Privacy Policy
Last updated: 17 June 2026
Your trust matters. This policy describes what personal data Collecta collects, why we process it, who we share it with, and the choices and rights you have.
01 Introduction
This Privacy Policy explains how Collecta (“Collecta”, “we”, “us”) collects, uses, shares and protects personal data when you use our multi-tenant operations platform, our websites, and related services (together, the “Service”).
It applies to visitors, account holders, and the employees and collaborators of organizations that operate a Collecta workspace. Where your organization is our customer, that organization is the controller of the workspace data it submits, and Collecta acts as a processor on its behalf. For our own websites and account administration, Collecta is the controller.
02 Information we collect
We collect the following categories of information:
- Account data — name, work email, hashed password, role, organization, and authentication details (including 2FA and SSO identifiers).
- Workspace and module content — the modules, custom fields, records, attachments, automations and other data you and your team input into the Service.
- Usage and telemetry — log data, device and browser information, IP address, feature usage and diagnostic events used to operate and secure the Service.
- Payment information — billing contact and subscription details. Card data is collected and processed directly by Stripe; Collecta does not store full card numbers.
- Support communications — messages, tickets and feedback you send to us.
- Cookies — strictly necessary cookies for sign-in and security (see the Cookies section below).
03 How we use information
We use personal data to:
- provide, maintain and secure the Service, including authentication and access control;
- process subscriptions, seats and billing through our payments provider;
- respond to support requests and communicate service and security notices;
- monitor, troubleshoot and improve the reliability, safety and performance of the product;
- power AI features — when you use the in-product agent, relevant prompts and records are processed by Anthropic’s Claude models to generate responses (see AI processing below);
- comply with legal obligations and enforce our agreements.
04 Legal bases
Where the GDPR or similar laws apply, we rely on the following legal bases:
- Performance of a contract — to provide the Service to you and your organization.
- Legitimate interests — to secure, improve and operate the Service, where not overridden by your rights.
- Consent — where required, for example optional communications; you may withdraw consent at any time.
- Legal obligation — to comply with tax, accounting and other applicable laws.
05 Subprocessors & sharing
We share personal data with a limited set of vetted subprocessors who process it only on our instructions and under contract:
- Anthropic — AI model processing for the in-product agent and AI features.
- Stripe — payment processing and subscription management.
- Cloud hosting — infrastructure, compute and managed database hosting.
- Email delivery — transactional and service email.
The full, current list of subprocessors is maintained in our Data Processing Addendum. We do not sell personal data and we do not share it for cross-context behavioral advertising.
06 AI processing
Collecta’s AI agent is powered by Anthropic’s Claude models. When you invoke an AI feature, the relevant prompts and the workspace records needed to answer your request are sent to Anthropic for processing and returned as a response. Customers may also bring their own Anthropic API key (BYOK) at the workspace level, in which case AI requests are processed under that key.
Data sent to power these features is not used to train third-party models. AI processing is governed by the terms in our Data Processing Addendum.
07 Data retention
We retain workspace content for as long as your organization maintains an active workspace. When a workspace is scheduled for deletion, data is held during a grace period and then permanently removed, subject to encrypted backups that expire on a rolling retention schedule.
Account, billing and audit records are retained as required for security, dispute resolution and legal or accounting obligations, after which they are deleted or anonymized.
08 Security
We apply layered technical and organizational safeguards, including:
- PostgreSQL row-level security for strict per-tenant data isolation;
- AES-256-GCM encryption for sensitive secrets at rest;
- short-lived JWT access tokens with refresh-token rotation and device tracking;
- TOTP-based two-factor authentication and SSO support;
- a tamper-evident audit log of user and configuration actions.
No system is perfectly secure, but we work continuously to protect your data and to respond promptly to any incident.
09 International transfers
Personal data may be processed in countries other than your own. Where data is transferred out of the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and equivalent mechanisms. EU data residency is available as an option for eligible plans — contact us to discuss your requirements.
10 Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict and object to the processing of your personal data, and to data portability. You may also lodge a complaint with your local supervisory authority.
To exercise these rights, contact us at privacy@collecta.app or via our contact page. If you are an employee of a customer organization, we may direct your request to that organization as the controller. See our GDPR page for more detail.
11 Cookies
We use strictly necessary cookies only — for sign-in, session integrity and security. We do not use advertising or cross-site tracking cookies. Product preferences such as theme, language and table layout are stored in your account inside the product, not in cookies.
12 Children
Collecta is a business tool and is not directed to children. The Service is not intended for, and we do not knowingly collect personal data from, anyone under the age of 16. If you believe a minor has provided us personal data, please contact us and we will delete it.
13 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.
14 Contact
Questions about this policy or your personal data? Email our privacy team at privacy@collecta.app or reach us through our contact page.