Privacy Policy

Coloo AI — Published by BCL — Version 2.0 — Effective date: 23 May 2026

This Privacy Policy describes how BCL, a société par actions simplifiée incorporated under French law, registered with the Registre du Commerce et des Sociétés of Paris under SIREN [SIREN], having its registered office at 200 rue de la Croix Nivert, 75015 Paris, France (“BCL”, “we” or “our”), acting as data controller, collects and processes your personal data in connection with your use of the Coloo AI service (the “Service”).

BCL is committed to protecting your privacy and to processing your personal data in accordance with Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”), French Law n° 78-17 of 6 January 1978 as amended (“French Data Protection Act”), the Children’s Online Privacy Protection Act 15 U.S.C. §6501 (“COPPA”, where applicable), the UK GDPR and Data Protection Act 2018 (where applicable), and any other applicable regulation.

1. Definitions

• “Data” or “Personal Data”: any information relating to an identified or identifiable natural person within the meaning of Article 4 of the GDPR.
• “Processing”: any operation performed on Personal Data within the meaning of Article 4(2) GDPR.
• “User”: the adult natural person using the Service, acting in their own name or as the holder of parental authority over a minor.
• “Minor”: any natural person under eighteen (18) years of age.
• “Child”: any minor under fifteen (15) years of age, in accordance with Article 45 of the French Data Protection Act.
• “Third-Party Platforms”: social networks and other online services accessible via URLs that the User may submit to the Service.
• “Subprocessor”: a third party processing Personal Data on behalf of and under instructions of BCL, in accordance with Article 28 GDPR.

2. Data controller and Data Protection Officer

Data controller (Article 4(7) GDPR):

• BCL — SAS au capital de [CAPITAL] €
• Registered office: 200 rue de la Croix Nivert, 75015 Paris, France
• RCS Paris [SIREN] / VAT FR [VAT]
• Email: jake@coloo.ai

Data Protection Officer (DPO):

• Email: jake@coloo.ai
• Postal address: DPO Coloo AI, BCL, 200 rue de la Croix Nivert, 75015 Paris, France

Where a representative within the European Union (Article 27 GDPR) or in the United Kingdom (UK GDPR Art. 27) is required for a non-EU/EU-only controller, BCL acts as its own controller within the EU and no separate representative is necessary.

3. Scope and binding privacy representations

Binding representations of BCL as to data minimization and processing architecture:

• BCL does not download, persist, index, share, broadcast or otherwise make available source video files or source images from Third-Party Platforms. Processing of source content is strictly ephemeral, performed in memory during the conversion request, with intermediate technical artefacts deleted automatically upon completion of processing and in any event within twenty-four (24) hours.
• BCL does not engage in advertising profiling of children.
• BCL does not sell, rent, lease or barter Personal Data.
• BCL does not use User content (Coloring Pages or source content) to train its own artificial intelligence or machine learning models, unless the User has given prior, express, freely given, specific, informed and unambiguous consent through a dedicated, separately presented opt-in (no pre-ticked boxes, no bundled consent). Such consent is fully revocable at any time without affecting prior lawful processing.
• BCL implements data protection by design and by default (Article 25 GDPR) — including pseudonymization, minimization at collection, encryption in transit and at rest where technically applicable, strict access controls and segregation between technical processing and account data.

4. Data collected, purposes, legal bases and retention

4.1 Account creation and management

• Data: first name or pseudonym, email address, hashed password (Argon2id or equivalent), account creation date, declaration of majority and of legal guardian status, verification artefacts (proof of payment-instrument check or other verifiable consent record).
• Purpose: account creation, identification, authentication, performance of the Service.
• Legal basis: performance of the contract (Article 6.1.b GDPR); legitimate interest in fraud prevention (Article 6.1.f) for verification artefacts.
• Retention: for the duration of the account, then intermediate archiving for three (3) years for evidentiary purposes (limitation period of common-law contractual actions).

4.2 Payment and billing

• Data: cardholder name and surname, billing address, card type and last four digits (the full PAN is never transmitted to or stored by BCL), transaction history, billing identifiers.
• Purpose: payment processing, billing, tax and accounting compliance, fraud prevention.
• Legal basis: performance of the contract (Article 6.1.b); compliance with legal obligations (Article 6.1.c) under Article L.123-22 of the French Commercial Code.
• Retention: ten (10) years from close of the accounting year.
• Recipients: payment service provider (currently [Stripe Payments Europe, Ltd. or equivalent]); chartered accountant; tax authorities upon legal request.

4.3 Submitted URLs and Coloring Page generation data

• Data: URLs submitted by the User, technical processing metadata (timestamp, processing duration, conversion parameters, success/error status), the generated Coloring Page itself (line drawing image file).
• Purpose: provision of the conversion service at the User’s request; storage of Coloring Pages in the private account space of the User; debugging and abuse prevention.
• Legal basis: performance of the contract (Article 6.1.b).
• Retention — Coloring Pages: stored privately on the User’s account for as long as the User does not delete them or close their account.
• Retention — URLs and metadata: thirty (30) days for support, debugging and abuse prevention; anonymized aggregate statistics may be retained beyond this period.

IMPORTANT — EPHEMERAL PROCESSING OF SOURCE CONTENT: BCL DOES NOT PERSIST OR RETAIN SOURCE VIDEO, AUDIO OR SOURCE IMAGE FILES OBTAINED IN THE TECHNICAL CONVERSION PROCESS. EXTRACTION, FRAME-SELECTION AND LINE-DRAWING CONVERSION ARE PERFORMED IN MEMORY OR ON SHORT-LIVED TECHNICAL STORAGE AND THE CORRESPONDING ARTEFACTS ARE DELETED AT THE END OF THE PROCESSING TASK, IN ANY EVENT WITHIN TWENTY-FOUR (24) HOURS. ONLY THE FINAL COLORING PAGE GENERATED FROM THE USER’S REQUEST IS STORED ON THE USER’S PRIVATE ACCOUNT SPACE.

4.4 Connection, technical and usage data

• Data: IP address (truncated or anonymized after thirteen (13) months for analytics; full retention for one (1) year for identification under LCEN Article 6-II and DSA Article 9), session identifier, device type, operating system, browser version, language, pages viewed, timestamps, technical performance data, error logs, abuse-detection signals.
• Purpose: security of the Service; prevention and detection of fraud and abuse; audience measurement; debugging and reliability.
• Legal basis: legitimate interest (Article 6.1.f GDPR) in security, fraud prevention and improvement; legal obligation (Article 6.1.c) for identification data retained under LCEN and DSA.
• Retention: thirteen (13) months for technical logs; one (1) year for identifying data required by LCEN/DSA; six (6) months for anonymized aggregate audience data.

4.5 Support communications

• Data: email address, content of exchanges with support.
• Purpose: handling of support requests, customer relationship.
• Legal basis: performance of contract (Article 6.1.b) or legitimate interest (Article 6.1.f).
• Retention: three (3) years from last exchange.

4.6 Marketing communications

• Data: email address, communication preferences, open and click metrics.
• Purpose: information about new features, offers and similar products of BCL.
• Legal basis: consent (Article 6.1.a) for prospects; legitimate interest for existing customers regarding similar products in accordance with Article L.34-5 of the French Postal and Electronic Communications Code (Article 13 of Directive 2002/58/EC).
• Retention: three (3) years after the last active contact or withdrawal of consent.
• The User may unsubscribe at any time via the link present in each communication or by contacting jake@coloo.ai.

5. Cookies and similar tracking technologies

The Service uses cookies and similar technologies. On first visit, a consent management platform (CMP) compliant with CNIL recommendations and the ePrivacy directive allows the User to accept, refuse or configure each purpose.

• Strictly necessary cookies (authentication, session, security, load balancing): exempt from consent.
• Aggregated audience measurement cookies (anonymized statistics): exempt from consent where they meet CNIL exemption criteria.
• Detailed analytics or marketing/advertising cookies: subject to prior, express consent, revocable at any time with the same ease as it was given.

Preferences may be changed at any time via the preference center accessible from the Service. No advertising tracker is deployed on pages or features intended for use by children.

6. Minors and special protection of Children

THE SERVICE IS INTENDED FOR FAMILY USE UNDER ADULT SUPERVISION. NO ACCOUNT MAY BE CREATED BY A MINOR UNDER EIGHTEEN (18) YEARS OF AGE. THE URL IMPORT FEATURE IS DESIGNED TO BE TRIGGERED EXCLUSIVELY BY THE ADULT ACCOUNT HOLDER THROUGH A VERIFIABLE PARENTAL CONSENT MECHANISM (PARENT-GATING).

6.1 Verifiable parental consent mechanism

In accordance with Article 8 GDPR, Article 45 of the French Data Protection Act and, where applicable, COPPA, BCL implements a verifiable parental consent mechanism comprising:

• A positive opt-in declaration of being an adult holder of parental authority (no pre-ticked boxes);
• Verification via a payment instrument associated with an adult (credit/debit card check, SEPA mandate verification or equivalent), which is an accepted method of verifiable parental consent under FTC COPPA guidance and CNIL recommendations;
• An in-app parent-gate (delayed reveal or multi-step confirmation) on access to the URL import feature;
• Where appropriate, secondary email confirmation by double opt-in from the parent’s verified email address;
• Audit logging of the consent record (timestamp, method, IP, declared identifiers) for evidentiary purposes.

6.2 Data minimization concerning end-user Children

BCL actively minimizes data collected concerning end-user Children:

• No collection of the Child’s first or last name;
• No collection of photographs of the Child;
• No advertising profiling of Children;
• No open chat, no social features, no commenting feature exposing the Child to interaction with third parties;
• No behavioral advertising or remarketing on Service surfaces accessible to Children.

6.3 Removal at parental request

If you are a parent or holder of parental authority and you discover that a Child has provided Personal Data to BCL, please contact jake@coloo.ai so that BCL may proceed with immediate verification and, where confirmed, deletion of the data within fifteen (15) days, in compliance with Article 17 GDPR (right to erasure) and COPPA Section 312.6.

7. Recipients and subprocessors

Personal Data is accessible to BCL personnel authorized within the strict limits of their duties, subject to confidentiality undertakings and access controls, and to Subprocessors acting on behalf of BCL in accordance with Article 28 GDPR.

Categories and identification of Subprocessors:

• Hosting / infrastructure (web hosting, application servers): GoDaddy.com, LLC (USA) — and any additional infrastructure providers listed in the up-to-date subprocessor list.
• Cloud database and storage: [DATABASE PROVIDER, EU REGION].
• AI / machine learning conversion (frame-to-line-drawing technical processing): [PROVIDER NAME, COUNTRY] — current model providers are listed in the up-to-date subprocessor list at coloo.ai/subprocessors and notified in case of substitution. Processing instructions strictly limit such Subprocessors to performing the conversion task and prohibit them from retaining, repurposing or using submitted content to train general models.
• Payment processing: [Stripe Payments Europe, Ltd. or equivalent], located in the European Union.
• Transactional email: [PROVIDER, EU REGION].
• Customer support tooling: [PROVIDER, EU REGION].
• Audience measurement: [PROVIDER, EU REGION].
• Observability, error monitoring and fraud prevention: [PROVIDER, EU REGION].
• Identity / age verification (where used): [PROVIDER].

Each Subprocessor is bound to BCL by a written subprocessing agreement compliant with Article 28 GDPR, including provisions on confidentiality, security measures, sub-subprocessing, audit rights, return or deletion of data, and assistance with data-subject rights. An up-to-date list of Subprocessors, the countries of processing and the safeguards in place is published at coloo.ai/subprocessors and may also be obtained upon request at jake@coloo.ai. BCL provides advance notice of any addition or substitution of Subprocessors, allowing Users to object on legitimate grounds.

Your Data is never sold, rented, leased or exchanged with third parties for commercial purposes.

8. Transfers outside the European Economic Area

BCL prioritizes hosting and processing of Personal Data within the European Economic Area. Where a transfer to a third country (outside the EEA) is necessary, in particular via a Subprocessor, BCL ensures that such transfer is governed by one or more of the mechanisms provided in Articles 44 et seq. GDPR:

• Adequacy decision of the European Commission (e.g. EU-U.S. Data Privacy Framework where the U.S. importer is certified);
• Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914);
• Additional technical and organizational measures (encryption with EU-controlled keys, pseudonymization, access controls, transparency reports) supplementing the SCC, in accordance with EDPB Recommendations 01/2020;
• Where applicable, binding corporate rules, codes of conduct or certification mechanisms.

Each material transfer is documented in a Transfer Impact Assessment (TIA). A summary of ongoing transfers, recipient countries and applicable safeguards is available at jake@coloo.ai.

9. Security

BCL implements appropriate technical and organizational measures to ensure security, confidentiality, integrity and availability of Personal Data, taking into account the state of the art, costs, the nature, scope and purposes of processing, and the risks for data subjects:

• Encryption of Data in transit (TLS 1.2+) and at rest (where technically applicable);
• Password hashing using Argon2id, bcrypt or equivalent state-of-the-art algorithms;
• Strict access controls, principle of least privilege, multi-factor authentication for personnel accessing production systems;
• Logging of access to sensitive Data and to administration interfaces, with retention for security audit;
• Regular backups, disaster-recovery plan and tested incident-response procedure;
• Training of authorized personnel in security and Data protection;
• Documented procedure for Data-breach management: notification to the supervisory authority within seventy-two (72) hours under Article 33 GDPR and to data subjects without undue delay under Article 34 GDPR where the breach is likely to result in a high risk to rights and freedoms.

10. Automated decision-making and generative AI

BCL does not make automated individual decisions producing legal effects or similarly significantly affecting Users within the meaning of Article 22 GDPR.

Generative AI processing of the conversion request:

The Service uses third-party AI models for the technical conversion of frames into line drawings. The terms applicable to such Subprocessors are aligned with Article 28 GDPR and instruct them strictly:

• Not to retain the User’s submitted content beyond the technical time necessary for the conversion;
• Not to use the User’s submitted content for training of general models;
• Not to use the resulting Coloring Page for any purpose other than returning it to BCL for delivery to the User.

Training of BCL’s own models:

BCL does not use User content (Coloring Pages or source content) to train its own AI models, except where the User has given prior, express, granular and revocable consent through a dedicated opt-in mechanism (no pre-ticked boxes, no bundled consent). Such consent may be withdrawn at any time, in which case no further use of the User’s content for training occurs.

In compliance with the EU AI Act (Regulation 2024/1689) transparency obligations, BCL informs Users that they are interacting with an AI-driven generation system.

11. Your rights

In accordance with Articles 12 to 22 GDPR, you have the following rights over your Personal Data:

• Right of access: to obtain confirmation that your Data is being processed and to receive a copy (Article 15);
• Right of rectification: to have inaccurate or incomplete Data corrected (Article 16);
• Right to erasure (“right to be forgotten”): under the conditions of Article 17;
• Right to restriction of processing (Article 18);
• Right to portability (Article 20): to receive your Data in a structured, commonly used and machine-readable format;
• Right to object (Article 21): on grounds relating to your particular situation, to processing based on legitimate interest, and at any time and without justification for direct marketing;
• Right to withdraw consent (Article 7(3)), at any time, without affecting the lawfulness of prior processing;
• Right not to be subject to automated decision-making producing legal effects or similarly significantly affecting you (Article 22);
• Right to set post-mortem directives regarding the fate of your Data after your death (Article 85 French Data Protection Act).

To exercise these rights, contact the DPO at jake@coloo.ai or by postal mail at the address indicated in Article 2, providing proof of identity where necessary to prevent identity fraud. BCL responds within one (1) month, extendable by two (2) months for complex requests, in accordance with Article 12(3) GDPR. No fee is charged for the exercise of these rights except where requests are manifestly unfounded or excessive.

12. Right to lodge a complaint with a supervisory authority

If you consider that the processing of your Data does not comply with applicable regulations, you have the right to lodge a complaint with a competent supervisory authority, in particular the French Data Protection Authority (CNIL):

• Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
• Phone: +33 1 53 73 22 22
• Website: www.cnil.fr

Users residing in another Member State may also lodge a complaint with the supervisory authority of their habitual country of residence.

13. Special regimes — UK, California (CCPA/CPRA), other US States

13.1 United Kingdom

For Users in the United Kingdom, BCL processes Personal Data in accordance with the UK GDPR and the Data Protection Act 2018. Rights and remedies are equivalent to those described above. UK Users may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

13.2 California Consumer Privacy Act / California Privacy Rights Act (where applicable)

Where applicable to California residents, BCL recognizes the following CCPA/CPRA rights: right to know, right to delete, right to correct, right to opt out of the sale or sharing of personal information (BCL does not sell or share personal information for cross-context behavioral advertising), right to limit use of sensitive personal information, right of non-discrimination. To exercise these rights, contact jake@coloo.ai. Authorized agents may submit requests on behalf of California residents subject to verification.

13.3 Other US states

For residents of other US states with applicable privacy laws (Virginia, Colorado, Connecticut, Utah, etc.), BCL recognizes equivalent rights of access, deletion, correction, opt-out of sale/share/targeted advertising and appeal, exercisable at jake@coloo.ai.

14. Confidentiality of requests by authorities

In accordance with applicable law (LCEN, DSA, Code of Criminal Procedure), BCL may receive judicial or administrative requests for User identification or content production. BCL responds only to valid requests issued by competent authorities. To the extent permitted by law, BCL informs the User concerned of such requests. BCL publishes a periodic transparency report summarizing the volume and nature of requests received in accordance with Article 15 DSA.

15. Modifications to the Policy

BCL may modify this Privacy Policy to reflect legal, regulatory or technical developments. Any substantive modification will be notified by email and/or via a notice displayed within the Service at least thirty (30) days before entry into force. Continued use of the Service after that date constitutes acceptance. Where new processing requires consent, such consent will be solicited separately before processing begins.

16. Contact

For any question relating to this Privacy Policy or your Personal Data:

• DPO: jake@coloo.ai
• Legal notifications: jake@coloo.ai
• Support: jake@coloo.ai
• Postal address: BCL — DPO Coloo AI — 200 rue de la Croix Nivert, 75015 Paris, France

END OF PRIVACY POLICY — Version 2.0 — 23 May 2026