PRIVACY POLICY
Collio
Including Cookie Policy and Data Processing Information
Last Updated: February 19, 2026
INTRODUCTION
Metrixbite S.R.L. ("Company", "we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Collio platform located at collio.chat ("Platform").
This Privacy Policy applies to all users of the Platform and is designed to comply with the General Data Protection Regulation (GDPR - EU Regulation 2016/679), Romanian data protection law, and other applicable privacy regulations.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the data processing practices described herein.
1. DATA CONTROLLER AND CONTACT INFORMATION
The data controller responsible for your personal data is:
- Legal name: Metrixbite S.R.L.
- Registered address: Str. Pinilor, no. 13, Medgidia, Romania
- VAT ID: RO52955094
- Registered with: ONRC (Romanian Trade Registry)
- Email: contact@collio.chat
- WhatsApp: +40 774 941 690
- Website: collio.chat
We have not appointed a Data Protection Officer (DPO) as we do not meet the threshold requirements under GDPR Article 37.
For all privacy-related inquiries, data subject requests, or concerns, please contact us at contact@collio.chat.
2. PERSONAL DATA WE COLLECT
We collect the following categories of personal data depending on how you interact with the Platform:
2.1. Information You Provide Directly
Account Information:
- First and last name
- Email address
- Password (stored in hashed form)
- Organization name (for business accounts)
User-Generated Content:
- Messages and prompts submitted to AI agents
- Conversation history
- Files uploaded to the Platform
- Organizational structure (Organizations, Departments, AI Agent configurations)
2.2. Information Collected Automatically
Technical Data:
- IP address
- Browser type and version
- Device type and operating system
- Time zone setting and location
- Browser plug-in types and versions
Usage Data:
- Pages visited and features used
- Time and date of visits
- Referring website addresses
- Interaction with AI agents
- Error logs and diagnostic data
2.3. Information from Third Parties
Payment Information (via Stripe):
- Credit/debit card information (processed by Stripe, not stored by us)
- Billing address
- Payment transaction history
Marketing Data (via Meta Pixel, Google Analytics):
- Advertising interaction data
- Campaign performance metrics
- Website visitor behavior
IMPORTANT: We do not intentionally collect special categories of personal data (sensitive data) such as health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sexual orientation, or criminal records. Please do not submit such information through the Platform.
3. HOW WE USE YOUR PERSONAL DATA
We process your personal data for the following purposes, based on the legal grounds specified:
3.1. Performance of Contract (GDPR Article 6(1)(b))
- Creating and managing your Account
- Providing access to the Platform and AI services
- Processing your messages through OpenAI API
- Enabling team collaboration features
- Processing payments and managing subscriptions
- Providing customer support (48-hour response commitment)
- Communicating with you about your Account and Services
3.2. Legal Obligation (GDPR Article 6(1)(c))
- Issuing tax invoices as required by Romanian law
- Maintaining accounting records for 10 years as required by law
- Responding to lawful requests from authorities
- Complying with data protection laws and regulations
3.3. Legitimate Interest (GDPR Article 6(1)(f))
- Preventing fraud, abuse, and security threats
- Improving Platform functionality and user experience
- Analyzing usage patterns to develop new features
- Conducting market research and analytics
- Marketing our Services (subject to your opt-out rights)
- Protecting our legal rights and interests
- Ensuring network and information security
3.4. Consent (GDPR Article 6(1)(a))
- Sending promotional emails and newsletters (you may unsubscribe at any time)
- Using non-essential cookies for analytics and advertising
- Processing data for purposes you explicitly consent to
4. HOW WE SHARE YOUR PERSONAL DATA
We share your personal data with the following categories of recipients to provide and improve our Services:
4.1. Service Providers (Data Processors)
We engage third-party service providers who process personal data on our behalf. These providers are contractually bound to protect your data and use it only for specified purposes.
OpenAI, LLC (United States):
- Purpose: AI language model processing
- Data shared: Your prompts, messages, and conversation content
- Retention: OpenAI retains data for 30 days for abuse monitoring, then deletes it
- Training: OpenAI does NOT use API data for training AI models (effective March 1, 2023)
Stripe, Inc. (United States):
- Purpose: Payment processing
- Data shared: Payment information, billing address, transaction history
- Note: We do not store your full credit card details
Amazon Web Services - AWS (Germany):
- Purpose: Cloud hosting and infrastructure
- Data shared: All Platform data
- Location: Primary servers in Frankfurt, Germany (EU)
Google LLC (United States):
- Google Analytics: Website analytics, anonymized IP addresses, usage data
- Google Tag Manager: Tag and tracking code management
Meta Platforms, Inc. (United States):
- Meta Pixel: Advertising analytics, conversion tracking, visitor behavior
Brevo / Sendinblue (France/Germany):
- Purpose: Transactional and marketing email delivery
- Data shared: Email addresses, names, email content
Cloudflare, Inc. (Global):
- Purpose: Content delivery network (CDN) and DDoS protection
- Data shared: IP addresses, HTTP request data
A complete list of Sub-processors is maintained in Annex A of this Privacy Policy.
4.2. Legal Obligations and Protection
We may disclose your personal data if required by law or in the good-faith belief that such disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests;
- Enforce our Terms of Service;
- Protect our rights, property, or safety, or that of our users or the public;
- Detect, prevent, or address fraud, security, or technical issues.
4.3. Business Transfers
If we undergo a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity.
You will be notified via email and/or prominent notice on our Platform of any such change in ownership.
4.4. With Your Consent
We may share your data with third parties when you explicitly consent to such sharing.
5. INTERNATIONAL DATA TRANSFERS
Your personal data is primarily processed and stored within the European Economic Area (EEA) on AWS servers located in Frankfurt, Germany.
However, some of our service providers are located in countries outside the EEA, including the United States (OpenAI, Stripe, Google, Meta, Cloudflare).
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with service providers in countries without adequacy decisions;
- Adequacy Decisions: We rely on EU Commission adequacy decisions where applicable;
- Supplementary Measures: We and our providers implement additional technical and organizational measures to ensure data protection;
- Provider Certifications: Many providers participate in frameworks such as the EU-US Data Privacy Framework (where applicable).
5.1. Data Residency Options
EU Data Residency (Default): By default, your data is stored on AWS servers in Frankfurt, Germany (EU).
US Data Residency (Upon Request): US-based customers may request that their data be stored on US servers by contacting contact@collio.chat. This option may involve additional configuration and costs.
Please note that regardless of storage location, data may still be transmitted to OpenAI (US) for AI processing.
For more information about our data transfer safeguards or to request copies of relevant SCCs, please contact contact@collio.chat.
6. DATA RETENTION
We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Active Account Data: Retained as long as your Account remains active and you continue using the Platform.
- Inactive Account Data: If you do not log in for 1 year, we may delete your Account and associated data after notifying you via email.
- Conversation and Chat Data: Retained for a maximum of 1 year from the date of creation, after which conversations may be automatically deleted.
- Payment and Billing Data: Retained for 10 years to comply with Romanian accounting and tax law requirements.
- Data After Account Deletion: Upon Account deletion (voluntary or involuntary), we retain data for up to 1 year for archival, legal compliance, and dispute resolution purposes, after which it is permanently deleted.
- Marketing Data: Retained until you withdraw consent or unsubscribe from communications.
- Backup Data: Data in real-time backups is retained for up to 90 days and then automatically deleted.
- OpenAI Processing: OpenAI retains your prompts and responses for 30 days for abuse and misuse monitoring, after which the data is deleted unless legally required to retain longer.
7. YOUR RIGHTS UNDER GDPR
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your personal data and to access that data. You may request a copy of your personal data in a commonly used electronic format.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and to complete incomplete data.
- Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object to processing. This right is subject to legal limitations (e.g., we must retain billing data for 10 years).
- Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain situations, such as when you contest the accuracy of data or object to processing.
- Right to Data Portability (Article 20): You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can export your conversation data using our export functionality.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to marketing, we will cease such processing immediately.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right Not to be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not engage in such automated decision-making.
- Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Romania, the competent authority is ANSPDCP (see Section 15).
8. HOW TO EXERCISE YOUR RIGHTS
To exercise any of the rights described above, please submit a written request to:
- Email: contact@collio.chat
- Postal Address: Metrixbite S.R.L., Str. Pinilor, no. 13, Medgidia, Romania
8.1. Response Time
We commit to responding to your request within 48 hours of receipt.
If your request is complex or we receive multiple requests from you, we may extend this period by up to two additional months, in which case we will inform you within the initial 48 hours and explain the reason for the delay.
8.2. Verification
To protect your privacy and security, we may request additional information to verify your identity before processing your request.
We may request government-issued ID, proof of Account ownership, or other verification measures.
8.3. No Fee
We do not charge a fee for processing data subject requests unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Our security measures include:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using SSL/TLS protocols;
- Encryption at Rest: Data stored on AWS servers is encrypted at rest using industry-standard encryption algorithms;
- Access Controls: Strict access controls and authentication mechanisms limit access to personal data to authorized personnel only;
- Security Monitoring: Continuous monitoring of systems for suspicious activity and potential security threats;
- Real-Time Backups: Automated real-time backups to prevent data loss;
- Incident Response Plan: Documented procedures for responding to data breaches and security incidents;
- Vendor Security: We require all service providers to implement appropriate security measures through contractual obligations;
- Employee Training: Regular training for employees on data protection and security best practices.
9.1. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach;
- Notify the relevant supervisory authority (ANSPDCP in Romania) as required by law;
- Provide information about the nature of the breach, likely consequences, and measures taken to address it.
9.2. Limitations
While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure.
We cannot guarantee absolute security of your data.
You are responsible for maintaining the security of your Account credentials.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1. What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help the website remember information about your visit, such as your preferences and login status.
Cookies can be "persistent" (remain on your device until deleted or expired) or "session" (deleted when you close your browser).
10.2. Types of Cookies We Use
Strictly Necessary Cookies: These cookies are essential for the Platform to function. They enable core functionality such as:
- User authentication and session management
- Security and fraud prevention
- Load balancing
These cookies cannot be disabled without severely affecting Platform functionality.
Legal Basis: Legitimate interest and performance of contract.
Analytics Cookies (Google Analytics):
- Purpose: Understand how visitors interact with the Platform
- Data collected: Pages visited, time spent, browser type, anonymized IP addresses
- Provider: Google LLC
- Legal Basis: Consent (via cookie banner)
You can opt out of these cookies through the cookie banner or browser settings.
Advertising and Marketing Cookies (Meta Pixel):
- Purpose: Measure advertising campaign effectiveness and deliver targeted ads
- Data collected: Website interactions, conversions, visitor behavior
- Provider: Meta Platforms, Inc.
- Legal Basis: Consent (via cookie banner)
You can opt out through the cookie banner or your Facebook ad settings.
10.3. Cookie Banner and Consent Management
When you first visit collio.chat, you will see a cookie banner informing you about our use of cookies.
You can accept all cookies, reject non-essential cookies, or customize your preferences.
Strictly necessary cookies are set automatically; all other cookies require your consent.
You can change your cookie preferences at any time through:
- The cookie settings link in the website footer
- Your browser settings (see Section 10.5)
10.4. Third-Party Cookies
Some cookies are set by third-party services we use:
- Google Analytics (analytics cookies)
- Google Tag Manager (tag management)
- Meta Pixel (advertising cookies)
- Cloudflare (performance and security cookies)
These providers may use cookies to collect information for their own purposes. Please review their privacy policies for more information.
10.5. Managing and Deleting Cookies
You can control cookies through your browser settings:
- Google Chrome: Settings > Privacy and security > Cookies and other site data
- Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Cookies and website data
- Microsoft Edge: Settings > Privacy, search, and services > Cookies
Please note that blocking all cookies may affect Platform functionality, including your ability to log in.
To opt out of Google Analytics across all websites, visit: https://tools.google.com/dlpage/gaoptout
To manage Meta Pixel tracking, visit your Facebook Ad Settings.
11. CHILDREN'S PRIVACY
The Platform is not intended for children under the age of 16.
We do not knowingly collect personal data from children under 16 without parental consent.
Users aged 16-18 may use the Platform only with the consent of a parent or legal guardian.
If we become aware that we have collected personal data from a child under 16 without proper parental consent, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child under 16 has provided personal data to us without your consent, please contact us immediately at contact@collio.chat so we can take appropriate action.
12. MARKETING COMMUNICATIONS
12.1. Email Marketing
With your consent, we may send you promotional emails, newsletters, product updates, and special offers.
You can unsubscribe from marketing emails at any time by:
- Clicking the "Unsubscribe" link in any promotional email;
- Contacting us at contact@collio.chat;
- Updating your communication preferences in your Account settings.
12.2. Transactional Emails
Even if you opt out of marketing communications, we will still send you essential transactional emails, including:
- Account creation and verification
- Password resets
- Payment confirmations and receipts
- Important changes to Terms or Privacy Policy
- Security alerts
You cannot opt out of transactional emails as they are necessary for the Services.
12.3. Processing Time
Unsubscribe requests are processed immediately, though it may take up to 48 hours to fully remove you from our systems.
13. THIRD-PARTY LINKS
The Platform may contain links to third-party websites, applications, or services that are not owned or controlled by us.
We are not responsible for the privacy practices or content of third-party sites.
We recommend that you review the privacy policies of any third-party sites you visit.
This Privacy Policy applies only to information collected by Collio.
14. CHANGES TO THIS PRIVACY POLICY
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or for other operational reasons.
Material changes will be communicated to you via email at least 30 days before they take effect.
Non-material changes (e.g., clarifications, formatting) will be effective immediately upon posting.
The "Last Updated" date at the top of this Privacy Policy indicates when the last changes were made.
The current version will always be available at collio.chat/privacy-policy.
Your continued use of the Platform after changes take effect constitutes acceptance of the revised Privacy Policy.
15. CONTACT US AND SUPERVISORY AUTHORITY
15.1. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Company: Metrixbite S.R.L.
- Address: Str. Pinilor, no. 13, Medgidia, Romania
- VAT ID: RO52955094
- Email: contact@collio.chat
- WhatsApp: +40 774 941 690
15.2. Supervisory Authority
If you are not satisfied with our response to your data protection concerns or believe we have violated your privacy rights, you have the right to lodge a complaint with the competent supervisory authority:
- Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
- English: National Supervisory Authority for Personal Data Processing
- Address: B-dul G-ral Gheorghe Magheru no. 28-30, Sector 1, Bucharest, Romania
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
- Phone: +40 318 059 211
ANNEX A: SUB-PROCESSOR LIST
This annex lists all Sub-processors (third-party service providers) that process personal data on behalf of Metrixbite S.R.L. in connection with the Collio Platform.
We will notify you at least 30 days in advance of any additions or changes to this list via email.
OpenAI, LLC
- Service Provided: AI language model API
- Location: United States
- Data Processed: User prompts, messages, conversation content
- Safeguards: SCCs, 30-day retention, no training use
Stripe, Inc.
- Service Provided: Payment processing
- Location: United States
- Data Processed: Payment details, billing address, transaction history
- Safeguards: PCI-DSS, SCCs
Amazon Web Services (AWS)
- Service Provided: Cloud hosting, infrastructure, data storage
- Location: Germany (Frankfurt)
- Data Processed: All Platform data
- Safeguards: EU hosting, encryption at rest/transit
Google LLC (Google Analytics)
- Service Provided: Website analytics
- Location: United States
- Data Processed: Anonymized IP, usage data, browser info
- Safeguards: IP anonymization, SCCs
Google LLC (Tag Manager)
- Service Provided: Tag and tracking code management
- Location: United States
- Data Processed: Website interaction data
- Safeguards: SCCs
Meta Platforms, Inc. (Meta Pixel)
- Service Provided: Advertising analytics, conversion tracking
- Location: United States
- Data Processed: Website visitor behavior, conversions
- Safeguards: SCCs
Brevo (Sendinblue)
- Service Provided: Transactional and marketing email delivery
- Location: France / Germany
- Data Processed: Email addresses, names, email content
- Safeguards: EU hosting, GDPR compliance
Cloudflare, Inc.
- Service Provided: CDN, DDoS protection, web security
- Location: Global (EU & US)
- Data Processed: IP addresses, HTTP request data
- Safeguards: SCCs, edge caching
Abbreviations:
- SCCs = Standard Contractual Clauses (EU Commission-approved)
- PCI-DSS = Payment Card Industry Data Security Standard
- CDN = Content Delivery Network
By using Collio, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.