Privacy Policy

Who We Are And How To Reach Us

Colour Curver is currently operated by Ruben Rekker as an individual based in Australia while the service is being validated before a company is formally registered. In this policy, references to Colour Curver, we, us, and our mean that current individual operator unless and until this policy is updated after a company formation or restructuring. If you have questions, requests, or complaints about privacy, contact privacy@colourcurver.com.

What This Policy Covers

This policy covers the public website, the palette editor, account and billing surfaces, public and private palette sharing, collaboration features for teams and workspaces, beta access request flows, and the current Figma and Sketch plugin surfaces.

It applies to information processed through the current production service and integrations visible in the codebase, including Supabase for authentication and data storage, Stripe for paid billing flows, and Upstash Redis or in-memory fallbacks for rate limiting.

Information You Give Us

When you create an account or accept an invite, we process account information such as your email address, password credentials handled through Supabase Auth, and any profile details you add such as display name or locale preference.

When you create or save work in the editor, we process palette data, palette names, colours, exportable palette metadata, publishing settings, and sharing settings including public slugs, tags, descriptions, private-share tokens, and optional password-protection state for private publishing flows.

When you collaborate through teams and workspaces, we process team membership, workspace access roles, invite targets, invite email addresses, invite delivery state, and related collaboration metadata needed to grant, review, revoke, or restore access.

When you request beta access, submit feedback, contact support, or interact with account-management surfaces, we process the information you choose to send, including names, email addresses, messages, and the administrative metadata needed to respond or enforce policy.

Information We Collect Automatically

The service processes technical request data such as IP-derived network information, user-agent strings, request identifiers, route outcomes, error codes, and other operational metadata used for reliability, abuse prevention, auditability, and debugging.

The service tracks some interaction events for published palettes, including views and remixes. These flows use short-lived cookies and hashed request signals to reduce duplicate counting and rate-limit abuse rather than to build broad behavioural advertising profiles.

The service also stores limited browser-side state, including locale preference cookies, short-lived anti-duplicate palette-view cookies, and local auth access cache entries used to keep signed-in surfaces responsive.

How We Use Information

We use information to create and secure accounts, verify sessions, honour invitation and access rules, persist your palettes and workspace state, deliver published and private sharing features, and let collaborators work inside teams and workspaces.

We use information to process subscriptions, open checkout and billing portal flows, apply plan entitlements, manage invite queues, review beta access requests, send transactional authentication or invite emails through our providers, and provide customer support.

We also use information to detect fraud and abuse, enforce rate limits, investigate errors, maintain audit trails for sensitive actions, and improve the product through service-level telemetry and operational diagnostics.

Public Palettes, Private Links, And Collaboration

If you choose to publish a palette publicly, other users may be able to discover it through public routes and feeds, and may see information such as the palette title, colours, slug, description, tags, author or team identity, and public interaction counts.

If you choose private sharing, access may depend on an opaque share token and, in some flows, an access password. Anyone you share those credentials with may be able to view the linked palette, so you should share them carefully.

If you collaborate inside a team or workspace, other authorised members may see palette metadata, membership details, invite state, workspace names, and role information as needed for the collaboration features implemented by the service.

Payments And Service Providers

The current codebase uses Supabase for authentication, session handling, account email flows, and core application data storage; Stripe for checkout, subscriptions, recurring billing state, and billing portal actions; and Upstash Redis or compatible fallbacks for rate limiting and service protection.

Palette exports and design-tool workflows may also involve the current Figma and Sketch plugin surfaces. Depending on the flow, those integrations can read palette data from Colour Curver, write design-token data into the tool, or use configured local integration endpoints.

We share information with service providers only to the extent reasonably needed to operate those features. As at the last updated date of this policy, the production product flows described here do not include third-party advertising networks or social-media tracking SDKs.

Because these providers may store or process information in jurisdictions outside Australia, your information may be disclosed to or accessed from other countries depending on provider infrastructure, billing flow, delivery route, or account email processing.

Cookies, Local Storage, And Similar Signals

Colour Curver currently uses a small set of cookies and local browser storage for functional purposes, including locale preference, short-lived anti-duplicate palette-view tracking, session-adjacent access caching, and test or environment-specific authentication helpers where enabled.

If you block or clear cookies or local storage, parts of the product may stop working as expected, especially sign-in persistence, locale handling, anti-abuse counters, and some public palette interaction flows.

Retention, Deletion, And Security

We retain information for as long as reasonably needed to operate the service, enforce access and billing rules, keep audit and collaboration records, resolve disputes, and meet legal or security obligations. Retention periods can vary by data type, and we do not currently publish a single universal retention schedule for every table, log, or event stream.

Account deletion and related administrative actions can remove user-owned palette data and revoke associated access, but some billing, security, invite, moderation, or audit records may remain when needed for operational integrity or compliance.

We rely on provider and application-level safeguards that are visible in the current stack, but no internet or software system can be guaranteed perfectly secure. You should use a strong password and protect any private share links or team invites that you control.

Your Privacy Choices And Rights

You can choose whether to keep a palette private, share it by token, or publish it publicly. You can also update account details that the product exposes, manage team access where your role allows it, and request account deletion through the available account flows.

If you need a privacy-related correction, access request, deletion review, or complaint handling step that is not available directly in the app, contact us and we will review the request against the product's current operational and legal constraints and any law that applies to us.

If the Privacy Act 1988 (Cth), the Australian Privacy Principles, or another applicable privacy law gives you rights to access, correction, complaint handling, or other protections, nothing in this policy is intended to limit those rights.

Australia-First Privacy Position

Colour Curver is currently being validated before a company is formed. We nevertheless intend to handle personal information in a manner consistent with responsible Australia-first privacy practice, including limiting collection to what is reasonably needed for product operations and addressing access, correction, and complaint requests in good faith.

If you are in Australia and believe we have mishandled your personal information, please contact us first so we can try to resolve the issue. Where the Privacy Act 1988 (Cth) applies and you are not satisfied with our response, you may also have the right to complain to the Office of the Australian Information Commissioner.

Children's Privacy

Colour Curver is not intended for children under 13, and the service Terms require users to be at least 13 years old.

Changes To This Policy

We may update this Privacy Policy as the product, infrastructure, billing model, collaboration features, or legal obligations change. When we make material updates, we will revise the page content and its effective-date language.