privacy policy -

Version: 1.0
Date of Last Update: 15th May 2026
Effective Date: 19th March 2026

1. About This Privacy Policy

1.1 This Privacy Policy explains how Collab Media Group Ltd collects, uses, stores, shares, and protects your personal data when you access or use the website located at https://collabable.ai and any related services, features, content, or applications (together, the "Platform").

1.2 We have tried to write this Privacy Policy in plain language. Defined terms used here have the same meaning as in our Terms of Service.

1.3 This Privacy Policy is written for the United Kingdom market and is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR). If we later extend the Platform to the European Economic Area, we will update this Privacy Policy and provide a separate notice for EEA residents.

1.4 By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Platform.

2. Who We Are

2.1 The controller of your personal data is:

Collab Media Group Ltd
A company incorporated in England and Wales under company number 17102549
Registered office: 20-22 Wenlock Road, London, N1 7GU, United Kingdom

Contact email: contact@collabable.ai

2.2 Privacy contact. We have not appointed a formal Data Protection Officer because we are not required to do so under Article 37 of the UK GDPR. You can contact our privacy team at contact@collabable.ai with any data protection question, request, or complaint. We will review this position as the Platform grows and appoint an external DPO if and when the thresholds in Article 37 are met.

3. Personal Information We Collect

We collect personal data in three ways: from you directly, automatically when you use the Platform, and from third parties.

3.1 Information you provide to us

Account data — email, full name, username, password (hashed), date of birth (to verify you are 18 or over), country, language.
Profile data — display name, profile picture, short biography, podcast topics, expertise, experience level, location (city and country), website and social media handles, media samples (audio/video clips), podcast RSS feed URL, work preferences, and any other information you choose to publish on your profile.
Studio Operator data — business name, studio address, photographs, pricing, availability calendar, insurance confirmation, bank account details for payouts (held and encrypted by our payment processor — see clause 5), business registration details.
Booking data — studio booked, dates and times, number of participants, special requests, invoice address.
Communications data — messages you send through the Platform to other Users, collaboration requests, reviews you write, reports you submit.
Support data — information you provide when contacting us at contact@collabable.ai, including the content of your enquiry and any attachments.
Payment data — we do not store card numbers or card details. These are collected directly by our payment processor (Stripe). We retain limited transaction metadata (amount, date, currency, subscription plan, booking reference).
Preferences — notification, marketing, and language preferences.

3.2 Information we collect automatically

Device and technical data — IP address, browser type and version, operating system, device identifiers, screen resolution, referring URL, time zone.
Usage data — pages visited, features used, search queries, click-through activity, time spent on pages, scroll depth, login timestamps, interaction with other Users' profiles.
Cookies and similar technologies — see our Cookie Policy.
Log and security data — failed login attempts, suspicious activity, rate-limiting events, error logs. IP addresses are used in memory for rate-limiting (10 login attempts per 5 minutes, 5 password-reset attempts per 15 minutes) and are not written to the database.

3.3 Information we receive from third parties

Social login providers — if you sign in using Google, Facebook, or Apple, we receive from them your email, name, profile picture URL, and a unique provider identifier. We do not receive your contacts, friends list, or any other information beyond the basic scope you approve during authentication.
Payment processor (Stripe) — confirmation that a payment was successful or failed, the last four digits of your card number, card brand, expiry (only for display in your account), fraud signals, and tax identifiers where applicable.
Google Business Profile (if you are a Studio Operator) — if you connect your Google Business Profile to your Studio listing, we import public business information (name, address, opening hours, photographs) and customer reviews (star rating, text, reviewer name, date).
Fraud prevention and verification partners — where used, we may receive risk scores, identity verification outcomes, or watch-list match results.

3.4 Special category data

3.4.1 We do not actively collect, ask for, or process special category personal data (as defined in Article 9 of the UK GDPR), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

3.4.2 Please do not include information you consider sensitive or confidential — including any information falling within the Article 9 special categories above — in areas of the Platform designated as public, such as your profile, biography, podcast topics, media samples, reviews, or messages that are not addressed to a single specific recipient.

3.4.3 If you choose to publish such information voluntarily in a public area of the Platform, we rely on Article 9(2)(e) of the UK GDPR (information manifestly made public by the data subject) as our condition for processing. We will not use any information you identify or we reasonably identify as special category data to train our AI models (see clause 6).

4. How We Use Your Information and Our Legal Bases

We use your personal data for the purposes set out below. For each purpose, we have identified the lawful basis under Article 6 of the UK GDPR on which we rely.

4.1 To provide the Platform — contract performance (Art 6(1)(b))

creating and maintaining your Account and profile;
enabling you to search, discover, contact, and match with other Users;
processing Bookings and payments;
sending transactional emails (welcome message, password reset, booking confirmation, invoice, payment receipt, subscription renewal, account notifications);
enabling reviews and ratings;
providing customer support.

4.2 To comply with legal obligations — legal obligation (Art 6(1)(c))

retaining transaction records for tax, accounting, and anti-money-laundering purposes (UK Companies Act 2006, HMRC rules, Money Laundering Regulations 2017);
responding to lawful requests from public authorities;
cooperating with investigations into fraud or unlawful activity;
meeting our obligations under the UK GDPR, DPA 2018, PECR, and the Online Safety Act 2023.

4.3 For our legitimate interests — legitimate interests (Art 6(1)(f))

In many cases we handle personal data on the grounds that it furthers our legitimate commercial interests, in ways that are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:

providing and improving the Platform — measuring engagement, identifying popular features, improving user experience, conducting internal research;
security — detecting security incidents, protecting against malicious, deceptive, fraudulent, or unlawful activity;
fraud prevention — reviewing Accounts and activities for signs of fraud or abuse;
content moderation — identifying content that breaches our Acceptable Use Policy or applicable law;
ranking and recommendations — ordering search results, suggesting profiles and Studios that may be relevant to you, promoting engagement between Users;
product development — developing new features, fixing bugs, improving matching algorithms;
corporate transactions — supporting mergers, acquisitions, investment, or sale of business.

Where we rely on legitimate interests, we conduct a balancing test (a "legitimate interests assessment") to ensure that our interests are not overridden by your rights. You may request a summary of this assessment by contacting contact@collabable.ai.

4.4 With your consent — consent (Art 6(1)(a))

marketing communications (newsletters, product updates, promotional offers) where we do not have a "soft opt-in" right under PECR reg 22(3);
non-essential cookies and similar technologies (see our Cookie Policy);
use of your data for purposes that go beyond those listed above.

You may withdraw consent at any time by using the unsubscribe link in any marketing email, adjusting your cookie preferences, or contacting contact@collabable.ai. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.5 Marketing communications

4.5.1 Transactional emails (account-related, booking-related, payment-related, legal or security notices) are sent on the basis of contract performance and cannot be unsubscribed from while your Account is open.

4.5.2 Marketing emails (platform news, promotional offers, feature announcements) are sent only with your prior consent or, where applicable, on the PECR reg 22(3) "soft opt-in" basis for existing customers who have not objected. Every marketing email contains a one-click unsubscribe link, and you can also manage your preferences in your Account settings.

5. Sharing and Recipients of Your Information

We share your personal data only with the categories of recipients listed below, and only to the minimum extent necessary. We do not sell your personal data.

5.1 Other Users of the Platform

Information you choose to publish on your public profile (including your display name, picture, biography, media samples, topics, location, and reviews you write) is visible to other Users and to visitors to the Platform. Information exchanged in private messages is visible only to the other participant(s) in the conversation.

5.2 Professional advisers

Lawyers, accountants, auditors, insurers, and consultants acting under professional duties of confidentiality — where we need their advice or services.

5.3 Authorities and legal process

Courts, law enforcement agencies, regulators (including the Information Commissioner's Office, HM Revenue & Customs, and the Financial Conduct Authority where applicable), government bodies, and other third parties, where required by law, court order, or regulatory request, or where necessary to protect our rights, property, or safety, or that of our users or others.

5.4 Corporate transactions

In the event of a merger, acquisition, financing, reorganisation, bankruptcy, or sale of some or all of our assets, your personal data may be transferred to the successor entity, subject to the same protections set out in this Privacy Policy.

6. AI and Automated Processing

6.1 No solely automated decisions with legal or similarly significant effect

6.1.1 We do not take decisions producing legal or similarly significant effects on you based solely on automated processing within the meaning of Article 22 of the UK GDPR.

6.1.2 Specifically:

No automated account suspension. Any decision to suspend, restrict, or terminate your Account is made by a member of our team after human review. Automated tools may flag accounts or content for review, but they never take the final decision.
Pricing is not personalised. Our subscription prices (Basic free, Featured £29/month, Pro £99/month) are the same for every User. We do not adjust prices based on your profile, browsing history, device, or any automated scoring.
Trust scoring affects visibility, not access. Our Trust Engine produces internal scores based on verification, activity, and reliability signals. These scores may affect how prominently your profile appears in search results and recommendations, but they never restrict your access to core Platform features such as messaging, Booking, or making or receiving collaboration requests.

6.2 Automated processing used in the Platform today

6.2.1 We use limited automated processing for:

Content moderation — keyword filters, image classification, and pattern detection to flag potentially non-compliant content for human review;
Fraud and abuse prevention — pattern detection for suspicious login attempts, fake reviews, spam, or abuse;
Search, ranking, and recommendations — algorithmic ordering of search results and suggested profiles based on the parameters described in our Terms of Service;
Trust scoring — calculation of internal trust signals based on verification data and User activity.

6.3 AI matching (Pro plan — future activation)

6.3.1 As part of our Pro subscription plan, we intend to offer an AI-powered matching feature using the Anthropic Claude API (provided by Anthropic PBC, United States). The feature is not yet active as of the Effective Date of this Privacy Policy.

6.3.2 When we activate AI matching, we will:

update this Privacy Policy and notify affected Users by email at least 30 days before activation;
provide a clear opt-out in your Account settings, and honour any opt-out signal received;
minimise the personal data sent to the Claude API by removing names, email addresses, and other direct identifiers before each request (pseudonymisation);
instruct Anthropic under our commercial agreement not to retain or train models on your data beyond the short operational retention period required by the Claude API;
process AI matching requests under the lawful basis of legitimate interests (to provide a differentiated paid feature to Pro users);
not use any information you have identified, or we reasonably identify, as special category data to train or improve AI models.

6.3.3 AI matching outputs are informational only and do not produce legal or similarly significant effects on you. The decision whether to contact, message, or collaborate with any User suggested by AI matching remains entirely yours.

6.4 Safeguards when we use AI

When we use personal data to operate or improve AI-based features, we take appropriate measures to safeguard your privacy. These may include de-identifying personal data prior to processing by removing names and other identifying information, implementing encryption in transit and at rest, using pseudonymisation techniques, and restricting access to personal data used in this manner to a limited number of authorised individuals subject to strict confidentiality obligations.

7. International Data Transfers

7.1 Collab Media Group Ltd is established in the United Kingdom, and the Platform is hosted in the United Kingdom wherever possible. Some of our service providers (listed in clause 5.2) are established outside the United Kingdom, and operating the Platform requires us to transfer your personal data to those providers.

7.2 Where we transfer personal data from the United Kingdom to a country that has not received an adequacy decision from the UK Government, we rely on one or more of the following transfer mechanisms:

The UK Extension to the EU-U.S. Data Privacy Framework (DPF), where the recipient is certified under the DPF — currently including Stripe, Inc., Google LLC, Meta Platforms, Inc., Cloudflare, Inc., and other providers that maintain active certifications;
The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses (2021/914), together with any supplementary measures required in light of the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18);
Your explicit consent (Article 49(1)(a) UK GDPR), where the transfer is occasional and we have informed you of the possible risks.

7.3 Transfers to service providers established in the European Economic Area (such as Sendinblue SAS in France, Meta Platforms Ireland Ltd, and Apple Distribution International Ltd in Ireland) are covered by the UK Government's adequacy decision for the EEA.

7.4 You may request a copy of the transfer mechanism applicable to a specific transfer, or further information about our supplementary measures, by contacting contact@collabable.ai.

8. How Long We Keep Your Information

8.1 We retain personal data only for as long as necessary for the purposes described in this Privacy Policy. The table below sets out the retention periods we apply by default.

Category of data	Retention period	Reason
Account data (active)	For the duration of your Account	Contract performance
Account data (after closure — active deletion)	30 days between closure and deletion	Legitimate interest — allowing you to reactivate and reversing erroneous closures
Account data (after closure — final deletion)	Within 90 days of closure, except where a longer period applies below	UK GDPR Article 5(1)(e)
Transaction and payment records	7 years	UK Companies Act 2006, HMRC record-keeping, Money Laundering Regulations 2017
Invoices and tax records	7 years	HMRC / statutory minimum
Messages exchanged on the Platform	3 years after the last activity in the conversation	Legitimate interest — dispute resolution, fraud investigation
Reviews (public)	Indefinite, even after the reviewer's Account is closed	Legitimate interest — Platform integrity; reviews remain attributed to the reviewer's display name
Moderation and enforcement records	5 years after the event	Legitimate interest — pattern detection, repeat-offender management
Support conversations	3 years after closure of the ticket	Legitimate interest — recurrence analysis
Marketing consent records (opt-in / opt-out)	Until withdrawal of consent + 2 years	Legal obligation (PECR proof of consent)
Server and security logs	12 months	Legitimate interest — security, troubleshooting
Backup data (residual copies)	30 days rolling window	Legitimate interest — business continuity, disaster recovery
Legal hold data (litigation)	For the duration of the legal hold plus the applicable limitation period	Legal obligation

8.2 Public content persistence. Information you have shared with other Users and visitors — such as reviews, profile information, and community posts — may remain visible on the Platform even after your Account is closed, in accordance with clause 8.1. You may request the removal or anonymisation of specific content by contacting contact@collabable.ai; we will assess each request in good faith, balancing your rights with the legitimate interests of the recipients of that content and the integrity of the Platform.

9. Your Rights Under the UK GDPR

9.1 You have the following rights regarding your personal data:

Right	What it means
Access (Art 15)	Request a copy of the personal data we hold about you and information about how we process it
Rectification (Art 16)	Ask us to correct inaccurate or incomplete data
Erasure (Art 17)	Ask us to delete your personal data in certain circumstances ("right to be forgotten")
Restriction (Art 18)	Ask us to limit the processing of your data in certain circumstances
Data portability (Art 20)	Receive your data in a structured, commonly used, machine-readable format, or ask us to send it to another controller
Objection (Art 21)	Object to processing based on legitimate interests or for direct marketing
Automated decision-making (Art 22)	Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see clause 6.1)
Withdraw consent	Where we rely on consent, withdraw it at any time without affecting prior processing

9.2 How to exercise your rights. Send a request to contact@collabable.ai. We may need to verify your identity to prevent unauthorised disclosure. We aim to respond within one calendar month of receiving a valid request, as required by Article 12(3) of the UK GDPR. In complex or numerous requests, we may extend this period by up to two further months and will inform you of the extension and the reasons for the delay.

9.3 No charge. Exercising your rights is free of charge. We may charge a reasonable fee, or refuse to act on requests that are manifestly unfounded or excessive, as permitted by Article 12(5) of the UK GDPR.

10. Cookies and Similar Technologies

10.1 We use cookies and similar technologies to operate the Platform, remember your preferences, analyse usage, and (with your consent) deliver marketing. A full list of cookies, their purposes, and how long they last is set out in our Cookie Policy.

10.2 Our consent mechanism complies with PECR regulation 6 and the Information Commissioner's Office (ICO) guidance of July 2023 on cookies. Strictly necessary cookies are set automatically; all other cookies are only set after you have given specific, informed, unambiguous consent, and can be rejected as easily as they can be accepted. You can change your preferences at any time via the "Cookie Settings" link in the footer of the Platform.

11. Children

11.1 The Platform is intended for adults aged 18 years or older. We do not knowingly collect personal data from anyone under 18.

11.2 If we become aware that an Account has been created by a person under 18, we will suspend the Account and delete the associated personal data without undue delay.

11.3 If you believe that a minor has provided us with personal data, please contact us at contact@collabable.ai so that we can take appropriate action.

12. Security and Personal Data Breaches

12.1 We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction, as required by Article 32 of the UK GDPR. These measures include:

encryption of data in transit using HTTPS/TLS;
encryption at rest for sensitive fields, including OAuth refresh tokens and bank account details (using AES-256-CBC);
hashed password storage;
role-based access controls;
regular software patching and security updates;
rate-limiting of login and password-reset attempts;
regular backups with off-server storage;
staff confidentiality obligations.

12.2 No system is perfectly secure. While we do our best to protect your personal data, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at contact@collabable.ai.

12.3 Breach notification. In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify the affected individuals without undue delay, as required by Article 34.

13. Changes to This Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes to the Platform, our service providers, applicable law, or regulatory guidance. The "Date of Last Update" at the top of this document indicates when the most recent changes took effect.

13.2 Where the changes are material — such as the introduction of a new category of processing, a new sub-processor with privacy implications, a change in retention periods, or the activation of AI-based matching — we will notify you by email and/or through a prominent notice on the Platform at least 30 days before the changes take effect, unless a shorter period is required by law.

13.3 Continued use of the Platform after the effective date of the changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the proposed changes, you may close your Account before the changes take effect.

14. Contact Us and Complaints

14.1 Contacting us

For any question, request, or concern relating to this Privacy Policy or to how we handle your personal data, please contact us at:

Collab Media Group Ltd
20-22 Wenlock Road, London, N1 7GU, United Kingdom
Email: contact@collabable.ai

14.2 Right to complain to the ICO

If you believe we have not handled your personal data in accordance with UK data protection law, you have the right to lodge a complaint with the supervisory authority. We would appreciate the opportunity to address your concerns first — please contact us at contact@collabable.ai before lodging a complaint. You may also contact the ICO at any time:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Website: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Email: casework@ico.org.uk