Colofon
Privacy
What we collect, and what we don’t.

Plain English

Colofon is a privacy-preserving compliance product. We hold ourselves to the same standard the product asks of vendors: publish what we collect, keep it minimal, and only retain what a clear purpose justifies.

This page is the authoritative description of what colofon.tech collects from visitors today. If we add anything that materially changes the picture, we’ll update this page and date the change.

What this website collects

Nothing in your browser. The colofon.tech landing site sets no cookies, runs no analytics, and embeds no third-party trackers. There is no consent banner because there is nothing to consent to.

Standard server logs. Our hosting provider (Vercel) records request metadata for every page load: timestamp, requested path, IP address, user agent, referrer. These are operational logs used for incident debugging and abuse mitigation. We do not link them to any other identity we hold about you.

Email you send us. If you contact hello@colofon.tech or any other Colofon address, the contents of that email arrive in our inbox. We retain it for as long as it is useful to whatever you wrote about, and no longer.

Demo bookings. If you book a demo through the Cal.com link in the navigation, Cal.com receives the information you give them (name, email, optional notes, chosen time). We see what Cal.com forwards to us; their own privacy practices are governed by their notice.

Third-party processors we use

  • Vercel — hosts the landing site, the docs, and the verifier. Receives request metadata as above.
  • Cal.com — hosts demo booking; receives whatever you provide on its booking form.
  • Email forwarding provider — relays mail sent to colofon.tech addresses to our inbox. The provider sees envelope metadata required to deliver the message.

We do not use Google Analytics, Meta pixels, Hotjar, Segment, or any other product whose business model is identity-based tracking.

External sites we link to

Some links on this site (e.g. github.com/colofonhq, regulator pages on gov.uk and EUR-Lex) take you to third-party sites. We don’t embed scripts or content from those sites on colofon.tech, so they don’t process data about you on our behalf — but once you follow the link, that site’s own privacy notice governs from there. We have no control over what they collect.

What the product itself collects

The privacy properties of the Colofon product (the agent, the SDK, the prover, the verifier) are described in the whitepaper and the per-circuit deep-dives. The headline: a Colofon bundle proves a specific compliance claim and carries the cryptographic commitment for that claim. The underlying evidence (your SBOM, your signers, your customer list, your incident contents) never leaves your infrastructure.

The hosted prover service operates under additional guarantees described in its repository, including witness scrubbing on completion. A formal cryptographic audit is in progress; the whitepaper is the current authoritative reference for the privacy model.

Your rights

If you are in the UK or EU, the UK GDPR and EU GDPR give you the right to know what personal data we hold about you, ask us to correct or delete it, object to processing, and lodge a complaint with a supervisory authority (in the UK, the Information Commissioner’s Office). Email hello@colofon.tech with the request.

In practice, the only personal data we are likely to hold about you is correspondence you have initiated with us, plus booking details if you used Cal.com. We will tell you what we have, and delete it if you ask us to.

Changes to this notice

If we add data collection (a contact form, a newsletter sign-up, product analytics), we will update this page before the change goes live and note the change date below. Changes are append-only — older versions remain referenced.