Privacy Policy
1. What Data We Collect
- Account information: name, email address, phone number (optional, for SMS notifications)
- Business information: business name, sector, location, services offered, bio, profile photo, business logo
- Content you create: posts, messages, opportunity listings, comments
- Usage data: pages visited, features used, timestamps (collected automatically)
- Payment information: processed securely by Stripe — we do not store card details
2. How We Use Your Data
- Providing and improving the Colchester.Network service
- Sending notifications (in-app, email, SMS, push — based on your preferences)
- Processing payments and managing subscriptions
- Moderating content and enforcing community guidelines
- Generating anonymised usage analytics
3. Third-Party Processors
We use the following third-party services to operate Colchester.Network:
- Supabase — database, authentication, and real-time features (EU-hosted)
- Stripe — payment processing (PCI DSS compliant)
- Twilio — SMS notifications
- Resend — transactional email delivery
- OneSignal — push notifications
- Cloudflare — CDN, image storage (R2), and security
- Vercel — website hosting
4. Cookies
We use a single essential cookie for authentication (Supabase session). This cookie is HttpOnly, Secure, and SameSite=Lax. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.
5. Account Deletion
You may delete your account at any time from Settings → Account. Deletion is permanent and takes effect immediately; it cannot be reversed. When you delete your account, we will:
- Cancel any active subscription with Stripe and remove your customer record from Stripe.
- Erase your profile, contact details, preferences, bookmarks, follows, notifications, and private message routing data from our database.
- Reassign your public posts, articles, opportunities, jobs, and event listings to a “Former member” placeholder so the conversational record remains intact for the community.
- Retain certain audit and legal records (moderation actions, reports) with your identifier removed — see the retention schedule below.
If you are the sole owner of any business profile or the host of any challenge, you must transfer or delete those before account deletion can complete. The deletion dialog will guide you through this.
6. Data Export (Article 20 portability)
You may download a copy of all data we hold about you at any time from Settings → Account. The export is a JSON file delivered immediately to your browser. It includes your profile, authored content, received messages, notifications, business memberships, billing history, and account preferences. Rate-limited to one export per day.
7. Retention Schedule
We retain different categories of data for different periods, based on the legal basis under which we process them:
| Category | Retention | Legal basis |
|---|---|---|
| Pseudonymised content (posts, messages, articles, opportunities, jobs, events with author reassigned to “Former member”) | Indefinite | Author identifier severed; see “Former member” placeholder section below for what this means for the body of your content. |
| Moderation actions (with identifier removed) | 7 years from creation | UK Limitation Act 1980 — defence against tort claims |
| Reports (with identifier removed) | 7 years from creation | Same — defence against claims |
| SMS log + consent log (with identifier removed) | 12 months | Fraud-prevention legitimate interest (Art. 6(1)(f)) |
| Stripe invoices | 6 years | UK tax law (HMRC record-keeping) |
| Authentication / session logs | 90 days | Security |
| Server access logs (Vercel) | 30 days | Security; provider default |
| Account-deletion audit record | Indefinite | Accountability (Art. 5(2)) |
8. “Former member” placeholder and content responsibility
After account deletion, content you posted in public spaces (discussions, articles, opportunities, job listings, events) and private messages you sent remain visible attributed to Former member. This protects the conversation history of other community members who participated in your threads.
Important: this attribution change does not edit the body of your posts or messages. If your content contains identifying information about you (your name, contact details, or opinions identifiable by writing style), that text remains as you wrote it. You should review and delete or edit individual posts and messages via the in-app delete/edit action before deleting your account.
If you discover identifying content remains after deletion, contact privacy@colchester.network and we will assist with case-by-case erasure.
9. Your Rights (GDPR)
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to data portability — receive your data in a portable format
- Right to withdraw consent — especially for SMS and push notifications
- Right to lodge a complaint— with the Information Commissioner's Office (ICO). Make a complaint at ico.org.uk/make-a-complaint.
10. Requests on Behalf of Someone Else
For data subject requests on behalf of another person — for example a legal representative, executor of an estate, or next-of-kin — contact privacy@colchester.network. We respond within 30 days, in line with Article 12(3) of the UK GDPR.
11. SMS Communications
If you opt in to SMS notifications, you will receive a maximum of 4 messages per week. You can opt out at any time by replying STOP, updating your notification preferences in account settings, or contacting us directly.
12. Data Security
All data is encrypted in transit (TLS) and at rest (Supabase encryption). Access to personal data is restricted through row-level security policies. Only authorised personnel can access system administration tools.
13. Contact
For data protection queries, contact us at privacy@colchester.network.
Last updated: April 2026