Privacy Policy of Collec

Account Information: When you create an account with Collec, we may collect your name, email address, password, and other registration details. We use OAuth-based authentication through Supabase, and we do not store your passwords directly.

Usage Information: We collect information about how you use the Services, such as the features you access, the collections you create, the links you save, and the actions you take within the Services. This includes information about your device, browser type, IP address, and the date and time of your activities.

Collection Data: When you use our browser extension or web application to save, organize, and share web resources, we store the URLs, page titles, descriptions, screenshots, text scraps, color palettes, and other metadata you choose to collect.

Communication Information: If you contact us through email, chat, or other communication channels, we will collect the information you provide in your messages, including your name, contact details, and the content of your inquiries.

Payment Information: When you purchase a paid subscription, our third-party payment processor (Stripe) collects your billing details and payment card information to process the transaction. We do not store full payment card numbers on our servers.

Analytics and Performance Data: We use analytics tools to collect non-personal information about the performance of the Services, such as page load times, error rates, and traffic sources. This information helps us improve the quality and performance of the Services.

Device and Connection Information: We collect information about your device, such as the device type, operating system, and network information. This information is used to optimize the Services for your device and to provide a seamless user experience.

We use your personal information to create and manage your account, provide you with access to the Services, and deliver the features and functionality you request, including collection management, AI-powered chatbot assistance, and collaborative workspace features.

Your usage information helps us understand how you interact with the Services, identify areas for improvement, and develop new features and enhancements to meet your needs.

When you use our AI chatbot or AI-assisted features, your prompts and relevant context (such as page content you are viewing) may be sent to third-party AI service providers (such as OpenAI, Anthropic, or Google) to generate responses. We do not use your personal conversations to train AI models.

We may use your contact information to send you important updates, announcements, and administrative messages related to the Services, such as service changes, security alerts, and legal notices.

If you opt-in, we may also send you marketing communications, such as newsletters, product promotions, and event invitations. You can unsubscribe from these marketing emails at any time by following the instructions provided in the email.

We use analytics tools to analyze the usage patterns and trends of the Services. This helps us gain insights into user behavior, measure the effectiveness of our efforts, and make data-driven decisions to improve the Services.

Essential cookies are required for the proper functioning of the Services. These cookies enable you to access and use the basic features of the Services, such as logging in and navigating between pages. We use Supabase authentication cookies to maintain your session. Without these cookies, the Services may not function properly.

Analytics cookies help us analyze how you use the Services and improve their performance. We use Amplitude for analytics, which collects information such as the number of visitors to the Services, the pages they visit, and how long they stay on each page.

Our Amplitude integration also uses autocapture and Session Replay. Autocapture automatically logs your interactions with the Services (such as clicks and page navigation), and Session Replay records a visual playback of your browsing sessions, which may include content displayed on your screen. We use this data solely to diagnose issues and improve the usability of the Services.

We may share your personal information with third-party service providers who assist us in operating the Services. These include:

• Supabase: Authentication, database, and storage
• Cloudflare: Web hosting, CDN, and R2 object storage
• OpenAI / Anthropic / Google: AI chatbot and content generation
• Resend: Transactional email delivery
• Stripe: Payment processing and billing
• Amplitude: Analytics and session replay

These service providers are contractually obligated to protect your personal information and use it only for the purposes for which it was shared.

We may disclose your personal information if required to do so by law, regulation, or legal process, such as a court order, subpoena, or government investigation. We may also disclose your information to protect our rights, property, or safety, or the rights, property, or safety of others.

In the event of a merger, acquisition, sale of assets, or other business transfer, your personal information may be transferred to the acquiring or successor entity. We will notify you of any such transfer and the applicable privacy policies of the new entity.

Collec is operated from the Republic of Korea, and the third-party service providers listed in Section 5.1 are located outside Korea, primarily in the United States. By using the Services, your personal information may be transferred to and processed in these countries.

Such transfers occur over secure networks at the time you use the relevant feature of the Services. The categories of data transferred, the recipients, and the purposes are as described in Sections 2 and 5.1, and each provider retains the data only for as long as necessary to deliver its service. Where required for transfers from the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses.

The extension declares <all_urls> as a host permission. This is required because users need to save links, capture screenshots, or scrape text from arbitrary web pages they visit. Content scripts run on a page only when:

• The user opens the floating action bar on that page, or
• The user invokes a save / capture action (via context menu, keyboard shortcut, or side panel button)

We do not transmit page content to our servers unless you explicitly trigger a save action. Passive browsing data (URLs you visit but do not save) is not collected.

Local-only data: User preferences, UI state, cached collections, and draft items are stored in chrome.storage.local on your device. This data does not leave your device unless you sign in and opt to sync.

Synced data: When you sign in, items you explicitly save (links, text scraps, screenshots, collections, workspace metadata) are uploaded to our Supabase database and Cloudflare R2 object storage for cross-device access and collaboration. Screenshots are stored in a private bucket and served only via short-lived signed URLs.

Workspace metadata: Workspace names, member email addresses, and collection structures are visible to other members of the same workspace.

You can use the extension while signed out. In that mode, all data stays inchrome.storage.local and nothing is transmitted to our servers.

We are committed to complying with the General Data Protection Regulation (GDPR). If you are a resident of the European Economic Area (EEA), you have certain rights under the GDPR, including the right to access, correct, delete, and port your personal information, as well as the right to object to or restrict the processing of your information. To exercise these rights, please contact us using the information provided in the "Contact Us" section below.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

• Right to Know: request disclosure of the categories and specific pieces of personal information we collect about you, the sources, the business purposes, and the categories of third parties we share it with.
• Right to Delete: request deletion of your personal information, subject to certain exceptions.
• Right to Correct: request correction of inaccurate personal information.
• Right to Opt-Out: opt out of the "sale" or "sharing" of your personal information. We do not sell your personal information for monetary consideration (see Section 8).
• Right to Limit: limit the use and disclosure of sensitive personal information.
• Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights.

California's "Shine the Light" law (Civil Code §1798.83) entitles California customers to request, once per year, a list of personal information disclosed to third parties for direct-marketing purposes. We do not currently disclose personal information to third parties for their direct-marketing use.

To exercise any of these rights, contact us at the email address in Section 14.

If you are a resident of the Republic of Korea, the Personal Information Protection Act (PIPA, 개인정보 보호법) grants you the following rights:

• Right to Access (열람권): request access to your personal information.
• Right to Correction & Deletion (정정·삭제권): request correction or deletion of your personal information.
• Right to Suspend Processing (처리정지 요구권): request that we suspend the processing of your personal information.
• Right to Object to Automated Decision-Making (자동화 결정 거부권):refuse decisions made solely by automated means that significantly affect your rights or obligations, and request human review.
• Right to Data Portability (전송 요구권): request that we transfer your personal information to you or to another controller in a structured, machine-readable format.

To exercise these rights, contact our designated personal information protection officer at the email address in Section 14. We will respond within the period prescribed by PIPA (within 10 days, extendable by an additional 10 days with notice).

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected:

• Account information: for the duration of your account and for a reasonable period after deletion (up to 30 days) to handle restoration requests.
• Saved collections, links, captures, text scraps: until you delete them or your account is deleted.
• Browser-extension cached data (local-only): remains on your device until you uninstall the extension or clear extension storage.
• Usage / analytics data: retained for 12 months, after which it is anonymized or deleted.
• Records required by law (e.g., billing records): retained for the period required by applicable law (typically 5 years for transactional records under Korean Commercial Code).

You retain ownership of the content you save, create, and organize within Collec, including links, text scraps, screenshots, notes, and other materials. By using the Services, you grant us a limited license to store, process, and display your content solely for the purpose of providing the Services to you.

Content generated through our AI-powered features (such as the chatbot or content summarization) may be subject to the terms and conditions of the underlying AI service providers (such as OpenAI or Anthropic). You are free to use AI-generated content for personal and commercial purposes, but you acknowledge that such content may not be protected by copyright in all jurisdictions.

If your content infringes on the rights of others, you will be solely responsible for such infringement. This includes any claims arising from the content you save, share, or publish through the Services.

We reserve the right to suspend or terminate your account if you violate our Terms of Service, engage in fraudulent activities, or fail to comply with applicable laws and regulations.

If you believe your account has been suspended in error, you may submit an appeal within 14 days by contacting us at support@collec.ai. Our team will review your appeal within 7 business days.