Privacy Policy
1. Who we are
The data controller is ReviseTouch ("we", "us"), the operator of Colpan and colpan.app. For privacy matters contact [email protected].
2. What we do NOT collect
- Your documents and their contents — indexing, full-text search, preview, OCR and conversion run locally. Document content is not transmitted to us.
- Your indexes, search queries and previews — stored only on your device.
- Website tracking — colpan.app uses no analytics, no advertising trackers and no tracking cookies. Your browser's localStorage keeps only your theme and language preference; this never leaves your browser.
- Payment card data — handled entirely by Paddle (Section 4); we never see it.
3. What we do collect
a) Purchase and subscription data
When you subscribe, Paddle (our merchant of record) processes your order and shares with us the data needed to fulfil it: your e-mail address, subscription/transaction identifiers, plan and subscription status. Paddle is an independent controller for payment processing under its own privacy policy.
b) License records
To operate your subscription we store: your license key, e-mail address, subscription status and plan, device seat records (a random per-install identifier — not a hardware fingerprint — an optional device name such as the computer name, and activation time), an encrypted AI access credential, and aggregate AI usage totals (a spend figure — never the content of your prompts).
c) Support correspondence
If you e-mail us, we process your address and message to answer you.
4. Managed AI processing
When you use the managed AI feature, the text you choose to send (your prompt and the document excerpts you attach) is transmitted to OpenRouter, Inc. (USA), which routes it to the AI model provider serving your request. Before sending, Colpan's PII guard masks detected personal data on your device, and you can review what will be sent; the guard is a best-effort tool, and you decide what leaves your machine. We do not store your prompts or AI responses on our servers. If you use BYOK or local models instead, your AI traffic does not involve our services at all.
5. Purposes and legal bases
- Providing the Service (license management, activation, seat management, AI allowance) — performance of a contract.
- Sending your license and service e-mails — performance of a contract.
- Preventing fraud and abuse, securing the Service — legitimate interests.
- Compliance (tax, accounting, legal claims) — legal obligations and legitimate interests.
6. Recipients and processors
| Provider | Role | Location |
|---|---|---|
| Paddle.com Market Ltd | Merchant of record — payments, tax, invoicing (independent controller) | UK/EU/USA |
| Cloudflare, Inc. | Website hosting, network, and license database infrastructure | Global (EU/USA) |
| OpenRouter, Inc. | AI request routing to model providers (managed AI only) | USA |
| Resend (Plus Five Five, Inc.) | Transactional e-mail delivery (license e-mails) | USA |
We do not sell personal data and do not share it with anyone else except where required by law.
7. International transfers
Some providers above process data outside your country, including in the USA. Where GDPR or similar laws apply, transfers rely on appropriate safeguards such as the providers' standard contractual clauses or applicable adequacy frameworks.
8. Retention
- License records — for the life of your subscription and afterwards only as long as needed for tax, accounting and legal-claim purposes.
- Support e-mails — up to 24 months after the matter is closed.
- On a verified deletion request we delete personal data we are not legally required to keep.
9. Security
We apply reasonable technical and organizational measures appropriate to the small data footprint we keep: TLS for data in transit, encryption at rest for AI credentials, least-privilege access, and secrets management. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security; we handle any personal-data incident in accordance with applicable law, including notification duties where they apply. Remember that the most sensitive data — your documents — never leaves your device in the first place.
10. Your rights
Subject to applicable law (including the GDPR and, for users in Türkiye, KVKK — Law No. 6698), you may request access to, correction of, deletion of, or a copy of your personal data, object to or restrict certain processing, and withdraw consent where processing is based on consent. Write to [email protected]; we respond within the statutory time limits. You may also lodge a complaint with your data protection authority.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their data.
12. Changes
We may update this policy; material changes will be announced on this page (and by e-mail where appropriate) with a new effective date.