CollabSafe

Privacy Policy

Last updated: May 30, 2026

1. Information We Collect

When you use CollabSafe, we collect the following information:

  • Account information: Name, email address, and social media handles you provide during signup.
  • Agreement data: Brand names, creator details, payment amounts, deliverables, and other information you enter when creating agreements.
  • Usage data: Pages visited, features used, and general interaction patterns to improve our service.
  • Connected Gmail / Google account data (only if you connect Gmail): your Google account email address, Google user ID (sub), OAuth access token, refresh token, token expiry, and granted scopes. We request only the minimum scopes required: openid, email, profile, and https://www.googleapis.com/auth/gmail.send.
  • SMTP credentials (only if you connect a custom SMTP server): SMTP host, port, username, and password, used solely to send your reminder and follow-up emails on your behalf.

2. Gmail OAuth, Email Automation & Google API Services

Summary: CollabSafe uses the Google Gmail API solely for sending emails on behalf of authenticated users. We do not read, access, store, or modify users' inbox data. The Gmail permission requested is limited to: https://www.googleapis.com/auth/gmail.send.

CollabSafe lets you connect your Gmail or Google Workspace account so that reminder, follow-up, and notification emails (for example: brand task reminders, invoice payment reminders, agreement signing reminders) are sent from your own inbox instead of from CollabSafe's shared sender. This improves deliverability and keeps the conversation in your sent folder.

Scopes we request

  • openid, email, profile — to identify the connected Google account and display it in your settings.
  • https://www.googleapis.com/auth/gmail.send — to send emails on your behalf when you trigger a reminder or follow-up inside CollabSafe.

We do not request, read, list, search, modify, or delete any messages, threads, drafts, labels, settings, or contacts in your Gmail account. We have no read access to your inbox. Each email we send is one you explicitly initiated from within CollabSafe (manually or via reminder schedules you configured).

Limited Use compliance

CollabSafe's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained through Google APIs is:

  • used only to provide the user-facing email-sending feature you enabled;
  • never used to serve advertising;
  • never sold or transferred to third parties for purposes unrelated to the feature;
  • never used to train generalized AI / ML models;
  • never accessed by humans except (a) with your explicit consent, (b) for security or abuse investigations, or (c) when required by law.

3. Token Storage & Security

  • OAuth access tokens, refresh tokens, and SMTP credentials are stored encrypted at rest in our managed database (Lovable Cloud, powered by Supabase) in a row scoped to your user account.
  • Row-Level Security policies ensure no other user can read your tokens. Tokens are decrypted only inside server-side functions that send email on your behalf.
  • Tokens are transmitted only over TLS / HTTPS.
  • Refresh tokens are used solely to renew an expired access token so reminders you scheduled continue to work.
  • If a token becomes invalid (for example, you revoke access in your Google account), we mark the connection as disconnected and prompt you to reconnect.

4. How We Use Your Information

We use the information described above strictly to provide and improve the CollabSafe app's core functionality. Specifically, we use it to:

  • Provide, operate, and maintain the CollabSafe service.
  • Generate, store, and deliver your brand deal agreements, invoices, media kits, and related documents you create in the app.
  • Send the reminder, follow-up, and notification emails that you configure inside the app (via your connected Gmail account, your custom SMTP server, or CollabSafe's default sender if you have not connected one).
  • Authenticate you, secure your account, and send essential service-related communications (login, billing, security).
  • Diagnose, fix, and improve the in-app features you use (for example, fixing a failed send, debugging a template rendering issue).

Specific use of Google user data

Data obtained from Google APIs (your Google account email, Google user ID, OAuth tokens, and the act of sending email via gmail.send) is used only to provide and improve the user-facing email-sending feature you explicitly enabled inside CollabSafe. Google user data is:

  • Not used for advertising, marketing, profiling, or analytics of any kind.
  • Not sold, rented, or transferred to any third party.
  • Not used to train, fine-tune, or evaluate any generalized AI / ML model.
  • Not used to improve unrelated features, products, or templates — only the Gmail sending feature itself.
  • Not read or accessed by any human at CollabSafe, except (a) with your explicit consent, (b) when strictly necessary for security or abuse investigations, or (c) when required by law.

CollabSafe's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Storage & Security

Your data is stored securely using industry-standard encryption (TLS in transit, encryption at rest) on Lovable Cloud (powered by Supabase). Row-Level Security policies ensure each user can only access their own data. Only you can access your agreements — we do not share your data with brands or third parties except as described below.

6. Third-Party Integrations & Sub-processors

We rely on a small number of carefully chosen sub-processors to operate CollabSafe. These providers process data only on our instructions and under contractual confidentiality:

  • Lovable Cloud / Supabase — database, authentication, file storage, and serverless functions.
  • Google (Gmail API) — only when you connect your Gmail account, used to send emails on your behalf via the gmail.send scope.
  • Brevo — default transactional email delivery when you have not connected your own Gmail/SMTP.
  • Razorpay — payment processing for paid plans.
  • Cloudflare — DNS, CDN, and edge network.

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We may disclose data only when required by law or legal process.

7. Data Deletion & Your Rights

You are in full control of the data CollabSafe stores on your behalf. You may at any time:

  • Disconnect your Gmail account — go to Settings → Connected Accounts and click Disconnect. We will (a) call Google's token revocation endpoint (https://oauth2.googleapis.com/revoke) to invalidate the refresh and access tokens, and (b) delete the stored tokens, scopes, and Google account identifiers from our database. After disconnection, CollabSafe can no longer send email from your Gmail account.
  • Disconnect a custom SMTP server — same screen, Disconnect button. SMTP credentials are deleted from our database immediately.
  • Revoke access from Google directly — visit myaccount.google.com/permissions and remove "CollabSafe". Our stored tokens will become invalid on next use and the connection will be marked disconnected.
  • Delete an individual agreement, invoice, or document — from the dashboard, open the item and choose Delete.
  • Delete your entire account and all associated data — email contact@collabsafe.in from the address on your account, or write to the postal address below. We will permanently delete your profile, agreements, invoices, documents, OAuth tokens, SMTP credentials, sender logs, and any other personal data within 30 days of a verified request, except where retention is required by law (for example, GST/tax records for paid invoices). Backups are purged on their normal rotation cycle (no later than 60 days).
  • Access, export, or correct your data — write to the same address and we will respond within 30 days.

Data obtained via the Gmail API is subject to the same deletion guarantees and is removed immediately when you disconnect, when you delete your account, or when Google revokes our access.

8. Cookies

We use essential cookies to keep you logged in and maintain your session. We do not use tracking or advertising cookies.

9. Children

CollabSafe is not intended for users under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Founded by Gulzar Ahmed