Privacy Policy

Coloo AI — Published by BCL — Version 1.0 — Effective date: 22 May 2026

This Privacy Policy describes how BCL, a company incorporated under French law, having its registered office at 200 rue de la Croix Nivert, 75015 Paris, France ("BCL", "we" or "our"), acting as data controller, collects and processes your personal data in connection with your use of the Coloo AI service (the "Service").

BCL is committed to protecting your privacy and to processing your personal data in accordance with Regulation (EU) 2016/679 of 27 April 2016 ("GDPR"), French Law n° 78-17 of 6 January 1978 as amended ("French Data Protection Act"), and any applicable regulation.

1. Definitions

• "Data" or "Personal Data": any information relating to an identified or identifiable natural person within the meaning of Article 4 of the GDPR.
• "Processing": any operation performed on Personal Data.
• "User": the adult natural person using the Service, acting in their own name or as the holder of parental authority over a minor.
• "Minor": any natural person under eighteen (18) years of age, and "Child": any minor under fifteen (15) years of age, in accordance with Article 45 of the French Data Protection Act.
• "Third-Party Platforms": social networks and other online services accessible via URLs that the User may submit to the Service.

2. Data controller

The data controller within the meaning of Article 4(7) of the GDPR is:

• Company: BCL
• Registered office: 200 rue de la Croix Nivert, 75015 Paris, France
• Email: jake@coloo.ai

3. Data Protection Officer (DPO)

For any question regarding the processing of your Personal Data or the exercise of your rights, you may contact BCL's data protection officer:

• Email: jake@coloo.ai
• Postal address: DPO Coloo AI, BCL, 200 rue de la Croix Nivert, 75015 Paris, France

4. Data collected, purposes and legal bases

The Personal Data we collect, the purposes for which they are processed, and the corresponding legal bases are as follows:

4.1 Account creation and management data

• Data collected: first name (or pseudonym), email address, password (hashed), date of account creation, sworn declaration of age (majority) and of legal guardian status where applicable.
• Purpose: to enable account creation and management, to identify and authenticate you.
• Legal basis: performance of the contract (Article 6.1.b GDPR).
• Retention period: for the duration of the account, then intermediate archiving for three (3) years for evidentiary purposes.

4.2 Payment and billing data

• Data collected: cardholder name and surname, billing address, card type and last digits (the full card number is never transmitted to or stored by BCL), transaction history.
• Purpose: to process payments, manage billing, perform tax and accounting obligations, prevent fraud.
• Legal basis: performance of the contract (Article 6.1.b GDPR) and compliance with a legal obligation (Article 6.1.c GDPR — accounting and tax obligations).
• Retention period: ten (10) years from the close of the accounting year, in accordance with Article L.123-22 of the French Commercial Code.
• Recipients: secure payment service provider; chartered accountant; tax authorities upon legal request.

4.3 Submitted URLs and Coloring Page generation data

• Data collected: URLs submitted by the User, technical metadata (timestamp, processing duration, conversion parameters), generated Coloring Pages.
• Purpose: provision of the Service, technical processing of the User's request, storage of Coloring Pages in the private account space.
• Legal basis: performance of the contract (Article 6.1.b GDPR).
• Retention period: Coloring Pages are kept on the User's account for as long as the User does not delete them or close their account. URLs and technical metadata are retained for up to thirty (30) days for support, debugging and abuse prevention purposes.
• Important: BCL does not permanently store or retain source video files extracted from Third-Party Platforms. Technical processing is ephemeral and intermediate files are deleted upon completion of processing.

4.4 Connection and usage data

• Data collected: IP address (anonymized after 13 months), session identifier, device type, operating system, browser, language, pages viewed, timestamps, technical performance data, error logs.
• Purpose: to ensure the security of the Service, prevent and detect fraud and abuse, measure audience, improve the Service.
• Legal basis: BCL's legitimate interest in ensuring the security, improvement and audience measurement of the Service (Article 6.1.f GDPR), balanced with the rights and freedoms of Users.
• Retention period: thirteen (13) months for technical logs; six (6) months for anonymized audience data.

4.5 Support communications

• Data collected: email, content of exchanges with support.
• Purpose: to handle your request and ensure customer support follow-up.
• Legal basis: performance of the contract (Article 6.1.b) or legitimate interest (Article 6.1.f).
• Retention period: three (3) years from the last exchange.

4.6 Marketing communications (newsletter, push)

• Data collected: email, communication preferences, open and click status.
• Purpose: to send you commercial information about new features, offers and capabilities of the Service or of BCL's similar products.
• Legal basis: consent (Article 6.1.a GDPR) or legitimate interest for existing customers regarding similar products (Article L.34-5 of the French Postal and Electronic Communications Code).
• Retention period: up to three (3) years after the last active contact or withdrawal of consent.
• You may unsubscribe at any time via the link present in each communication or by contacting us.

5. Cookies and trackers

The Service uses cookies and similar technologies. On your first visit, a consent management banner allows you to accept, refuse or configure each purpose, in accordance with the recommendations of the French Data Protection Authority (CNIL) and the ePrivacy directive.

• Strictly necessary cookies: authentication, session, security, load balancing (exempt from consent).
• Audience measurement cookies: anonymized statistics (depending on configuration, exempt from consent) or detailed statistics (subject to consent).
• Marketing/advertising cookies: strictly subject to prior consent and revocable at any time.

You may change your preferences at any time via the preference center accessible from the Service.

6. Minors and special protection of Children

THE SERVICE IS INTENDED FOR FAMILY USE UNDER ADULT SUPERVISION. NO ACCOUNT MAY BE CREATED BY A MINOR UNDER EIGHTEEN (18) YEARS OF AGE. THE VIDEO IMPORT FEATURE IS DESIGNED TO BE TRIGGERED EXCLUSIVELY BY THE ADULT ACCOUNT HOLDER (PARENT-GATING).

In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, for Children under fifteen (15) years of age, any processing of Personal Data based on consent requires the joint, express consent of the holder(s) of parental authority.

If you are a parent or holder of parental authority and you find that a Child has provided Personal Data to BCL, please contact us at jake@coloo.ai so that we may proceed with immediate deletion.

BCL actively minimizes the collection of data concerning end-user children: no collection of the child's first name, no photographs of the child, no advertising profiling of children, no open chat, no social features exposing the child to third parties.

7. Recipients and subprocessors

Your Personal Data is accessible to BCL personnel authorized within the strict limits of their duties, and to subprocessors acting on behalf of and under the instructions of BCL in accordance with Article 28 of the GDPR. These subprocessors include, in particular:

• Hosting and infrastructure provider: GoDaddy
• Payment service provider
• Transactional email service provider
• Customer support tool
• Audience measurement tool
• Technical observability and fraud prevention tools

Each subprocessor is bound to BCL by a subprocessing contract compliant with Article 28 of the GDPR, ensuring an adequate level of protection. An up-to-date list of subprocessors may be obtained upon request at jake@coloo.ai.

Your Data is never sold, rented or exchanged with third parties for commercial purposes.

8. Transfers outside the European Union

BCL prioritizes hosting and processing of Data within the European Union. Where a transfer outside the EU is necessary (in particular via a subprocessor), BCL ensures that such transfer is governed by one of the mechanisms provided in Articles 44 et seq. of the GDPR:

• Adequacy decision of the European Commission;
• Standard contractual clauses (SCC) adopted by the European Commission;
• Additional technical and organizational measures (encryption, pseudonymization, access controls) supplementing the SCCs, in accordance with EDPB Recommendations 01/2020.

The list of ongoing transfers and applicable safeguards may be obtained upon request at jake@coloo.ai.

9. Security

BCL implements appropriate technical and organizational measures to ensure the security, confidentiality, integrity and availability of Personal Data, taking into account the state of the art, implementation costs, the nature, scope and purposes of the processing, and the risks to the persons concerned.

• Encryption of Data in transit (TLS) and at rest (where technically applicable);
• Password hashing using state-of-the-art algorithms;
• Strict access controls, logging of access to sensitive Data;
• Regular backups and disaster recovery plan;
• Training of authorized personnel in security and Data protection;
• Documented procedure for Data breach management and notification to the supervisory authority within 72 hours in case of a breach likely to result in a risk to the rights and freedoms of persons.

10. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your Personal Data:

• Right of access: to obtain confirmation that your Data is being processed and to receive a copy.
• Right of rectification: to have inaccurate or incomplete Data corrected.
• Right to erasure ("right to be forgotten"): to have your Data deleted under the conditions of Article 17 of the GDPR.
• Right to restriction of processing: to have processing restricted under the conditions of Article 18.
• Right to portability: to receive your Data in a structured and commonly used format.
• Right to object: to object, on grounds relating to your particular situation, to processing based on legitimate interest, and at any time to processing for direct marketing purposes.
• Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
• Right to set post-mortem directives regarding the fate of your Data after your death.
• Right not to be subject to automated individual decision-making producing legal effects or similarly significantly affecting you (Article 22). Note: Coloo AI does not make automated decisions producing such effects.

To exercise these rights, contact the DPO at jake@coloo.ai or by postal mail to the address indicated in Article 3, providing proof of identity. BCL will respond within one (1) month, extendable by two (2) months for complex requests.

11. Right to lodge a complaint with a supervisory authority

If you consider that the processing of your Data does not comply with applicable regulations, you have the right to lodge a complaint with the French Data Protection Authority (CNIL):

• Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
• Phone: +33 1 53 73 22 22
• Website: www.cnil.fr

You may also lodge a complaint with the data protection authority of your habitual country of residence within the European Union.

12. Advertising profiling and generative AI

BCL does not engage in any advertising profiling of Children. BCL does not use Coloring Pages generated by Users or source content submitted by Users to train its own artificial intelligence models, unless the User gives explicit, revocable consent.

The Service uses third-party AI models for the technical conversion of frames into Coloring Pages. The terms of use and data processing by such third-party models are governed by the subprocessing agreements provided in Article 7.

13. Modifications to the Policy

BCL may modify this Privacy Policy at any time, in particular to reflect legal, regulatory or technical developments. Any substantive modification will be notified to you by email and/or via a notice displayed within the Service at least thirty (30) days before entry into force. Continued use of the Service after that date constitutes acceptance.

14. Contact

For any question relating to this Privacy Policy or your Personal Data:

• DPO: jake@coloo.ai
• Support: jake@coloo.ai
• Postal address: BCL — DPO Coloo AI — 200 rue de la Croix Nivert, 75015 Paris, France

END OF PRIVACY POLICY — Version 1.0 — 22 May 2026