Privacy Policy

Last updated: 2026-06-04  |  Effective date: 2026-06-04

1. Who We Are and How to Contact Us

Cobalt ("Cobalt", "we", "us", "our") is a hosted visual moodboard service operated at app.cobalt.photos (marketing site cobalt.photos). The data controller responsible for your personal data is:

Jakub Ludwig, IČO 88711111
U Obory 1004, 675 71 Náměšť nad Oslavou, Czech Republic
Sole trader (OSVČ / podnikající fyzická osoba).
Contact for privacy matters: privacy@cobalt.photos (A working, monitored mailbox at this address must exist before publication.)

For any privacy enquiry, data-subject request, or complaint, write to the address above. We will respond within one month of receiving your request (extendable by up to two further months for complex or numerous requests, with notice to you), as required by GDPR Art. 12(3).

2. Scope

This policy applies to personal data we process when you access or use Cobalt — when you sign in, create and store content, use public share links, view or contribute to a shared board, contact us for support, or subscribe to a paid plan. It does not cover third-party sites linked from boards, or the practices of an AI provider you choose to connect (see Section 5).

3. Personal Data We Collect

3.1 Account Data (Sign in with Google)

We use "Sign in with Google" (Google OAuth) as the only sign-in method for end users. When you sign in, Google provides us the data you authorise: your email address, display name, profile picture URL, and Google account identifier (Google id). We do not receive or store your Google password. We assign you an internal user ID and store your account creation date, plan/subscription tier, and storage usage.

3.2 User Content

You may upload images (which can include photographs of people) and create notes, hyperlinks, board layouts, and column structures. We store this content in Google Cloud object storage (see Section 7). You are the primary party responsible for ensuring uploaded content complies with applicable law, including obligations arising from images of identifiable individuals (see Section 12).

3.3 Share-Link and Visitor Data

When you create a public share link we record its creation time and the permissions you set (view-only or contributor). When someone accesses a share link, our servers and our CDN (Cloudflare) process the visitor's IP address, request metadata (browser type, referrer), and a view-count increment. We do not build persistent profiles of anonymous visitors. Anonymous visitors are data subjects of Cobalt in their own right (not only of the board owner); we process their connection data on the basis of our legitimate interest in delivering and securing the Service (see Section 4).

3.4 Contributor Content

If you enable "contributor" access on a share link, anyone with the link can add images, notes, or comments without an account. We store the submitted content and a timestamp. Where contributed content contains personal data, both Cobalt and the board owner have roles: Cobalt is the controller for hosting and securing the platform, while the board owner determines what is collected on their board and is responsible for that content under our Terms. We provide a route for affected individuals to exercise their rights (see Section 12.1).

3.5 Support Communications

If you email us, we retain your email address, the content of your message, and follow-up correspondence for as long as reasonably necessary to handle your query and a limited period thereafter.

3.6 Payment and Billing Data

Paid subscriptions are sold through our Merchant of Record, Polar, which acts as the seller of record and collects and processes your billing details, payment method, and tax data directly. We do not receive or store your full card number or bank details. From Polar we receive a customer/transaction reference and your subscription status, plan, and billing-period dates.

3.7 Authentication Tokens, Cookies, and Similar Technologies

To keep you signed in and to secure sign-in, we use a small number of strictly necessary technologies (an authentication token stored in your browser's local storage, and a short-lived sign-in security cookie). We do not use third-party advertising or cross-site tracking cookies. These are described in full in our separate Cookie / GDPR Consent Notice. [Analytics: state the chosen tool here, or "we do not use analytics". If a cookie-based analytics tool is ever added, update the cookie notice and add a consent banner.]

4. Purposes and Legal Bases (GDPR Art. 6)

Purpose  |  Data used  |  Legal basis (GDPR Art. 6)
Create and maintain your account; authenticate you via Sign in with Google  |  Email, display name, profile picture, Google id, internal user ID  |  Art. 6(1)(b) — performance of a contract
Provide and operate the Service (store and display boards, images, content)  |  User Content, uploaded images  |  Art. 6(1)(b) — performance of a contract
Enable and serve public share links to viewers and contributors you invite  |  Share-link metadata, view counts, contributor content  |  Art. 6(1)(b) — performance of a contract (for you, the board owner)
Capture connection data of anonymous share-link visitors; security and abuse prevention; server/access logging  |  IP address, request metadata, server and security logs, session data  |  Art. 6(1)(f) — legitimate interests in delivering, securing, and protecting the Service against fraud and abuse. Balancing test documented internally (data minimised, short retention, no profiling); you may object under Art. 21.
Provision and manage paid plans; reconcile subscription status from Polar  |  Customer/transaction reference, subscription status, plan, period dates  |  Art. 6(1)(b) — performance of a contract
Respond to support requests  |  Support email correspondence  |  Art. 6(1)(f) — legitimate interest in helping users (or Art. 6(1)(b) where your request concerns the contract)
Enforce storage quotas; communicate plan limits and the over-quota grace window  |  Account data, storage-usage metrics  |  Art. 6(1)(b) — performance of a contract
Keep accounting and tax records  |  Billing reference and account data  |  Art. 6(1)(c) — compliance with a legal obligation (Czech accounting/tax law)
Analytics / service improvement (only if a tool is in use)  |  [State data, or "not applicable — no analytics"]  |  [Art. 6(1)(a) consent if cookie-based, or Art. 6(1)(f) for privacy-friendly aggregate analytics — confirm once a tool is chosen]

Automated decision-making (Art. 22). We do not carry out solely automated decision-making that produces legal or similarly significant effects on you. Quota enforcement is a simple rule-based limit and never deletes your data.

5. AI Integration (MCP / Access Token)

Cobalt offers an optional integration that lets you connect an external AI assistant (for example, Claude by Anthropic) to your account using an access token you generate in the Service. When enabled, the assistant can read and write boards on your behalf, strictly according to your instructions.

We do not send your data to AI providers on our own initiative. When your connected assistant requests board data, our servers transmit that data to the assistant only in response to your token-authorised request. In that flow the AI provider receives the personal data contained in the boards you expose to it; you decide the scope of access, and you should review the AI provider's own privacy policy, which may involve a transfer to a provider outside the EEA. [Lawyer: confirm the recipient/onward-transfer characterisation for the AI provider(s) you officially support, and whether they should be listed as recipients.] The legal basis for this feature is Art. 6(1)(b) (the integration you chose to activate).

6. Sharing and Disclosure

We do not sell personal data and do not share it with third parties for their own marketing. We disclose personal data only:

7. Sub-processors

We rely on the following sub-processors, each bound by a data-processing agreement (DPA) and, where required, EU Standard Contractual Clauses (SCCs) or another valid transfer mechanism:

Sub-processor  |  Role  |  Data processed  |  Location / transfer basis
Polar [Polar legal entity — confirm]  |  Merchant of Record / seller of record; payment processing, invoicing, EU VAT  |  Billing name, email, billing address, payment method, tax data (collected by Polar directly), transaction reference  |  [Confirm Polar's processing locations and transfer mechanism (SCCs / adequacy / DPF) and link its DPA]
Google Cloud Platform (Google Cloud EMEA Ltd / Google Ireland Ltd / Google LLC)  |  Application hosting (compute) and object storage for uploaded content  |  All User Content, uploaded images, account data, application and security logs  |  [Confirm GCP region, e.g. EU — and link the Google Cloud DPA / SCCs for any non-EEA support access]
PostgreSQL database on a Google Cloud VM  |  Primary application database (accounts, board metadata, subscription status, the storage ledger)  |  Account data, board/element metadata, subscription and usage records (not card data)  |  Runs on Google Cloud infrastructure (same region as hosting). [Confirm region]
Cloudflare, Inc.  |  CDN, DNS, DDoS/WAF protection, and delivery of the marketing site and app (Cloudflare Pages)  |  Visitor IP addresses, HTTP request metadata; TLS termination at the edge  |  [Global edge network with US parent — confirm Cloudflare's current DPF certification status and rely on SCCs as fallback; link the Cloudflare DPA]
Google (Google Ireland Ltd / Google LLC)  |  "Sign in with Google" (OAuth) identity provider  |  Email, display name, profile picture URL, Google account id (received at sign-in)  |  [Confirm transfer basis for Google identity services; link the relevant Google terms/DPA]
[Email/support provider — e.g. Gmail/Google Workspace, Fastmail]  |  Transactional email and support inbox  |  Email address, transactional and support correspondence  |  [Confirm provider, location, and DPA]

We may change sub-processors; how we notify you is described in our separate Data Processing Addendum (DPA).

8. International Data Transfers

Our primary hosting and database are on Google Cloud [in the EU — confirm region]. Some sub-processors (notably Cloudflare, Google's identity services, and an AI provider you connect) may process data outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on an appropriate safeguard for the specific recipient:

[Lawyer/founder: state the specific mechanism per recipient (Polar, Cloudflare, Google, GCP, AI provider) once confirmed — GDPR Art. 13(1)(f) requires identifying the safeguard and how to obtain a copy.] You may request a copy of the applicable safeguards by contacting privacy@cobalt.photos.

9. Data Retention

Category  |  Retention
Account and profile data  |  Kept while your account exists. On deletion, deleted or anonymised within 90 days, except where law requires longer retention.
User Content (boards, notes, images)  |  Kept while your account is active. Deleted from live systems within 90 days of account deletion; backups purge within a further 30 days. Content is never automatically deleted because of an exceeded storage quota — the account becomes upload-restricted instead, with a 30-day informational grace window.
Share-link metadata and view counts  |  Deleted with the associated board or account.
Contributor content  |  Kept as part of the board; deleted when the board owner deletes the board or closes their account, subject to the 90-day cycle.
Support emails  |  Kept for up to 3 years after a thread is closed, or longer if needed for a legal claim.
Accounting / tax records  |  Polar retains billing records per its own policies as seller of record. We keep our transaction reference and accounting records for the statutory period required of a Czech sole trader. [Confirm period with a tax adviser — accounting records are generally 5 years under Act No. 563/1991 Coll.; VAT-related documents are 10 years where applicable. State the correct figure here.]
Security and server logs (incl. IP addresses)  |  Kept for a short period for security and troubleshooting, then deleted or anonymised. [State the actual period — keep as short as practicable, e.g. up to 90 days; tie to the Art. 6(1)(f) basis.]

10. Security

We apply technical and organisational measures proportionate to the risk, including:

No system is perfectly secure. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the Czech supervisory authority (ÚOOÚ) within 72 hours of becoming aware, and affected individuals without undue delay where required.

11. Children

Cobalt is a paid service intended for adults and is not directed at children. For data-protection consent purposes, the relevant age of digital consent in the Czech Republic is 15 years, as set by § 7 of Act No. 110/2019 Coll. (lowering the GDPR Art. 8 default of 16). We do not knowingly process personal data of children below the applicable age of digital consent in their country. Separately, our Terms of Service set a minimum contractual account age of 16 (with full legal capacity, generally 18, required to purchase a paid plan). If you believe a child has provided us personal data, contact privacy@cobalt.photos and we will delete it promptly.

12. Images Depicting Identifiable People

Photographers using Cobalt may upload images depicting identifiable individuals. Ordinary photographs of people are personal data, but mere storage and display of opaque image files does not, by itself, amount to processing of biometric special-category data under GDPR Art. 9. We do not perform facial recognition or any automated biometric processing of images.

As the uploader, you are responsible for ensuring that:

12.1 Rights of People Depicted in Content (Non-Users)

If you are not a Cobalt user but believe a board (for example a public share link) contains your image or other personal data about you, you can contact us at privacy@cobalt.photos to exercise your rights — including objection and erasure. We will act on such requests and, where appropriate, work with the board owner who uploaded the content. This route exists specifically so that people depicted in uploaded content, who never registered with Cobalt, can still exercise their data-protection rights.

13. Your Rights Under GDPR

As a data subject in the EU/EEA you have the right to:

To exercise a right, contact privacy@cobalt.photos. We respond within one month (extendable as noted in Section 1). We may need to verify your identity proportionately before acting (Art. 12(6)).

Right to complain. You may lodge a complaint with the Czech supervisory authority:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
www.uoou.cz

You may also complain to the supervisory authority where you live or work.

14. Changes to This Policy

We may update this policy. For material changes we will notify registered users by email and update the "Last updated" date above. Continued use after the effective date indicates you have read the update. Where a change introduces new processing that requires your consent, we will obtain that consent affirmatively — we do not treat continued use as consent to new processing for which consent is the lawful basis.

15. Contact

Privacy enquiries, subject-access requests, and other data-protection matters:
Jakub Ludwig, IČO 88711111
U Obory 1004, 675 71 Náměšť nad Oslavou, Czech Republic
privacy@cobalt.photos


© 2026 Jakub Ludwig — Cobalt (cobalt.photos). Last updated: 4 June 2026.