Privacy
This is the privacy policy for cmintel.ai (the website) and the COLOSSEUM content intelligence and publishing platform operated by Colosseum Intelligence Ltd. We refer to ourselves as “we”, “us”, and “our” below.
It is a normal privacy policy. It describes the data we collect, what we do with it, and how to make us stop. It does not editorialize about the operational state of the service. The rules below apply to anyone who engages — visitors, operators, prospective customers, and customers when subscription billing is enabled.
If you want to know who is responsible for this document and the data behind it: that is Colosseum Intelligence Ltd (UK), and the named contact is the Data Protection Officer at [email protected].
1. Last updated
2026-05-04. Material changes are described in section 12 (Changes), and the change log is at the bottom of this page.
2. Controller
Colosseum Intelligence Ltd — registered in England and Wales. Companies House registration number, VAT number (if applicable), and the registered office address are listed in the footer of every page on this site and at /about. The Data Protection Officer (DPO) is reachable at [email protected].
We are the controller of personal data covered by this policy. When we process customer data on behalf of a subscribed business, we may be the processor; the controller-vs-processor split is governed by the Data Processing Addendum (DPA) at /trust.
3. Data we collect
We collect five categories of personal data.
| Category | What it is | When |
|---|---|---|
| Account data | Operator name, work email, employer (where given) | When you create an operator account in the dashboard |
| Platform-fetched public data | Public data the platforms (Meta, TikTok, YouTube, X, Pinterest, Snap, LinkedIn at Phase 6.5+) expose under operator-granted scopes — engagement counts, timestamps, public post bodies | When an operator connects a platform integration with explicit consent |
| Usage data | Timestamps and identifiers of operator actions inside our dashboard (which agents ran, which decisions were taken, which approvals were issued) | While you use the operator dashboard |
| Device and browser data | IP address (truncated for analytics), user-agent string, referrer | On every request to cmintel.ai or the operator dashboard |
| Cookies and storage | Session and consent state — see /cookies for the full list | As described in the cookie list |
We do not collect: payment-card data (Stripe holds that when subscriptions are enabled — see section 5), passwords (we use SSO + passwordless auth where supported), facial-recognition data, or any data from a user under 16 (see section 9).
4. Why we collect it
Each category is collected on a specific lawful basis under UK GDPR Article 6.
| Category | Purpose | Lawful basis |
|---|---|---|
| Account data | Authentication, authorisation, sending operational emails | Performance of contract — Art 6(1)(b) |
| Platform-fetched public data | Producing the operator’s content insights and the Feedback agent’s learning loop | Legitimate interests — Art 6(1)(f); balanced against the data subject’s rights, see section 4.1 below |
| Usage data | Audit-log integrity, billing, system-incident response | Performance of contract — Art 6(1)(b); legitimate interests — Art 6(1)(f) |
| Device and browser data | Site security, abuse prevention, aggregate analytics | Legitimate interests — Art 6(1)(f) |
| Cookies and storage | Functional preferences, security (Turnstile), consent record | Consent (Art 6(1)(a)) for any non-essential cookie; necessity for essential cookies |
4.1 Legitimate-interests balancing test (summary)
Where we rely on legitimate interests under Art 6(1)(f), we have completed a balancing test and recorded it internally. The summary, in plain language:
- Our interest is to operate a content platform that publishes on behalf of business operators with a complete audit trail.
- Your interest is to know what we are doing with your data and to be able to stop us.
- Our safeguards are: a published audit log, a 30-day deletion SLA at /data-rights, a 24-month retention cap on engagement data, and a public sub-processor list at /trust.
- Net effect: the processing is foreseeable, narrowly scoped, and reversible. We hold the balancing test on file at the DPO mailbox.
5. How we share it
We share your data with named recipients only. Every sub-processor is listed at /trust with the data category, country of operation, the link to the signed Data Processing Addendum, and the date of last review.
Today the v1 list is: Cloudflare (hosting, edge compute, DNS, Turnstile, analytics), Supabase (operator database), SendGrid/Twilio (transactional email), Anthropic and OpenAI (language-model inference for specific agents), Sentry (error monitoring), and Stripe (payment processing — activated only when subscription billing goes live). LinkedIn integration via the Marketing Developer Platform is deferred to a later phase and will be added to this list when active.
We do not sell your data to anyone. We do not share data with advertisers or data brokers. We do not use your data to train third-party AI models without an explicit, separate consent — and at v1 we have not requested any such consent.
When law enforcement or a court compels disclosure, we comply with the minimum disclosure that satisfies the demand and we publish an annual transparency report at /trust summarising aggregate counts.
6. Where we send it
Some sub-processors are based in the United States. For transfers of UK and EU personal data to the US (and any other non-adequate country):
- UK transfers rely on the International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses (SCCs).
- EU transfers rely on the EU Standard Contractual Clauses (2021/914).
- Each sub-processor has signed the IDTA + SCCs as part of its DPA.
- We have completed a Transfer Risk Assessment for each non-adequate destination and hold the records on file at the DPO mailbox.
Destination countries at v1: United States (Cloudflare, Supabase, SendGrid, Anthropic, OpenAI, Sentry), United Kingdom (Stripe).
7. How long we keep it
| Category | Retention |
|---|---|
| Account data | For the life of the operator account, plus 90 days after closure for billing-record reconciliation |
| Platform-fetched engagement data | 24 months from the date of fetch |
| Operator usage data (audit log) | 24 months for trend analysis; cryptographic hashes of audit-log rows retained indefinitely for integrity verification |
| Device and browser data (analytics) | Aggregated, no row-level retention beyond 30 days |
| Cookies and storage | As listed at /cookies |
| DSAR records (verification tokens, request bodies) | 36 months as required by the regulator’s enforcement record-keeping; verification tokens are deleted within 24 hours of resolution |
| Contact-form submissions | 90 days; mail us first if you need a copy or earlier deletion |
We do not say “as long as necessary.” Every category has a number above.
8. Your rights
Under UK GDPR (and the EU GDPR for EU users), you have the following rights. Exercise any of them at /data-rights, or by mailing [email protected].
- Access — get a copy of all data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — be deleted (“right to be forgotten”).
- Restriction — pause our processing of your data.
- Portability — receive your data in a portable format.
- Objection — object to legitimate-interests processing (see section 4.1).
- No automated decision-making — opt out of any automated decision that produces legal or similarly significant effects (see section 11).
- Withdraw consent — where consent is the basis, you may withdraw it at any time.
Our SLA for any of these is 30 days from verification of your identity. If we cannot meet it, we will tell you why and what we are doing about it. If you are not satisfied, you may complain to your supervisory authority — the UK ICO for UK users, your national DPA for EU users.
9. Children
The service is not directed to users under 16, and we do not knowingly collect personal data from minors. If we learn that we have collected data from a user under 16, we delete it and notify the parent or guardian where contact details are available.
10. Security
A summary lives at /security. The short version: TLS 1.3 in transit, AES-256 at rest, mandatory MFA on all human accounts, quarterly internal pen-tests, annual third-party pen-tests, and a one-business-hour disclosure mailbox at [email protected].
11. Automated decisions
The COLOSSEUM publishing engine performs automated content classification and decision-making — for example, deciding whether a draft post passes the safety guardrails described at /safety. These decisions do not produce legal or similarly significant effects on the individuals whose engagement we read. If you believe an automated decision has affected you significantly, you may request human review by mailing [email protected]; we will review and respond within 30 days.
We do not profile individuals for marketing or advertising purposes.
12. Changes
We notify users of material changes by:
- Posting a change-log entry at the bottom of this page (below).
- Emailing every operator account holder at least 30 days before the material change takes effect, where reasonably practicable.
- Restating in plain language what changed and why.
Material changes include: a new sub-processor, a new data category, a new lawful basis, an extension of retention, a change in jurisdiction, or any erosion of a data-subject right. Cosmetic changes — typo fixes, link rewordings — do not require notice.
13. Contact
- DPO — [email protected]
- Press / legal — [email protected]
- Trust desk — [email protected] (sub-processor questions, transparency report)
- Postal — see footer for the registered office address
For UK users, the supervisory authority is the UK ICO. For EU users, your national supervisory authority. The lead supervisory authority for the EU is to be determined once Colosseum’s main establishment in the EU is set; until then, EU users may complain to their national DPA.
When subscription billing goes live (Phase 7 of the build), an EU representative under Article 27 will be appointed and named here. Until then, the service does not require an Article 27 representative because the in-scope EU data is limited to inbound contact-form and DSAR submissions.
Change log
- 2026-05-04 — first published. v1 policy. No prior versions.
This document was Claude-drafted in line with the deferred-counsel policy at /research. Tier-2 solicitor review will fire when the first paying customer subscribes or when the data-flow scope changes materially — see the trigger logic at the same link.