Privacy Policy

Last updated: March 26, 2026

Colmenita ("we", "us", "our") operates the Colmena mobile application and website (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you may have under applicable data protection law, including the GDPR.

1. Controller and Contact

For the personal data described in this policy, Colmenita is the controller. You can contact us about privacy or data-protection questions at privacy@colmenita.com.

2. Information We Collect

Account and Sign-in Data

When you are invited to and join Colmena, we collect your email address, sign-in credentials for email login, Google or Apple account identifiers if you choose those sign-in methods, session records, and basic account status information such as your role and active cluster.

Profile, Listing, and Transaction Data

We collect the information you provide or create in the Service, including child age-range profiles, bundle descriptions, condition details, listing photos, reservations, messages with other users, issue reports, invite requests, and wallet or ledger records needed to run the exchange flow.

Device, Notification, and Analytics Data

We collect basic device information such as device type, operating system version, and app version. If you enable notifications, we also store your push token so we can deliver service notifications. Release mobile builds with embedded PostHog configuration also send limited product analytics events and screen views to PostHog to help us understand feature usage and app reliability. Local Expo development runs do not send those analytics events.

3. How We Use Your Information and Legal Bases

We use personal data only where we have a valid legal basis. Depending on the context, that basis is performance of a contract with you, taking steps at your request before providing the Service, compliance with legal obligations, or our legitimate interests in operating a safe and reliable community exchange.

• Account access and core service operation: to create your account, sign you in, manage cluster access, and run browse, listing, reservation, chat, and wallet flows.
• Moderation, safety, and fraud prevention: to review listings, investigate issues, enforce our terms, and keep audit trails for account and admin actions.
• Service notifications: to send reservation and message updates through push notifications where your device permissions allow it.
• Product improvement: to measure feature use and app reliability in release mobile builds with embedded PostHog configuration through limited analytics events and screen views.
• Legal and accounting compliance: to keep records required for disputes, accounting integrity, fraud prevention, and legal obligations.

4. How We Share Your Information

We do not sell your personal data and we do not use it for third-party advertising. We may share limited personal data in these circumstances:

• With other users: other members of your cluster can see the listings and exchange information needed to participate in reservations with you. Messages are shared with the other participant in the reservation thread.
• Authentication, notification, and analytics providers: we use Google and Apple for optional sign-in methods, Expo for mobile push delivery, and PostHog for release mobile product analytics when the app build includes PostHog configuration.
• Infrastructure and storage providers: we use hosting, database, backup, and object-storage systems to run the Service and store uploaded photos and operational records.
• Legal requirements: We may disclose information if required by law, regulation, or legal process.

5. International Transfers

Some of the providers we use may process data outside the country where you are located, including outside the EEA or UK. When that happens, we rely on applicable contractual, organisational, and legal safeguards intended to protect your personal data.

6. Data Storage and Security

Your data is stored in secured database, backup, and object-storage systems. Photos are stored using S3-compatible object storage. We use technical and organisational measures designed to protect personal data, including encrypted connections, authentication controls, and access limits for administrative tools.

7. Data Retention

We retain your account data for as long as your account is active. When you delete your account, we delete or remove from active use your sign-in credentials, active sessions, child profiles, push tokens, bundle photos, bundle free-text fields, and message bodies you sent. We keep only the minimum remaining records needed to preserve shared transaction history, maintain wallet and ledger integrity, handle disputes, prevent fraud, meet legal or accounting obligations, and keep admin audit logs. Those retained records are reduced to a deleted-account reference where possible, are not used to reopen your account, and are reviewed periodically for deletion or further minimization when they are no longer needed.

We do not apply an extra waiting period before processing an account-deletion request.

We also keep disaster-recovery database backups in a rolling set of up to 20 archives. Deleted data may remain in those backups until they rotate out, but the backups are kept only for recovery and are not used to restore a deleted account in normal operation.

8. Your Rights

Depending on your jurisdiction, including if the GDPR applies to you, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your personal data
• Object to or restrict certain processing
• Request a portable copy of your data
• Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at the email address below or use the delete-account instructions on this website and in the app. We may ask for additional information to confirm your identity before acting on a request. We respond without undue delay and, where the GDPR applies, in principle within 1 month of receiving your request.

9. Children’s Privacy

Colmena is a service for parents and families. The Service is not directed at children under 16, and we do not knowingly collect personal data from children. All accounts are held by adult family members.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or by other means. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at: privacy@colmenita.com