Privacy Policy
Last updated: April 19, 2026
Who We Are
Colby is a voice-first wellness companion built by REMOTAHEALTH.AI, LDA., a private limited company incorporated in Portugal (NIF 517700760), with registered address at Travessa da Estrada n.º 3, Lomar e Arcos, Braga 4705-255, Portugal.
REMOTAHEALTH.AI, LDA. is the data controller responsible for the personal data you share when using Colby. Colby uses the latest in full-duplex conversational AI and accelerated reasoning to have real, flowing conversations — not scripted exchanges. We built Colby to help people move forward, and that starts with respecting your privacy. This policy explains what we collect, why, and what we will never do with your information.
What We Collect
We collect only what is necessary to make Colby work for you. Nothing more.
- Account information. Your email address when you sign up or join the waitlist. That is all we ask for.
- Conversation data (special category — health data). When you speak or write to Colby, you may share things about your mental health, emotional state, or personal wellbeing. Under the EU General Data Protection Regulation (GDPR), this type of information is classified as special category data — data concerning health — under Article 9. This category receives the highest level of legal protection.
We process this data only on the basis of your explicit consent, as required under GDPR Article 9(2)(a). You give this consent when you actively choose to begin a session with Colby. You can withdraw your consent at any time by deleting your account — and we will delete all associated conversation data within 30 days. Withdrawal does not affect the lawfulness of any processing carried out before you withdrew consent.
We do not use your special category data for any purpose beyond providing and improving your experience with Colby. It is never sold, never shared with advertisers, and never used to train third-party AI models.
The general legal basis for all other data processing (account information, usage data, device data) is Article 6(1)(b) (performance of a contract) and Article 6(1)(f) (legitimate interests), as detailed in the "Our Lawful Basis for Processing" section below.
- Basic usage data. Anonymous signals like page views and session duration so we can understand how the product is being used and where it can improve.
- Device information. Browser type, operating system, and IP address — strictly for security, abuse prevention, and rate limiting. We do not fingerprint you.
What We Do Not Collect
We do not collect your location, contacts, photos, files, or any data from other apps on your device. We do not use third-party advertising trackers. We do not build behavioral profiles for ad targeting. We do not sell or rent your personal information to anyone — ever.
How We Use Your Information
We use the information we collect to:
- Provide and improve the Colby experience for you.
- Monitor, evaluate, and improve the accuracy and safety of Colby's AI-generated responses — including identifying and correcting instances of inaccurate or inappropriate output.
- Communicate with you about your account, service updates, security notices, and support requests. These communications are necessary for the service.
- Send you marketing communications about Colby — but only where you have given us your explicit, separate consent to do so, as described in the "Direct Marketing and Communications" section below.
Our Lawful Basis for Processing
Under GDPR Article 6, we are required to identify a lawful basis for every type of personal data we process. Here is how that maps to what we collect:
- Account information (your email address) is processed on the basis of contract performance — Article 6(1)(b). We need your email to create and maintain your account and to communicate with you about your service. This includes:
  - Communicating with you about your account, service updates, security notices, and support requests. These communications are necessary for the service.
- Conversation data (the voice and text exchanges you have with Colby) is processed on the basis of your explicit consent — Article 6(1)(a). Because this data may include information about your mental health and emotional wellbeing, it is also classified as special category data under Article 9, and we process it only on the basis of explicit consent under Article 9(2)(a). You give this consent when you choose to begin a session. You can withdraw it at any time by requesting deletion of your account.
- Basic usage data (anonymous signals such as page views and session duration) is processed on the basis of our legitimate interests — Article 6(1)(f). Our interest is in understanding how the product is used so we can improve it. This does not override your rights — the data is anonymous and is never used to build a profile of you as an individual.
- Device information (browser type, operating system, and IP address) is processed on the basis of our legitimate interests — Article 6(1)(f). Our interest is in maintaining the security and integrity of the platform, preventing abuse, and ensuring reliable access. We do not use this data to fingerprint or track you.
- Marketing communications (where you have opted in) are processed on the basis of your explicit consent — Article 6(1)(a). You can withdraw this consent at any time without affecting your account.
Where processing is necessary to comply with a legal obligation — such as responding to a lawful request from a regulatory authority — the basis is legal obligation under Article 6(1)(c).
You may withdraw consent for conversation data processing at any time by emailing privacy@askcolby.ai. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
Direct Marketing and Communications
Service communications. If you have an account with Colby, we may contact you by email about your account, service updates, security notices, and changes to these policies. These communications are necessary for the service and are not marketing — you cannot opt out of them while your account is active.
Marketing communications. We would like to send you occasional emails about new features, updates, and wellness content related to Colby. We will only do this if you have given us your explicit, separate consent to receive marketing emails — for example, by ticking an opt-in box during sign-up. We will never send you marketing emails based solely on the fact that you joined our waitlist or created an account, unless you have actively opted in.
Under the EU ePrivacy Directive (Directive 2002/58/EC) and GDPR Article 6(1)(a), marketing emails require your prior consent. That consent must be:
- Freely given — not a condition of using Colby
- Specific — clearly for marketing, separate from any other consent
- Informed — you know what you are signing up for
- Unambiguous — given by a clear affirmative action, never a pre-ticked box
Opting out. You can withdraw your consent for marketing emails at any time by clicking the unsubscribe link in any email we send, or by emailing francesco@askcolby.in. We will action your request within 5 working days. Withdrawing consent for marketing does not affect your account or your consent for conversation data processing.
We do not share your email address with third parties for their own marketing purposes. Ever.
Data Sharing
We do not sell your data. Period. We work with a small number of trusted service providers (hosting, authentication, and infrastructure) to keep Colby running. These providers are bound by strict data protection agreements — including Standard Contractual Clauses where required under GDPR Chapter V — and only process data on our behalf, solely for the purpose of operating Colby. We will never share your conversation content with third parties for their own purposes.
International Data Transfers
REMOTAHEALTH.AI, LDA. is a Portuguese company and processes your data within the European Union. However, some of the third-party infrastructure providers we rely on to operate Colby — including cloud hosting, authentication, and AI processing services — may be based outside the European Economic Area (EEA), including in the United States.
When your data is transferred outside the EEA, we ensure it remains protected to the same standard required by GDPR Chapter V. We do this through one or more of the following mechanisms:
- Adequacy decisions — where the European Commission has determined that a third country provides an adequate level of data protection. The United States is covered by the EU-US Data Privacy Framework, adopted in July 2023.
- Standard Contractual Clauses (SCCs) — where we have entered into the European Commission's approved standard contractual clauses with our service providers, legally binding them to protect your data under GDPR-equivalent standards.
We do not transfer your data to countries outside the EEA unless one of these mechanisms is in place. We carry out due diligence on all third-party providers before engaging them and require them to sign appropriate data processing agreements.
Your conversation data — which may include special category health information — is treated with the highest level of care in any transfer context. We do not permit our infrastructure providers to use your conversation data for their own purposes.
If you would like to know which specific providers we use, which countries they are based in, or which transfer mechanism applies in each case, you can request this information at any time by emailing francesco@askcolby.in. We will respond within 30 days.
Data Retention and Deletion
We keep your data only for as long as it is necessary for the purpose it was collected. Here is exactly how long we retain each type of data:
| Data Type | Retention Period | What Triggers Deletion |
|---|---|---|
| Account information (email) | Duration of your account + 30 days | Account deletion request or 12 months of inactivity |
| Conversation data (voice & text) | 12 months from your last session | Account deletion, consent withdrawal, or 12 months of inactivity |
| Usage data (anonymous) | 24 months from collection | Rolling deletion on a 24-month cycle |
| Device information (IP, browser, OS) | 90 days from collection | Automatic rolling deletion |
Deleting your account. If you want your account and all associated data permanently deleted, email us at francesco@askcolby.in. We will confirm receipt within 2 working days and complete the deletion within 30 days. This is a binding commitment, not a best-effort timeline. Once deletion is complete, we will confirm it by email.
Inactivity. If your account has been inactive for 12 consecutive months, we will email you at the address on file to ask whether you wish to keep your account. If we receive no response within 30 days, we will delete your account and all associated data.
Legal holds. In limited circumstances — for example, where we are required by law to retain data for a specific period — we may retain certain information beyond the periods listed above. We will always inform you if this applies to your data.
No hoops. No retention tricks.
Data Protection
REMOTAHEALTH.AI, LDA. processes special category data — specifically, information you may share about your mental health and emotional wellbeing — in the course of providing Colby.
Under GDPR Article 37(1)(c), the appointment of a Data Protection Officer (DPO) is mandatory where an organisation's core activities involve large-scale processing of special category data. We have assessed this requirement and, at our current stage of operation, the volume of data we process does not yet meet the threshold of "large scale" as defined under GDPR. We are therefore not currently obligated to appoint a formal DPO.
However, we take our data protection responsibilities seriously. All data protection queries, subject access requests, and privacy concerns are handled directly and personally by our founding team. You can reach us at any time at francesco@askcolby.in. We will respond within 30 days.
As our user base grows, we will reassess this obligation and appoint a DPO when required. Any appointment will be reflected in an updated version of this policy, and the DPO's contact details will be published here.
Security
All data is encrypted in transit using TLS and encrypted at rest using AES-256. We follow industry-standard practices to protect your information. That said, no system is perfectly secure — we are transparent about that, and we work continuously to improve our protections.
Internal access controls
Access to your personal data — especially your conversation data — is restricted to the members of our team who genuinely need it to operate and maintain the service. We enforce this through:
- Role-based access controls (RBAC): Only team members with an explicit operational need are granted access to any personal data. Access rights are reviewed regularly.
- Multi-factor authentication (MFA): All internal systems containing personal data are protected by MFA. No employee can access these systems on a password alone.
- Conversation data isolation: Under normal operational circumstances, the content of your individual conversations with Colby is not accessible to any member of our team. Access to raw conversation data requires a specific, documented operational justification and is logged for audit purposes.
De-identification
Where technically possible, we separate information that directly identifies you — such as your name or email address — from your conversation data by assigning each user a randomised internal identifier. This means that even within our systems, your conversation content is stored against a code rather than your name or email. Only authorised personnel with access to the key linking codes to identities can re-associate conversation data with a specific individual. This practice is consistent with GDPR's data minimisation principle under Article 5(1)(c).
What happens if there is a data breach
If we become aware of a personal data breach, we will act immediately. Here is what that means in practice:
- Within 72 hours of discovering a breach, we will notify the Comissão Nacional de Proteção de Dados (CNPD) as required under GDPR Article 33. This notification will include the nature of the breach, the categories and approximate number of people affected, the likely consequences, and the steps we are taking to address it.
- If the breach poses a high risk to your rights and freedoms — for example, if your conversation data or account information is exposed — we will notify you directly without undue delay under GDPR Article 34. We will contact you at the email address associated with your account and tell you clearly what happened, what data was affected, what we are doing about it, and what steps you can take to protect yourself.
- If the breach is contained or the risk is low — for instance, because the data involved was fully encrypted and remains unreadable — we may determine that direct notification to you is not required. In that case, we will document our reasoning internally and report to the CNPD as required.
We will never conceal a breach or delay notification to protect our reputation. If you believe your account or data may have been compromised, contact us immediately at francesco@askcolby.in.
Your Rights
Because we are a Portuguese company and process data under GDPR, these rights apply to all our users — not just those in the EU.
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct any inaccurate or incomplete data
- Erasure — ask us to delete your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent
- Restriction — ask us to pause processing of your data in certain circumstances
- Portability — receive your personal data in a structured, machine-readable format and transfer it to another service
- Object — object to processing based on our legitimate interests at any time
- Withdraw consent — where processing is based on your consent (including conversation data), you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email us at francesco@askcolby.in. We will respond within 30 days.
Right to complain to a supervisory authority
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with Portugal's data protection authority:
Comissão Nacional de Proteção de Dados (CNPD)
Rua de São Bento, 148-3.º, 1200-821 Lisboa, Portugal
Website: www.cnpd.pt
If you are resident in another EU member state, you may also lodge a complaint with your local supervisory authority. A full list is available at www.edpb.europa.eu.
We would always appreciate the chance to resolve a concern directly before you escalate to a regulator — please reach out to us first at francesco@askcolby.in.
Cookies
We use essential cookies only. These are strictly necessary for Colby to function — they cannot be switched off. We do not use advertising cookies, tracking pixels, or any third-party marketing or analytics tools.
Here is exactly what we set:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| session_id | Maintains your authenticated session while you use Colby | End of browser session | First-party |
| auth_token | Keeps you logged in between sessions if you choose to stay signed in | 30 days | First-party |
| csrf_token | Protects against cross-site request forgery attacks | End of browser session | First-party |
Note: Cookie names above are indicative and will be updated to reflect the exact cookies set by your production environment before publishing.
Because these are strictly necessary cookies, we do not require your consent to set them under Directive 2002/58/EC (ePrivacy Directive) and Portugal's Law 41/2004. However, you can block or delete cookies at any time through your browser settings. Doing so may prevent Colby from functioning correctly.
We do not use any cookies for advertising, behavioural profiling, or cross-site tracking. We never will.
Children
Colby is not intended for anyone under the age of 18. We do not knowingly collect data from minors. If we learn that we have collected information from someone under 18, we will delete it immediately.
Changes to This Policy
If we make material changes to this policy, we will notify you by posting a notice on the site before the changes take effect. Continued use of Colby after that point constitutes acceptance.
Contact
Questions, concerns, or requests? Email us at francesco@askcolby.in. We read every message.
You may also write to us at our registered address:
REMOTAHEALTH.AI, LDA.
Travessa da Estrada n.º 3
Lomar e Arcos
Braga 4705-255
Portugal