Colistor

Privacy Policy

Last Updated: November 1, 2025

1. Introduction

Colistor ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how information is handled when you use our self-hosted productivity platform ("the Service").

2. Self-Hosted Nature

2.1 Data Controller

When you deploy and use Colistor on your own infrastructure, you are the data controller for all personal data processed by your instance. We do not have access to, collect, or process any personal data from your self-hosted deployment.

2.2 Your Responsibilities

As the operator of a self-hosted instance, you are responsible for:

  • Ensuring compliance with applicable data protection laws (GDPR, Swiss FADP, etc.)
  • Implementing appropriate security measures
  • Managing user consent and data subject rights
  • Maintaining data processing records
  • Conducting data protection impact assessments where required

3. Information We Do Not Collect

Since the Service is self-hosted:

  • We do NOT collect any personal information from your instance
  • We do NOT track your usage or activity
  • We do NOT have access to your data
  • We do NOT process any information on our servers

4. Information You Control

When running your own instance, you may collect and process:

4.1 User Account Information

  • Names, email addresses, usernames
  • Authentication credentials
  • User preferences and settings

4.2 Content Data

  • Tasks, notes, bookmarks, and other user-generated content
  • Files and attachments uploaded to the system
  • Metadata associated with user content

4.3 Technical Information

  • IP addresses and access logs (if logging is enabled)
  • Browser type and device information
  • Usage patterns and analytics (if configured)

5. Legal Basis for Processing (GDPR)

If you process personal data of individuals in the EU/EEA, you must ensure a legal basis under GDPR Article 6:

5.1 Consent (Article 6(1)(a))

  • Obtain clear, informed consent from users
  • Users must be able to withdraw consent at any time

5.2 Contract (Article 6(1)(b))

  • Processing necessary for providing the Service to users

5.3 Legal Obligation (Article 6(1)(c))

  • Compliance with legal requirements

5.4 Legitimate Interests (Article 6(1)(f))

  • Security and fraud prevention
  • Service improvement and optimization

6. Data Subject Rights (GDPR)

As the data controller, you must ensure users can exercise their rights under GDPR:

6.1 Right of Access (Article 15)

Users have the right to obtain confirmation whether their personal data is being processed and access to such data.

6.2 Right to Rectification (Article 16)

Users have the right to have inaccurate personal data corrected.

6.3 Right to Erasure (Article 17)

Users have the right to request deletion of their personal data ("right to be forgotten").

6.4 Right to Data Portability (Article 20)

Users have the right to receive their personal data in a structured, commonly used format.

6.5 Right to Object (Article 21)

Users have the right to object to processing of their personal data.

6.6 Right to Restriction (Article 18)

Users have the right to request restriction of processing under certain circumstances.

7. Swiss Data Protection (FADP)

If you process personal data of individuals in Switzerland, you must comply with the Swiss Federal Act on Data Protection:

7.1 Data Processing Principles

  • Process personal data lawfully
  • Collect data for specified, explicit, and legitimate purposes
  • Process only adequate, relevant, and necessary data
  • Ensure data accuracy
  • Limit data retention periods

7.2 Information Obligations

  • Inform data subjects about data processing
  • Provide information about data retention periods
  • Inform about rights to access and correction

7.3 Data Security

  • Implement appropriate technical and organizational measures
  • Protect data against unauthorized access
  • Ensure confidentiality and integrity

7.4 Cross-Border Data Transfers

If transferring data outside Switzerland:

  • Ensure adequate level of protection
  • Use appropriate safeguards (Standard Contractual Clauses, etc.)
  • Comply with Swiss data transfer requirements

8. Data Security

You are responsible for implementing security measures including:

  • Encryption of data at rest and in transit
  • Access controls and authentication
  • Regular security updates and patches
  • Backup and disaster recovery procedures
  • Monitoring and logging (with appropriate privacy measures)

9. Data Retention

You should establish and implement data retention policies:

  • Retain personal data only as long as necessary
  • Define retention periods for different data categories
  • Implement automated deletion where appropriate
  • Document retention periods and legal justifications

10. Third-Party Services

If you integrate third-party services with your instance:

  • You are responsible for ensuring their compliance
  • Review their privacy policies and data processing terms
  • Implement appropriate data processing agreements
  • Inform users about third-party data sharing

11. Cookies and Tracking

The Service may use:

11.1 Essential Cookies

  • Session management and authentication
  • Security and fraud prevention
  • These are necessary for the Service to function

11.2 Optional Cookies

  • Analytics and performance monitoring (if enabled)
  • User preferences and settings
  • Obtain consent where required by law

See our Cookie Policy for more details.

12. Children's Privacy

The Service is not intended for children under 16 years of age. If you become aware that a child has provided personal data:

  • Take immediate steps to delete such information
  • Implement age verification if targeting users under 16
  • Obtain parental consent where required

13. Data Breaches

In the event of a personal data breach:

13.1 GDPR Requirements (Articles 33-34)

  • Notify the supervisory authority within 72 hours (if there is a risk to the rights of data subjects)
  • Notify affected data subjects without undue delay (if high risk)
  • Document all data breaches

13.2 Swiss FADP Requirements

  • Notify the Federal Data Protection and Information Commissioner (FDPIC) if high risk
  • Implement measures to mitigate risks
  • Document incidents

14. International Data Transfers

If your instance processes data across borders:

  • Ensure adequate protection mechanisms
  • Implement Standard Contractual Clauses where required
  • Conduct Transfer Impact Assessments
  • Comply with data localization requirements

15. Records of Processing Activities

Under GDPR Article 30, maintain records including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Data retention periods
  • Security measures

16. Data Protection Officer (DPO)

Consider appointing a DPO if:

  • Required by GDPR Article 37
  • Processing large amounts of sensitive data
  • Required by national law

17. Updates to This Policy

As the operator of your instance, you should:

  • Review and update this policy regularly
  • Inform users of material changes
  • Maintain version history
  • Obtain renewed consent where required

18. Compliance Recommendations

To ensure compliance:

  • Conduct regular privacy audits
  • Implement privacy by design and default
  • Provide privacy training for administrators
  • Maintain documentation of compliance measures
  • Establish procedures for handling data subject requests

19. Contact for Privacy Matters

For privacy-related questions about your specific deployment, users should contact the administrator of that instance.

For questions about this Privacy Policy template or the Service itself, contact the Colistor project through the official support channels.

20. Governing Law

This Privacy Policy is provided as a template and should be adapted to your specific jurisdiction and use case. Consult with legal counsel to ensure compliance with applicable laws in your region.

21. Disclaimer

This Privacy Policy provides a framework for self-hosted deployments. The actual privacy practices depend on how you configure, deploy, and operate your instance. You are solely responsible for ensuring compliance with all applicable privacy laws and regulations.