Privacy Policy

Last updated: 29 April 2026

kolma.app is operated by a natural person resident in Spain. In this policy, “we”, “us” and “our” refer to kolma.app and its operator.

1. What data we collect

We collect the following categories of personal data:

Category	Examples
Account & authentication	Email address, display name, OAuth profile (if you sign in with Google, GitHub, etc.)
Profile	Language preference, role within the school
Organisational	School membership, family relationships, commission memberships
Contribution	Community hours logged, tasks completed, approval records
Communication	Messages you send or receive within the platform
Educational	Class enrolment, student names, attendance records
Voting	Consultation responses (anonymous votes are stored with a cryptographic hash, not your identity)
Bookings	Space reservations you create
Files	Documents, images and newsletters you upload
Technical	Error logs (via Sentry), IP address for rate limiting, session cookie
Aggregate feed telemetry	Counters per task or photo in the activity feed (total views, dwell events, thanks, claims) — no per-user record

About aggregate feed telemetry: when a task or photo is rendered in the activity feed, we increment counters on that task or photo (total views, thanks, etc.). We do not record who viewed or interacted with which item — only the aggregate total. This lets school managers see which commissions generate the most engagement without tracking individual reading behaviour. You cannot opt out because nothing personal is stored; the counters are a property of the task/photo, not of you.

2. How we collect your data

Directly from you — when you register, complete your profile, send messages, log hours, upload files or vote.
From your school — when a school manager adds you to a class, commission or family group.
Automatically — session cookies for authentication, language preference cookie, and error reports sent to Sentry.

3. Why we process your data and our legal basis

Purpose	Legal basis (GDPR Art. 6)
Provide the service (authentication, data storage, messaging)	Performance of contract
School administration (hours, tasks, attendance, voting)	Performance of contract
Security (rate limiting, audit logs)	Legitimate interest
Error monitoring (Sentry)	Legitimate interest
Language preference cookie	Legitimate interest (functional)

We do not process your data for advertising or profiling purposes.

4. Third-party processors

We use the following services to operate kolma.app. All are bound by data processing agreements:

Service	Purpose	Data location
Google Firebase (Firestore, Auth, Storage)	Database, authentication, file storage	EU (europe-west1)
Vercel	Hosting, serverless functions	EU
Sentry	Error tracking	EU (Frankfurt)
Resend	Transactional and digest email delivery	United States (DPF / SCC)

We do not sell, share or transfer your data to any other third party.

5. International data transfers

Your data is stored and processed primarily within the European Union. Some of our processors (Google, Resend) are US-based companies. Where data is processed outside the EU, transfers are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

6. Cookies

kolma.app uses only functional cookies:

Cookie	Purpose	Duration
`__session`	Authentication (keeps you signed in)	1 hour
`NEXT_LOCALE`	Language preference	1 year

We do not use advertising, analytics or tracking cookies. No cookie consent banner is required because all cookies are strictly necessary or functional.

7. Data retention

Account data — retained while your account is active. Deleted upon account deletion.
School data — retained per your school’s archival policy (configurable: keep, clean after review, or delete).
Audit logs — retained for up to 2 years, then automatically deleted.
Document agreement records— when you agree to a school document (policy, onboarding, consent, information), an audit row is preserved as legal proof of the act. On revocation or account deletion, the rendered personal context (e.g. your child’s name) is removed but the structural record (timestamps, document version, hashed network fingerprint, your role at the time of signing) is retained for up to 6 years for legal-defence purposes (Art. 17(3)(e) GDPR, Spanish CC Art. 1964), then automatically deleted by a daily retention sweep.
Error logs (Sentry) — automatically deleted after 90 days.

8. Your rights

Under GDPR and Spanish LOPDGDD, you have the right to:

Access — request a copy of your personal data.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data (“right to be forgotten”).
Restriction — limit how we process your data.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interest.

To exercise any of these rights, contact us at hello@kolma.app. We will respond within 30 days.

9. Data security

We protect your data with HTTPS encryption, secure HTTP-only session cookies, Content Security Policy headers, role-based access control, school-scoped data isolation, and audit logging of all administrative actions.

10. Children

kolma.app is designed for school communities. User accounts are created by adults (parents, teachers, school managers). Student names may be stored as part of class management, but students do not create accounts or interact with the platform directly. The minimum age to create an account is 14 years (per Spanish LOPDGDD Art. 7).

11. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes via the platform. The current version is always available at this page.

12. Contact

hello@kolma.app

13. Supervisory authority

If you believe we have not handled your data correctly, you may file a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid.

← kolma.app