Privacy Policy
Last updated: March 19, 2026
1. Introduction
Co-Create ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our collaborative project management platform.
This Privacy Policy applies to all users of Co-Create and complies with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.
By using Co-Create, you acknowledge the data practices described in this policy.
2. Data Controller
Co-Create is operated as a personal, non-commercial project. For the purposes of GDPR, the data controller is the individual operator of this Service.
If you have questions about how your data is handled, you can contact us through the contact methods provided at the end of this policy.
3. Information We Collect
3.1 Information You Provide Directly
When you create an account or use the Service, you provide us with:
- Account Information: Name, email address, and password (hashed)
- Project Content: Project titles, descriptions, messages, and other content you create or share
- Membership Requests: Information you provide when requesting to join projects
- Third-Party Login (Google OAuth): If you sign in with Google, we receive your name, email address, avatar URL, and provider ID from Google (disclosed per GDPR Article 14)
- Profile Information: Description, skills, interests, and visibility preference you set on your profile
- Feedback: User-submitted feedback through the platform
- Profile Images: Avatar or profile images you upload (stored via Active Storage)
3.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Session Information: IP address and user agent (browser information) for security purposes
- Usage Data: Information about how you interact with the Service, including timestamps of actions
- Onboarding Status: Whether you have completed the onboarding process
- Notification Preferences: Your chosen notification settings
3.3 Cookies and Tracking
We use strictly necessary cookies to:
- Maintain your login session (session cookies)
- Remember your authentication state (permanent signed cookies)
We do not use: Marketing or advertising analytics cookies, advertising cookies, or third-party tracking technologies. We do not share your data with marketing analytics services like Google Analytics. Note: Honeybadger processes technical error data server-side for application monitoring purposes; it does not set any browser cookies or perform client-side tracking.
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contractual Necessity: Processing account information and user content is necessary to provide the Service you've requested
- Legitimate Interests: Session tracking (IP address and user agent) is necessary for security, fraud prevention, and service stability
- Legitimate Interest — Profiling (Article 6(1)(f)): We compute a Co-Create Index for users with validated contributions. This automated profiling helps contributors build a verifiable track record and helps project owners assess collaboration fit. It does not produce legal or similarly significant effects on users.
- Consent: Where required, we obtain your explicit consent before processing your data
5. How We Use Your Information
We use your personal data for the following purposes:
- To create and manage your user account
- To provide the core functionality of the Service (project creation, membership management, messaging)
- To authenticate users and maintain secure sessions
- To prevent fraud, abuse, and unauthorized access
- To communicate with you about your account or the Service
- To improve and develop new features for the Service
- To comply with legal obligations
We do not: Sell your data, use it for advertising purposes, or share it with third parties for marketing.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information to third parties.
Limited Sharing: We may share your data only in the following circumstances:
- With Other Users: Your name and content you post (projects, messages) are visible to other users as necessary for collaboration
- Service Providers: We use the following trusted processors who may process your data on our behalf under strict data processing agreements:
  - Hosting Provider (EU): Infrastructure and data storage, processing within the EU
  - Honeybadger (US): Error monitoring and application performance insights — processes error reports, request metadata, and technical diagnostics
  - Google (US): OAuth authentication — processes name, email, and avatar URL during sign-in
- Legal Requirements: We may disclose your information if required by law or to protect our rights, safety, or the rights and safety of others
No Marketing Analytics: We do not use third-party marketing analytics services, advertising networks, or tracking services. Honeybadger is used strictly for error monitoring and application stability, not for marketing or user profiling purposes.
7. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Active Accounts: Your data is retained while your account is active
- Deleted Accounts: When you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes
- Session Data: Session information (IP addresses, user agents) is retained for security purposes and deleted after session expiration or account deletion
- Data Exports: Stored for 7 days after generation, then automatically deleted
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Passwords are hashed using industry-standard bcrypt
- Secure Cookies: Session cookies are signed, marked HttpOnly, and use SameSite protection
- Database Security: Database access is restricted and protected
- Regular Updates: We keep our software and dependencies up to date with security patches
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Automated Profiling — Co-Create Index
In accordance with GDPR Articles 13(2)(f) and 14(2)(g), we inform you that Co-Create performs automated profiling as defined by Article 4(4) of the GDPR.
9.1 What We Profile
We compute a "Co-Create Index" for users who have validated contributions. This index evaluates five dimensions of your collaborative activity:
- Activity (15%): How frequently you contribute, weighted by recency (contributions within the last 90 days carry more weight)
- Quality (30%): How your work is received by peers, based on endorsement rates and submission acceptance rates
- Impact (25%): The significance of your contributions, based on impact levels assigned by project owners (routine, major, or game-changer)
- Consistency (15%): How regularly you participate over time, measured as the ratio of active months to total months since your first contribution
- Collaboration (15%): Your engagement across projects, including the number of projects you participate in, endorsements you give to others, and cross-project contributions
These dimensions are combined into a composite score (0–100) using a weighted geometric mean, which determines your tier: Newcomer, Contributor, Builder, Architect, or Visionary. Higher tiers also require sustained participation over time (e.g., Visionary requires at least 6 active months and contributions to 3 or more projects).
9.2 Data Inputs
The following personal data is used to compute your Co-Create Index:
- Your validated contributions and their timestamps
- Peer endorsements received on your contributions
- Submission acceptance rates for your contribution submissions
- Impact levels assigned to your contributions by project owners
- The number of projects you are a member of
- Endorsements you have given to other contributors
- The number of projects you have launched
9.3 How Your Score Is Used
Your Co-Create Index and tier are:
- Displayed on your public profile (if your profile is visible)
- Shown in the user directory, where other users can filter and sort by tier
Your score does not: restrict access to any platform features, gate any functionality, affect your ability to join projects, or produce any legal or similarly significant effects. It is purely informational and reputational.
9.4 Legal Basis
We process this data under Legitimate Interest (Article 6(1)(f)) to enable contributors to build a verifiable track record and to help project owners understand collaboration patterns. We have conducted a balancing test and determined that this profiling does not override your fundamental rights, particularly because the index is informational only and carries no material consequences.
9.5 Your Rights Regarding Profiling
Under Article 21 of the GDPR, you have the right to object to profiling based on legitimate interest. You can exercise this right at any time:
- Opt out: You can disable Co-Create Index computation entirely from your profile privacy settings. When disabled, your existing score is deleted and no new score will be computed.
- Contest: If you believe your score is inaccurate, you can submit a contestation from your profile, and we will review it within 30 days.
- Visibility: You can make your profile private, which hides your score from other users.
9.6 Recalculation Schedule
Your Co-Create Index is recalculated daily and also immediately whenever one of your contributions is validated or an endorsement is created or removed.
10. Your Rights Under GDPR
As a user in the European Union, you have the following rights regarding your personal data:
- Right of Access: You can request a copy of the personal data we hold about you
- Right to Rectification: You can update or correct your personal information through your account settings
- Right to Erasure ("Right to be Forgotten"): You can request deletion of your account and personal data
- Right to Restrict Processing: You can request that we limit how we use your data
- Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
- Right to Object: You can object to our processing of your data in certain circumstances
- Right to Object to Profiling: You can opt out of the Co-Create Index automated profiling at any time from your profile privacy settings. You can also contest your score if you believe it is inaccurate. See Section 9 for details.
- Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time
- Right to Lodge a Complaint: You can file a complaint with your local data protection authority
To exercise any of these rights, please contact us using the information provided at the end of this policy.
11. International Data Transfers
The majority of your data is processed and stored within the European Union. However, certain third-party processors operate in the United States:
- Honeybadger (US): Error monitoring and application performance insights. Transfers are governed by Standard Contractual Clauses (SCCs).
- Google (US): OAuth authentication (sign-in with Google). Transfers are governed by Standard Contractual Clauses (SCCs).
All other data processing remains within the EU. Where data is transferred outside the EU, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V requirements.
12. Children's Privacy
Co-Create is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.
We will notify you of any material changes by updating the "Last updated" date at the top of this policy and by sending an email notification to the address associated with your account. We encourage you to review this policy periodically.
14. Contact Information
If you have any questions about this Privacy Policy, want to exercise your GDPR rights, or have concerns about how your data is handled, please contact us at:
Email: sacha.gotainer@proton.me
Response Time: We aim to respond to all privacy-related inquiries within 30 days as required by GDPR.