Colora

Privacy Policy

Effective date: February 8, 2026
Last updated: March 19, 2026

1. Data Controller

AF10 S.r.l., Viale Zara 133, 20159 Milano, Italia. Contact: af10srl@gmail.com.

Quick summary: Colora processes your account/profile data and the content you upload so the social features work. We also process security/abuse signals, limited first-party usage metrics, copyright notices, and ad/privacy preference data so we can keep the platform safe, operate the service, and show sponsored content in supported feed surfaces.

2. Data We Collect

Account and profile data: email address (for login), username, display name, bio, and profile image. If you sign in with Google, we receive your Google account email and basic profile information (name and profile picture) as permitted by Google Sign-In.
User content: photos and videos you upload, captions, hashtags, mentions, comments, likes, follows, bookmarks, direct messages, and related metadata (for example book title, author, coloring medium, and brand fields you add to posts).
Usage and engagement data: post view tracking (we record when you view a post, stored as unique per-user views server-side); first-party aggregate app metrics stored in Supabase such as authenticated app opens, top-level section visits, and daily counts of core actions; and, only if you opt in from the app, behavioral analytics collected through Firebase Analytics (for example screen views, sessions, and feature usage).
Advertising and consent data: consent choices collected through Google's User Messaging Platform, Apple App Tracking Transparency status, ad request and response metadata, advertiser and campaign metadata made available through the ad SDKs, in-feed ad delivery events, ad reports submitted from the app, and first-party house ad impression/click events. Where permitted by your consent choices and Apple's tracking permission, advertising SDKs may also process device-level identifiers such as IDFA. House ad metrics are measured without using IDFA.
Device and technical data: IP address, user-agent, and timestamps (for security, rate limiting, and fraud prevention); device model, operating system version, app version, and crash/error reports collected by Firebase Crashlytics; and network-level data collected by our CDN and security providers (for example Cloudflare).
Moderation and safety data: reports, enforcement actions, moderation results, and audit logs. Posts, captions, comments, and other content you submit in Colora community features may be checked by automated moderation systems and, where needed, human reviewers to detect spam, abuse, misuse, and violations of our rules.
Local device storage: The app stores an authentication token securely in the iOS Keychain; recent search history in local device storage (automatically cleared after 7 days); and cached images on device (up to approximately 50 MB in memory and 200 MB on disk) using standard iOS caching mechanisms.
Support communications: messages you send to support.

3. Purposes and Legal Bases

Provide the service (contract): create accounts, authenticate users, display feeds and profiles, enable posting and interactions, deliver direct messages, and track content engagement (post views).
Security and abuse prevention (legitimate interests / legal obligations): detect spam, fraud, malicious activity, and policy violations; moderate content using automated AI systems and human review; rate limiting; and manage access tokens securely.
Copyright and legal compliance (legal obligation / legitimate interests): handle DMCA notices and counter-notices, preserve evidence, and enforce repeat infringer policy.
Operate and improve the service (legitimate interests): diagnose outages, fix bugs, measure broad feature usage through first-party aggregate metrics, collect crash reports, and improve performance.
Optional behavioral analytics (consent, where required): if you enable analytics from the app and allow Apple's tracking permission, we use Firebase Analytics to understand screen usage, sessions, and feature flows so we can make product decisions.
Sponsored content and consent management (consent / legitimate interests, depending on jurisdiction): show in-feed native ads and Colora first-party promotions, manage privacy choices for advertising, cap ad frequency, determine whether ads should be personalized or non-personalized, measure fill and delivery quality, prevent ad fraud/abuse, and investigate ad reports submitted through the app.

4. Retention

We retain personal data only as long as necessary for service operations, legal obligations, dispute resolution, and security/audit purposes. We may retain limited moderation metadata, such as outcomes, timestamps, enforcement decisions, and audit logs, as needed for safety, dispute handling, and legal compliance.

5. Sharing

We share data with:

Service providers (processors): providers that help us operate Colora, including:
- Firebase (Google) — authentication, optional analytics (enabled only after your in-app choice and Apple's tracking permission), messaging, and crash reporting;
- Google AdMob, Google User Messaging Platform, and Meta Audience Network — ad serving, mediation, privacy messaging, fraud prevention, frequency management, and measurement for sponsored content shown inside feed surfaces;
- Google Sign-In (Google) — federated authentication;
- Supabase — database hosting and serverless functions;
- Cloudflare — content delivery, image storage (R2), web application security, and CAPTCHA (Turnstile);
- Bunny.net — video hosting and streaming for user-uploaded video content;
- OpenAI — automated moderation of text and images for policy compliance. Requests are routed through our secure proxy. We do not intentionally include direct profile identifiers such as your username or email in moderation requests, although the content you submit may itself contain personal information.
These providers process data on our behalf under contractual terms.
Other users: your public profile and content you choose to share are visible to other users according to product features. Direct messages are visible only to participants.
Legal recipients: we may share information with rights holders, users, and authorities as required by law (including DMCA processing and subpoenas/court orders).

6. International Transfers

Where data is transferred internationally, we apply appropriate safeguards as required by applicable law.

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, object to processing of, restrict, or request portability of your personal data. To exercise any of these rights, contact us at af10srl@gmail.com. We will respond within the timeframe required by applicable law.

You can enable or disable optional Firebase Analytics at any time from Settings > Analytics > Share Usage Analytics inside the app. You can revisit ad privacy choices from Settings > Privacy & Ads, and you can change Apple's tracking permission from the iOS Settings app after Apple's ATT prompt has been shown. If you decline Apple's tracking permission or withdraw advertising consent, you may still see ads, but they may be less relevant and may be served without IDFA-based personalization where permitted by law. Minimal first-party aggregate metrics used to operate the service (such as authenticated app opens and top-level section visits) are separate from this optional analytics setting.

8. Account Deletion

You can delete your account directly from within the Colora app by navigating to Settings > Delete Account. The deletion process requires re-authentication for security. Upon deletion, your profile, posts, media files, and associated data are permanently removed from our systems.

You may also request account deletion by emailing af10srl@gmail.com.

Some data may be retained after deletion where required for legal compliance, security, fraud prevention, or dispute resolution (for example, DMCA records and moderation audit logs). Any retained data is kept only as long as legally required and is not used for other purposes.

9. Children

Colora is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided personal data to Colora, please contact us at af10srl@gmail.com and we will take steps to delete that information. Users between 13 and the age of majority in their jurisdiction should have parental or guardian consent to use the service.

10. Security

We use technical and organizational controls to protect personal data, including access controls, logging, and abuse prevention.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes are effective when posted. The “Last updated” date at the top reflects the latest version. We encourage you to review this policy periodically.