Privacy Policy for Colourlab AI

1. Introduction

Color Intelligence Inc. ("Color Intelligence," "we," "us," or "our") provides Colourlab AI, a professional color grading desktop application, together with the websites at colourlab.ai, beta.colourlab.ai, and related subdomains (collectively, the "Services"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.

If you have questions about this policy or your personal information, contact us at admin@colourlab.ai.

Color Intelligence Inc. is a Delaware-incorporated corporation with its mailing address at:

2. Scope

This Privacy Policy applies to:

• Our marketing website at colourlab.ai
• Our private beta website at beta.colourlab.ai (including beta signup, beta access notifications, and beta feedback)
• The Colourlab AI desktop application and any data the application transmits to us or to our service providers

It does not apply to third-party websites, services, or platforms that we link to but do not control.

3. Information We Collect

3.1 Beta program signup

When you request access to the Colourlab AI private beta, we collect your name and email address. We use this information to evaluate your application, send you an approval or non-approval decision, notify you of new beta releases, and receive your feedback.

3.2 Account and authentication

When you sign in to the application, we use Google Sign-In for authentication. We receive your email address, name, profile picture, and a unique Google account identifier. We do not receive your Google password.

3.3 License validation and device fingerprint

When you launch and use the application, it contacts our servers to validate your license. As part of this validation, we receive a computer fingerprint — a hash derived from hardware and operating system attributes — used to bind a license to a specific device and to prevent abuse. The fingerprint is not personally identifying on its own, but is associated with your account when you are signed in.

3.4 Still images sent to OpenAI for semantic analysis

The application includes features that perform semantic analysis of still images (for example, to allow you to search your media library by content, mood, or cinematography). When you use these features, the relevant still images are transmitted to OpenAI's API for analysis, and OpenAI returns descriptions or embeddings that are stored locally on your device. Per OpenAI's API policies, content submitted via the API is not used to train OpenAI's models.

3.5 AI agent queries sent to Anthropic

The application includes an autonomous color-grading agent system that uses Anthropic's Claude APIfor orchestration. When you use these features, prompts, conversation context, and metadata about your project (such as image tags, palette descriptors, and grading parameters) are transmitted to Anthropic's API. Per Anthropic's API policies, content submitted via the API is not used to train Anthropic's models.

3.6 What stays on your device

We want to be specific about what we do not collect:

• Your video files, project files, raw footage, color-graded output, LUTs, and intermediate processing data are stored only on your device.
• All color grading, color matching, neural-preset inference, look application, and other media processing happens locally on your computer.
• We do not have access to your media library, your timeline, or any video content.

The only content that leaves your device is the data described in Sections 3.4 and 3.5 (still images sent to OpenAI for semantic analysis, and prompts and metadata sent to Anthropic for agent features) and the diagnostic data described in Section 3.7.

3.7 Crash and error data

The application is instrumented with Sentry for crash and error reporting. When the application crashes or encounters an unhandled error, Sentry collects diagnostic data including stack traces, application version, operating system version, and a session identifier. Crash reports may incidentally contain limited contextual data such as filenames, but we do not intentionally transmit your project content. Sentry-based crash reporting may be configured progressively during the beta period; this section applies once enabled.

3.8 Payments

If and when you make a purchase, payment processing is handled by Stripe. We receive transaction metadata such as amount, currency, country, and the last four digits and brand of your card. We do not receive or store full payment card numbers. Please see Stripe's privacy notice for details on its handling of payment data.

3.9 Support and feedback

When you contact our support team or submit feedback, we receive the contents of your message and your contact details via Zendesk. When you join our community on Discord, you do so under Discord's own terms and privacy policy.

3.10 Marketing and transactional email

We use Kit (the email service formerly known as ConvertKit) to send beta updates, release announcements, and other communications. Kit receives your name, email address, and email engagement data (such as opens and clicks). You can unsubscribe at any time using the link in any email.

3.11 Website analytics and cookies

We use Google Analytics on our websites to understand aggregate traffic and usage. Google Analytics sets cookies and collects information including a truncated IP address, browser type, device type, pages visited, and referrer.

We use cookies and similar technologies for:

• Essential site functionality (such as authentication state)
• Analytics (Google Analytics)

You can manage cookies through your browser settings. Where required by law (including in the EU, UK, and California), we display a cookie banner and obtain consent before setting non-essential cookies.

4. How We Use Information

We use the information described above to:

• Operate, maintain, secure, and improve the Services
• Manage the private beta program (review applications, send approval decisions, distribute new beta builds, collect feedback)
• Authenticate users and validate licenses
• Provide AI features that you choose to use
• Diagnose crashes and improve stability
• Process payments
• Respond to support requests
• Send transactional and (with consent where required) marketing communications
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases:

• Contract — to provide the Services you have requested (account, license, beta access, support).
• Legitimate interests — to secure the Services, prevent fraud, analyze aggregate usage, and improve our products. We balance these interests against your rights and freedoms.
• Consent — for marketing emails (where required) and for non-essential cookies. You can withdraw consent at any time.
• Legal obligation — where we must process data to comply with applicable law.

6. How We Share Information

We do not sell your personal information. We share information with the following categories of service providers, each of which acts as our processor or sub-processor and is contractually bound to protect your data:

We may also disclose information when required by law, court order, or valid government request; to enforce our terms; to protect our rights, property, or safety, or those of others; or in connection with a merger, acquisition, financing, or sale of assets (in which case we will notify you and any successor will be bound by this policy or provide notice of changes).

7. International Data Transfers

We are based in the United States. When you use the Services from outside the United States, your information will be transferred to and processed in the United States and in other countries where our service providers operate. Where required, we rely on Standard Contractual Clausesapproved by the European Commission and the UK Information Commissioner's Office, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

8. Data Retention

We retain personal information for as long as necessary to provide the Services and for the purposes described in this policy:

• Beta signup data: retained while you are in the beta program and for up to 24 months after the beta concludes, or until you ask us to delete it.
• Account data: retained while your account is active and for up to 12 months after account closure for legal and operational purposes.
• Crash and error logs: retained for up to 90 days.
• Email engagement data: retained while you are subscribed and for up to 12 months after you unsubscribe.
• Payment records: retained as required by tax and accounting law (typically 7 years).
• Support tickets: retained for up to 24 months after resolution.

We may retain information for longer where required by law or to resolve disputes.

9. Security

We use industry-standard administrative, technical, and physical safeguards designed to protect your information, including encryption in transit (TLS), encryption at rest where applicable, access controls, and regular security review of our infrastructure and our service providers. No system is perfectly secure; we cannot guarantee absolute security.

10. Your Rights

10.1 GDPR / UK GDPR (residents of the EU, EEA, and UK)

You have the right to:

• Access the personal information we hold about you
• Rectify inaccurate or incomplete information
• Eraseyour personal information ("right to be forgotten")
• Restrict or object to processing
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time, where consent is the legal basis for processing
• Lodge a complaint with your local data protection supervisory authority

10.2 California (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell or share
• Access and delete your personal information
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
• Limit the use of sensitive personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the Services.
• Non-discrimination for exercising your privacy rights.

10.3 How to exercise your rights

To exercise any of these rights, email admin@colourlab.ai. We will respond within the timeframes required by applicable law (typically within 30 days under the GDPR and within 45 days under the CCPA, with extensions where permitted). We may need to verify your identity before fulfilling your request.

You may designate an authorized agent to make a request on your behalf where applicable law permits.

11. Children

The Services are intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact admin@colourlab.ai and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page. For material changes, we will provide additional notice — such as an email to registered users or a prominent notice on our website — before the change takes effect.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information:

Email: admin@colourlab.ai