Legal

Privacy Policy

Last updated: 2026-05-24

Draft v1. Working version pending review by a qualified data-protection adviser before commercial launch.

This Privacy Policy explains how LumiVerse d.o.o. ("Kolega", "we", "us"), acting as the data controller, processes personal data when you use the Kolega service. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and is intended to be read in plain language.

1. Who we are

Kolega is operated by LumiVerse d.o.o., registered at Markuševečka cesta 20C, Zagreb, registration number OIB 88595646800. For data-protection enquiries, contact pozdrav@kolega.hr.

2. What we collect, and why

We collect personal data in three categories, each with a specific lawful basis under GDPR Article 6.

Account & workspace data

When you sign up, we collect your name, email address, hashed password, the workspaces you belong to, and basic billing information (legal name, VAT number where applicable). Lawful basis: performance of a contract (we need this to provide the Service to you).

Agent operating data

To run the agent on your site, we ingest the content you supply (catalog, FAQ, policy documents, site pages). We also store the transcripts of conversations between your site visitors and the agent, including any contact details a visitor chooses to share during an escalation. Lawful basis: performance of a contract on your side, and legitimate interest on the visitor side (running a customer-service interaction on a website they visited). Visitor data is processed on your behalf; in GDPR terms you are the controller for visitor conversations and we are your processor, under our Data Processing Agreement.

Telemetry & analytics

We collect minimal product analytics on the Kolega dashboard (page views, feature usage) and standard server logs (IP address, user agent, timestamps). We do not run third-party advertising trackers or fingerprinting. Lawful basis: legitimate interest in operating, securing, and improving the Service.

3. Who else processes your data

We use carefully selected third-party processors. The current, authoritative list — with each processor's purpose, location, and transfer basis — is at kolega.hr/subprocessors. The principal ones are:

  • Stripe (Ireland / United States) — payment processing. Card details are handled by Stripe; we never see or store them.
  • Brevo (formerly Sendinblue, France) — transactional email (verification, password reset, escalation notifications).
  • LLM providers — depending on the model your workspace uses, conversations may be processed by OpenAI (United States) or by a self-hosted local model that does not transmit data externally. Each provider operates under enterprise terms that prohibit training on your data. The model in use is shown in your dashboard under each agent.
  • Hosting — our application infrastructure runs on Hetzner Online GmbH in the EU.

We notify customers of material changes to the sub-processor list through the dashboard at least fourteen days in advance.

4. International transfers

Some of our processors (Stripe, OpenAI) are based outside the European Economic Area. Where this involves a transfer of personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses or an equivalent valid transfer mechanism. We do not transfer data to jurisdictions without an adequate protection framework.

5. Cookies and similar technologies

We use a minimal set of cookies:

  • magentic_auth_token — strictly necessary for keeping you signed in to your workspace. HttpOnly, SameSite=Lax, expires after seven days of inactivity.

We do not use advertising cookies, third-party analytics cookies, or session-replay tools on the Kolega dashboard. If we add any in the future, we will surface a consent mechanism in line with the EU ePrivacy Directive.

6. How long we keep data

We retain personal data only as long as needed for the purpose it was collected for, then delete or anonymise it. Specific retention windows:

  • Account data — for the lifetime of your workspace, then ninety days after termination unless you request earlier deletion.
  • Conversation transcripts — twelve months by default, configurable down to thirty days in the dashboard. Aggregated metrics may be retained longer in anonymised form.
  • Billing records — seven years (legal retention obligation for accounting records in most EU jurisdictions).

7. Your rights under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights regarding personal data we hold about you:

  • Access — ask us for a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete data we no longer need to hold.
  • Restriction — ask us to restrict processing while a dispute is resolved.
  • Portability — ask us to provide your data in a machine-readable format you can take elsewhere.
  • Objection — object to processing based on legitimate interest.
  • Complaint — lodge a complaint with your local supervisory authority. For users in Croatia, the supervisory authority is AZOP.

To exercise any of these rights, email pozdrav@kolega.hr. We respond within thirty days.

8. Children

Kolega is a B2B service intended for use by businesses, not individual consumers under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

9. Security

We protect personal data with appropriate technical and organisational measures: encrypted transport (TLS), encryption at rest for sensitive fields, principle of least privilege on production systems, regular dependency updates, and audit logging. No system is perfectly secure; if we ever suffer a breach affecting your personal data, we will notify you and the relevant supervisory authority within the timelines required by law.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to you by email at the address on file at least fourteen days before they take effect. The "Last updated" date at the top of this document reflects the most recent revision.

11. Contact

Data-protection enquiries: pozdrav@kolega.hr. General questions about the Service: pozdrav@kolega.hr. The full Terms of Service are at /terms.