Privacy Notice

Last updated: March 2026

This notice explains how decodeCoLab collects, uses and looks after the information you share when using The CoLab platform. We've written it in plain language because we think you deserve to understand exactly what happens with your data.

Who we are

The CoLab is a product of decodeCoLab, an impact evaluation and facilitation practice. When you use The CoLab, decodeCoLab is the data controller — meaning we are responsible for how your data is handled.

Our legal basis for processing

decodeCoLab operates primarily in Malawi and processes personal data in accordance with the Malawi Data Protection Act 2024. Where users are based in the UK or EU, we also comply with UK GDPR and the EU General Data Protection Regulation (GDPR).

We process your personal data on the following legal bases:

  • Contract — processing your account information and project data is necessary to provide the service you have requested
  • Legitimate interests — we review platform usage and AI-generated outputs during the pilot to ensure quality and improve the service. We have assessed that this does not override your privacy rights given the limited and controlled nature of the pilot
  • Legal obligation — we may retain certain records where required by law

If you are based in Malawi and have concerns about how we handle your data, you may contact the Malawi Communications Regulatory Authority (MACRA), which oversees data protection under the 2024 Act. If you are based in the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk. EU-based users may contact their local data protection authority.

What we collect

When you request access or use The CoLab, we collect:

  • Your name, email address, organisation and country
  • The reason you gave for wanting access
  • Content you and your team enter into the platform — including responses to questions, problem statements, outcomes and impact pathways
  • Basic usage information — when you last signed in, whether certain features have been used

How we use your information

We use your information to:

  • Provide and improve The CoLab platform
  • Communicate with you about your account
  • Review and approve access requests
  • Monitor platform usage and quality during the pilot period

A note on pilot oversight: During the current pilot phase, decodeCoLab may review the content generated within the platform — including AI-generated outputs such as problem statements, outcomes and pathways — for the purpose of quality assurance and platform improvement. This helps us ensure Decode is performing well and that the platform is delivering value. We will not share your content with any third party or use it for any commercial purpose.

AI processing

The CoLab uses Decode, an AI assistant powered by Anthropic's Claude. When your team's responses are used to generate outputs, that content is sent to Anthropic's API for processing. Anthropic processes this data as a data processor on our behalf. You can read Anthropic's privacy policy at anthropic.com/privacy.

We do not use your data to train AI models.

Who we share data with

We do not sell your data or share it with third parties for marketing purposes. We use the following trusted service providers to operate the platform:

  • Supabase — database and authentication
  • Anthropic — AI processing (Decode)
  • Vercel — hosting and infrastructure
  • Resend — email delivery

Each of these providers processes data only as necessary to deliver the service.

How long we keep your data

We keep your account and project data for as long as your account is active. If you request deletion of your account, we will remove your personal data and project content within 30 days.

Your rights

Under the Malawi Data Protection Act 2024, UK GDPR and EU GDPR you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request erasure of your personal data (the right to be forgotten)
  • Restrict or object to how we process your data
  • Receive your data in a structured, machine-readable format (data portability)
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at the address below. We will respond within one calendar month.

Cookies and tracking

The CoLab uses session storage and local storage in your browser to keep you signed in and remember your preferences. We do not use third-party advertising cookies or tracking pixels.

Get in touch

If you have any questions about this notice or how we handle your data, please contact us:

Email us at bouchra.ic@icloud.com

We aim to respond to all privacy enquiries within 5 working days.