Privacy Policy
Last updated: 2026. 07. 03. AM 10:19
1. Who We Are
Vifork (바이포크), Representative: Inyoung An, Business Registration No. 139-06-21251 (the "Company", "we"), operates the Collabby service (collabby.ai). This Privacy Policy explains what personal data we process, why, and how we protect it. It applies to users worldwide; where the law of your place of residence (Korean Personal Information Protection Act, EU/UK GDPR, US state laws) grants you stronger rights, that law prevails.
2. Personal Data We Collect
· Account data (you provide): email, name, password (stored hashed), language, workspace/organization membership · Social login: email (if provided) and name from your Google or X account; if X provides no email, we generate an internal placeholder address · Security data: two-factor authentication secret (encrypted), recovery codes (hashed), sign-in attempt records (for rate limiting), bot-protection (Turnstile) verification · Payment and transaction records: orders, credit grants/consumption, buyer email, receipt identifiers. Card details are collected directly by our payment processor (Lemon Squeezy) and never touch our servers · Content and usage: prompts and AI conversations, generated app code, uploaded files, AI usage logs (model, tokens, cost) · Collected automatically: cookies, device/browser information, analytics events (GA4, with consent). IP addresses are used transiently for bot protection and rate limiting only and are not stored on our servers · End-user data of published apps: data that apps built by our users collect from their own visitors (contents determined by the app creator)
Please do not include other people's personal data or sensitive information in prompts or uploads.
3. Purposes and Legal Bases
· Providing and operating the Service (accounts, AI generation, hosting, billing) — performance of contract · Security and abuse prevention (rate limits, bot protection, abuse detection) — legitimate interests and legal compliance · Aggregate statistics to improve reliability — legitimate interests; analytics cookies only with consent · Customer support and legal obligations (statutory record-keeping, tax) — contract and legal obligation We currently send no marketing email; if we ever do, we will obtain separate opt-in consent first.
4. AI Processing and Training
We do not use your content to train our own AI models. Prompts and generated content are sent to third-party AI providers to produce outputs. Our managed Anthropic, OpenAI and Google accounts are all paid (commercial) APIs, whose policies state that inputs and outputs are not used to train their foundation models (subject to limited abuse-monitoring retention and legal-hold obligations). If you register your own API key (BYOK), your own agreement with that provider applies and data may be handled differently. When you use voice features, audio is transmitted directly from your browser to OpenAI.
5. Processors and International Transfers
Our infrastructure and AI providers are located outside Korea (mainly in the United States), so using the Service transfers personal data abroad. You may refuse such transfers, but the Service cannot then be provided, as the transfers are inherent to how it works. Questions/refusal: privacy@collabby.ai
Processors/recipients (all US-based; transfer method: network transmission during Service use; retention: for the duration of the entrusted work): · Supabase, Inc. — database hosting (account and service data) · Vercel Inc. — application hosting and serverless compute (request data, logs) · Cloudflare, Inc. — file storage (R2), bot protection (Turnstile: IP, browser signals), support site · Anthropic, PBC / OpenAI, L.L.C. / Google LLC — AI generation (prompts, outputs, uploaded files) · Lemon Squeezy, LLC — payment processing (name, email, billing data; acts as Merchant of Record under its own responsibility) · Resend — transactional email (email, name, notification content) · Upstash, Inc. — rate limiting and stream state (email/identifier keys) · Google LLC (Google Analytics) — web analytics (cookie identifiers, usage events, with consent) · Slack Technologies — internal operational alerts (optional)
For EEA/UK data we rely on appropriate safeguards such as Standard Contractual Clauses.
6. Disclosure to Third Parties
We do not sell personal data. We disclose it only: with your consent; to comply with valid legal process; to protect the rights and safety of the Company, our users or the public; or in connection with a merger or business transfer (with notice).
7. Retention and Deletion
We delete or anonymize personal data within 30 days after account deletion, except records we must keep by law: contract and withdrawal records (5 years), payment and supply records (5 years), consumer complaint and dispute records (3 years), advertising records (6 months) under the Korean E-Commerce Act. We may retain a masked email to prevent re-registration abuse and limited security audit logs. Content that was published and independently copied (forked) by other users may fall outside deletion. Destruction is irreversible (permanent deletion of electronic files). BYOK API keys are deleted immediately upon your deletion request.
8. Your Rights
You may request access to, correction or deletion of your personal data, restriction of processing, and withdrawal of consent at any time: privacy@collabby.ai (from your account email for verification). We respond within statutory deadlines (10 days for access under Korean law; one month for EEA/UK requests). For end-user data collected by a published app, we may route your request to the app's creator or assist directly to the extent technically available. The legal guardian of a child under 14 may exercise the child's rights. Requests are handled by the Data Protection Officer (Section 13).
9. Children
The Service is intended for users aged 18 or older, and we do not knowingly collect personal data from children under 14. If we learn that a user is under 18, we delete the account and its data. Users must not build apps directed to children or collecting children's personal data without verifiable parental consent.
10. Cookies
· Essential cookies: sign-in session, security (bot protection), language, cookie-consent state — required for the Service, not subject to consent · Analytics cookies (Google Analytics): usage statistics; analytics storage is enabled only if you choose "Accept all" in the cookie banner, and you can refuse or withdraw at any time via your browser settings or the banner Blocking essential cookies may break parts of the Service.
11. Automated Processing
We use automated systems for abuse and fraud detection, rate limiting, credit-balance gating and report handling. If an automated action significantly affects you, you may request human review, an explanation, and contest the outcome at privacy@collabby.ai.
12. Security
· Encryption in transit (TLS); passwords stored as bcrypt hashes · Optional two-factor authentication (TOTP) with recovery codes; bulk session revocation · Sign-in rate limiting and CAPTCHA bot protection · BYOK API keys and 2FA secrets stored encrypted (AES-256-GCM) · Admin access controls and audit logging If a personal-data breach occurs on our systems, we will notify affected users and the competent authorities without undue delay and within the timelines required by law (including 72 hours where applicable).
13. Data Protection Officer and Remedies
Data Protection Officer (개인정보 보호책임자): Inyoung An (Representative) · privacy@collabby.ai Korean users may also contact: Personal Information Dispute Mediation Committee (1833-6972), KISA Privacy Report Center (118), Supreme Prosecutors' Office (1301), National Police Cyber Bureau (182). EEA/UK users may lodge a complaint with their local supervisory authority.
14. Additional Notices by Region
EEA/UK (GDPR): legal bases are as in Section 3; you have the rights of access, rectification, erasure, restriction, portability and objection, and the right to complain to a supervisory authority. International transfers rely on appropriate safeguards such as Standard Contractual Clauses. US states (California, etc.): we do not sell personal information or share it for cross-context behavioral advertising. To exercise rights to know, delete or correct, contact privacy@collabby.ai; you will not be discriminated against for exercising them.
15. Changes to This Policy
We will announce changes and their effective date in advance by in-service notice or email; material changes are notified before they take effect. Previous versions are available on request.
This policy applies from the date of publication.
Company 바이포크 (Vifork)Representative 안인영 (Inyoung An)Business Reg. No. 139-06-21251Email support@collabby.aiHosting Vercel Inc. / Supabase Inc.Payments (MoR) Lemon Squeezy, LLCVerify business info ↗