Privacy Policy

1. Introduction

Collision ("we", "our", or "us"), operated by CodingLab, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at collitech.org (the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.

2. Data We Collect

2.1 Account Information

When you sign in via Google, GitHub, or LinkedIn OAuth, we receive and store your name, email address, and profile image. This data is used solely to create and manage your account.

2.2 Payment Information

Payments are processed securely through Stripe. We receive confirmation of your purchase (amount, date, package) but we never receive, process, or store your full credit card number, CVV, or banking details.

2.3 Usage Data

We do not retain any user-level usage data. Anonymous, aggregate counters (such as total requests served per day) may be calculated in-memory for capacity planning, but no individual session, prompt, or behavior history is stored.

2.4 Support Communications

Messages and images sent through our in-app support chat are stored only while your ticket is active and are automatically deleted within 24 hours after the ticket is closed. We do not archive support conversations beyond that window.

2.5 Log & Security Data

We process IP addresses, browser fingerprints, and access timestamps strictly in real time for bot mitigation, rate limiting, and abuse prevention. Security logs are kept only for the minimum window required to detect ongoing attacks (typically a few hours) and are never shared with third parties.

3. Content You Submit

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Process transactions and manage your credit balance.
• Respond to support requests and communicate with you about the Service.
• Monitor and prevent security threats, fraud, and abuse.
• Comply with legal obligations.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Cookies

Our cookies exist for one purpose only: to keep your session secure and to stop bots, scrapers, and automated abuse. We do not set advertising cookies, we do not sell behavioral data, and we do not run cross-site tracking of any kind.

• Anti-bot & security cookies: Short-lived tokens used to verify that requests come from a real human browser, to enforce rate limits, and to protect login flows from credential stuffing and automated abuse.
• Session cookies: Required to keep you signed in once you authenticate with an OAuth provider. They are deleted when you sign out or when the session expires.

You can clear or block these cookies in your browser at any time. Doing so will prevent sign-in and may cause our anti-bot defenses to challenge or block your requests.

6. Data Sharing & Third Parties

We may share limited data with the following categories of third parties, only as necessary to operate the Service:

• Authentication providers (Google, GitHub, LinkedIn) — to verify your identity during sign-in.
• Payment processor (Stripe) — to process credit purchases securely.
• Infrastructure providers (Vercel, Neon) — to host and operate the Service.
• Email service (Resend) — to deliver transactional emails such as support notifications.

We may also disclose your information if required to do so by law or in response to valid requests by public authorities.

7. Data Security

We implement industry-standard security measures to protect your data, including:

• TLS/SSL encryption for all data in transit.
• Encrypted database connections with connection pooling.
• Rate limiting and IP-based abuse prevention.
• Content Security Policy (CSP), HSTS, and other security headers.
• Role-based access controls for internal systems.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

Our default position is simple: we do not retain user data. Inputs and outputs of our AI services are processed in-memory and discarded as soon as the response leaves our servers.

The only data we keep is what is strictly required to operate your account: your OAuth identifier, email, display name, and credit balance. If you delete your account this data is removed within 30 days, unless we are legally required to retain a specific record (for example, a tax invoice). Support messages are deleted 24 hours after the ticket is closed; security logs are kept only for short rolling windows for active abuse mitigation.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EU/EEA Residents)

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate personal data.
• Right to erasure — request deletion of your personal data ("right to be forgotten").
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to restrict processing — request limitation of how we use your data.
• Right to object — object to processing of your personal data in certain circumstances.

Under CCPA (California Residents)

• Right to know what personal information is collected and how it is used.
• Right to delete personal information held by us.
• Right to opt-out of the sale of personal information — we do not sell your data.
• Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, please contact us through our contact form or via the support chat. We will respond to verifiable requests within 30 days.

10. International Data Transfers

Our Service is hosted on infrastructure located in the European Union (EU-Central). If you access the Service from outside the EU, your data may be transferred to and processed in the EU. We ensure appropriate safeguards are in place to protect your data in compliance with applicable data protection laws.

11. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete such information promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or for legal, operational, or regulatory reasons. We will post the revised policy on this page and update the "Last updated" date. We encourage you to review this page regularly.