Privacy Policy

This Privacy Policy explains how Colloxa ("Colloxa", "we", "us") collects, uses, and protects personal information when you visit colloxa.com, request a pilot invitation, or request an architecture review.

This policy applies to information collected through our marketing website. It does not cover information processed inside the Colloxa platform during a contracted engagement; that processing is governed by the Data Processing Agreement signed with each customer.

During a pilot or production engagement, the Colloxa platform is governed by your signed Data Processing Agreement, not this marketing-site policy. The platform defaults to metadata-first capture; full prompt logging is opt-in. Data minimisation detail is shared during diligence.

We collect the minimum information needed to evaluate a pilot or review request and to run a working website.

• Pilot invitation requests: full name, work email, company, team size, and the notes you choose to share.
• Architecture review requests: full name, work email, company, role, deployment model, AI surfaces in scope, controls in place, and your primary concern.
• Analytics (with consent only): aggregated page-view and user behaviour telemetry via Google Analytics 4, Microsoft Clarity, and Google Tag Manager. These scripts do not load until you accept analytics cookies in the cookie banner. Session recordings may contain pseudonymous usage data and are used solely to improve website usability. Configure your browser or contact us if you need to limit recording.
• Essential cookies: cookie consent preference and security cookies required for the site to function. These are not used for advertising.
• Operational logs: standard server logs (IP, user agent, timestamp) kept for security and abuse prevention.

We use the information for the following purposes only:

• To respond to your pilot invitation or architecture review request.
• To send you a single acknowledgement email confirming receipt.
• To improve the website and the materials we send during diligence.
• To meet our legal, regulatory, and contractual obligations.

We do not sell personal information. We do not enrol you in marketing drips. We do not share your details with third parties for advertising.

We process personal information on the basis of (a) your consent, given when you submit a form or accept analytics cookies; (b) our legitimate interest in operating and improving the website and pilot process (excluding analytics, which relies on consent); and (c) compliance with applicable law, including the Protection of Personal Information Act, 2013 (POPIA), Zimbabwe's Cyber and Data Protection Act where relevant, the General Data Protection Regulation (GDPR), the Kenya Data Protection Act, the Nigeria Data Protection Regulation (NDPR), and the Rwanda Law No. 058/2021 relating to the protection of personal data and privacy (Rwanda DPL), where each applies.

We use a small number of trusted sub-processors to operate the website and respond to you. Each is bound by data-processing terms appropriate to their role.

• Cloudflare: site hosting and edge delivery.
• Resend: transactional email delivery for form submissions and acknowledgements.
• Google Analytics 4: traffic analysis and user behaviour tracking (loaded only after analytics consent).
• Microsoft Clarity: user behavior analytics and session replay for website optimization (loaded only after analytics consent).
• Google Tag Manager: centralized tag management for analytics (loaded only after analytics consent).

A current sub-processor list is available on our DPA & sub-processors page and to design-partner customers on request under NDA.

Pilot invitation and architecture review request data is retained for up to 24 months from the date of submission, after which it is deleted unless you have entered into a contractual engagement with us, in which case retention is governed by that contract. Server and analytics logs are retained for up to 12 months.

Subject to applicable law, you have the right to access, correct, delete, or restrict the personal information we hold about you, to object to processing, and to lodge a complaint with a supervisory authority. Under POPIA, the South African Information Regulator is the supervisory authority.

To exercise any of these rights, email support@colloxa.com. We respond within 30 days.

We protect personal information using least-privilege access controls, multi-factor authentication for internal systems, encryption in transit, and regular third-party penetration testing. SOC 2 Type II is targeted for Q4 2026. Current security posture materials are available on request under NDA.

We may transfer personal information to sub-processors located outside Zimbabwe, South Africa, the European Union, Nigeria, Kenya, or Rwanda, depending on the service. Where required, transfers rely on appropriate safeguards such as standard contractual clauses or adequacy decisions. Specific transfer detail for a given engagement is documented in the customer's Data Processing Agreement.

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above. Continued use of the website after a change constitutes acceptance of the revised policy.