Privacy Policy
This Privacy Policy explains how Collimate collects, uses, shares, and protects personal data when you visit our websites, create an account, and use our managed sandbox cloud (the “Service”). We aim to collect only what we need to run the Service securely and reliably.
Contents
1.Data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, email address, organization, profile identifiers from your sign-in provider (Google or GitHub) | You / your identity provider |
| Billing | Plan, billing contact, transaction and subscription status. Card and payment details are collected and stored by Paddle, not by us; we receive limited transaction metadata. | You / Paddle |
| Usage & metering | API requests, sandbox lifecycle events, compute/storage metering, quotas, timestamps | Automatic |
| Technical & logs | IP address, device/browser data, request and error logs, security events | Automatic |
| Support & comms | Messages you send us, support tickets, survey responses | You |
We do not intentionally collect special categories of personal data, and you should not submit them as account or support data.
2.How we use data
- Provide, operate, secure, and maintain the Service and your account;
- Authenticate you, provision Sandboxes, meter usage, and process billing (via Paddle);
- Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms;
- Provide support and communicate with you about the Service (including service, security, and billing notices);
- Understand and improve the Service, including aggregate and de-identified analytics; and
- Comply with legal obligations and enforce our agreements.
We do not sell your personal data, and we do not use the contents of your Sandboxes to train models.
3.Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, operate, and improve the Service and prevent abuse, balanced against your rights); legal obligation (for example, tax and accounting); and consent where required (for example, certain communications), which you may withdraw at any time.
4.Sharing & sub-processors
We share personal data only as needed to run the Service, and never sell it. Recipients include service providers acting on our behalf under contract:
| Provider | Purpose |
|---|---|
| Google Cloud Platform | Cloud hosting, compute, databases, and storage that run the Service |
| Paddle.com | Merchant of Record — payment processing, invoicing, and tax |
| Identity providers (Google, GitHub) | Authentication / single sign-on, at your election |
| Communications & support tooling | Transactional email and support |
We may also disclose data to comply with law, respond to lawful requests, protect our rights and the safety of others, or in connection with a merger, acquisition, or asset sale (with notice where required). A current list of sub-processors is available on request at privacy@collimate.ai.
5.International transfers
We operate from Israel and host the Service on cloud infrastructure that may be located in the United States and other regions. Israel is recognized by the European Commission as providing an adequate level of data protection. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the Standard Contractual Clauses. Contact us for more information.
6.Retention
We keep personal data for as long as your account is active and as needed to provide the Service, then for the period required to meet legal, accounting, security, and dispute-resolution obligations, after which we delete or de-identify it. Logs and security data are typically retained for a limited period. You may request deletion as described below; some data may be retained where we have a legal obligation or legitimate need.
7.Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls and least-privilege administration, network controls, and logging. Sandboxes are isolated from one another using virtual-machine-level isolation, and we apply controls to prevent access to cloud metadata and cross-tenant access. No method of transmission or storage is completely secure; you are responsible for securing your API keys and credentials and for backing up anything you need.
8.Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent. If you are in the EEA/UK you may lodge a complaint with your supervisory authority. If you are in Israel, you have rights under the Protection of Privacy Law, 5741-1981. If you are a California resident, you have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of “sale”/“sharing” (we do not sell or share personal data as those terms are defined). To exercise any right, contact privacy@collimate.ai; we will verify your request and respond within the time required by law. We will not discriminate against you for exercising your rights.
9.Customer Content (Sandboxes)
When you run code and data in Sandboxes, we process that Customer Content as a processor solely to provide the Service, under your instructions and our Terms and Data Processing Addendum. We do not access Customer Content except as necessary to operate and secure the Service, prevent or address technical or security problems, comply with law, or at your request. You are the controller of Customer Content and are responsible for its lawful collection and use, including providing any required notices and obtaining any required consents from your own end users.
10.Cookies
Our websites and console use strictly necessary cookies and similar technologies to keep you signed in, remember preferences, and secure the Service. We keep non-essential tracking to a minimum; where we use analytics, we prefer privacy-respecting, aggregate measurement. You can control cookies through your browser settings; disabling essential cookies may break sign-in.
11.Children
The Service is intended for businesses and adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 (or under the age of digital consent in your jurisdiction). If you believe a child has provided us data, contact us and we will delete it.
12.Changes & contact
We may update this Policy from time to time. If we make material changes, we will provide notice (for example, by email or in the console) and update the “Last updated” date above. For any privacy question, or to exercise your rights, contact our privacy team at privacy@collimate.ai.