GDPR compliance

Collecta is built for European businesses and the partners who serve them. We treat the EU General Data Protection Regulation (GDPR) as a baseline, not a checkbox: data protection is designed into the platform's multi-tenant architecture rather than bolted on afterwards.

This page explains the roles we play, the lawful bases we rely on, the rights available to data subjects, and the technical and organisational measures we maintain. It is a plain-language companion to our Data Processing Agreement and Privacy Policy, which together govern how personal data is handled.

GDPR distinguishes between the controller (who decides why and how personal data is processed) and the processor(who processes it on the controller's behalf). Collecta wears both hats depending on the data in question.

• Processor— for the customer and workspace data you store in Collecta (module records, custom fields, attachments, your end customers' details). You are the controller; we process it only on your documented instructions.
• Controller — for the data we need to run our own business: your account profile, authentication credentials, billing records and product usage telemetry.

The processor relationship is formalised in our Data Processing Agreement.

As a controller, we process personal data under the lawful bases that fit the purpose: performance of a contract (to deliver the service you subscribed to), legitimate interests (securing the platform, preventing abuse, improving the product) and legal obligation (tax, accounting and compliance records).

As a processor, the lawful basis for your workspace data is yours to establish with your own data subjects. We collect data only for the purposes set out in our agreements and do not repurpose it. We never sell personal data and never use customer or workspace content to train AI models.

GDPR grants individuals the rights of access, rectification, erasure, restriction, portability and objection. Where Collecta is the controller, you can exercise these by contacting us. Where Collecta is the processor, the request belongs to your end customer and you fulfil it — Collecta gives you the tooling to do so quickly:

• Access & portability — workspace owners can export tenant data to a structured, machine-readable JSON file at any time.
• Rectification — records and custom fields are editable in-product, with every change captured in the audit log.
• Erasure & restriction — records can be deleted, and a workspace can be scheduled for permanent deletion with cascading removal across all related data.
• Isolation by default— PostgreSQL row-level security scopes every query to a single tenant, so one customer's data is never exposed to another while you action a request.

Need help with a specific request? Contact us and we will assist.

We engage a small, vetted set of subprocessors to deliver the service. Each is bound by data protection terms at least as protective as ours. Current subprocessors include:

• Anthropic — the Claude AI models that power the in-product assistant and agent (no customer content is used for model training).
• Stripe — subscription billing and payment processing.
• Cloud hosting provider — managed infrastructure and database hosting.
• Email provider — transactional and notification email delivery.

The complete, current list — together with the relevant Standard Contractual Clauses — is maintained in our Data Processing Agreement. We give notice of changes so you can object before a new subprocessor begins processing.

Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) together with supplementary measures such as encryption in transit and at rest.

Customers who require their data to stay in the EU can opt for EU data residency, with hosting in the eu-central-1 region. Speak to us when provisioning your workspace and we will configure it accordingly.

GDPR Article 32 requires appropriate technical and organisational measures. Ours are architectural, not afterthoughts:

• PostgreSQL row-level security — enforced per tenant at the database layer.
• AES-256-GCM encryption — for sensitive data such as stored API keys and backups.
• JWT access tokens with refresh-token rotation — short-lived sessions with device tracking and login lockout.
• TOTP two-factor authentication and SSO for organisation-wide access control.
• Tamper-evident audit log covering 102 actions across the platform.

Read the full breakdown on our security page.

We maintain incident response procedures designed to detect, contain and assess personal data breaches. In the event of a breach affecting personal data we process on your behalf, we will notify affected customers without undue delay after becoming aware of it, and provide the information you need to meet your own notification obligations to supervisory authorities and data subjects.

Questions about how we handle personal data, or requests to exercise your rights, can be sent to our data protection contact at dpo@collecta.app. This contact also coordinates with our EU representative where an Article 27 representative is required.

We offer a Data Processing Agreement (DPA) to all customers as a standard part of our terms. It sets out the subject matter and duration of processing, the categories of data and data subjects, our obligations as processor, the approved subprocessors and the Standard Contractual Clauses for international transfers. Review and request it on our DPA page.

In line with the accountability principle, we maintain records of our processing activities, review our subprocessors and security controls, and keep our policies current. The platform's audit log provides a verifiable trail of administrative and data actions, helping both Collecta and our customers demonstrate compliance to supervisory authorities.

For GDPR or privacy matters, email dpo@collecta.app or reach us through our contact page. For technical and security details, see our security page and Privacy Policy.