Privacy Policy
Effective date: May 10, 2026
Last updated: May 10, 2026
1. Who we are
This Privacy Policy is provided by Andy Chung, ABN 70 449 384 246, trading as Colla ("we", "us", "our").
We operate Colla, an AI-powered personal assistant application for macOS, and the website at getcolla.app (together, the "Service").
Registered address: Gold Coast, Queensland, Australia
Privacy contact: privacy@getcolla.app
We are the data controller for personal information collected through the Service. If you have questions about how your data is handled, contact us at the email above.
2. What this policy covers
This policy applies to all personal information we collect when you:
- Visit our website at getcolla.app
- Sign up for our waitlist
- Create a Colla account and use the application
- Interact with Colla via text or voice
It does not cover third-party websites or services linked from our website or application. We encourage you to read the privacy policies of any third-party services you interact with.
3. Information we collect
3.1 Information you provide directly
| Data | When collected | Purpose |
|---|---|---|
| Email address | Waitlist signup | To notify you about Colla availability |
| Google email and profile name | Account creation (via Google OAuth) | To create and identify your account |
| Preferred name, job role, industry, location | Onboarding | To personalise Colla's behaviour and responses |
| Contacts (name, tag, context notes) | When you add contacts in Colla | To help Colla reference people in your life |
| To-do items (title, notes, due date) | When you create tasks | To manage your tasks |
| Daily briefing time and notification preferences | In Settings | To deliver notifications at the right time |
3.2 Information collected automatically
| Data | How collected | Purpose |
|---|---|---|
| Timezone | Detected when you open the app | To display times correctly and schedule briefings |
| Dialogue state | During conversation | To manage multi-step interactions (e.g., confirming a calendar event) |
3.3 Google account data accessed via APIs
When you connect your Google account, Colla accesses the following data through Google's APIs:
Google Calendar (read and write access)
- Event titles, times, attendees, descriptions, and event links
- Used to answer questions about your schedule; to create, update, and delete events on your behalf; and to generate daily briefings
Gmail (read, label, archive, and send access)
- Email subjects, senders, recipients, and message content
- Used to summarise your inbox, help you triage email, label and archive messages, and send or reply to emails on your behalf
Important: Colla does not store copies of your calendar events or emails in our database. This data is fetched from Google in real time when needed, used to process your request, and then discarded from memory. We do not archive, index, or retain your Google data beyond the duration of a single request.
Colla will never delete your emails. It can only read, label, archive, and send. Every calendar write and email send requires your explicit confirmation before it executes.
3.4 Conversation and memory data
When you interact with Colla via text or voice, your messages are processed by our AI system in real time. We do not store full conversation transcripts.
However, Colla automatically extracts discrete facts from your conversations to build a personalised memory. For example, Colla might extract "User prefers morning meetings" or "User is working on a pitch deck this week." These facts are stored in our memory service (see Section 5) and used to personalise future interactions.
You can request access to and deletion of your memory data at any time by contacting us (see Section 9).
3.5 Voice data
When you use Colla's voice feature, your speech is processed as follows:
- Your spoken words are converted to text (speech-to-text) by our voice provider, ElevenLabs.
- Colla's written response is converted to spoken audio (text-to-speech) by ElevenLabs.
- Voice audio recordings and transcripts are retained by ElevenLabs for up to 30 days for service delivery purposes, after which they are deleted.
We do not store voice recordings in our own database. Voice data may constitute biometric information under certain laws. By using the voice feature, you consent to the processing of your voice data as described in this section.
3.6 Website data
When you visit getcolla.app, we may collect standard web analytics data including pages visited, referral source, and browser type. We do not use third-party advertising trackers. If we use analytics tools, they are configured to respect your privacy and do not track you across other websites.
We use essential cookies only — cookies required for the website to function correctly (such as theme preference). We do not use advertising or tracking cookies.
4. Legal basis for processing
We process your personal information on the following legal bases:
| Legal basis | Applies to |
|---|---|
| Consent | Waitlist signup, voice data processing, memory extraction from conversations, connecting your Google account |
| Contractual necessity | Account data, Google API access, conversation processing — required to provide the Service you signed up for |
| Legitimate interest | Aggregate product improvement, security monitoring, debugging |
You can withdraw consent at any time by disconnecting your Google account, disabling voice, requesting memory deletion, or deleting your account. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Who we share data with
We share your data only with the services necessary to provide Colla. We do not sell, rent, or trade your personal information to any third party.
| Service | Role | Data received | Data retained by them |
|---|---|---|---|
| Supabase (US) | Database and authentication | Account profile, contacts, todos, integration status, application state | Retained while your account is active |
| Nango (US) | OAuth token management and Google API proxy | Google OAuth refresh tokens; proxies Google API requests | Tokens retained while your connection is active |
| Anthropic (US) | AI language model provider | Your messages, memory context, and relevant calendar/email data for the current request | Retained for up to 30 days for safety monitoring, then automatically deleted; not used for model training |
| Zep (US) | Long-term memory storage | Extracted facts from conversations (not full transcripts) | Retained while your account is active |
| ElevenLabs (US) | Voice speech-to-text and text-to-speech | Voice audio and transcripts | Retained for up to 30 days |
| TinyFish (US) | Web search and page fetching | Search queries | Retained per their retention policy |
| Google (US) | Calendar and email data provider | N/A — data flows from Google to Colla, not the reverse | Governed by Google's Privacy Policy |
We may also disclose your information if required to do so by law, in response to a valid legal request, or to protect the rights, property, or safety of our users or the public.
6. Google API Services User Data Policy
Colla's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data solely to provide and improve the user-facing features of Colla that are visible to you.
- We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or with your explicit consent.
- We do not use Google user data for serving advertisements, including retargeting, personalised advertising, or interest-based advertising.
- We do not allow humans to read your Google user data unless (a) you have given explicit consent, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymised so that it can no longer identify you.
7. International data transfers
We are based in Australia. The third-party services listed in Section 5 are primarily based in the United States. This means your personal information may be transferred to, stored in, and processed in the United States and other countries outside Australia or your country of residence.
These countries may have data protection laws that differ from those in your jurisdiction. We take reasonable steps to ensure your information is treated securely and in accordance with this Privacy Policy. Where required, we rely on standard contractual clauses, data processing agreements, or other appropriate safeguards.
8. Automated decision-making
Colla uses artificial intelligence to process your messages, extract memory facts, classify information, and generate responses. These processes are automated.
Colla's AI does not make decisions that produce legal effects or similarly significant effects on you. It assists you with scheduling, email management, and task organisation — but all actions that affect your Google account (creating events, sending emails) require your explicit confirmation before they are executed.
The memory extraction system automatically identifies facts from your conversations. You have the right to review, correct, and delete these extracted facts at any time.
9. Your rights
For all users
You have the right to:
- Access your personal data held by us.
- Correct inaccurate data, such as updating your name or location in Settings.
- Delete your data, including requesting full account deletion.
- Disconnect your Google account at any time, which immediately revokes Colla's access to your Google data. Disconnecting does not delete your Colla account or memories.
- Request memory deletion — you can ask us to delete specific memories or all memories associated with your account.
- Withdraw consent for data processing at any time by deleting your account.
Additional rights for Australian residents
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Request access to the personal information we hold about you.
- Request correction of any information that is inaccurate, out of date, or incomplete.
- Make a complaint about how we handle your personal information (see Section 13).
Additional rights for EEA, UK, and Swiss residents
Under the General Data Protection Regulation (GDPR) and equivalent legislation, you also have the right to:
- Data portability — receive your personal data in a structured, machine-readable format within 30 days of your request.
- Restriction of processing — request that we limit how we use your data in certain circumstances.
- Object to processing — object to processing based on legitimate interest.
- Lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at privacy@getcolla.app.
10. Data retention
| Data type | Retention period |
|---|---|
| Account profile and preferences | Retained while your account is active; deleted on account deletion |
| Google Calendar and Gmail data | Not stored — fetched in real time and discarded after each request |
| Memory facts (extracted from conversations) | Retained while your account is active; deleted on request or account deletion |
| Voice audio and transcripts (held by ElevenLabs) | Up to 30 days |
| To-do items (after user deletion) | Soft-deleted for 30 days, then permanently removed |
| Contacts | Retained while your account is active; deleted on account deletion |
| Waitlist email address | Retained until you unsubscribe or the waitlist period ends |
| Website analytics | Retained in aggregate only; no individual profiles |
When you delete your account, we delete your data from our database and revoke your Google OAuth tokens. We instruct our sub-processors (Zep, ElevenLabs) to delete your data in accordance with their respective retention policies. Some residual data may persist in encrypted backups for a limited period before being overwritten.
11. Data security
We implement the following measures to protect your personal information:
- All data in transit is encrypted via HTTPS/TLS.
- API keys and secrets are stored server-side only and are never exposed to the client application.
- Our database enforces row-level security — each user can only access their own data.
- Client-facing API endpoints use JSON Web Token (JWT) verification.
- Voice sessions use a separate cryptographic authentication mechanism.
- All third-party service communication is routed through server-side functions. Your client device never communicates directly with our AI, memory, or integration providers.
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee absolute security.
12. Data breach notification
In the event of a data breach that is likely to result in serious harm to you, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme of the Privacy Act 1988.
- Notify affected individuals as soon as practicable.
- Take reasonable steps to contain the breach and mitigate any resulting harm.
If you are located in the EEA, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by Article 33 of the GDPR.
13. Complaints
If you are unhappy with how we have handled your personal information, please contact us first at privacy@getcolla.app. We will investigate your complaint and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
If you are located in the EEA, you may also lodge a complaint with your local data protection supervisory authority.
14. Children's privacy
Colla is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@getcolla.app and we will take steps to delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by posting a notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.
Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
16. Governing law
This Privacy Policy is governed by the laws of Queensland, Australia. Any disputes arising from this policy will be subject to the exclusive jurisdiction of the courts of Queensland, Australia.
Contact us
If you have any questions about this Privacy Policy or wish to exercise any of your rights, contact us at:
Andy Chung
ABN: 70 449 384 246
Address: Gold Coast, Queensland, Australia
Email: privacy@getcolla.app
Website: https://getcolla.app