Privacy Policy
Last updated: April 24, 2026
This policy explains what information Colo collects when you use the service at colo-sci.com, what we do with it, and the choices you have. Colo is a small, self-funded research tool, and our data practices are intentionally minimal. We've tried to keep this policy plain and specific.
What we collect
Account information
- Email address. Required to sign in. We send a passwordless "magic link" to this address each time you log in.
- Profile fields you enter at onboarding. Career level (e.g. grad student, faculty, industry) and institution name. These are optional but encouraged so the tool can adjust to your context.
Content you create
- Research topics and hypotheses you enter on the setup page
- Chat messages you send to the AI assistant on the setup, methods, and scaffold pages
- Adversarial debate transcripts that the system generates from your hypothesis
- Configuration choices you make (study type, panel field values, grant type, etc.)
- Citations and PMIDs the system surfaces during debates
Technical and session data
- Session tokens and refresh tokens used to keep you signed in (managed by Supabase)
- Server logs from our web host (DigitalOcean): typically IP address, request URL, response status, and timestamp. Used to debug issues and protect against abuse
- A theme preference (light/dark) stored locally in your browser
Behavioral analytics (first-party only)
- Which UI features you use (e.g., clicks on the "Help" preset menu, manual injections into a debate)
- Whether the citations the agents produce match papers in our local corpus, used to track hallucination rates and improve retrieval quality
These events are stored in our own Supabase database, not sent to any third-party analytics provider. They are tied to your account but contain no message content or research data, only metadata about which features fired and what the verification system determined.
We do not run third-party analytics trackers (Google Analytics, Mixpanel, etc.), advertising pixels, or cross-site tracking cookies. We do not collect device fingerprints or browsing history outside of Colo.
How we use your information
We use the information listed above only to:
- Authenticate you and keep your sessions active
- Provide the literature synthesis, debate, methods, and scaffold features
- Persist your sessions so you can resume work later or on another device
- Diagnose problems and respond to your questions or feedback
- Protect the service from abuse (rate limiting, etc.)
We do not use your content to train AI models. We do not sell or rent your personal information to anyone. We do not show advertising in Colo, and we have no advertising or marketing partners that receive your data.
Third parties that process data on our behalf
Running Colo requires sending some data to a small number of service providers. These are processors that act on our instructions and have their own privacy policies you can review:
- Anthropic — Colo's adversarial debate, methods reasoning, and scaffold writing are powered by Anthropic's Claude API (currently claude-sonnet-4-6). Your chat messages and any research content included in the prompt are sent to Anthropic so the model can generate a response. See Anthropic's privacy policy. Anthropic's commercial terms state that API content is not used to train their models, and Colo does not train any models on your content either.
- Supabase — hosts our database (where account profiles, sessions, chat messages, and configuration are stored) and provides authentication. See Supabase's privacy policy.
- Resend — sends the magic-link sign-in emails to your inbox. See Resend's privacy policy.
- DigitalOcean — hosts the web server that serves colo-sci.com and runs the literature retrieval engine. See DigitalOcean's privacy policy.
All four providers are based in the United States. We do not share data with any other parties for any other purpose.
Who can see your data
Other Colo users cannot see your account, your sessions, or any content you create. Database-level row security enforces this: every row is keyed to a single user ID, and read/write access is restricted at the database itself, not just in the application code.
The developer (Preston Laney) administers the Supabase database and can therefore read user content if needed to debug an issue, investigate abuse, or respond to a support request. We are honest about this because it's a practical reality of being a small, self-hosted project: we don't have separate "operations" and "engineering" teams. We do not browse user content casually, and we don't share it with anyone outside of the third-party processors listed above.
If you don't want a particular piece of information stored in Colo, the safest approach is not to enter it. We recommend not entering data subject to HIPAA, identifiable patient information, unpublished proprietary IP, or anything else you wouldn't want a small SaaS tool to hold.
How long we keep your data
We retain your account and content indefinitely while your account is active, so that you can resume sessions and review prior debates. If you delete your account or ask us to delete your data, we remove your account, profile, sessions, runs, messages, and any related content from our database within 30 days. Deleted data may persist for up to 90 days in routine database backups before being overwritten.
Your rights and choices
You can, at any time:
- Access the data we have about you
- Correct inaccurate profile information
- Export your sessions and chat content
- Delete your account and all associated content
- Withdraw consent for any processing that requires it (in practice, by deleting your account)
To exercise any of these rights, email privacy@colo-sci.com from the address associated with your account. We'll respond within 30 days.
If you are a resident of California, the EU, the UK, or another jurisdiction with comprehensive data privacy laws, you may have additional rights under those laws (such as the right to data portability or to lodge a complaint with a supervisory authority). The same email address handles those requests.
Security
All traffic to and from colo-sci.com is encrypted using HTTPS with a current TLS certificate. Account data is stored in Supabase's managed Postgres database with encryption at rest. Authentication uses passwordless magic links so there is no password for an attacker to phish or for us to mismanage. Database access is restricted to the developer using credentials that are not embedded in any client-side code.
No service is perfectly secure. If you believe your account has been compromised or have reason to suspect a security issue, please email privacy@colo-sci.com.
Children
Colo is intended for researchers and graduate-level learners and is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child has signed up for the service, contact us and we will remove the account.
International users
Colo is operated from the United States, and your data is processed and stored in the United States. If you access Colo from outside the U.S., you consent to the transfer and processing of your data in the U.S.
Changes to this policy
As Colo grows, our data practices may change — for example, we may add analytics, payment processors, or new features that require additional categories of data. When that happens we will update this policy and revise the "Last updated" date at the top. For material changes, we'll also notify account holders by email before the change takes effect.
Governing law and contact
This policy is governed by the laws of the State of Texas, United States, without regard to conflict of laws principles. For questions about this policy or our data practices, write to privacy@colo-sci.com.