Privacy Policy

Regulation (EU) 2016/679 — GDPR  ·  Effective: May 24, 2026  ·  Last updated: May 24, 2026

1. Data Controller

The data controller within the meaning of the EU General Data Protection Regulation is Collision Technologies S.R.L.S — Società Benefit, Via Fabio Filzi 6, 34132 Trieste, Italy, operating the Collision platform at collitech.org. (Art. 4(7)) For any privacy-related request, you may contact us at contact@collitech.org or through our contact form. (Art. 13(1)(a))

This policy applies to all personal data processed when you visit or use the Service, regardless of the device or method used. If you are a resident of the European Union or European Economic Area, the GDPR governs our processing of your personal data in its entirety.

2. Data We Collect and Legal Basis

For each category of personal data we process, we identify both the purpose and the specific legal basis under Article 6 GDPR. (Art. 13(1)(c)(d))

2.1 Account Information

When you authenticate via Google, GitHub, or LinkedIn OAuth, we receive and store your name, email address, and profile image. This data is used exclusively to create and maintain your account and to provide you with access to the Service. (Art. 6(1)(b)) — processing is necessary for the performance of a contract to which you are party.

2.2 Payment Information

All payments are processed exclusively by Stripe, Inc., a certified third-party payment processor. We receive only a payment confirmation notification containing the amount, date, and package purchased. We never receive, process, store, or have any access to your card number, CVV, expiry date, IBAN, or any other banking or payment credentials — these are entered directly on Stripe's secure, PCI-DSS compliant payment page and remain exclusively within Stripe's systems. (Art. 6(1)(b)) — performance of the service contract; (Art. 6(1)(c)) — compliance with tax and accounting legal obligations.

2.3 Usage Data

We do not retain any individual-level usage data. Anonymous, aggregate counters such as total daily requests may be maintained in-memory for capacity planning and are never attributed to any user, session, or device. No personal data is retained under this category. (Art. 6(1)(f)) — legitimate interests in maintaining service stability, with no impact on your personal data rights.

2.4 Support Communications

Messages and media sent through our in-app support chat are stored only for the duration your ticket remains open and are automatically and permanently deleted within 24 hours after the ticket is closed. We do not archive, back up, or retain support conversations beyond that window. (Art. 6(1)(b)) — performance of contract; (Art. 6(1)(f)) — legitimate interests in resolving disputes and preventing abuse.

2.5 Log and Security Data

We process IP addresses, browser fingerprints, and access timestamps strictly in real time for bot mitigation, rate limiting, and abuse prevention. Security logs are retained only for the minimum window required to detect and respond to ongoing threats, typically a few hours, and are never shared with third parties or used for any other purpose. (Art. 6(1)(f)) — legitimate interests in protecting the security and integrity of the Service. We have conducted a balancing test and concluded that these security interests are not overridden by your rights and freedoms, given the minimal data involved and the extremely short retention period. (Art. 5(1)(c))

3. Content You Submit — Zero-Retention Policy

We do not retain any content you submit to the Service. All input — text, documents, files, API payloads, and prompts — is processed entirely in-memory and permanently discarded the moment the response is returned to you. Nothing is written to disk, logged, archived, or used in any way to train, fine-tune, or evaluate any machine learning model. (Art. 5(1)(c)) — data minimisation; (Art. 5(1)(e)) — storage limitation.

You retain full and exclusive ownership of every piece of content you submit. We claim no licence, rights, or interest of any kind over your input or the results we return to you.

4. Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not processed in any manner incompatible with those purposes. (Art. 5(1)(b)) We use the data we collect to: provide, maintain, and improve the Service; process transactions and manage your credit balance; respond to support requests; monitor and prevent security threats, fraud, and abuse; and comply with applicable legal obligations. (Art. 6(1)(c)) We do not sell, rent, trade, or otherwise disclose your personal data to third parties for marketing or advertising purposes.

5. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with the ePrivacy Directive 2002/58/EC as amended and the GDPR. Strictly necessary cookies do not require your consent and are placed automatically. All other categories require a freely given, specific, informed, and unambiguous affirmative action from you before being set. (Art. 4(11)) Consent obtained under pre-ticked boxes or inactivity is not valid under applicable law.

Essential cookies include session tokens required for authentication and short-lived anti-bot tokens used to enforce rate limits and protect login flows from automated abuse. These are exempt from the consent requirement as they are strictly necessary for the Service to function. (Art. 6(1)(f)) Analytics cookies, which collect aggregate usage data to help us understand how the Service is used, are only set after you grant explicit consent. (Art. 6(1)(a)) Marketing cookies, used for personalised content and promotional communications, are also only set after explicit consent. (Art. 6(1)(a)) Both analytics and marketing cookies default to OFF.

You may withdraw or modify your cookie consent at any time without any disadvantage. Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal. (Art. 7(3)) To manage your preferences, use the button below. You may also clear or block cookies directly in your browser settings at any time, though blocking essential cookies will prevent sign-in and may cause our security systems to challenge your requests.

6. Data Sharing and Third-Party Processors

We share limited personal data with the following categories of third-party data processors, strictly as necessary to operate the Service. All processors are engaged under a written data processing agreement that complies with the requirements of Article 28 GDPR. (Art. 28) We do not authorise any processor to use your data for their own purposes.

Authentication providers — Google, GitHub, and LinkedIn — verify your identity during sign-in and provide us with your name, email, and profile image. Stripe, Inc. processes credit purchase transactions securely; as described in Section 2.2, we receive only a payment confirmation and no payment credentials. Vercel and Neon provide hosting and database infrastructure; our primary data centres are located within the EU (EU-Central region). Resend delivers transactional emails such as support notifications. (Art. 13(1)(e))

We may disclose personal data if required by applicable law, enforceable court order, or valid request by a competent public authority. Where legally permitted, we will notify you of any such request prior to disclosure.

7. International Data Transfers

Our primary infrastructure is located within the European Union. Where personal data is transferred to processors established outside the EU/EEA — for example, Stripe's operations in the United States — we ensure that appropriate safeguards are in place as required by Chapter V GDPR. (Art. 44) These safeguards include Standard Contractual Clauses adopted by the European Commission (Art. 46(2)(c)), reliance on the EU–US Data Privacy Framework adequacy decision where applicable (Art. 45), and Binding Corporate Rules or other approved transfer mechanisms where relevant. (Art. 46) You may request a copy of the applicable transfer safeguards by contacting us at contact@collitech.org.

8. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration, as required by Article 32 GDPR. (Art. 32) These measures include TLS/SSL encryption for all data in transit, encrypted database connections, rate limiting and IP-based abuse prevention, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and role-based access controls for all internal systems.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and within 72 hours of becoming aware of the breach. (Art. 33) Where required by law, we will also notify you directly. (Art. 34) While we apply rigorous security practices, no transmission over the internet or electronic storage system is unconditionally secure.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. (Art. 5(1)(e)) Account data, including your name, email, and OAuth identifier, is retained for the duration of your account and deleted within 30 days of account deletion, unless a specific legal retention obligation applies. Payment records are retained for 10 years in compliance with Italian civil and tax law. (Art. 6(1)(c)) Support messages are deleted within 24 hours after ticket closure. Security and access logs are maintained in short rolling windows of a few hours for active threat detection only. Cookie consent records are retained for 3 years to allow us to demonstrate lawful consent where required. (Art. 5(2), Art. 7(1)) AI input and output — prompts, files, and responses — are never stored at any point and are processed in-memory only.

10. Your Rights Under GDPR

If you are located in the EU or EEA, you have the following rights under Chapter III GDPR. The exercise of these rights is free of charge (Art. 12(5)), and we are required to respond within one calendar month, extendable to three months for complex or multiple requests with written notification of the extension. (Art. 12(3))

You have the right of access to the personal data we hold about you and to receive a copy of it. (Art. 15) You have the right to rectification of inaccurate or incomplete personal data. (Art. 16) You have the right to erasure — the right to be forgotten — where personal data is no longer necessary for the purposes for which it was collected, where consent is withdrawn, or where the data has been unlawfully processed, subject to legal retention obligations. (Art. 17) You have the right to restriction of processing in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful but you oppose erasure. (Art. 18) You have the right to data portability, to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller. (Art. 20) You have the right to object to processing based on legitimate interests or for direct marketing purposes. (Art. 21) Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing. (Art. 7(3)) We do not use automated individual decision-making or profiling that produces legal or similarly significant effects. (Art. 22)

To exercise any of these rights, please contact us at contact@collitech.org or through our contact form. We may request verification of your identity before processing your request. (Art. 12(6))

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement — if you consider that the processing of your personal data infringes the GDPR. (Art. 77(1)) We encourage you to contact us first so that we may address your concern directly, but you are under no obligation to do so before contacting a supervisory authority. A complete list of EU and EEA data protection authorities is maintained by the European Data Protection Board at edpb.europa.eu.

12. Children's Privacy

The Service is not directed to, and is not intended for use by, children under the age of 16. We do not knowingly collect personal data from children under 16. (Art. 8) If we become aware that we have inadvertently collected personal data from a child under the age of 16 without verifiable parental or guardian consent, we will take immediate steps to delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. We will post the revised policy on this page and update the effective date. For material changes that affect your rights or the way we process your data, we will provide additional notice by email or by a prominent notice on the Service. (Art. 13(3)) We encourage you to review this page periodically.

Contact Us

For questions or concerns about this Privacy Policy or about our data practices, please contact our privacy team at contact@collitech.org or through our contact form.