How we handle personal data.

This policy explains what personal data KoLabs collects, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Croatian Personal Data Protection Act.

Last updated: 26 May 2026 · Version 1.0

1. Who we are

KoLabs is a Croatian sole-trader business (obrt) that provides influencer marketing services to direct-to-consumer brands. For the purposes of this policy and the GDPR, we are the data controller for personal data we collect about site visitors and the personnel of our brand clients. For personal data we process about creators (influencers) on behalf of our brand clients, we act as a data processor.

Business name: KoLabs (obrt)
Owner: Katarina Landeka
Registered address: Lugarski Put II/10, 31220 Višnjevac, Croatia
OIB (tax number): 27985017213
Obrtnica (trade registration): 14010010688
Contact for privacy: katarina@kolabs.agency

2. Scope

This policy applies to:

Visitors to kolabs.agency and any sub-domain we operate.
Personnel of our brand clients — the people at companies that engage KoLabs for influencer marketing services (account managers, marketing leads, founders).
Creators (influencers) we contact on behalf of brand clients as part of campaign delivery. We process their data as a data processor; the brand client is the controller.
Job applicants and contractors who interact with us in connection with KoLabs's operations.

3. What personal data we collect

We collect only the data we need to run the business and deliver services. We do not collect special categories of data (health, religion, biometric data, etc.) unless a creator volunteers it in a reply we receive on a client's behalf.

Category	Examples	Source
Site visitor data	IP address, browser type, pages visited, referring URL, approximate location (country/city), session timestamps	Collected automatically when you visit the site
Client personnel data	Full name, business email, role, phone, login identifiers	Provided by the client during onboarding or platform sign-up
Creator (influencer) data	Full name, social handle (Instagram, TikTok, YouTube), public email address, follower count, niche, postal shipping address (when accepting gifted products), order history	Public profile sources, voluntary creator replies, CSV imports provided by clients
Email content	Subject lines, body content, attachments of emails exchanged between KoLabs and creators on a client's behalf	Created or received during campaign delivery
Job applicants	CV, cover letter, work history, contact details	Provided by the applicant

4. Why we use this data (purposes and legal basis)

Service delivery

We use client and creator data to plan and run influencer marketing campaigns: discovering creators, sending outreach emails on the client's behalf, tracking responses, coordinating gifted-product shipments, and reporting results. Legal basis: performance of a contract with the client (Art. 6(1)(b) GDPR); legitimate interest in fulfilling the client's instructions toward creators (Art. 6(1)(f) GDPR).

Meta advertising (Media Buying App)

For brand clients who use our internal Media Buying App (mediabuying.kolabs.agency), we connect the brand's own Meta (Facebook and Instagram) advertising account through Meta's official OAuth login. Once connected, we process data from the Meta Marketing API on the brand's behalf and at its direction: ad account details, ad and campaign performance insights, and the brand's Facebook Page list. We use this to create, upload, schedule, pause, and report on the brand's paid social campaigns. We store a single Meta access token per connected brand, encrypted at rest (AES-256); we never store a copy in plain text and we never request or store any person's Meta login password. For this processing the brand client is the data controller of its own ad-account data and we act as its processor (technology provider). The access token and any cached Meta data are deleted when the brand disconnects the integration, when the engagement ends, or on request — see "Your rights" below. Legal basis: performance of a contract with the client (Art. 6(1)(b) GDPR).

Communications with clients and prospects

We use business contact data to communicate with current and prospective clients about services, project status, and invoicing. Legal basis: contract performance; legitimate interest in business communications with B2B contacts.

Legal and accounting obligations

We retain invoicing and financial records for the period required by Croatian tax law. Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR).

Site analytics and security

We collect basic visitor data to keep the site secure and understand usage patterns. Legal basis: legitimate interest in maintaining a functioning, secure site.

5. Who we share data with (sub-processors)

To run our services, we use the following third-party processors. Each is bound by a data processing agreement and operates under industry-standard security measures. We do not sell personal data to anyone.

Clerk, Inc.

Authentication and user account management for our internal platform

United States · SCCs

Supabase, Inc.

Database, file storage, and serverless functions backing our internal platform

United States (AWS eu-central-1 region) · SCCs

Anthropic, PBC

AI processing of email content for classification and response drafting (no model training on inputs)

United States · SCCs

Google LLC

Gmail API for sending and receiving outreach emails; Google Drive API for document storage

United States · SCCs

Shopify Inc.

Order creation and fulfillment integration for gifted-product collaborations

Canada · adequacy decision

Vercel Inc.

Hosting for kolabs.agency public website

United States · SCCs

Meta Platforms, Inc.

Marketing API to manage and report on connected brands' paid Facebook/Instagram ad campaigns (Media Buying App); Instagram Graph API for tracking creator content mentions

United States · SCCs

Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or — where applicable — an adequacy decision in respect of the receiving country.

We may also disclose personal data to legal, accounting, or tax advisors bound by professional confidentiality, and to public authorities where required by law.

6. How long we keep data (retention)

Data type	Retention period
Site visitor logs	30 days, then deleted or anonymised
Client personnel data (active engagement)	For the duration of the engagement and up to 30 days after termination
Creator data processed for a client	For the duration of the campaign, plus the period set in the data processing agreement with the client (typically 12 months)
Email content (outreach and replies)	For the duration of the engagement, plus 12 months for dispute resolution
Invoices and financial records	11 years (as required by Croatian tax and accounting law)
Job applications	6 months after the role is filled or withdrawn, unless the applicant consents to longer retention

After the retention period ends, we delete personal data or irreversibly anonymise it so it can no longer be linked to an individual.

7. Your rights under GDPR

If we process your personal data, you have the following rights. To exercise any of them, email katarina@kolabs.agency and we will respond within one month (extendable by up to two further months for complex requests, with reasons given).

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — ask us to delete your data where there is no overriding legal basis to keep it.
Restriction — ask us to pause processing in certain circumstances (e.g. while a rectification request is being reviewed).
Data portability — receive your data in a structured, machine-readable format and transmit it to another controller.
Objection — object to processing based on legitimate interest, including direct marketing.
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of past processing.
Lodge a complaint — with the Croatian supervisory authority (see Section 12).

If you are a creator whose data we are processing on behalf of a brand client, you can also exercise these rights against the brand directly as the data controller. We will forward your request to the relevant client if you reach out to us.

8. Cookies and similar technologies

We use a small number of cookies and local storage entries strictly necessary for the platform to function:

Clerk session cookie — keeps you signed in. Without it, you cannot use the internal platform.
localStorage — remembers your last active brand and UI preferences so the platform loads in a sensible state on return visits.

We do not use third-party advertising cookies, cross-site tracking pixels, or remarketing tags. Because all cookies we use are strictly necessary or first-party functional, no consent banner is required under the Croatian implementation of the ePrivacy Directive.

9. Security

We protect personal data with technical and organisational measures appropriate to the risk, including:

TLS encryption for all data in transit between browsers, our platform, and sub-processors.
Encryption at rest for the production database.
Strict access controls — only authorised personnel can access creator and client data, scoped per brand.
Multi-factor authentication on all administrative accounts.
Audit logging of significant actions (status changes, brand creation, sends, deletions).
Row-level security (RLS) policies that prevent any client's data from being accessible to another client.
Regular software updates and dependency monitoring.

No internet-connected system is fully immune to intrusion. If we ever become aware of a breach involving your personal data that creates a risk to your rights, we will notify you and the supervisory authority within 72 hours as required by Art. 33 GDPR.

10. International transfers

Several of our sub-processors are based outside the European Economic Area, primarily in the United States. Where this applies, we rely on:

Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to processors in countries without an adequacy decision.
Adequacy decisions for transfers to countries the European Commission has formally recognised as providing equivalent protection.
Additional supplementary measures (encryption in transit and at rest, access controls) where the receiving country presents specific risks.

11. Children

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at katarina@kolabs.agency and we will delete it without delay.

12. Supervisory authority

The supervisory authority responsible for data protection in Croatia is:

Name: Agencija za zaštitu osobnih podataka (AZOP)
Address: Selska cesta 136, 10000 Zagreb, Croatia
Website: azop.hr
Email: azop@azop.hr

If you believe we are processing your personal data in violation of the GDPR or Croatian law, you have the right to lodge a complaint with AZOP, without prejudice to any other remedy. We would appreciate the chance to address your concerns directly first — please reach out to katarina@kolabs.agency.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our services, legal requirements, or sub-processors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify users by email or via the platform.

14. Contact

Questions, requests, or complaints about this policy or our handling of your personal data: katarina@kolabs.agency.

Brand clients: we sign a separate Data Processing Agreement (DPA) with each client governing our role as processor of creator personal data on the client's behalf. Reach out if you'd like a copy of the current DPA template ahead of an engagement.