Privacy Policy

Effective Date: September 9, 2025 • Last Updated: September 9, 2025

Colioe.io ("Colioe", "we", "our", "us") is committed to protecting your privacy and securing your personal data. We designed the platform around data minimization and end‑to‑end encryption principles. We intentionally do not access the content you deploy (application code, databases, runtime data, environment variables, customer data). Your deployments are your property.

By using our services you agree to this Privacy Policy. If you do not agree, do not use the services.

1. Scope & Controller

This Policy covers personal data we collect when you create an account, manage domains, manage billing, or interact with our support. For account, billing and domain registration information Colioe is the Data Controller. For application / deployment content, Colioe acts as a blind Data Processor (we store & route encrypted bytes but do not inspect them).

2. Definitions

  • Personal Data: Information that identifies or can identify a natural person.
  • Processing: Any operation on Personal Data (collection, storage, use, deletion).
  • Data Controller: Entity determining the purposes & means of processing.
  • Data Processor: Entity processing data on behalf of a controller.

3. Information We Collect

3.1 You Provide

  • Account: name, email, handle/username, region, organization profile, phone (optional in some regions).
  • Billing: address, payment method tokens (processed & stored by Stripe), VAT / tax IDs if supplied.
  • Domain Registration: WHOIS contact details (required by ICANN). We transmit these to our accredited partner.
  • Support: content of messages or attachments you submit.

3.2 Automatically Collected

  • Usage metadata: timestamps, IP (truncated / rotated when feasible), user agent, device type.
  • Service metrics: aggregate resource usage (CPU, memory, bandwidth) & deployment identifiers.
  • Security & abuse signals: authentication events, rate‑limit counters, anomaly flags.

3.3 We Explicitly Do Not Collect

  • Application / database contents inside your deployments.
  • Your end‑user customer data (unless you deliberately transmit it to support).
  • Environment variables (stored encrypted; not inspected).

4. How We Use Personal Data

  • Provide & operate the platform and domain registration.
  • Authenticate users & secure accounts.
  • Process payments and send invoices / renewal notices.
  • Send essential transactional or security notifications.
  • Detect, prevent & investigate fraud, abuse or security incidents.
  • Comply with legal and regulatory obligations.
  • Improve reliability & performance (aggregate, anonymized metrics only).

5. Legal Bases (GDPR)

  • Performance of Contract (account, billing, domain management).
  • Legitimate Interests (security, service improvement, fraud prevention).
  • Consent (optional marketing; you can withdraw anytime).
  • Legal Obligation (tax, accounting, ICANN requirements).

6. Sharing & Disclosure

  • Domain Partner: Atak Domain Bilgi Teknolojileri Anonim Şirketi (ICANN‑accredited) for registration.
  • Payment Processor: Stripe (tokenized payment methods & invoices).
  • Cloud Providers & CDN: infrastructure & DNS (e.g. Cloudflare) — limited operational metadata only.
  • Support / Monitoring Vendors: strictly scoped access; bound by DPAs.
  • Legal: Where required by law or to protect rights, safety, security.
  • Never sold: We do not sell personal data.

7. International Transfers

We use globally distributed infrastructure. Transfers outside the EEA/UK rely on Standard Contractual Clauses and vendor assessments for equivalent protection.

8. Security

  • TLS 1.2+ in transit.
  • Encryption at rest (AES‑256 or provider equivalent). Deployment data encryption keys inaccessible to operational staff.
  • Principle of Least Privilege access controls & periodic key rotation.
  • Automated patching & dependency monitoring.
  • Routine internal security reviews & external assessments.

9. Your Rights

Subject to region you may request: access, correction, deletion, restriction, objection, portability, withdrawal of consent. Use your dashboard export or contact privacy@colioe.io.

10. Retention

We retain account & billing records for as long as the account is active and as required for tax / legal (generally 7 years for invoices). Deployment data is deleted promptly after you delete it or terminate the account (including backups on a rolling purge schedule).

11. Cookies & Similar Technologies

We use strictly necessary cookies (session & CSRF). Optional analytics or marketing cookies (if introduced) will request separate consent.

12. Children

The services are not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided data contact us for removal.

13. Changes

Material changes will be announced via dashboard notice or email with updated date. Continued use constitutes acceptance.

14. Contact / DPO

Email: privacy@colioe.io
Address: 169 Madison Ave, STE 38183, New York, NY 10016, USA

15. Supervisory Authority

EU / UK users may lodge complaints with their local data protection authority. We welcome resolving concerns directly first.

© 2026 Colioe. All rights reserved.