Privacy Policy

Last updated: January 3, 2026

1. Introduction

Co-Create ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our collaborative project management platform.

This Privacy Policy applies to all users of Co-Create and complies with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.

By using Co-Create, you consent to the data practices described in this policy.

2. Data Controller

Co-Create is operated as a personal, non-commercial project. For the purposes of GDPR, the data controller is the individual operator of this Service.

If you have questions about how your data is handled, you can contact us through the contact methods provided at the end of this policy.

3. Information We Collect

3.1 Information You Provide Directly

When you create an account or use the Service, you provide us with:

  • Account Information: Name, email address, and password (stored hashed)
  • Project Content: Project titles, descriptions, messages, and other content you create or share
  • Membership Requests: Information you provide when requesting to join projects

3.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Session Information: IP address and user agent (browser information) for security purposes
  • Usage Data: Information about how you interact with the Service, including timestamps of actions

3.3 Cookies and Tracking

We use strictly necessary cookies to:

  • Maintain your login session (session cookies)
  • Remember your authentication state (permanent signed cookies)

We do not use: Analytics cookies, advertising cookies, or third-party tracking technologies. We do not share your data with analytics services like Google Analytics.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing account information and user content is necessary to provide the Service you've requested
  • Legitimate Interests: Session tracking (IP address and user agent) is necessary for security, fraud prevention, and service stability
  • Consent: Where required, we obtain your explicit consent before processing your data

5. How We Use Your Information

We use your personal data for the following purposes:

  • To create and manage your user account
  • To provide the core functionality of the Service (project creation, membership management, messaging)
  • To authenticate users and maintain secure sessions
  • To prevent fraud, abuse, and unauthorized access
  • To communicate with you about your account or the Service
  • To improve and develop new features for the Service
  • To comply with legal obligations

We do not: Sell your data, use it for advertising purposes, or share it with third parties for marketing.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties.

Limited Sharing: We may share your data only in the following circumstances:

  • With Other Users: Your name and content you post (projects, messages) are visible to other users as necessary for collaboration
  • Service Providers: We use trusted infrastructure providers (hosting services) who may process your data on our behalf under strict confidentiality agreements
  • Legal Requirements: We may disclose your information if required by law or to protect our rights, safety, or the rights and safety of others

No Third-Party Analytics: We do not use third-party analytics services, advertising networks, or tracking services.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Active Accounts: Your data is retained while your account is active
  • Deleted Accounts: When you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes
  • Session Data: Session information (IP addresses, user agents) is retained for security purposes and deleted after session expiration or account deletion

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Passwords are hashed using industry-standard bcrypt
  • Secure Cookies: Session cookies are signed, HttpOnly, and use SameSite protection
  • Database Security: Database access is restricted and protected
  • Regular Updates: We keep our software and dependencies up to date with security patches

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights Under GDPR

As a user in the European Union, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can update or correct your personal information through your account settings
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your account and personal data
  • Right to Restrict Processing: You can request that we limit how we use your data
  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
  • Right to Object: You can object to our processing of your data in certain circumstances
  • Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time
  • Right to Lodge a Complaint: You can file a complaint with your local data protection authority

To exercise any of these rights, please contact us using the information provided at the end of this policy.

10. International Data Transfers

Your data is processed and stored within the European Union. If we need to transfer data outside the EU in the future, we will ensure appropriate safeguards are in place in accordance with GDPR requirements.

11. Children's Privacy

Co-Create is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.

We will notify you of any material changes by updating the "Last updated" date at the top of this policy. We encourage you to review this policy periodically.

13. Contact Information

If you have any questions about this Privacy Policy, want to exercise your GDPR rights, or have concerns about how your data is handled, please contact us at:

Email: sacha.gotainer@proton.me
Response Time: We aim to respond to all privacy-related inquiries within 30 days as required by GDPR.
