This is a plain-English rundown of what data Kollabo collects, what we do with it, and your rights around it. It covers both the AI marketing module (ai.kollabo.online) and the operations + booking module (os.kollabo.online).
Two roles to keep straight
If you sign up to Kollabo as a studio owner or marketer, we are the data controller for your account data. If you take payments from your customers via the operations module, you are the data controller for those customer records and Kollabo is the processor — we hold the data on your behalf, you decide what happens to it.
What we collect (about you)
- Account data: your email, name, and the password hash stored by Supabase.
- Business profile: business name, industry, audience, goals, voice samples, colours, logo — whatever you enter during onboarding and settings.
- Generated content: the captions, ads, emails, images, and plans the AI creates for you.
- Usage data: how many content plans / captions / sales / class bookings you've made this month, so we can enforce plan limits and bill correctly.
- Stripe Connect data (operations module): your Stripe account ID + KYC status. Bank account details, tax IDs, and verification documents are held by Stripe, not us.
What we hold on behalf of your customers (operations module)
- Name, email, phone, date of birth, address.
- Booking history, attendance, packs + memberships, gift card balances.
- Saved card token (held by Stripe; we hold the reference).
- Waivers + intake form responses, signed signatures.
- SOAP notes (clinical practitioners), tags, and free-text notes you write about them.
- Stripe customer ID + payment intent IDs for reconciliation.
We never use this data to market Kollabo to your customers. We never sell it. We don't share it with other studios on the platform.
Who we share data with
Third-party processors we use to run Kollabo:
- Supabase — database + file storage (auth, business profile, generated content, customer roster, sales)
- Anthropic (Claude) — AI generation. Your brand profile + prompts are sent to Claude to produce output. Anthropic does not train on API inputs.
- Stripe + Stripe Connect — payment processing for both Kollabo subscriptions and your customers' transactions. Stripe sees card data; we don't.
- Resend — transactional emails (welcome, invites, booking confirmations, password reset).
- Twilio (optional) — SMS for class reminders + flash invites, only if you enable it.
- Vercel — hosting + request logs.
- Apify / Zernio (optional) — competitor scraping + social publishing, only when you opt in.
We never sell your data. We never give it to advertisers. We only share with the above providers because they're required to run the service you're paying for.
Cookies
We use essential cookies for authentication (so you stay logged in) and session management. No tracking cookies, no third-party ad pixels.
Your rights
- Access: ask us to export everything we have on you.
- Correction: fix anything wrong via account settings.
- Deletion: email hello@kollabo.online and we'll wipe your account + all generated content within 30 days.
- Portability: we'll provide your data in JSON or CSV on request.
- Withdraw consent: cancel any time. Your data is deleted per the above.
Where your data lives
Our infrastructure (Supabase, Vercel) runs on AWS regions in the US and EU. Anthropic runs in the US. If you need specific data residency (EU-only, for example), email us before signing up.
Security
All data is encrypted in transit (HTTPS) and at rest. Authentication is handled by Supabase with rate-limited login attempts. We never store plaintext passwords. Service role keys are kept server-side only.
Children
Kollabo is not for anyone under 18. If we learn a child signed up, we'll delete the account.
Changes
If we materially change this policy we'll email you at least 14 days before it takes effect.
Contact
Privacy questions → hello@kollabo.online.
This is a plain-language placeholder to get Kollabo launched. Before scaling or taking EU enterprise clients we'll replace it with a fully reviewed policy.