Privacy Policy
Last updated: July 2026
This Privacy Policy explains how Kollect (“Kollect”, “we”, “us”) collects, uses, shares, and protects your personal data when you use our mobile application and website (together, the “Service”). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act.
1. Who we are
Kollect is a collection-sharing service operated by its publisher, based in France, acting as the data controller for the personal data described in this policy.
For any question about this policy or your personal data, contact us at contact@kollect.me.
2. Data we collect
We only collect what is necessary to run the Service. Specifically:
- Account data. Authentication is handled by our provider, Clerk. When you sign up, we process your email address, your chosen username, and, depending on how you sign in, information from a third-party sign-in provider (e.g. Google). Clerk manages your credentials and session identifiers on our behalf; our own database stores your email address and username together with a technical account identifier.
- Content you create. The collections, items, descriptions, custom fields, and photos you add, as well as social actions such as likes and follows. You choose whether each collection is public or private.
- Photos. Images you upload for your items and collection covers are stored in our object storage. Photos in a public collection are part of that collection’s public web page (see section 4).
- Support & feedback data. When you send feedback, a suggestion, or a bug report from the app, or when you report content, we receive the message you write together with your username and email address so we can follow up.
- Technical data. To operate and secure the Service we process the minimum technical data required to serve requests (such as timestamps and server logs, which may include an IP address for security and abuse prevention). We do not use advertising SDKs, we do not carry out behavioural or usage analytics or ad tracking, and we do not build advertising profiles about you.
- Crash reporting & diagnostics. We use Sentry, a third-party processor, to collect crash logs and diagnostic and performance data (such as error traces, device and OS type, and app version) so we can fix bugs and keep the app stable. Sentry is configured without personal data (its sendDefaultPii option is off): we do not attach your email address or identity to crash reports.
- Push notification token. If you enable notifications, we collect a device push token (a device identifier) and store it linked to your account so we can send you notifications. Delivery uses Firebase Cloud Messaging (Google) as a processor. You can disable notifications at any time in your device or app settings.
Public collections are visible to anyone. If you mark a collection public, it (its name, items, custom fields, and photos) becomes accessible on the web to anyone who has the link, and may be indexed by search engines. Set a collection to private to keep it visible only to you.
3. How and why we use your data
We use your data for the following purposes, each with its GDPR legal basis:
- Providing the Service: creating and authenticating your account, storing and displaying your collections, items, and photos, and enabling public sharing. Legal basis: performance of our contract with you (our Terms).
- Responding to support & moderating content: replying to your messages and reviewing reported content. Legal basis: our legitimate interest in supporting users and keeping the Service safe.
- Security and abuse prevention: protecting the Service against fraud, abuse, and technical failures. Legal basis: our legitimate interest and legal obligations.
- Transactional emails: sending you a welcome email and, where applicable, account-related messages. Legal basis: performance of our contract / our legitimate interest. Any purely optional communications would rely on your consent, which you can withdraw at any time.
- Crash reporting & diagnostics: collecting crash logs and diagnostic and performance data (via Sentry, configured without personal data) to diagnose problems and keep the app stable and secure. Legal basis: our legitimate interest in the stability and security of the Service.
- Push notifications: if you opt in, sending you notifications using the device push token you provide (delivered via Firebase Cloud Messaging). You can turn notifications off at any time in your device or app settings. Legal basis: your consent.
4. Sharing and third-party processors
We do not sell your personal data, and we do not use it for advertising or third-party tracking. We share data only with the service providers (processors) that are strictly necessary to run Kollect, under contracts that require them to protect your data:
- Clerk: authentication and account management (email, username, credentials, sessions).
- Cloudflare: object storage (R2) for your uploaded photos, plus DNS and network delivery.
- Our hosting infrastructure: self-managed servers (orchestrated with Coolify) that run the application and database.
- Stalwart: our email server, used to deliver the transactional emails described above from contact@kollect.me.
- Sentry: crash reporting and diagnostics (crash logs and diagnostic and performance data, configured without personal data).
- Google: Firebase Cloud Messaging, used to deliver push notifications to your device (processing your device push token) if you enable them.
We may also disclose data where required by law or to protect our rights, users, or the public.
5. Data retention
We keep your account data and the content you create for as long as your account exists. When you delete your account (see section 6), your account and associated content are deleted from our systems, except where we must retain limited data to comply with a legal obligation, resolve disputes, or prevent abuse. Server logs are kept only for a short period for security and troubleshooting.
6. Your rights and account deletion
Under the GDPR you have the right to access, rectify, erase, and export your personal data, to restrict or object to certain processing, and to withdraw consent where processing is based on consent. To exercise any of these rights, email us at contact@kollect.me. You also have the right to lodge a complaint with a supervisory authority. In France, this is the CNIL (www.cnil.fr).
Deleting your account
You can delete your account at any time directly in the mobile app: open the Profile tab (Settings), scroll to the Account section, tap Delete account, and confirm. This permanently removes your account and your associated collections, items, and photos.
Alternatively, you can request deletion by emailing us at contact@kollect.me from the address associated with your account, and we will erase your account and data.
7. Security
We take appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS/TLS), authentication handled by a specialised provider, access controls, and storage of credentials on your device using the platform’s secure storage. No method of transmission or storage is completely secure, but we work to protect your data and to address any incident appropriately.
8. Children
The Service is not directed at children. You must be at least 16 years old (or the minimum age of digital consent in your country, and in any case at least 13) to create an account. We do not knowingly collect data from children below that age; if you believe a child has provided us with personal data, contact us and we will delete it.
9. International data transfers
Some of our processors (for example Clerk and Cloudflare) may process data on servers located outside the European Economic Area. Where that happens, the transfer is protected by appropriate safeguards recognised under the GDPR, such as the European Commission’s Standard Contractual Clauses or an adequacy decision.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service. Your continued use of the Service after an update means you accept the revised policy.