Privacy Policy

This Privacy Policy explains how Colloxa ("Colloxa", "we", "us") collects, uses, and protects personal information when you visit colloxa.com, request a pilot invitation, or request an architecture review.

This policy applies to information collected through our marketing website. It does not cover information processed inside the Colloxa platform during a contracted engagement; that processing is governed by the Data Processing Agreement signed with each customer.

We collect the minimum information needed to evaluate a pilot or review request and to run a working website.

• Pilot invitation requests: full name, work email, company, team size, and the notes you choose to share.
• Architecture review requests: full name, work email, company, role, deployment model, AI surfaces in scope, controls in place, and your primary concern.
• Analytics: aggregated page-view and user behaviour telemetry via Microsoft Clarity. Session recordings are anonymised and used solely to improve website usability.
• Operational logs: standard server logs (IP, user agent, timestamp) kept for security and abuse prevention.

We use the information for the following purposes only:

• To respond to your pilot invitation or architecture review request.
• To send you a single acknowledgement email confirming receipt.
• To improve the website and the materials we send during diligence.
• To meet our legal, regulatory, and contractual obligations.

We do not sell personal information. We do not enrol you in marketing drips. We do not share your details with third parties for advertising.

We process personal information on the basis of (a) your consent, given when you submit a form; (b) our legitimate interest in operating and improving the website and pilot process; and (c) compliance with applicable law, including the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (GDPR), the Kenya Data Protection Act, the Nigeria Data Protection Regulation (NDPR), and the Rwanda Law No. 058/2021 relating to the protection of personal data and privacy (Rwanda DPL), where each applies.

We use a small number of trusted sub-processors to operate the website and respond to you. Each is bound by data-processing terms appropriate to their role.

• Cloudflare: site hosting and edge delivery.
• Resend: transactional email delivery for form submissions and acknowledgements.
• Microsoft Clarity: user behavior analytics and session replay for website optimization.

A current sub-processor list is available to design-partner customers on request under NDA.

Pilot invitation and architecture review request data is retained for up to 24 months from the date of submission, after which it is deleted unless you have entered into a contractual engagement with us, in which case retention is governed by that contract. Server and analytics logs are retained for up to 12 months.

Subject to applicable law, you have the right to access, correct, delete, or restrict the personal information we hold about you, to object to processing, and to lodge a complaint with a supervisory authority. Under POPIA, the South African Information Regulator is the supervisory authority.

To exercise any of these rights, email privacy@colloxa.com. We respond within 30 days.

We protect personal information using least-privilege access controls, multi-factor authentication for internal systems, encryption in transit, and regular third-party penetration testing. SOC 2 Type II is targeted for Q4 2026. Posture materials are available on request under NDA.

We may transfer personal information to sub-processors located outside South Africa, the European Union, Nigeria, Kenya, or Rwanda, depending on the service. Where required, transfers rely on appropriate safeguards such as standard contractual clauses or adequacy decisions. Specific transfer detail for a given engagement is documented in the customer's Data Processing Agreement.

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above. Continued use of the website after a change constitutes acceptance of the revised policy.