Colossee, Inc. (“Colossee,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have. It applies to all users of the Colossee platform and website (“Service”).
By using the Service, you agree to the collection and use of your information in accordance with this Policy. If you do not agree, please do not use the Service.
Data Controller
For purposes of applicable data protection law (including the EU General Data Protection Regulation, “GDPR”), the data controller is:
Where applicable, Colossee is also a “business” within the meaning of the California Consumer Privacy Act (“CCPA”) and a “controller” under the UK GDPR.
Information We Collect
Information You Provide
- -Account Information: When you create an account through Privy, we receive and store your email address or phone number as provided to us by Privy, Inc. We do not receive your authentication credentials (passwords, OTPs).
- -Profile Information: Your chosen display name and public handle, which you set in your account settings.
- -User Content Metadata: When you register a media asset, we collect and store associated metadata, including the asset title, type, description, tags, platform of publication, AI model used, and a cryptographic hash of the asset content. We do not store the full media file on our servers beyond what is needed for processing.
- -Communications: Any messages you send to us via email or support channels.
Information Collected Automatically
- -Usage Data: Information about how you use the Service, including pages visited, features used, registry entries viewed, and time spent on the platform.
- -Device and Log Data: Your IP address, browser type and version, operating system, referral URL, and timestamps of your requests.
- -Cookies and Similar Technologies: We use cookies and similar tracking technologies as described in our Cookie Policy.
Information from Third Parties
- -Authentication Provider (Privy): Upon login, Privy provides us with a unique user identifier and your verified email address or phone number.
- -Payment Processor (Dodo Payments): Upon a successful credit purchase, Dodo notifies us of the transaction amount and credits purchased. Dodo, as our Merchant of Record, handles all payment card data. Colossee does not receive or store full payment card numbers, CVVs, or bank account details.
Public Registry Data
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases to process your personal data:
- -Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the Service pursuant to our Terms of Service — including account management, registry operations, and credit transactions.
- -Legitimate Interests (Art. 6(1)(f)): Processing for fraud prevention, security monitoring, service improvement, and internal analytics, where our interests do not override your rights and freedoms.
- -Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including tax obligations, court orders, and regulatory requirements.
- -Consent (Art. 6(1)(a)): Where we rely on your consent, such as for non-essential cookies or marketing communications. You may withdraw consent at any time.
How We Use Your Information
- -Providing the Service: Account creation, authentication, asset registration, credit management, and generating provenance certificates.
- -Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent registrations, abuse, and other illegal activity.
- -Customer Support: Responding to your questions, resolving disputes, and processing feedback.
- -Service Improvement: Analyzing usage patterns to understand how the Service is used and to improve features, performance, and user experience.
- -Legal Compliance: Meeting our obligations under applicable law, including responding to lawful requests from regulatory and law enforcement authorities.
- -Communications: Sending transactional emails (purchase receipts, security alerts) and, with your consent, product updates and announcements. You may opt out of marketing communications at any time via the unsubscribe link in any email.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- -Account data is retained for the duration of your account plus 90 days after deletion, to allow for reactivation and dispute resolution.
- -Transaction records are retained for seven (7) years as required by U.S. tax and financial regulations.
- -Registry entry metadata stored in our database is retained for the life of the account. Registry data anchored to the distributed ledger is permanent and irremovable by design.
- -Log data is retained for up to 90 days for security and debugging purposes.
- -Support communications are retained for up to three (3) years.
After applicable retention periods, data is securely deleted or anonymized.
International Data Transfers
Colossee operates primarily in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the European Commission where required.
Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, loss, destruction, or alteration. These measures include encryption in transit (TLS), encryption at rest, access controls, and regular security assessments.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. You use the Service at your own risk.
If you believe your account has been compromised, please contact security@colossee.com immediately.
Your Rights and Choices
For EEA, UK, and Swiss Residents (GDPR Rights)
You have the following rights regarding your personal data:
- -Right of Access: Request a copy of the personal data we hold about you.
- -Right to Rectification: Request correction of inaccurate or incomplete personal data.
- -Right to Erasure: Request deletion of your personal data, subject to our legal obligations and the immutability of distributed ledger data.
- -Right to Restriction: Request that we limit the processing of your personal data in certain circumstances.
- -Right to Data Portability: Receive your personal data in a structured, machine-readable format.
- -Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- -Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact privacy@colossee.com. We will respond within 30 days (or within the statutory period required by applicable law). You also have the right to lodge a complaint with your local data protection authority.
For California Residents (CCPA / CPRA Rights)
California residents have the right to:
- -Know what personal information we collect, use, disclose, and sell.
- -Delete personal information we have collected, subject to exceptions.
- -Correct inaccurate personal information.
- -Opt-Out of the “sale” or “sharing” of personal information. Note: Colossee does not sell personal information.
- -Limit the use and disclosure of sensitive personal information.
- -Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a verifiable consumer request, email privacy@colossee.com with subject line “CCPA Request.” We will respond within 45 days.
Email and Marketing
You may opt out of marketing emails by clicking the “Unsubscribe” link in any such email or by emailing privacy@colossee.com. Transactional emails (receipts, security alerts) cannot be opted out of while your account is active.
Account Deletion
To delete your account, contact support@colossee.com. Note that Registry Entries already anchored to the distributed ledger are immutable and cannot be removed even after account deletion.
Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or 16 in the EEA). If we learn that we have collected personal information from a child under the applicable age threshold without verifiable parental consent, we will delete that information as quickly as practicable.
If you believe that a child has provided us with personal information, please contact privacy@colossee.com.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date above and, for material changes, provide notice via email or prominent notice on the Service. Your continued use of the Service after any change constitutes your acceptance of the updated Policy.
Contact
For privacy-related questions or to exercise your rights, please contact our Privacy Team: