Privacy Policy

Effective Date: February 27, 2026 Β· Last Updated: April 1, 2026

Operator: Colab8 (colab8.com)

Services Covered

This policy covers all Colab8 products and services: AskRosetta (trade compliance API and web app), Goldmex International (cross-border shipping platform), and Fabric8 (design and operations dashboard).

What Data We Collect

  • Product descriptions submitted for classification
  • Trade parameters (country of origin, declared value, quantity, shipping method)
  • API usage metadata (endpoint, latency, timestamp, status code)
  • API key identifier (hashed, never stored in plaintext)
  • Account email (for authentication and communication)
  • Shipment details (package dimensions, weight, origin/destination for rate calculation)

What We Do NOT Collect

  • No payment card data (handled entirely by Stripe, PCI DSS compliant)
  • No location data beyond country-level origin/destination
  • No biometric data
  • No data from minors under 16

How We Use Your Data

  • Classification: Product descriptions are processed by AI models (Claude by Anthropic, Gemini by Google) to determine HTS tariff codes. Descriptions are not stored after classification unless you opt into audit trail.
  • Metering: API calls are counted per key to enforce rate limits and billing tiers.
  • Audit Trail (opt-in): Classification results stored for compliance record-keeping.
  • Shipping Rates: Shipment details are shared with carrier partners (Gori, Estafeta) solely to generate rate quotes.

Data Retention

  • API usage logs: 90 days, then aggregated
  • Classification audit trail: 7 years (per CBP record-keeping requirements, 19 CFR 163)
  • API keys: until revoked by the owner
  • Account data: until account deletion is requested

Data Sharing

  • We do not sell or share your data with third parties for marketing
  • AI model providers (Anthropic, Google) process prompts per their data use policies β€” we use zero-retention API tiers where available
  • Infrastructure: Supabase (Google Cloud, Zurich region) and Stripe β€” governed by their respective DPAs
  • Carrier partners: shipment details shared only for rate calculation (no PII beyond origin/destination)

Cookies

We use essential cookies only β€” authentication session cookies (httpOnly, secure) required for the platform to function. We do not use tracking cookies, analytics cookies, or advertising cookies. No consent banner is needed for essential cookies under GDPR, but we display one for transparency.

Your Rights (GDPR / CPRA)

  • Access: Request a copy of your data (Article 15)
  • Deletion: Request erasure of your data (Article 17)
  • Portability: Export your classification audit trail in JSON format (Article 20)
  • Rectification: Correct inaccurate data (Article 16)
  • Restriction: Restrict processing of your data (Article 18)
  • Objection: Object to processing based on legitimate interest (Article 21)

To exercise these rights, contact support@colab8.com. We respond within 30 days per GDPR requirements.

Data Security

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row Level Security on all database tables
  • API keys stored hashed, never in plaintext
  • VPC Service Controls on Google Cloud infrastructure
  • Automated security scanning (Dependabot, Nuclei) on all endpoints

Sub-Processors

ProviderPurposeLocation
AnthropicAI classification (Claude)US (zero retention)
Google CloudAI embeddings, infrastructureEU (Zurich)
SupabaseDatabase, authEU (Zurich)
StripePayment processingUS/EU
CloudflareCDN, edge computeGlobal
VercelWeb hostingUS/EU

Contact

Colab8
Data Protection Contact: Carlos E. Fuentes
Email: support@colab8.com
Web: colab8.com