Legal · Privacy · updated Jun 2026
Privacy Policy
1. Who We Are
ColPort Mill ("Mill", "we", "us") is an AI-powered SCORM course generator operated by ColPort, which is the data controller for the personal data described in this policy. Our platform and database are hosted on EU servers in Germany. You can reach us about any privacy matter at privacy@colport.io.
2. Data We Collect
- Account data: Name, email, password (hashed), organization name
- Course data: Topics, content, generated courses, audio files, images
- Usage data: Credits used, courses created, login timestamps
- Payment data: Processed by Stripe (we don't store card numbers)
3. How We Use Your Data
- To provide the course generation service
- To process payments and manage subscriptions
- To monitor and improve the reliability and quality of the service, using aggregated, non-content usage metrics
- To send service-related communications
- To keep the service secure and prevent abuse or fraud
4. Legal Bases for Processing
Under the GDPR we rely on the following legal bases (Article 6):
- Performance of a contract (Art. 6(1)(b)) — to create your account, generate your courses, and provide the service you signed up for.
- Legal obligation (Art. 6(1)(c)) — to keep payment and invoicing records required by tax and accounting law.
- Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, and improve reliability using aggregated metrics. We balance these against your rights and you may object (see Section 10).
- Consent (Art. 6(1)(a)) — for any optional feature that asks for it. You can withdraw consent at any time.
5. AI and Your Content
We do not use your content to train AI models — not ours, and not our providers'. Mill generates courses by sending your prompts and content to third-party AI providers over their business APIs purely to return a result to you. Anthropic (Claude) and Google process this content under data-processing agreements that exclude using API inputs or outputs to train their models, and Mill does not train, fine-tune, or build any model of its own. Your content is used to produce your course, and for nothing else.
6. Third-Party Processors
- Anthropic (Claude AI): Content generation — US-based; processed under a DPA with EU Standard Contractual Clauses, and excluded from model training
- Google Cloud: Translation, TTS audio, image generation — EU processing where available; any transfer outside the EEA is covered by Standard Contractual Clauses
- Hetzner Online GmbH: Database + application hosting — Falkenstein, Germany (EEA)
- Stripe: Payment processing — PCI DSS Level 1 certified
- Resend: Transactional email delivery (verification, billing, course notifications) — name + email address only
- HeyGen: AI avatar video rendering (only when the avatar feature is used) — script text only, no account PII
- Upstash: Rate limiting infrastructure — anonymised request counters only, no personal content
7. International Data Transfers
Your personal data is stored within the EEA (Germany). Some processors (for example Anthropic, and Google where EU processing is not available) may process data in the United States. Where that happens, the transfer is protected by the European Commission's Standard Contractual Clauses together with supplementary safeguards, so your data keeps an equivalent level of protection. A copy of the relevant safeguards is available on request at privacy@colport.io.
8. Data Retention
We retain your data for as long as your account is active. After subscription cancellation, course data is retained for 30 days, then permanently deleted. You can request immediate deletion at any time. Payment and invoicing records are kept for as long as tax and accounting law requires.
9. Cookies
Mill uses only strictly necessary cookies: a session cookie (sign-in), a language preference, a theme preference, and a short-lived access token when you open a course shared with you. We do not use analytics, advertising, or cross-site tracking cookies, and we do not load third-party trackers. Because every cookie we set is essential for the service to function, no consent banner is shown; if we ever introduce optional cookies, we will ask for your consent first.
10. Your Rights (GDPR)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Export your data in a machine-readable format
- Restriction: Ask us to limit how we process your data
- Objection: Object to processing based on our legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time (this does not affect prior processing)
To exercise any of these rights, email privacy@colport.io. We respond within one month. You also have the right to lodge a complaint with a data protection supervisory authority — typically the one in your country of residence or where you believe the issue occurred.
11. Children
Mill is a workplace and training tool that is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Security
We use industry-standard security measures including HTTPS encryption, bcrypt password hashing, and EU-hosted infrastructure. All data is processed within the EU where possible.
13. Changes to This Policy
We may update this policy as the service evolves or the law changes. When we do, we will revise the "updated" date above, and for material changes we will give you reasonable notice (for example by email or an in-app notice) before they take effect.
14. Contact
For privacy inquiries: privacy@colport.io