PRIVACY POLICY
Collio
Including Cookie Policy and Data Processing Information
Last Updated: June 25, 2026
INTRODUCTION
Metrixbite S.R.L. ("Company", "we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Collio platform located at collio.chat ("Platform").
This Privacy Policy applies to all users of the Platform and is designed to comply with the General Data Protection Regulation (GDPR - EU Regulation 2016/679), Romanian data protection law, and other applicable privacy regulations.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the data processing practices described herein.
1. DATA CONTROLLER AND CONTACT INFORMATION
The data controller responsible for your personal data is:
- Legal name: Metrixbite S.R.L.
- Registered address: Str. Pinilor, no. 13, Medgidia, Romania
- VAT ID: RO52955094
- Registered with: ONRC (Romanian Trade Registry)
- Email: [email protected]
- WhatsApp: +40 774 941 690
- Website: collio.chat
We have not appointed a Data Protection Officer (DPO) as we do not meet the threshold requirements under GDPR Article 37.
For all privacy-related inquiries, data subject requests, or concerns, please contact us at [email protected].
2. PERSONAL DATA WE COLLECT
We collect the following categories of personal data depending on how you interact with the Platform:
2.1. Information You Provide Directly
Account Information:
- First and last name
- Email address
- Password (stored in hashed form)
- Organization name (for business accounts)
- Google account information (if you use Sign in with Google)
User-Generated Content:
- Messages and prompts submitted to AI agents
- Conversation history
- Files uploaded to the Platform
- Organizational structure (Organizations, Departments, AI Agent configurations)
- Data entered into Built-in Apps (CRM records, tasks, and other business data)
2.2. Information Collected Automatically
Technical Data:
- IP address
- Browser type and version
- Device type and operating system
- Time zone setting and location
- Browser plug-in types and versions
Usage Data:
- Pages visited and features used
- Time and date of visits
- Referring website addresses
- Interaction with AI agents and Built-in Apps
- AI model selections and usage patterns
- Credit consumption data
- Error logs and diagnostic data
- Session recordings and product interaction events (via PostHog)
2.3. Information from Third Parties
Payment Information (via Stripe):
- Credit/debit card information (processed by Stripe, not stored by us)
- Billing address
- Payment transaction history
Authentication Data (via Google OAuth):
- Basic Google profile information (name, email, profile picture) if you choose to sign in with Google
Marketing Data (via Meta Pixel, Google Analytics):
- Advertising interaction data
- Campaign performance metrics
- Website visitor behavior
IMPORTANT: We do not intentionally collect special categories of personal data (sensitive data) such as health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sexual orientation, or criminal records. Please do not submit such information through the Platform.
3. HOW WE USE YOUR PERSONAL DATA
We process your personal data for the following purposes, based on the legal grounds specified:
3.1. Performance of Contract (GDPR Article 6(1)(b))
- Creating and managing your Account
- Providing access to the Platform and AI services
- Processing your messages through third-party AI model providers (including OpenAI, Anthropic, Google, DeepSeek, and models accessible via OpenRouter), depending on your plan and model selection
- Enabling use of Built-in Apps (CRM, task management, and other tools) within the Platform
- Enabling team collaboration features
- Processing payments and managing subscriptions
- Providing customer support
- Communicating with you about your Account and Services
3.2. Legal Obligation (GDPR Article 6(1)(c))
- Issuing tax invoices as required by Romanian law
- Maintaining accounting records for 10 years as required by law
- Responding to lawful requests from authorities
- Complying with data protection laws and regulations
3.3. Legitimate Interest (GDPR Article 6(1)(f))
- Preventing fraud, abuse, and security threats
- Improving Platform functionality and user experience
- Analyzing usage patterns and product behavior to develop new features (via PostHog)
- Conducting market research and analytics
- Marketing our Services (subject to your opt-out rights)
- Protecting our legal rights and interests
- Ensuring network and information security
3.4. Consent (GDPR Article 6(1)(a))
- Sending promotional emails and newsletters (you may unsubscribe at any time)
- Using non-essential cookies for analytics and advertising
- Session recording and behavioral analytics via PostHog (where consent is required)
- Processing data for purposes you explicitly consent to
4. HOW WE SHARE YOUR PERSONAL DATA
We share your personal data with the following categories of recipients to provide and improve our Services:
4.1. Service Providers (Data Processors)
We engage third-party service providers who process personal data on our behalf. These providers are contractually bound to protect your data and use it only for specified purposes.
OpenAI, LLC (United States):
- Purpose: AI language model processing (ChatGPT / GPT models) — available on Pro and Business plans
- Data shared: Your prompts, messages, and conversation content when using OpenAI models
- Retention: 30 days for abuse monitoring, then deleted
- Training: Does NOT use API data for training AI models
Anthropic, PBC (United States):
- Purpose: AI language model processing (Claude models) — available on Pro and Business plans
- Data shared: Your prompts, messages, and conversation content when using Anthropic models
- Retention: 30 days by default under commercial API terms
- Training: Does NOT use API data for training AI models
Google LLC — Gemini (United States / EU):
- Purpose: AI language model processing (Gemini models) — available on Pro and Business plans
- Data shared: Your prompts, messages, and conversation content when using Google AI models
- Safeguards: SCCs, Cloud DPA
- Training: Does NOT use paid API data for training AI models
DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) (China / United States):
- Purpose: AI language model processing (DeepSeek v4 Flash — Default, DeepSeek v4 Pro — Advanced) — available on all plans
- Data shared: Your prompts, messages, and conversation content when using DeepSeek models
- Safeguards: Standard Contractual Clauses (SCCs)
- Training: Does NOT use API data for training AI models
- Important notice: DeepSeek is operated by a company incorporated in China. While SCCs apply to data transfers, data processed via DeepSeek API may be subject to Chinese data protection and national security laws in addition to contractual safeguards. Users processing sensitive personal data are advised to consider this when selecting AI models.
OpenRouter, Inc. (United States):
- Purpose: AI model routing and aggregation (multiple models accessible via OpenRouter) — available on all plans
- Data shared: Your prompts and messages when using OpenRouter-routed models
- Safeguards: SCCs; prompt logging is disabled — only metadata (timestamps, token counts, model used) is retained for billing purposes
- Training: Does NOT use data for training AI models
Stripe, Inc. (United States):
- Purpose: Payment processing
- Data shared: Payment information, billing address, transaction history
- Note: We do not store your full credit card details
Amazon Web Services — AWS (Germany):
- Purpose: Cloud hosting and infrastructure
- Data shared: All Platform data
- Location: Primary servers in Frankfurt, Germany (eu-central-1)
Hetzner Online GmbH (Germany):
- Purpose: Additional cloud hosting, database hosting, backup and storage infrastructure
- Data shared: Platform data, database content, backup data
- Location: Germany (Nuremberg / Falkenstein data centers)
- Safeguards: EU hosting, encryption at rest and in transit, GDPR-compliant DPA
PostHog, Inc. (Germany — EU Cloud):
- Purpose: Product analytics, usage tracking, and session recording
- Data shared: Usage events, feature interactions, session replays, device and browser information
- Location: EU Cloud hosted on AWS eu-central-1 (Frankfurt, Germany)
- Safeguards: EU hosting, DPA with SCCs
- Training: Does NOT use data for AI training purposes
- Note: Session recordings may capture interactions within the Platform interface. Sensitive form fields (such as password inputs) are masked automatically.
Google LLC — Analytics (United States):
- Purpose: Website analytics
- Data shared: Anonymized IP addresses, usage data, browser information
- Safeguards: IP anonymization, SCCs
Google LLC — Tag Manager (United States):
- Purpose: Tag and tracking code management
- Data shared: Website interaction data
- Safeguards: SCCs
Google LLC — Authentication (United States):
- Purpose: Sign in with Google (OAuth2 authentication)
- Data shared: Basic Google profile data (name, email, profile picture) if you choose this login method
- Safeguards: SCCs
Meta Platforms, Inc. (United States):
- Purpose: Advertising analytics and conversion tracking (Meta Pixel)
- Data shared: Website visitor behavior, conversions, advertising interactions
- Safeguards: SCCs
Brevo / Sendinblue (France / Germany):
- Purpose: Transactional and marketing email delivery
- Data shared: Email addresses, names, email content
- Safeguards: EU hosting, GDPR-compliant DPA
Cloudflare, Inc. (Global):
- Purpose: Content delivery network (CDN), DDoS protection, DNS
- Data shared: IP addresses, HTTP request data
- Safeguards: SCCs, EU data center options
A complete list of Sub-processors is maintained in Annex A of this Privacy Policy.
4.2. Legal Obligations and Protection
We may disclose your personal data if required by law or in good faith belief that such disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests;
- Enforce our Terms of Service;
- Protect our rights, property, or safety, or that of our users or the public;
- Detect, prevent, or address fraud, security, or technical issues.
4.3. Business Transfers
If we undergo a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. You will be notified via email and/or prominent notice on our Platform of any such change in ownership.
4.4. With Your Consent
We may share your data with third parties when you explicitly consent to such sharing.
5. INTERNATIONAL DATA TRANSFERS
Your personal data is primarily processed and stored within the European Economic Area (EEA) on AWS and Hetzner servers located in Germany.
However, some of our service providers are located in countries outside the EEA, including the United States (OpenAI, Anthropic, Stripe, Google, Meta, OpenRouter, Cloudflare) and China (DeepSeek).
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with service providers in countries without adequacy decisions;
- Adequacy Decisions: We rely on EU Commission adequacy decisions where applicable;
- Supplementary Measures: We and our providers implement additional technical and organizational measures to ensure data protection;
- Provider Certifications: Many providers participate in frameworks such as the EU-US Data Privacy Framework (where applicable).
Special notice regarding DeepSeek: Transfers to DeepSeek involve data being processed by a company subject to Chinese law, including the Personal Information Protection Law (PIPL) and national security legislation. While SCCs are in place, these transfers carry a higher residual risk than transfers to US-based providers. If you process sensitive personal data, we recommend selecting alternative AI models available on Pro and Business plans.
5.1. Data Residency Options
EU Data Residency (Default): By default, your data is stored on AWS and Hetzner servers in Germany (EU). AI model processing involves transfers to the respective AI provider's infrastructure (US or China depending on model selected).
US Data Residency (Upon Request): US-based customers may request that their primary infrastructure data be stored on US servers by contacting [email protected]. This option may involve additional configuration and costs.
For more information about our data transfer safeguards or to request copies of relevant SCCs, please contact [email protected].
6. DATA RETENTION
We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Active Account Data: Retained as long as your Account remains active and you continue using the Platform.
- Inactive Account Data: If you do not log in for 1 year, we may delete your Account and associated data after notifying you via email.
- Conversation and Chat Data: Retained for a maximum of 1 year from the date of creation, after which conversations may be automatically deleted.
- Built-in App Data (CRM, tasks, etc.): Retained as long as your Account is active. Deleted within 30 days of Account termination unless a legal retention obligation applies.
- Payment and Billing Data: Retained for 10 years to comply with Romanian accounting and tax law requirements.
- Data After Account Deletion: Upon Account deletion (voluntary or involuntary), we retain data for up to 1 year for archival, legal compliance, and dispute resolution purposes, after which it is permanently deleted.
- Marketing Data: Retained until you withdraw consent or unsubscribe from communications.
- Backup Data: Data in backups is retained for up to 90 days and then automatically deleted.
- AI Provider Processing: Each AI model provider retains prompt and response data for a limited period for abuse monitoring (typically 30 days), after which data is deleted in accordance with their commercial API terms.
- PostHog Analytics Data: Session recordings and usage events are retained for up to 1 year, after which they are automatically deleted.
7. YOUR RIGHTS UNDER GDPR
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your personal data and to access that data. You may request a copy of your personal data in a commonly used electronic format.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and to complete incomplete data.
- Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object to processing. This right is subject to legal limitations (e.g., we must retain billing data for 10 years).
- Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain situations, such as when you contest the accuracy of data or object to processing.
- Right to Data Portability (Article 20): You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can export your conversation data using our export functionality.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to marketing, we will cease such processing immediately.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right Not to be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not engage in such automated decision-making.
- Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Romania, the competent authority is ANSPDCP (see Section 15).
8. HOW TO EXERCISE YOUR RIGHTS
To exercise any of the rights described above, please submit a written request to:
- Email: [email protected]
- Postal Address: Metrixbite S.R.L., Str. Pinilor, no. 13, Medgidia, Romania
8.1. Response Time
We commit to responding to your request within 48 hours of receipt. If your request is complex or we receive multiple requests from you, we may extend this period by up to two additional months, in which case we will inform you within the initial 48 hours and explain the reason for the delay.
8.2. Verification
To protect your privacy and security, we may request additional information to verify your identity before processing your request. We may request government-issued ID, proof of Account ownership, or other verification measures.
8.3. No Fee
We do not charge a fee for processing data subject requests unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Our security measures include:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using SSL/TLS protocols;
- Encryption at Rest: Data stored on AWS and Hetzner servers is encrypted at rest using industry-standard encryption algorithms;
- Access Controls: Strict access controls and authentication mechanisms limit access to personal data to authorized personnel only;
- Security Monitoring: Continuous monitoring of systems for suspicious activity and potential security threats;
- Real-Time Backups: Automated real-time backups across AWS and Hetzner infrastructure to prevent data loss;
- Incident Response Plan: Documented procedures for responding to data breaches and security incidents;
- Vendor Security: We require all service providers to implement appropriate security measures through contractual obligations;
- Session Masking: PostHog session recordings automatically mask sensitive input fields (passwords, payment fields) to prevent capture of confidential data.
9.1. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach;
- Notify the relevant supervisory authority (ANSPDCP in Romania) as required by law;
- Provide information about the nature of the breach, likely consequences, and measures taken to address it.
9.2. Limitations
While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your Account credentials.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1. What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help the website remember information about your visit, such as your preferences and login status. Cookies can be "persistent" (remain on your device until deleted or expired) or "session" (deleted when you close your browser).
10.2. Types of Cookies and Tracking Technologies We Use
Strictly Necessary Cookies: These cookies are essential for the Platform to function. They enable core functionality such as user authentication and session management, security and fraud prevention, and load balancing. These cookies cannot be disabled without severely affecting Platform functionality. Legal Basis: Legitimate interest and performance of contract.
Analytics Cookies (Google Analytics):
- Purpose: Understand how visitors interact with the Platform
- Data collected: Pages visited, time spent, browser type, anonymized IP addresses
- Provider: Google LLC
- Legal Basis: Consent (via cookie banner)
You can opt out through the cookie banner or browser settings.
Product Analytics and Session Recording (PostHog):
- Purpose: Understand how users interact with Platform features, identify usability issues, and improve the product experience
- Data collected: Feature usage events, click patterns, navigation flows, session recordings (video-like replays of your interactions within the Platform), device and browser information
- Provider: PostHog, Inc. (EU Cloud — Frankfurt, Germany)
- Legal Basis: Legitimate interest and/or Consent (via cookie banner where required)
- Note: Session recordings are stored on EU servers. Sensitive fields such as passwords and payment inputs are automatically masked and never recorded.
You can opt out of PostHog tracking by contacting us at [email protected] or through your Account settings where available.
Advertising and Marketing Cookies (Meta Pixel):
- Purpose: Measure advertising campaign effectiveness and deliver targeted ads
- Data collected: Website interactions, conversions, visitor behavior
- Provider: Meta Platforms, Inc.
- Legal Basis: Consent (via cookie banner)
You can opt out through the cookie banner or your Facebook ad settings.
10.3. Cookie Banner and Consent Management
When you first visit collio.chat, you will see a cookie banner informing you about our use of cookies. You can accept all cookies, reject non-essential cookies, or customize your preferences. Strictly necessary cookies are set automatically; all other cookies require your consent.
You can change your cookie preferences at any time through:
- The cookie settings link in the website footer
- Your browser settings (see Section 10.5)
10.4. Third-Party Cookies
Some cookies are set by third-party services we use:
- Google Analytics (analytics cookies)
- Google Tag Manager (tag management)
- Meta Pixel (advertising cookies)
- PostHog (product analytics and session recording)
- Cloudflare (performance and security cookies)
These providers may use cookies to collect information for their own purposes. Please review their respective privacy policies for more information.
10.5. Managing and Deleting Cookies
You can control cookies through your browser settings:
- Google Chrome: Settings > Privacy and security > Cookies and other site data
- Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Cookies and website data
- Microsoft Edge: Settings > Privacy, search, and services > Cookies
Please note that blocking all cookies may affect Platform functionality, including your ability to log in.
To opt out of Google Analytics across all websites, visit: https://tools.google.com/dlpage/gaoptout
To manage Meta Pixel tracking, visit your Facebook Ad Settings at https://www.facebook.com/ads/preferences
11. CHILDREN'S PRIVACY
The Platform is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. Users aged 16–18 may use the Platform only with the consent of a parent or legal guardian.
If we become aware that we have collected personal data from a child under 16 without proper parental consent, we will take steps to delete that information as quickly as possible. If you are a parent or guardian and believe your child under 16 has provided personal data to us without your consent, please contact us immediately at [email protected].
12. MARKETING COMMUNICATIONS
12.1. Email Marketing
With your consent, we may send you promotional emails, newsletters, product updates, and special offers. You can unsubscribe from marketing emails at any time by:
- Clicking the "Unsubscribe" link in any promotional email;
- Contacting us at [email protected];
- Updating your communication preferences in your Account settings.
12.2. Transactional Emails
Even if you opt out of marketing communications, we will still send you essential transactional emails, including:
- Account creation and verification
- Password resets
- Payment confirmations and receipts
- Important changes to Terms or Privacy Policy
- Security alerts
You cannot opt out of transactional emails as they are necessary for the Services.
12.3. Processing Time
Unsubscribe requests are processed immediately, though it may take up to 48 hours to fully remove you from our systems.
13. THIRD-PARTY LINKS
The Platform may contain links to third-party websites, applications, or services that are not owned or controlled by us. We are not responsible for the privacy practices or content of third-party sites. We recommend that you review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to information collected by Collio.
14. CHANGES TO THIS PRIVACY POLICY
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or for other operational reasons.
Material changes will be communicated to you via email at least 30 days before they take effect. Non-material changes (e.g., clarifications, formatting) will be effective immediately upon posting.
The "Last Updated" date at the top of this Privacy Policy indicates when the last changes were made. The current version will always be available at collio.chat/privacy-policy.
Your continued use of the Platform after changes take effect constitutes acceptance of the revised Privacy Policy.
15. CONTACT US AND SUPERVISORY AUTHORITY
15.1. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Company: Metrixbite S.R.L.
- Address: Str. Pinilor, no. 13, Medgidia, Romania
- VAT ID: RO52955094
- Email: [email protected]
- WhatsApp: +40 774 941 690
15.2. Supervisory Authority
If you are not satisfied with our response to your data protection concerns or believe we have violated your privacy rights, you have the right to lodge a complaint with the competent supervisory authority:
- Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
- English: National Supervisory Authority for Personal Data Processing
- Address: B-dul G-ral Gheorghe Magheru no. 28-30, Sector 1, Bucharest, Romania
- Website: www.dataprotection.ro
- Email: [email protected]
- Phone: +40 318 059 211
ANNEX A: SUB-PROCESSOR LIST
This annex lists all Sub-processors (third-party service providers) that process personal data on behalf of Metrixbite S.R.L. in connection with the Collio Platform. We will notify you at least 30 days in advance of any additions or changes to this list via email.
| Provider | Service | Location | Data Processed | Safeguards | AI Training Use |
|---|---|---|---|---|---|
| OpenAI, LLC | AI language model API (ChatGPT / GPT models) — Pro & Business plans | United States | Prompts, messages, conversation content | SCCs, DPA, 30-day retention | No |
| Anthropic, PBC | AI language model API (Claude models) — Pro & Business plans | United States | Prompts, messages, conversation content | SCCs, DPA (auto-incorporated) | No |
| Google LLC | AI language model API (Gemini models) — Pro & Business plans | United States / EU | Prompts, messages, conversation content | SCCs, Cloud DPA | No |
| DeepSeek (Hangzhou DeepSeek AI Co., Ltd.) | AI language model API (v4 Flash, v4 Pro) — All plans | China / United States | Prompts, messages, conversation content | SCCs | No (API terms) |
| OpenRouter, Inc. | AI model routing and aggregation — All plans | United States | Prompts, metadata (prompt logging disabled) | SCCs | No |
| Stripe, Inc. | Payment processing | United States | Payment info, billing address, transaction history | PCI-DSS, SCCs | N/A |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | Germany (Frankfurt, eu-central-1) | All Platform data | EU hosting, encryption, SCCs | N/A |
| Hetzner Online GmbH | Cloud hosting, database hosting, backup and storage | Germany (Nuremberg / Falkenstein) | Platform data, database content, backup data | EU hosting, encryption, GDPR DPA | N/A |
| PostHog, Inc. | Product analytics and session recording | Germany (Frankfurt — EU Cloud) | Usage events, session recordings, device/browser info | EU hosting, DPA with SCCs | No |
| Google LLC (Analytics) | Website analytics | United States | Anonymized IP, usage data, browser info | IP anonymization, SCCs | N/A |
| Google LLC (Tag Manager) | Website tag management | United States | Website interaction data | SCCs | N/A |
| Google LLC (Auth) | Sign in with Google — OAuth2 authentication | United States | Name, email, profile picture (if used) | SCCs | N/A |
| Meta Platforms, Inc. | Advertising analytics — Meta Pixel | United States | Visitor behavior, conversions | SCCs | N/A |
| Brevo (Sendinblue) | Transactional and marketing email delivery | France / Germany | Email addresses, names, email content | EU hosting, GDPR DPA | N/A |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global (EU & US) | IP addresses, HTTP request data | SCCs, EU data centers | N/A |
Note on DeepSeek: DeepSeek is operated by a Chinese company and data processed via their API may be subject to Chinese law (including PIPL and national security legislation) in addition to SCCs. Users processing sensitive personal data are advised to select alternative models available on Pro and Business plans.
Abbreviations: SCCs = Standard Contractual Clauses; PCI-DSS = Payment Card Industry Data Security Standard; CDN = Content Delivery Network; DPA = Data Processing Agreement; PIPL = Personal Information Protection Law (China)
Last Updated: June 25, 2026
By using Collio, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.