. We will respond within 30 days (or sooner if required by applicable law).
10.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: Request details about the categories and specific pieces of personal information we have collected, the sources, purposes of collection, and categories of third parties with whom we share it.
- Right to delete: Request deletion of your personal information, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell your personal information. We share limited data with advertising partners (Meta, TikTok, Tenjin) for targeted advertising purposes, which may constitute "sharing" under the CPRA. You can opt out of this sharing through our cookie consent banner or by emailing privacy@colega.ai.
- Right to limit use of sensitive personal information: We do not collect or process sensitive personal information as defined by the CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your CCPA/CPRA rights, contact us at privacy@colega.ai or use the controls available in your account settings. We will verify your identity before processing your request.
10.4 Japan (APPI)
If you are in Japan, you have rights under the Act on the Protection of Personal Information (APPI), including the right to request disclosure, correction, cessation of use, and deletion of your personal data. We transfer your personal data from Japan to the United States for processing. By using the Service, you consent to this transfer. We ensure that our data protection measures meet the standards required by the APPI for cross-border transfers, including contractual safeguards with our sub-processors. Contact us at privacy@colega.ai.
10.5 Brazil (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent. Contact us at privacy@colega.ai.
10.6 Other Jurisdictions
We are committed to complying with applicable data protection laws in all jurisdictions where we operate. If your local law provides additional rights not listed above, please contact us and we will work to accommodate your request.
10.7 Exercising Your Rights
To exercise any of your privacy rights:
- Email: privacy@colega.ai
- In-app: Use the relevant controls in your account and organization settings
- Response time: We will acknowledge your request within 72 hours and respond substantively within 30 days (or the timeframe required by applicable law).
- Verification: We may need to verify your identity before processing certain requests to protect your privacy.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@colega.ai.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (as required by GDPR Article 34)
- Notify affected California residents as required by California Civil Code Section 1798.82
- Document the breach, its effects, and the remedial actions taken
Sub-processor incidents: Our Data Processing Agreements require sub-processors to notify us of any data breach affecting your data without undue delay. When we are notified of a sub-processor breach, we will assess the impact to your data and notify you in accordance with the timelines above. We maintain contractual rights to audit sub-processor security practices and require sub-processors to cooperate in breach investigation and remediation. While we take reasonable steps to ensure our sub-processors maintain appropriate security, we cannot guarantee the security of third-party systems and are not liable for breaches originating solely within a sub-processor's infrastructure, except to the extent required by applicable law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of changes by:
- Posting the updated policy on our website with a new "Last updated" date
- Sending an email notification for material changes
- Displaying a notice within the platform for material changes
Material changes will take effect 30 days after notification. Non-material changes (e.g., formatting, clarifications) take effect when posted. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Privacy inquiries: privacy@colega.ai
- General support: support@colega.ai
- Security issues: security@colega.ai
- Mail: Colega AI Inc., 1007 N Orange Street, 4th Floor, Suite #1382, Wilmington, Delaware 19801, United States