Legal · Version 1.0

Privacy Policy

How Corollary collects, uses, and protects your data — written in plain language, governed by our commitment to transparency.

Effective: February 25, 2026 · Last Updated: February 25, 2026

Governance Principle 3 — Transparency

This policy is written to be understood, not to obscure. Every data practice described here is subject to community governance review. If we change how we handle your data, you'll know before it happens, and the community council has authority to reject changes that violate governance principles.

1. Who We Are

Corollary (“we,” “us,” “our”) operates the corollary.tools platform — an AI tool marketplace governed by seven binding principles. This Privacy Policy explains what data we collect, why, and what rights you have over it.

Our data controller is Corollary, and you can reach our privacy team at privacy@corollary.tools.

2. Data We Collect

Data you provide

Account information: email address, username, display name, and password (hashed, never stored in plain text)
Profile information: bio, website URL, GitHub URL, and avatar
Tools you create: source code, metadata, descriptions, schemas, and configuration
Reviews and ratings you leave on other tools
Communications: messages to our support team
Payment information: processed by Stripe — we never see or store your full card number

Data collected automatically

Usage data: pages visited, features used, tools downloaded or forked, session duration
Device data: browser type, operating system, screen resolution, and language preference
Network data: IP address (anonymized after 30 days), approximate location (city-level, never precise)
Performance data: page load times, errors encountered, API response times

Data we do NOT collect

What we don't do

We do not read, analyze, train on, or sell the source code of your tools. We do not track you across other websites. We do not build advertising profiles. We do not use dark patterns to extract additional data. We do not sell any personal data — ever.

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Provide the platform	Account info, tools, usage data	Contract
Process payments	Payment info (via Stripe)	Contract
Display your public profile	Username, display name, bio, tools	Contract
Prevent fraud and abuse	IP address, usage patterns	Legitimate interest
Improve the platform	Anonymized usage and performance data	Legitimate interest
Service notifications	Email address	Contract
Marketing emails	Email address	Consent

We do not use your data for purposes not listed above. If we ever need to use data for a new purpose, we will notify you and obtain consent where required.

4. Your Source Code and Intellectual Property

This section is especially important because it reflects Governance Principle 5 (Human Value) and Principle 6 (Anti-Concentration).

You own your source code. We claim no intellectual property rights over tools you create.
We do not use your source code to train AI models — not ours, not anyone else's.
We do not analyze your code for competitive intelligence or sell insights derived from it.
Your code is stored encrypted at rest and transmitted over TLS.
You can export all your tools and data at any time (see Section 8).
If you mark a tool as open-source, the license you choose governs its use — we enforce that license, not override it.

5. AI Processing and Builder Sessions

When you use the Builder to generate tools, your prompts are sent to a third-party AI provider (currently Anthropic) to generate responses. Here's what that means for your data:

Your prompts and the generated code are stored in your builder session history, which only you can access.
We do not share your prompts with Anthropic for model training — we use their API under terms that prohibit training on input data.
Builder sessions are retained for 90 days after last activity, then automatically deleted. You can delete them manually at any time.
We log token usage and cost per session for billing purposes but do not log the content of prompts or responses beyond your session history.

6. Data Sharing

We share data with third parties only in these limited circumstances:

Service providers

Stripe: payment processing (governed by Stripe's Privacy Policy)
Cloudflare: CDN, DDoS protection, and file storage (data processed under their Privacy Policy)
Anthropic: AI model inference for Builder sessions (no training on input data per API terms)

Legal requirements

We may disclose data if required by law, subpoena, or court order. If legally permitted, we will notify you before doing so.

What we will never do

Sell your personal data to any third party
Share your data with advertisers
Provide your data to data brokers
Allow third parties to use your data for profiling or targeting

7. Data Retention

Data Type	Retention Period	After Deletion
Account information	Duration of account	Deleted within 30 days of account deletion
Published tools	Duration of account	Source code deleted; public forks remain under their fork license
Builder sessions	90 days after last activity	Permanently deleted
Payment records	7 years (tax/legal requirement)	Anonymized after retention period
IP addresses	30 days	Anonymized
Usage analytics	24 months (anonymized)	Aggregated, no individual identification possible
Support communications	2 years after last contact	Permanently deleted

8. Your Rights

Regardless of where you live, we extend these rights to all users — not just those in jurisdictions that require them:

Access: Request a copy of all data we hold about you.
Correction: Update or correct inaccurate data.
Deletion: Delete your account and all associated data (subject to legal retention requirements).
Export: Download all your tools, profile data, and session history in standard formats (JSON, ZIP).
Restriction: Ask us to limit how we process your data.
Objection: Object to processing based on legitimate interest.
Portability: Receive your data in a machine-readable format to transfer to another service.

Governance Principle 2 — Creator Ownership

Data portability is a right, not a feature we can revoke. You can export everything at any time through your dashboard. If we ever fail to honor this right, the community council has authority to enforce it — including mandating a platform-wide data export.

To exercise any of these rights, email privacy@corollary.tools. We respond within 30 days.

9. Security

We protect your data through multiple layers:

All data transmitted over TLS 1.3 encryption
Source code and sensitive data encrypted at rest (AES-256)
Passwords hashed using bcrypt with per-user salts
JWT tokens with short expiration (access: 15 minutes, refresh: 7 days)
Rate limiting on authentication endpoints to prevent brute-force attacks
Regular security audits and dependency updates
Infrastructure hosted on Cloudflare with DDoS protection

No system is 100% secure. If we ever discover a breach affecting your data, we will notify affected users within 72 hours and report to relevant authorities as required by law.

10. Cookies and Tracking

We use minimal cookies:

Cookie	Purpose	Duration	Type
access_token	Authentication (JWT)	15 minutes	Essential
refresh_token	Session persistence	7 days	Essential
theme_pref	UI preference	1 year	Essential

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking pixels. We do not participate in ad networks or retargeting programs.

11. Children's Privacy

Corollary is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it immediately. If you believe a child has provided us with data, please contact privacy@corollary.tools.

12. International Data Transfers

Our infrastructure is primarily hosted in the United States. If you are accessing Corollary from outside the US, your data may be transferred to and processed in the US. We ensure appropriate safeguards are in place, including standard contractual clauses where required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do:

We will update the “Last Updated” date at the top of this page.
For material changes, we will notify you by email and display a prominent notice on the platform.
Material changes to data collection or sharing require 30 days advance notice before taking effect.
The community governance council may review and object to changes that conflict with governance principles.

14. Contact

If you have questions about this Privacy Policy or want to exercise your rights:

Email: privacy@corollary.tools
General inquiries: hello@corollary.tools

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.