Privacy Policy

Last Updated: October 2, 2025

Effective Date: October 2, 2025

1. Introduction

Welcome to Collabr.ai ("we," "us," or "our"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.

This Privacy Policy explains our data practices for the Collabr.ai platform (the "Platform" or "Service"), including our website, applications, and related services.

By using our Platform, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our Service.

Applicable Laws: This policy is designed to comply with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when using our Platform:

  • Account Information: Name, email address, profile picture
  • Authentication Data: Login credentials, magic link requests, OAuth provider data (Google)
  • Profile Information: User role (User, Team Leader, Admin), preferences
  • Course Activity: Challenge submissions, quiz responses, lesson progress, certificates earned
  • Team Information: Team name, member invitations, team settings
  • Payment Information: Processed by Stripe (we store only Stripe customer ID and subscription details)
  • Communications: Support tickets, feedback messages, contact form submissions, newsletter subscriptions
  • Demo Access: Email addresses provided for demo system access

2.2 Information Collected Automatically

When you use our Platform, we automatically collect certain information:

  • Usage Data: Pages viewed, features used, time spent on lessons, course progress metrics
  • Session Data: Login timestamps, last active time, session duration
  • Technical Data: Browser type, device information (via analytics when consented)
  • Cookies and Similar Technologies: See our Cookie Policy for details
  • Analytics Data: Performance metrics, user journey analytics (only with your consent)

2.3 Information from Third Parties

We may receive information from third-party services you choose to use:

  • OAuth Providers (Google): When you sign in with Google, we receive your name, email address, and profile picture as permitted by Google's authorization
  • Payment Providers (Stripe): Payment status, transaction IDs (no raw payment card data)

3. How We Use Your Information

We use the collected information for the following purposes:

Provide and Maintain Our Service

Account creation, authentication, course delivery, progress tracking, certificate issuance, team management, and personalized learning experiences.

Process Payments

Handle subscriptions, team course purchases, billing, and invoicing through Stripe.

Communicate With You

Send authentication emails (magic links), course updates, support responses, transactional notifications, and newsletters (with consent).

Improve Our Platform

Analyze usage patterns, understand user preferences, develop new features, and enhance user experience (only with consent for analytics cookies).

Security and Fraud Prevention

Detect and prevent fraud, abuse, security incidents, and unauthorized access through session monitoring and rate limiting.

Legal Compliance

Comply with legal obligations, respond to legal requests, enforce our Terms of Service, and protect our rights and the rights of others.

5. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who process data on our behalf:

| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Vercel Inc. | Hosting, infrastructure, analytics | Usage data, page views (with consent) | United States |
| Stripe, Inc. | Payment processing | Name, email, payment information | United States (PCI-DSS, SCCs) |
| OpenAI | AI-powered lesson interactions | User messages, lesson context | United States (DPA, SOC 2) |
| Resend | Email delivery | Email addresses, names | United States (DPA) |
| Google LLC | OAuth authentication | Name, email, profile picture | United States |
| PostHog Inc. | Product analytics (when implemented) | Usage data, events (with consent) | EU/US (GDPR-compliant) |

Important: We do NOT sell your personal information to third parties. Service providers process data on our behalf under strict data processing agreements (DPAs) and are contractually obligated to protect your data and use it only for the specified purposes.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal requests (subpoenas, court orders, government requests)
  • Enforcement of our Terms of Service
  • Protection of our rights, property, or safety, or that of our users
  • Investigation of fraud, security, or technical issues

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Platform before your information is transferred and becomes subject to a different privacy policy.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Platform. For detailed information about the cookies we use, how we use them, and your choices, please see our Cookie Policy.

Summary: We use strictly necessary cookies for authentication and functionality (no consent required), and optional analytics cookies (requires your consent via our cookie banner).

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

| Data Type | Retention Period |
|---|---|
| Account data (active accounts) | Duration of account + 30 days after deletion request |
| Inactive accounts (no login activity) | 2 years, then deleted |
| Course progress and submissions | Duration of account + 90 days after deletion |
| Certificates | Permanent (educational records), anonymized after account deletion |
| Payment and billing records | 7 years (tax and legal requirements) |
| Support tickets and feedback | 3 years from closure |
| Demo access emails | 1 year from last access |
| Analytics data (cookies) | Up to 30 days (Vercel), up to 365 days (PostHog) |
| Session cookies | Session duration or 30 days maximum |
| Backup data | 30 days rolling retention |

Account Deletion: You may request account deletion at any time by contacting privacy@collabr.ai. Upon deletion, we will remove or anonymize your personal data within 30 days, except where longer retention is required by law (e.g., financial records, legal holds).

8. Security Measures

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

Encryption

Data in transit is encrypted using TLS/SSL. Data at rest is encrypted via our database provider (PostgreSQL).

Authentication Security

Secure session management via NextAuth, HTTPOnly and Secure cookie flags, SameSite protections against CSRF attacks.

Access Controls

Role-based access controls (RBAC), principle of least privilege, regular access reviews for admin accounts.

Payment Security

Payment processing through Stripe (PCI-DSS Level 1 certified). We never store raw payment card data.

Infrastructure Security

Hosting on Vercel with SOC 2 Type II compliance, automated security updates, regular vulnerability scanning.

Rate Limiting & Abuse Prevention

API rate limiting to prevent abuse, monitoring for suspicious activity, automated threat detection.

Important: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your personal information.

9. Your Privacy Rights

9.1 Rights for EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure (Right to be Forgotten): Request deletion of your personal data
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority

9.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Know what personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the "sale" or "sharing" of your personal information
  • Right to Limit Use: Limit the use of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising these rights

Important for California Residents: We do NOT "sell" your personal information as defined by CCPA. We do not share your personal information with third parties for monetary compensation.

Analytics services (Vercel Analytics, PostHog) process data on our behalf under strict data processing agreements. This is not considered a "sale" under CCPA.

9.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at:

Email: privacy@collabr.ai

Response Time: We will respond to your request within 30 days (or as required by applicable law)

We may ask you to verify your identity before processing your request to protect your personal information from unauthorized access.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

For EU/EEA/UK Data Subjects: When we transfer your personal data outside the European Economic Area, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our US-based service providers (Vercel, Stripe, OpenAI, Resend)
  • Adequacy Decisions: Where applicable, we rely on European Commission adequacy decisions
  • Data Processing Agreements: All service providers sign DPAs committing to GDPR-level protections
  • Encryption: Data is encrypted in transit and at rest

You have the right to obtain details about the safeguards we use for international transfers by contacting us at privacy@collabr.ai.

11. Children's Privacy

Our Platform is not directed to children under the age of 16 (or under 13 in jurisdictions where that is the applicable age of digital consent, such as the United States under COPPA).

We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@collabr.ai, and we will delete such information from our systems.

Age Requirement: By using our Platform, you represent that you are at least 16 years old (or 13 years old with parental consent where applicable).

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for operational, regulatory, or other reasons.

How We Notify You:

  • We will update the "Last Updated" date at the top of this policy
  • For material changes, we will notify you via email (to the address on your account)
  • For significant changes, we may display a prominent notice on our Platform
  • We encourage you to review this policy periodically

Your continued use of the Platform after changes become effective constitutes acceptance of the updated policy. If you do not agree to the changes, please discontinue use of our Service.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Email: privacy@collabr.ai

General Support: support@collabr.ai

Response Time: We aim to respond to all privacy inquiries within 30 days (or as required by applicable law).

For EU/UK Residents: If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority).

Find your local authority: European Data Protection Board - Member List

Thank you for trusting Collabr.ai with your personal information. We are committed to protecting your privacy and ensuring transparency in our data practices.