Legal Notice, Privacy & DPA

Effective date: 01/01/2025

Summary: We collect only what is needed to respond to your enquiry and to provide demos or proofs-of-concept. We never sell personal data. Marketing emails are sent only if you opt in. For enterprise customers, we act as a processor and follow the DPA below.

Privacy Policy

1) Who we are & scope

  • Controller for this website and enquiries: Colentia ("we").
  • Contact (all requests): contact@colentia.com
  • Scope: website visits, the Get in touch form, sales/demos/POCs, support channels, and use of the Colentia product by customers and their end users.
  • If your employer enabled Colentia, your employer is usually the controller, and Colentia is the processor. In that case this notice should be read together with the DPA below and your employer's privacy notice.

2) Data we collect

A) Website & marketing

  • Form fields: first name, last name, work email, company, job title, company size, country/region, phone (optional), "I'm interested in", and your message.
  • System data: IP address, timestamps, anti-bot signals, user-agent, referrer, and pages viewed.
  • Cookies: strictly necessary cookies; optional analytics or marketing cookies only with consent (see Cookie section).

B) Sales, demos, support

  • Lead data: company profile, use case, meeting notes.
  • Support data: ticket metadata, log snippets or screenshots that you choose to share.
  • Recordings/transcripts: off by default; if enabled we ask for consent at the time of recording.

C) Customer product end users

  • Account data: name, business email, role, org unit, groups.
  • Work signals: emails, calendar events, chat messages, files, tickets, tasks, meeting transcripts, plus the access controls that accompany those items.
  • Product telemetry: ingestion/indexing status, latency, error codes, feature use counts.
  • We do not use customer content for advertising or to train general-purpose models.

Special categories: we do not seek special category data. Because work tools may include free text, customers should apply minimization, blocklists, and retention.

3) Why we use data & legal bases (GDPR/UK GDPR)

Purpose | Typical data | Legal basis
Run/secure the site | device and usage data, logs | legitimate interests; security
Respond to enquiries & schedule demos | contact details, message | pre-contract steps or contract
Send product updates | contact, preferences | consent (opt-in only)
Provide & improve the product | account data, telemetry | contract; legitimate interests
Process end-user work signals | connected content & metadata | contract with customer
Security & legal compliance | logs, audit trails | legitimate interests; legal obligation

4) Sharing & disclosure

We use service providers acting under contract as our processors to: host infrastructure; send emails; manage leads and scheduling; protect against bots; deliver analytics (consent-based); and provide CDN/WAF. We do not sell personal data. We may disclose data if required by law or to protect safety.

International transfers: if data moves outside the EEA/UK/Switzerland, we rely on EU Standard Contractual Clauses (2021) and relevant UK/Swiss addenda plus supplementary measures (encryption in transit/at rest, access controls).

5) Retention

  • Enquiry & CRM leads: 24 months from last interaction (or sooner on request).
  • POC/demo uploads: 30 days after the evaluation ends unless you become a customer.
  • Marketing consent logs: 6 years from last change.
  • Customer product data: controlled by the customer's retention settings.
  • Audit logs: typically 12 months, extendable for security needs.

6) Your rights & how to exercise them

Depending on your location, you may have the right to access, rectification, deletion, restriction, and portability of your data, the right to object to processing, and the right to withdraw consent.

  • How to submit a request: email contact@colentia.com with the subject "Privacy request" and tell us what you need.
  • Verification: we verify using your email and reasonable additional information.
  • Timelines: GDPR/UK GDPR—1 month (extendable by 2 months if complex). CPRA—45 days (extendable by 45).
  • We do not discriminate for exercising privacy rights.

8) Security

Security measures include SSO (SAML/OIDC) and least-privilege access for admins, MFA, encryption in transit and at rest, optional customer-managed keys, tenant isolation, private networking, IP allowlists, immutable audit logs, monitoring/alerting, vulnerability management and pen tests, and disaster recovery with documented RPO/RTO.

Cookie Policy

We use cookies and similar technologies to make our website work and to improve your experience. You can control which categories of cookies you accept.

Cookie categories

  • Strictly necessary: session, load balancing, consent, CSRF. These cookies are essential for the website to function and cannot be disabled.
  • Preferences: language/locale settings.
  • Analytics: help us understand how visitors use our site. Only loaded with your consent.
  • Marketing: used to show relevant content. Only loaded with your consent.

Typical lifetimes

Session cookies expire when you close your browser. Persistent cookies may last up to 24 months. Clearing cookies or using your browser privacy settings may affect functionality.

Managing your choices

You can change your cookie preferences at any time by clicking "Cookie settings" in the footer. You can also use your browser settings to block or delete cookies, though this may affect site functionality.

Data Processing Addendum (DPA)

This section forms a Data Processing Addendum between Customer (controller) and Colentia (processor) once you sign a service order or otherwise engage Colentia to process personal data on your behalf.

1) Subject matter, nature, purpose, duration

Processing personal data as necessary to provide the Colentia services (ingestion from connected systems; normalization/enrichment; knowledge graph; search/Q&A with citations; dashboards; support and security) for the term of your agreement and until deletion/return.

2) Roles & instructions

Customer is the controller; Colentia is the processor. We process only on documented instructions from Customer, including those given through product settings and APIs.

3) Confidentiality

All personnel with access to personal data are bound by confidentiality and receive privacy/security training.

4) Security

We implement appropriate technical and organizational measures proportionate to the risk, including SSO/SCIM, MFA, encryption in transit/at rest with cloud KMS, customer-managed key option, network isolation, Private Link/peering, IP allowlists, immutable audit logs, monitoring, secure SDLC, penetration tests, and business continuity/disaster recovery.

5) Sub-processing

Customer authorizes Colentia to use sub-processors to provide the services. We impose the same data-protection obligations by contract and remain liable for them. Categories: cloud hosting & storage; key-management; email delivery; CRM/marketing automation; scheduling/meeting tools; CDN/WAF & anti-bot; analytics (consent-based only).

6) Assistance with data-subject requests

We assist Customer via appropriate technical and organizational measures to fulfill rights requests (access, rectification, erasure, restriction, portability, objection).

7) Personal data breach

We will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer data.

8) Return & deletion

At termination or upon request, we delete or return all personal data and then delete existing copies from active systems. Backups are purged on a rolling schedule.

9) International transfers

For transfers outside the EEA/UK/Switzerland, the EU SCCs (2021) are incorporated (Module 2 for controller→processor and Module 3 for onward processor transfers) plus the UK Addendum and Swiss addendum as relevant.

Contact

All privacy and data requests: contact@colentia.com