Privacy Policy.

The information you give us — name, email, and anything you publish on your public site. Basic technical data needed to operate the service (sign-in events, device and browser information, IP for security and rate limiting).

With your consent, we also collect analytics: first-party events we store ourselves (anonymous pageviews, Core Web Vitals) and, when you accept analytics in the cookie banner, events delivered through Google Tag Manager to services configured in our container (currently Google Analytics). We don't sell your data. For the full list of cookies and analytics events, see our cookie policy.

To run your account, deliver the features you signed up for, protect the service against abuse, and meet our legal obligations. That's it.

You, your admin collaborators if any, and the vendors we rely on to run the service (hosting, email delivery, payments, and — if you grant analytics consent — Google, via Tag Manager and Analytics, acting as our data processor). Nobody else. We don't share your data with third parties for advertising.

Colos-AI — the AI agent in your admin — works by sending your prompt plus a small amount of context (the page you're on, the specific content you're drafting, your coach profile basics) to our AI provider so it can generate the response. That provider processes the request and returns a draft to Colos-AI, which then shows it to you in the thread.

What we don't do: we don't use your data to train third-party models, we don't sell AI prompts or outputs to anyone, and we don't share them across accounts. We log enough metadata (tokens, cost, timing) to meter usage and catch abuse — not the prompt content.

Threads stay in your admin until you delete them, which you can do at any time from the Colos-AI panel. If you cancel Colos-AI, existing threads remain read-only in your account and are removed when you close the account.

You can access, correct, export, or delete your data from the admin at any time. If you live somewhere with data-protection laws (such as the GDPR), those rights apply in full.

We apply standard security practices — encryption in transit, careful access control, two-factor authentication for your account. We can't promise perfect security; no one can. We'll notify you promptly if your data is affected by an incident.

While your account is active, and for a reasonable period after closure to meet our legal and operational obligations. You can delete your account at any time.

We'll email you before material changes to this policy take effect. The "last updated" date above reflects the current version.