Privacy Policy
Last updated: January 30, 2026
This Privacy Policy explains how Colluno ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our collaboration platform. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR).
1. Data Controller
Colluno is currently operated by Pavel Svetoslavov Hristov as a sole proprietor. In the event of a business restructuring or incorporation, users will be notified and data controller details will be updated accordingly. When processing personal data on behalf of users (e.g., content uploaded by you pertaining to third parties), Colluno acts as a data processor. The service is operated by:
Pavel Svetoslavov Hristov
Address: st. "San Stefano" 6A, Dobrich, Bulgaria
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@colluno.com
Website: https://colluno.com
2. Information We Collect
We collect information you provide directly and information collected automatically:
Information You Provide:
• Account information (email address, name, password)
• Business information (company details, billing addresses)
• Content you upload (posts, media files, documents)
• Communication data (chat messages, comments)
• Invoice and payment information
Information Collected Automatically:
• Device and browser information
• Usage data and interaction patterns (via Grafana Faro)
• Log data (IP address, access times, pages viewed). IP addresses are truncated or anonymized where technically feasible and are never used for marketing or profiling.
• Application performance metrics and errors
3. How We Use Your Information
We process your personal data for the following purposes:
• Service Delivery: To provide, maintain, and improve our collaboration platform
• Account Management: To create and manage your user account
• Communication: To send service-related notifications and respond to inquiries
• Security: To detect, prevent, and address fraud and security issues
• Legal Compliance: To comply with legal obligations and enforce our terms
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
• Contract Performance: Processing necessary to fulfill our service agreement with you
• Legitimate Interests: For business operations, security, and service improvement
• Consent: Where you have given explicit consent for specific processing activities
• Legal Obligation: To comply with applicable laws and regulations
5. Cookies and Local Storage
We use cookies and browser storage to provide essential functionality and monitoring. Essential cookies and storage are processed based on contract performance and legitimate interest. Where consent is required (e.g. non-essential analytics), it will be requested explicitly:
Essential Cookies:
• refresh_token - Secure, HttpOnly authentication cookie for session management
• sidebar_state - Remembers your sidebar preference (collapsed/expanded)
Local Storage & Session Storage:
• language - Your preferred language setting
• itemsPerPage - Your preference for number of items to display in lists
• chat-panel-sizes - Layout preferences for the chat interface
• token-expires-at - Timestamp for access token expiration
• refresh-token-expires-at - Timestamp for refresh token expiration
• com.grafana.faro.lastNavigationId - Session tracking for performance monitoring
• com.grafana.faro.session - Real User Monitoring (RUM) session data
• error-boundary-logs - Temporary error logs for troubleshooting (automatically cleared)
These storage mechanisms are essential for the service to function properly, to maintain your user preferences, or to monitor system stability (Grafana Faro). Grafana Faro is used strictly for performance monitoring, error detection, and system stability, not for marketing, profiling, or cross-site tracking.
6. Data Sharing and Third Parties
We may share your information with:
• Hosting Provider: Hetzner Online GmbH (Germany) - Core infrastructure and hosting
• Cloud Storage: Cloudflare R2 - For secure storage of images, videos, and documents
• AI Processing: OpenAI, LLC (USA) - For AI-powered features (utilizing GPT 4.1-mini). Note regarding AI: Data sent to the AI API is NOT used for model training under our commercial agreement.
• Monitoring & Logs: Grafana Labs (USA) - For application logging and frontend performance monitoring (Faro)
• Email Services: Brevo (France) - For sending transactional emails and notifications
• Payment Processing: Paddle.com (UK/Global) - Our Merchant of Record for handling subscriptions and payments. Your payment data is processed directly by Paddle.
A Data Processing Agreement (DPA) is available upon request for business customers acting as data controllers.
Note on Logs: System logs may temporarily contain email addresses for troubleshooting and monitoring purposes. These logs are securely stored with Grafana Cloud.
We do not sell your personal data to third parties. Any data sharing is governed by appropriate data processing agreements ensuring GDPR compliance. An up-to-date list of sub-processors is available upon request.
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we assess the legal environment of recipient countries and apply additional technical safeguards where necessary. We ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules where available
8. Data Retention
We retain your personal data only as long as necessary:
• Account Data: For the duration of your account plus 30 days after deletion
• Business Records: As required by applicable tax and commercial laws (typically 7-10 years)
• Security Logs: Up to 90 days for security monitoring
• Backup Data: Up to 30 days in backup systems. Deleted data may persist in encrypted backups until they are automatically overwritten, after which it is permanently removed.
• Legal/Tax Records: Certain data (e.g., invoices) may be retained longer where required by law.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, contact us at privacy@colluno.com. We will respond within 30 days.
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
• Encryption in transit (TLS/HTTPS) and at rest
• Secure password hashing (bcrypt)
• Role-based access controls
• Regular security assessments
• Secure, HttpOnly authentication cookies
11. Children's Privacy
Our service is not directed to individuals under 16 years of age. In accordance with GDPR Article 8, we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.
12. Automated Decision-Making
Colluno does not engage in fully automated decision-making that produces legal or similarly significant effects on users.
13. US Residents (CCPA/CPRA)
For California residents, we do not 'sell' or 'share' personal data as defined under the CCPA/CPRA.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
15. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (CPDP). You can also contact your local data protection authority.
16. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: privacy@colluno.com
Website: https://colluno.com/contact