LetsCollab.bio

Privacy Policy

Effective date: May 12, 2026 · Last updated: May 12, 2026

LetsCollab.bio ("LetsCollab", "we", "us", "our") provides a web application that helps users publish public collab pages, receive structured requests from requesters, manage request threads, generate invoices, track deliverables, and optionally connect Google Calendar for scheduling visibility. This Privacy Policy explains what personal information we collect, how we use it, how we share it, and the choices and rights you have. It applies to the LetsCollab.bio website, the authenticated dashboard, public pages, request portals, and related backend services (the "Service").

1. Who Is Responsible For Your Data

The data controller for personal data processed through the Service is the operator of LetsCollab.bio. For privacy-related requests — including access, correction, deletion, and Google Calendar data concerns — contact feedback@getletscollab.com. We respond to verified requests within 30 days.

2. Information We Collect

2.1 Information You Provide

  • Account data: email address, authentication identifiers issued by our auth provider, display name, handle, password (stored only as a one-way hash by the auth provider; we never see plaintext passwords).
  • Profile content: bio, avatar, content categories, social and web links, public collab listings, and any other profile fields you choose to fill in.
  • Collab and request data: intake answers, brief details, messages, attachments, deliverables, contract status, invoice records, payment status, and workflow activity.
  • Payment-routing data: payment-link URLs, handles, or instructions you choose to store so requesters can pay you directly through your own processor. LetsCollab never collects, holds, settles, or routes funds (see Terms · "Payments").
  • Support and feedback: any content you submit through the in-app feedback form, support emails, or surveys.

2.2 Information Collected Automatically

  • Device and session data: IP address, user-agent string, locale, time zone, browser, OS, referrer, and pages visited — used for security, abuse prevention, and debugging.
  • Product analytics: feature usage, page performance, and aggregated event counts. Only collected when optional analytics are enabled by your privacy choice.
  • Cookies and local storage: required cookies for authentication, CSRF, and privacy choices; optional cookies for analytics. See Section 6.

2.3 Information From Third Parties

  • Authentication provider (Supabase Auth): the verified email and a stable subject identifier when you sign in.
  • Google sign-in or Google Calendar connection (optional): see Section 4.

3. How We Use Information

  • Operate public pages, collab listings, request intake, request threads, notifications, contracts, invoices, deliverables, and dashboard workflows.
  • Authenticate users, secure accounts, prevent abuse, debug issues, and maintain service reliability.
  • Send transactional notifications related to requests, messages, invoices, payments, contracts, deliverables, and account events.
  • Improve usability and performance using optional product analytics, subject to your privacy choice and Global Privacy Control.
  • Comply with legal obligations, enforce our Terms, and protect the rights, property, and safety of LetsCollab, our users, and the public.

The lawful bases for processing under GDPR/UK-GDPR are: performance of a contract (delivering the Service to you), legitimate interests (security, abuse prevention, product improvement), consent (optional analytics and certain communications), and legal obligation.

4. Google User Data — OAuth Scopes And Limited Use

Connecting Google Calendar is optional. If you connect Google Calendar, LetsCollab requests the following OAuth scopes:

  • openid, email — to identify the connected Google account so we can attach the calendar connection to your LetsCollab account.
  • https://www.googleapis.com/auth/calendar.readonly — to list the calendars on your Google account and read existing event timing so the dashboard can show your availability, conflicts, and next booked slot.
  • https://www.googleapis.com/auth/calendar.events — to create LetsCollab scheduling events on the calendar you choose when a booking is confirmed in LetsCollab.

The Google account email, the Google subject identifier (sub), the list of granted scopes, and an encrypted OAuth refresh token are stored so the backend can refresh access while you use calendar features. Calendar event details (calendar IDs, calendar names, event start/end times, event status, event transparency, and minimal event metadata required for the user-facing surface) are fetched at request time and are not retained as durable product records; we cache only the smallest working set needed to render the current scheduling view.

Limited Use disclosure. LetsCollab's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • We do not use Google user data, including Google Calendar data, to serve advertising.
  • We do not sell Google user data or transfer it to data brokers, advertising platforms, or third parties for the purpose of advertising or lead generation.
  • We do not use Google user data to train generalized or third-party AI/ML models.
  • We do not allow humans to read Google user data except (i) with your affirmative agreement for specific messages, (ii) for security or abuse investigation, (iii) to comply with law, (iv) to debug an issue you have reported, or (v) for aggregated, anonymized operational metrics.

You can revoke LetsCollab's access at any time by disconnecting Google Calendar from your in-app settings, or by visiting Google Account → Security → Third-party apps. Disconnecting deletes the stored refresh token from our systems within 7 days and stops further calendar API calls. Events already created on your Google Calendar through LetsCollab remain in your Google Calendar and can be managed there.

5. How We Share Information

We do not sell personal information. We share data only as needed to operate the Service, and only with service providers bound by confidentiality and data-protection obligations that limit their use to the services they perform for LetsCollab:

  • Hosting and database: Railway, Supabase (Postgres, Auth, Storage). Storage region: United States.
  • Transactional email: Resend.
  • Observability and error reporting: Sentry (scrubbing rules strip request bodies and known PII fields).
  • Authentication identity providers: Supabase Auth, and Google (when you sign in with Google or connect Google Calendar).
  • Optional product analytics: only when you opt in through the privacy banner; we do not enable analytics when Global Privacy Control is signaled.

We may also disclose information to comply with applicable law, valid legal process, or to investigate suspected fraud, abuse, or harm. In the event of a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality terms and continued protection under this Policy or a successor policy with substantively equivalent protections. We will notify affected users where required.

For international transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses and equivalent UK and Swiss safeguards with our service providers.

6. Cookies, Local Storage, And Privacy Controls

Required cookies and local storage keep authentication, CSRF protection, and your privacy choices working. Optional analytics cookies help us understand product usage and page performance. You can accept, reject, or change optional analytics through the in-app privacy banner at any time. If your browser sends the Global Privacy Control (GPC) signal, optional analytics remain off, and we treat the signal as a Do-Not-Sell/Do-Not-Share signal for California residents.

7. Data Retention

  • Account, profile, collab, request, message, invoice, contract, deliverable, and workflow data: retained while your account is active and for up to 30 days after deletion to allow recovery and complete pending transactions; then permanently deleted or de-identified, except where longer retention is required by law (for example, tax records may be retained up to 7 years).
  • Google Calendar refresh tokens and connection metadata: retained while the connection is active. When you disconnect or revoke access, the refresh token and connection metadata are deleted from our primary systems within 7 days; encrypted backup snapshots are rotated out within 90 days.
  • Security and audit logs: retained up to 13 months for fraud, abuse, and incident investigation.
  • Aggregated, de-identified analytics: retained indefinitely and cannot be re-associated with you.

8. Your Rights And Choices

8.1 Account Deletion

You can delete your LetsCollab account at any time from Settings → Profile → Delete account. Deletion removes your account, profile, collabs, request data, messages, attachments, invoices, deliverables, and the encrypted Google Calendar refresh token from active systems within 30 days, and from backups within 90 days. If you cannot access the in-app flow, email feedback@getletscollab.com from the email address on file and we will action the request within 30 days.

8.2 GDPR / UK-GDPR Rights (EEA, UK, Switzerland)

  • Right of access, rectification, erasure, restriction, and portability.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent (e.g., optional analytics) at any time without affecting prior processing.
  • Right to lodge a complaint with your local supervisory authority.

8.3 California Rights (CCPA / CPRA)

  • Right to know what categories of personal information we collect, use, and disclose, and the sources and purposes.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" — we do not sell personal information and we honor Global Privacy Control as an opt-out of sharing.
  • Right to non-discrimination for exercising any of the above rights.

To exercise any of the rights above, email feedback@getletscollab.com from the email address on file. We will verify the request and respond within statutory time limits (typically 30 days for GDPR, 45 days for CCPA).

9. Security

We use reasonable technical and organizational safeguards, including TLS for browser-to-backend traffic, encrypted storage for OAuth refresh tokens, least-privilege backend access, audit logging, and regular dependency monitoring. No internet service can guarantee absolute security; if you believe your account or data has been compromised, contact us immediately.

10. Children

The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact feedback@getletscollab.com and we will delete it.

11. Changes To This Policy

We will update this Privacy Policy when the Service, legal requirements, or our data practices change. We will revise the "Last updated" date above and, for material changes (especially any new use of Google user data), we will provide reasonable prior notice — through the app, by email, or both — and obtain consent where required before applying the change to existing data.

12. Contact

For privacy questions, data-subject requests, or Google user data concerns, contact feedback@getletscollab.com. We monitor this address and respond within 30 days.
