Privacy Policy

Effective date: 12 July 2026 · Version 1.0
Local-first by design. Colpan indexes, searches, previews and OCRs your documents on your own device. Your documents, indexes and search queries never reach our servers. The only personal data we process is the minimum needed to run your subscription — and this policy lists all of it.

1. Who we are

The data controller is ReviseTouch ("we", "us"), the operator of Colpan and colpan.app. For privacy matters contact support@colpan.app.

2. What we do NOT collect

3. What we do collect

a) Purchase and subscription data

When you subscribe, Paddle (our merchant of record) processes your order and shares with us the data needed to fulfil it: your e-mail address, subscription/transaction identifiers, plan and subscription status. Paddle is an independent controller for payment processing under its own privacy policy.

b) License records

To operate your subscription we store: your license key, e-mail address, subscription status and plan, device seat records (a random per-install identifier — not a hardware fingerprint — an optional device name such as the computer name, and activation time), an encrypted AI access credential, and aggregate AI usage totals (a spend figure — never the content of your prompts).

c) Support correspondence

If you e-mail us, we process your address and message to answer you.

4. Managed AI processing

When you use the managed AI feature, the text you choose to send (your prompt and the document excerpts you attach) is transmitted to OpenRouter, Inc. (USA), which routes it to the AI model provider serving your request. Before sending, Colpan's PII guard masks detected personal data on your device, and you can review what will be sent; the guard is a best-effort tool, and you decide what leaves your machine. We do not store your prompts or AI responses on our servers. If you use BYOK or local models instead, your AI traffic does not involve our services at all.

5. Purposes and legal bases

6. Recipients and processors

ProviderRoleLocation
Paddle.com Market LtdMerchant of record — payments, tax, invoicing (independent controller)UK/EU/USA
Cloudflare, Inc.Website hosting, network, and license database infrastructureGlobal (EU/USA)
OpenRouter, Inc.AI request routing to model providers (managed AI only)USA
Resend (Plus Five Five, Inc.)Transactional e-mail delivery (license e-mails)USA

We do not sell personal data and do not share it with anyone else except where required by law.

7. International transfers

Some providers above process data outside your country, including in the USA. Where GDPR or similar laws apply, transfers rely on appropriate safeguards such as the providers' standard contractual clauses or applicable adequacy frameworks.

8. Retention

9. Security

We apply reasonable technical and organizational measures appropriate to the small data footprint we keep: TLS for data in transit, encryption at rest for AI credentials, least-privilege access, and secrets management. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security; we handle any personal-data incident in accordance with applicable law, including notification duties where they apply. Remember that the most sensitive data — your documents — never leaves your device in the first place.

10. Your rights

Subject to applicable law (including the GDPR and, for users in Türkiye, KVKK — Law No. 6698), you may request access to, correction of, deletion of, or a copy of your personal data, object to or restrict certain processing, and withdraw consent where processing is based on consent. Write to support@colpan.app; we respond within the statutory time limits. You may also lodge a complaint with your data protection authority.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect their data.

12. Changes

We may update this policy; material changes will be announced on this page (and by e-mail where appropriate) with a new effective date.