Privacy Policy
Effective Date: February 11, 2026
Last Updated: February 11, 2026
1. Introduction
Welcome to Colorflare (“we,” “us,” or “our”). Colorflare is a global social platform where users communicate through colors and emojis — no words, no accounts. We are committed to protecting your privacy and being transparent about how we handle your information.
This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. This Privacy Policy forms part of, and is governed by, our Terms of Service. By using Colorflare, you enter into a contract with us on the terms set out in our Terms of Service, and we process your data as necessary to perform that contract and as otherwise described below.
For information about how we use cookies and similar technologies, please see our Cookie Policy.
2. Data We Collect
2.1 Data We Collect Automatically
| Data | Description | Purpose |
|---|---|---|
| Device Identifier (UUID) | A randomly generated unique identifier stored on your device. This is not linked to your name, email, or any personal account. | To provide core service functionality and distinguish users within Spaces |
| Country Code | An ISO 3166-1 alpha-2 country code (e.g., “US,” “JP”) derived from your IP address via Vercel's edge network. This identifies only your country, not your city, region, or precise location. | To display country-based statistics and participation data within Spaces |
| Activity Data | Colors you post, emojis you share, Spaces you join, and timestamps of your activity | To provide core service features (color distribution, emoji feeds, Sync Moments) |
| Session Identifier | A browser session ID | To manage your participation within Spaces during a session |
| IP Address Hash (Pseudonymized Data) | A one-way HMAC SHA-256 hash of your IP address (the first 32 characters). We do not store your raw IP address. Note: Under the GDPR, this hashed value is considered pseudonymized data and is treated as personal data. While the hash cannot be reversed to obtain your original IP address, it is used to identify repeat requests from the same source for rate limiting purposes. | Rate limiting and abuse prevention only |
2.2 Data You Provide
| Data | Description | Purpose |
|---|---|---|
| Transfer Code | A temporary code you may generate to transfer your device identity to another device | Device migration. Codes expire automatically. |
2.3 Aggregated Statistical Data (Non-Personal)
We also generate and store aggregated, anonymized statistics that cannot identify any individual user, including:
- Daily summaries (total users, total posts, color distribution, top Spaces)
- Sync Moment records (country distribution of participants at the moment of synchronization)
- Space activity statistics (vibe logs)
2.4 Data We Do NOT Collect
Colorflare is designed with privacy as a core principle. We do not collect:
- Email addresses (for general users)
- Names, physical addresses, or phone numbers
- Passwords (for general users)
- Payment or financial information (currently; see Section 11)
- Precise geolocation data (GPS, Wi-Fi, or Bluetooth-based)
- Raw IP addresses (only pseudonymized hashed derivatives are stored)
- Photos, messages, or text content (the service uses only colors and emojis)
3. How We Use Your Data
We use the data described above for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service — enabling participation in Spaces, displaying color and emoji feeds, generating Sync Moments | Performance of a contract (Article 6(1)(b)) — necessary to deliver the core service you use under our Terms of Service |
| Displaying Country Statistics — showing country-based participation data in Spaces and World views | Performance of a contract (Article 6(1)(b)) — integral to the service experience as described in our Terms of Service |
| Security & Abuse Prevention — rate limiting, detecting and preventing abusive behavior | Legitimate interest (Article 6(1)(f)) — protecting users and service integrity. We have conducted a balancing test and determined that our interest in maintaining a secure service does not override your rights and freedoms, particularly given the minimal and pseudonymized nature of the data processed for this purpose. |
| Aggregated Analytics — generating daily summaries and statistical insights (fully anonymized) | Legitimate interest (Article 6(1)(f)) — improving the service. This processing involves only anonymized, aggregated data that cannot identify individuals. |
| Device Transfer — enabling users to migrate their identity to a new device | Performance of a contract (Article 6(1)(b)) — fulfilling a user-initiated request |
We do not use your data for advertising, profiling, or selling to third parties.
4. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal data. We share data only with the following service providers who process data on our behalf:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting and real-time communication | Device UUID, country code, activity data, session ID |
| Upstash Redis | Rate limiting | IP address hash, request counts (temporary) |
| Vercel | Application hosting, edge functions, country code detection | IP address (processed at edge, not stored by us), country code |
| Twemoji (Twitter/X) | Emoji SVG asset delivery | No personal data shared; static assets only |
| GitHub Actions | Automated daily summary generation | No personal data shared; server-to-server API calls only |
Each third-party provider operates under its own privacy policy and data processing agreements. We encourage you to review their respective privacy policies.
5. International Data Transfers
Colorflare is operated from Japan and uses service providers that may process data outside your country of residence, including outside the EU/EEA. When your data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Reliance on service providers' compliance with applicable data protection frameworks
By using Colorflare, you acknowledge that your data may be processed in countries with different data protection standards than your country of residence.
6. Data Retention
| Data | Retention Period |
|---|---|
| Device UUID | Retained until the user record is deleted |
| Country Code | Automatically reset every 30 days |
| Activity Data (colors, emojis, Space participation) | Retained until the user record is deleted |
| Session Identifiers | Deleted when the associated Space or user is deleted (CASCADE) |
| Transfer Codes | Expire automatically after a set period |
| IP Address Hashes (Pseudonymized) | Temporary; expire automatically based on a defined expiration period (used for rate limiting only) |
| Aggregated Statistics | Retained indefinitely (non-personal, anonymized) |
Data Deletion
When a user record is deleted, all associated personal data is automatically removed through cascading deletion, including: activity data, Space participation records, emoji posts, World posts, Sync Cards, and transfer codes.
7. Your Rights
7.1 Rights Under the GDPR (EU/EEA Residents)
If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation:
- Right of Access — Request a copy of the personal data we hold about you
- Right to Rectification — Request correction of inaccurate or incomplete data
- Right to Erasure (“Right to Be Forgotten”) — Request deletion of your personal data
- Right to Restriction of Processing — Request that we limit how we use your data
- Right to Data Portability — Receive your data in a structured, commonly used, machine-readable format
- Right to Object — Object to processing based on legitimate interests
- Right to Lodge a Complaint — File a complaint with your local data protection authority
To exercise any of these rights, please contact us at colorflare.app@gmail.com.
We will respond to your request within 30 days. Since Colorflare does not require account registration, we may request additional information to verify your identity before processing your request. If we are unable to verify your identity, we may be unable to fulfill your request, as permitted under applicable law (GDPR Article 12(6)).
7.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights:
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete — Request deletion of your personal information
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out.
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights
To exercise your rights, please contact us at colorflare.app@gmail.com.
8. Children's Privacy
Colorflare is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. Since Colorflare does not require account registration and collects minimal data, we have limited ability to determine the age of our users.
If you believe a child under the applicable age has provided us with personal data, please contact us at colorflare.app@gmail.com, and we will take steps to delete such data.
9. Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption in transit — All communications with our service providers (Supabase, Upstash Redis, Vercel) use HTTPS/TLS
- IP address hashing — Raw IP addresses are never stored; only pseudonymized HMAC SHA-256 hashes are used for rate limiting
- Row Level Security (RLS) — Database access controls ensure data isolation
- Rate limiting — Protects against abuse and automated attacks
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Data Breach Response
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law (including GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Take immediate steps to contain, investigate, and remediate the breach
- Document the breach including its nature, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it
Due to the minimal personal data we collect (no email addresses or names for general users), direct notification to affected users may not always be possible. In such cases, we will make a public communication or take a similar measure to inform affected users, as provided for under GDPR Article 34(3)(c).
11. Future Changes — Paid Features
Colorflare may introduce paid features (such as tipping/donation functionality) in the future. If we do, we may collect additional data necessary for payment processing (e.g., through Stripe). We will update this Privacy Policy before collecting any additional data and will notify users of material changes.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Provide at least 30 days' advance notice through a prominent notice within the Service before the changes take effect
Your continued use of Colorflare after the notice period constitutes your acceptance of the updated Privacy Policy.
13. EU Representative
As our processing of EU/EEA residents' data is occasional and does not include special categories of data on a large scale, we are currently exempt from the requirement to appoint an EU representative under Article 27(2)(a) of the GDPR. If this status changes, we will appoint an EU representative and update this Privacy Policy accordingly.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: colorflare.app@gmail.com
Data Protection Inquiries: For data protection-specific inquiries, please contact our data protection contact at: colorflare.app@gmail.com
For EU/EEA residents, you also have the right to lodge a complaint with your local data protection supervisory authority.
This Privacy Policy is governed by the laws of Japan.