Privacy Policy
Last updated: 2026-04-30. This policy describes how WorldOfTaxonomy collects, uses, and protects your personal data, and explains your rights under GDPR, UK GDPR, and CCPA/CPRA.
1. Data controller
The data controller for personal data processed via worldoftaxonomy.com is Colaberry Inc, on behalf of itself and Colaberry Research Labs. Contact: contact form on /developers or open an issue at our GitHub repository.
2. What we collect, why, and on what legal basis
| Category | Why | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address (developer signup) | Send the magic-link sign-in email; identify your account; let you receive operational notices. | Performance of contract (Art. 6(1)(b)) - delivering the service you requested. |
| IP address (request-time) | Apply per-IP rate limits, detect abuse, comply with our security obligations. | Legitimate interests (Art. 6(1)(f)) - protecting the service from abuse. |
| Email address (contact form) | Reply to enterprise inquiries. | Legitimate interests (Art. 6(1)(f)) - responding to a request you initiated. |
| Email address (classify lead capture) | Provide the demo classification result; occasionally tell you about new features. You can opt out at any time. | Performance of contract for the demo result; legitimate interests for follow-up email. |
| API request log (method, route, status, IP, user-agent) | Operational metrics, abuse detection, billing for paid tiers. | Legitimate interests (Art. 6(1)(f)). |
Auth + CSRF cookies (dev_session, wot_csrf) | Strictly necessary for sign-in and to prevent cross-site request forgery on state-changing requests. | Performance of contract; strictly necessary cookies under ePrivacy. |
We do not use third-party advertising trackers, remarketing pixels, or session-replay tools. We do not sell or share personal data with advertisers.
3. How long we keep data
- Account email + API keys: until you delete the account or 12 months after the last sign-in, whichever comes first.
- Email-send audit log (hashed email + IP): 7 days, then deleted automatically by a daily cron.
- API request log: 30 days for operational metrics, then aggregated and the row-level data deleted.
- Classify lead emails: 24 months after last interaction; you can request immediate deletion.
- Server logs at the infrastructure layer (Cloud Run): 30 days per Google Cloud's default retention.
4. Where data is processed
Application servers run on Google Cloud (Cloud Run, Cloud SQL) in the us-central1region. The website and edge layer are served from Cloudflare's global network. Email is delivered via Resend (US-based).
For users in the European Economic Area, the United Kingdom, or Switzerland, your data may be transferred to the United States. Such transfers are made under Standard Contractual Clauses(the EU Commission's 2021 SCCs) entered into between Colaberry and each sub-processor (Google Cloud, Cloudflare, Resend), supplemented where necessary by encryption in transit and at rest, organizational access controls, and the additional safeguards described in those processors' published SCC addenda.
5. Sub-processors
- Google Cloud (US) - application hosting, database, secret management.
- Cloudflare (US/global) - CDN, DDoS protection, edge rate limiting.
- Resend (US) - transactional email delivery (magic-link, contact-form notifications).
- Sentry (US) - error monitoring; Authorization headers, cookies, and the
dev_sessioncookie value are scrubbed before events leave our servers.
We will update this list when sub-processors change. Material changes are announced on the website and by email to active developers.
6. Your rights
Under GDPR, UK GDPR, and CCPA/CPRA you have the following rights with respect to your personal data:
- Access - request a copy of the data we hold about you.
- Rectification - request correction of inaccurate data.
- Erasure (“right to be forgotten”) - request deletion of your account and associated data.
- Restriction - request that we stop processing while a dispute is resolved.
- Portability - request a machine-readable copy of the data you provided.
- Objection - object to processing based on legitimate interests.
- Withdraw consent - where processing is based on consent (none today, but reserved for future features).
- Lodge a complaint with a supervisory authority (in the EU, your local data-protection authority; in the UK, the ICO).
Most rights can be exercised directly: revoke API keys and delete your account from the developer dashboard. For requests we can't handle in-product, use the contact form. We respond within 30 days.
7. CCPA / CPRA notice (California residents)
We do not sell or share personal information as those terms are defined under the CCPA/CPRA. California residents have the rights described above and may also designate an authorized agent to exercise them.
8. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
9. Cookies
We use only strictly necessary cookies: dev_session (authentication, httpOnly, SameSite=Lax, ~60 minutes) and wot_csrf (CSRF double-submit token, same lifetime). Strictly necessary cookies do not require consent under ePrivacy. We do not use analytics, advertising, or tracking cookies. If we add any non-essential cookies in the future, we will deploy a consent banner first.
10. Security
Passwords are not stored; sign-in is by single-use magic link. API keys are stored as bcrypt hashes; the raw key is shown to you exactly once. All traffic is served over HTTPS with HSTS. We run automated dependency scanning, secret scanning, and security headers (CSP, X-Frame-Options, X-Content-Type-Options) on every deploy. We will notify affected users without undue delay (and within 72 hours where GDPR applies) of any personal-data breach.
11. Changes to this policy
We may update this policy. Material changes are announced on the website and by email to active developers at least 30 days before they take effect.