Legal

Privacy Policy

Last updated June 3, 2026

Operator: Coldr LLC (“Coldr,” “we,” “us,” “our”).
Effective date: June 3, 2026
Contact: privacy@coldr.app · Coldr, Attn: Privacy, Massachusetts, USA

This Privacy Policy explains how Coldr LLC (“Coldr,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use the Coldr mobile apps and the websites at coldr.app and app.coldr.app (the “Service”). It is part of, and incorporated into, the Coldr Terms of Service. By using the Service you agree to this Privacy Policy.

The Service is hosted in the United States. If you access it from elsewhere, you understand your information is processed in the U.S.

1. Who we are

Coldr provides HVAC and refrigeration field-diagnostics tools: guided diagnostics, field calculators, OEM fault-code lookup, an AI assistant, live Bluetooth instrument readings, install/service guides, notes, and cross-device sync, for individual technicians and multi-seat shops (“Organizations”). Coldr is the controller of the personal information described here. Where you use Coldr through an Organization, the Organization may also act as a controller of data within its account.

2. Information we collect

2.1 Account information. Name, email address, password (stored hashed by our authentication provider), and, if you sign in with Google or Apple, the basic profile and identifier those services return. For Organizations: org name, role, seat assignment, and administrator details.

2.2 Billing information. Subscription plan, transaction history, and payment tokens. We do not store full payment card numbers. Web payments are processed by Stripe; in-app purchases are processed by Apple and Google (and managed via RevenueCat), which handle your card/payment-method data under their own terms.

2.3 Job and diagnostic data (“Service data”). Data you create or capture in the Service, including notes, equipment entries (brand/model/serial), calculator inputs and results, guided-diagnostic answers, fault codes, photos you add, and saved sessions/jobs.

2.4 Device and Bluetooth data. Device model, OS version, app version, language, and, when you connect Bluetooth instruments, the readings those instruments transmit (e.g., pressures, temperatures, superheat/subcool values) and basic identifiers needed to pair and stream from them.

2.5 AI prompt inputs. The text and context you submit to the AI assistant, and the responses generated. See Section 5 for how the AI provider processes these.

2.6 Usage and log data. Feature usage, in-app events, approximate request metadata, IP address, timestamps, crash and diagnostic logs, and analytics events used to operate and improve the Service.

2.7 Cookies and similar technologies. See Section 9.

We do not request precise GPS location, and we do not knowingly collect special categories of data. Do not enter customers’ sensitive personal data (such as full payment cards or government IDs) into notes or AI prompts.

3. How we use information, and our legal bases

We use personal information to:

Purpose | Examples | Legal basis (where applicable)
Provide the Service | Authenticate you, sync data across devices, run calculators/flows, stream BLE readings, generate AI responses | Performance of our contract with you
Billing | Process subscriptions, renewals, credits, and receipts | Performance of contract; legal obligation
Security and integrity | Detect/prevent fraud, abuse, and unauthorized access; enforce the AUP and fair-use limits | Legitimate interests; legal obligation
Support and communications | Respond to requests; send service, billing, and auto-renewal notices | Performance of contract; legitimate interests
Improve the Service | Analytics, crash diagnostics, feature development (using de-identified/aggregated data where feasible) | Legitimate interests; consent where required
Marketing | Product emails you may opt out of; SMS only with consent | Consent / legitimate interests (see Section 8)
Legal | Comply with law, respond to lawful requests, establish or defend legal claims | Legal obligation; legitimate interests

(Legal-basis labels reflect frameworks such as the GDPR for users to whom they apply; U.S. users are covered by the same practices.)

4. How we share information (sub-processors and recipients)

We do not sell your personal information for money. We share it only as described here:

4.1 Service sub-processors. We use trusted vendors that process personal information on our behalf under contracts that restrict their use of it:

Sub-processor | Purpose | Data involved
Supabase | Authentication and primary database/hosting (U.S. region) | Account, Service data, usage
Stripe | Web payment processing | Billing, payment tokens
RevenueCat | In-app purchase management | Subscription/entitlement status
Apple | iOS in-app purchases; Apple Sign-In | Purchase data; Apple identifier
Google | Google Sign-In (OAuth); Google Play in-app purchases | OAuth profile/identifier; purchase data
Google (Gemini API) | AI assistant model provider | AI prompt inputs and generated outputs (see Section 5)

4.2 Organizations. If you use Coldr under an Organization, your account status, role, seat usage, and Service data within that Organization’s scope may be visible to the Organization’s administrators and supervisors, consistent with the Organization’s settings.

4.3 Legal and safety. We may disclose information to comply with law or valid legal process, to enforce our agreements, or to protect the rights, safety, and property of Coldr, our users, or the public.

4.4 Business transfers. If Coldr is involved in a merger, acquisition, financing, or sale of assets, information may be transferred subject to this Policy.

5. AI assistant and your inputs

When you use the AI assistant, your prompts and the relevant context are transmitted to our LLM provider (currently Google’s Gemini API) to generate a response. Consistent with the provider’s API terms, AI inputs and outputs submitted through the API are processed to provide the service to you and are not used to train third-party (the provider’s) foundation models. AI output may be imperfect; see the Terms (Section 7) and the Disclaimer. Do not submit confidential third-party data or personal data you are not authorized to share.

6. Massachusetts data-security commitments (201 CMR 17.00)

Because we hold personal information of Massachusetts residents, we maintain a Written Information Security Program (WISP) and administrative, technical, and physical safeguards consistent with the Massachusetts Standards for the Protection of Personal Information, 201 CMR 17.00. These include, as applicable:

  • a documented information-security program proportionate to our size and the data we handle;
  • encryption of personal information transmitted across public networks and transmitted wirelessly, and encryption of personal information stored on laptops and other portable devices, as required by 201 CMR 17.04;
  • access controls, authentication, and limits on who may access personal information;
  • vendor oversight requiring our sub-processors to protect personal information; and
  • monitoring, and periodic review of the program.

7. Data-breach notification (M.G.L. c. 93H)

If we discover a breach of security involving the unencrypted personal information of a Massachusetts resident (or encrypted information together with the means to decrypt it), we will provide notice as soon as practicable and without unreasonable delay to the affected resident(s), the Massachusetts Attorney General, and the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), as required by M.G.L. c. 93H, and will comply with the notice requirements of any other applicable state’s breach-notification law.

8. Marketing email and SMS

8.1 Email (CAN-SPAM). We may send you product and marketing emails. Consistent with the CAN-SPAM Act (15 U.S.C. §§ 7701–7713), our commercial emails identify themselves as advertising where required, include our valid physical postal address, use accurate header and subject lines, and include a clear way to opt out. You can unsubscribe at any time using the link in the email, and we will honor opt-outs promptly (and for at least 30 days as required). Service, billing, security, and transactional messages are not marketing and may still be sent.

8.2 SMS (TCPA). We send text messages only where we have your consent. Where we use SMS, message and data rates may apply, frequency varies, and you can opt out by replying STOP (and get help with HELP). Our SMS practices are designed to comply with the Telephone Consumer Protection Act (“TCPA,” 47 U.S.C. § 227) and its rules.

9. Cookies and similar technologies

On our websites we use:

  • Strictly necessary cookies for authentication and security (for example, to keep you signed in and to support “Keep me signed in”);
  • Functional storage (such as local storage) to remember preferences and preserve in-progress work; and
  • Analytics to understand usage and improve the Service.

Mobile apps use device storage and SDKs for similar purposes. You can control cookies through your browser settings; disabling necessary cookies may break sign-in.

10. Children’s privacy (COPPA)

The Service is intended for adults (18+) in the trades and is not directed to children. Consistent with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us information, contact privacy@coldr.app and we will delete it.

11. Your California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.), gives you the following rights, subject to legal exceptions:

  • Right to know / access the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of recipients.
  • Right to delete personal information we collect, subject to exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of “sale” or “sharing” of personal information. We do not sell personal information for money, and we do not share it for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right).
  • Right to non-discrimination for exercising these rights.

Categories collected map to Section 2 (identifiers; account/commercial information; internet/usage activity; device/Bluetooth data; and the content you submit). Categories of sources and recipients are described in Sections 2 and 4. To exercise rights, contact privacy@coldr.app; we will verify your request and respond within the timeframes the law requires. You may use an authorized agent.

12. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service, then for a reasonable period to comply with legal, tax, accounting, security, and dispute-resolution obligations. We may retain de-identified or aggregated data that no longer identifies you. When data is no longer needed, we delete or de-identify it.

13. Your access and deletion rights (all users)

Regardless of where you live, you can:

  • access and update most account and Service data within the app or at app.coldr.app;
  • export or request a copy of your data by contacting privacy@coldr.app; and
  • delete your account and data within the Service or by contacting privacy@coldr.app (residual backup copies are purged on our normal cycle).

If you use Coldr through an Organization, some requests may be directed to or coordinated with the Organization that controls the account.

14. Security

We use industry-standard administrative, technical, and physical safeguards (including encryption in transit, access controls, and our 201 CMR 17.00 WISP). No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. Protect your credentials and notify us at privacy@coldr.app of any suspected compromise.

15. Changes to this Policy

We may update this Policy. Material changes will be communicated by email or in-Service notice, with the updated effective date. Continued use after the effective date constitutes acceptance.

16. Contact us

Questions or privacy requests: privacy@coldr.app · Coldr, Attn: Privacy, Massachusetts, USA.
Massachusetts consumers may also contact the Massachusetts Attorney General’s Office and OCABR regarding privacy and consumer matters.