Privacy Policy

Last updated: April 24, 2025

1. Who We Are

CollabPals Inc. ("CollabPals," "we," "us," or "our") operates the CollabPals creator-collaboration platform (the "Service"), available at collabpals.com . We are incorporated in Ontario, Canada. Our contact details appear in Section 15 below.

2. Scope

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service, visit our website, or otherwise interact with us. It applies to all users worldwide, including those in the European Economic Area ("EEA") and the State of California.

3. Information We Collect

3.1 Information You Provide to Us

• Account Details — name, Google UID, e-mail address, chosen channel niche.
• Connected-Channel Data — public channel ID, title, avatar URL, subscriber count, and description (via YouTube read-only API scopes).
• Collaboration Content — campaign descriptions, URLs, proofs of completion, comments, and messages.
• Payment Details — last four digits of card, expiry date, billing country (processed and stored by Stripe; we never store full card numbers).
• Support Requests — e-mails, chat transcripts, or attachments you send us.

3.2 Information We Collect Automatically

• Log Data — IP address, browser type, referring URL, pages visited, time spent, and the date/time of each request.
• Device Data — operating system, device identifiers, and screen resolution.
• Cookies & Similar Technologies — session cookies for authentication, CSRF tokens, and analytics cookies (see Section 8).

3.3 Information We Receive from Third Parties

• Google OAuth / YouTube API Services — when you connect a channel, we receive basic channel metadata and your Google account name and e-mail (read-only scopes https://www.googleapis.com/auth/youtube.readonly and openid email profile).
• Payment Processor (Stripe) — fraud scores, dispute information, and billing events.
• E-mail Service (Mailgun) — delivery status and engagement data (opens, clicks, bounces).

4. How We Use Your Information

We process your information to:

1. Create and manage your account.
2. Facilitate collaboration campaigns, escrow Credits, and track completions.
3. Process payments and manage subscriptions.
4. Send transactional e-mails (acceptance, proof submitted, approvals, denials, receipts).
5. Provide customer support and respond to inquiries.
6. Monitor, detect, and prevent fraud, spam, or abuse.
7. Improve and develop the Service, including analytics and research.
8. Comply with legal obligations and enforce our Terms of Service.

5. Legal Bases for Processing (EEA / UK Users)

Where GDPR applies, we rely on the following legal bases:

• Performance of a Contract — to operate your account and deliver the Service.
• Legitimate Interests — to protect the Service, prevent fraud, and improve the product.
• Consent — for optional analytics cookies or marketing communications (you may withdraw at any time).
• Legal Obligation — for tax, accounting, and regulatory purposes.

6. How We Share Information

Recipient / Purpose	Data Shared
Stripe Payments	Billing details, transaction amounts, country, IP address
Mailgun (Transactional E-mail)	E-mail address, message content, delivery metadata
Google OAuth / YouTube API Services	OAuth tokens (encrypted at rest), channel IDs
Analytics Provider (Fathom or Google Analytics) (if enabled)	Anonymized usage events; no Contact data
Law Enforcement / Tax Authorities	Only when required by law or court order

We never sell your personal information. We require all processors to protect data under written agreements consistent with this Policy.

7. International Transfers

We are headquartered in Canada but use service providers in the United States and other jurisdictions. Where personal data is transferred from the EEA/UK to a third country, we rely on Standard Contractual Clauses or an adequacy decision.

8. Cookies & Tracking Technologies

We use:

• Essential Cookies — authentication and CSRF.
• Functional Cookies — to remember preferences.
• Analytics Cookies — optional; you may disable via the cookie banner or browser settings.

9. Data Retention

We retain account information for as long as your account is active and for 6 years thereafter (tax & bookkeeping). We delete OAuth refresh tokens within 30 days of account deletion. Server logs are purged after 12 months.

10. Security

We implement technical and organizational measures such as TLS encryption, least-privilege access controls, and annual penetration tests. No Internet transmission is 100 % secure, so we cannot guarantee absolute security.

11. Your Rights

11.1 EEA / UK Residents

You may:

• Access, correct, or delete your personal data;
• Restrict or object to processing;
• Port your data to another controller;
• Withdraw consent at any time.

Submit requests via [email protected]. We will respond within one month.

11.2 California Residents

Under CCPA/CPRA you have the right to know what personal information we collect, request deletion, opt-out of "sale" or "sharing," and not be discriminated against for exercising your rights. CollabPals does not sell personal information. To exercise your rights, e-mail [email protected].

12. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us information, please contact us and we will delete it.

13. Third-Party Links

The Service may contain links to third-party sites (e.g., YouTube). We have no control over their privacy practices. Please review their policies before providing personal information.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will post the new version on this page and, if changes are material, provide 30 days' notice via e-mail or in-app banner.

15. Contact Us

Data Controller: CollabPals Inc.
100 Queens Quay E, Suite 800
Toronto, ON M5E 1A4 Canada
[email protected]

16. Additional Notice for YouTube API Services

Our use of Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements. You may revoke our access at any time via the Google Security Permissions page.