CONELO

Legal

Privacy Policy

Effective Date: June 1, 2026

1. Who We Are

Conelo, an unincorporated business operated by its founders, with formal entity formation pending, doing business as Conelo ("Conelo," "we," "us," or "our"), provides an online marketplace that connects business buyers ("Buyers") with senior independent experts ("Experts") for paid engagements.

You can reach us at:

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

2. Scope

This policy applies to:

  • The Conelo website at https://www.conelo.co and any subdomains we operate.
  • The Conelo platform and the services we provide through it (account creation, marketplace browsing, Q&A engagements, video sessions, workshops, payments, and related features).
  • Transactional communications we send (for example, account, engagement, and security emails).

It does not apply to third-party websites, applications, or services that you reach through links from Conelo, even if they integrate with us. Those third parties have their own privacy practices.

3. Information We Collect

We collect the categories of information below. Some of it you give us directly; some we collect automatically; some we receive from third parties (for example, LinkedIn or Stripe).

3.1 Account Data

  • Name, email address, and password hash (for users who sign in with email and password).
  • For users who sign in with LinkedIn: the profile information LinkedIn returns through OAuth (typically name, email, profile photo, profile URL, headline).
  • Account role: Buyer, Expert, or Admin.
  • Account preferences and settings.

3.2 Expert-Specific Data

If you apply to be an Expert or operate an Expert account, we additionally collect:

  • Application materials (background, credentials, references, work samples).
  • Expert profile content: bio, headline, headshot or portrait media, services offered, pricing, availability windows, response-time SLA.
  • Stripe Connect onboarding data, including identity information, tax information, and bank or payout details. This information is collected and held by Stripe under Stripe's terms and privacy policy. Conelo receives only the metadata Stripe returns to us (for example, account status, payout status, and reference identifiers).
  • Tax forms and 1099 information facilitated through Stripe.

3.3 Buyer-Specific Data

If you use Conelo as a Buyer, we collect:

  • Engagement history: which Experts you have purchased from, engagement type (Q&A, video session, workshop), dates, status, and amounts.
  • Payment data: payment card and bank information you enter goes directly to Stripe; we receive only metadata such as a payment reference, the last four digits of a card, brand, billing ZIP, and authorization status.
  • Q&A message content you exchange with an Expert through the platform.
  • Calendar and meeting metadata for video sessions and workshops (scheduled time, duration, Google Meet link, attendance status). Conelo does not record video sessions or workshops, and Conelo does not access the audio or video stream.
  • Team information if you operate under a team account: team name, team members, role assignments, and team-level ledger entries.

3.4 Usage Data

When you visit or use Conelo we automatically collect:

  • IP address, used for rate limiting, abuse prevention, and approximate location.
  • User agent string, device type, operating system, and browser.
  • Referring URL and the pages you visited on Conelo.
  • Timestamps of requests.
  • Product analytics events sent to PostHog (for example, page views, button clicks, and engagement funnel events). Where you are signed in, these events may be associated with your account ID; where you are not signed in, we use a pseudonymous device identifier.

3.5 Communications

  • Transactional email we send to you through Resend (account confirmations, engagement notifications, payout notifications, security alerts).
  • Messages you send to our support address.

We do not currently send marketing email.

3.6 Cookies and Similar Technologies

We use a small set of cookies and similar storage technologies:

Cookie or storeTypePurpose
Auth.js session cookieFirst-party, httpOnly, secure, session or rollingKeeps you signed in to your Conelo account.
waitlist_bypassFirst-party, httpOnly, secureSet when an authorized founder enters the waitlist bypass secret during the pre-launch period; allows the bearer to view the marketplace behind the waitlist gate.
conelo_intentFirst-partyRemembers your intent (for example, "apply as Expert") across an OAuth round-trip so we can resume the flow you started.
PostHog cookies or local storageFirst-party (through our proxy)Product analytics: page views, feature usage, funnel events. Where regional law requires, we set these only after consent. Where you are not signed in, an anonymous device identifier is used.
Stripe cookiesThird-party, set when you open a Stripe checkout or onboarding pageFraud prevention and session continuity for payment flows. Governed by Stripe's privacy policy.
Vercel and infrastructure cookiesFirst-partyRouting, load balancing, and security.

You can clear or block cookies through your browser. Blocking the session cookie will sign you out and may break features that require an account.

3.7 Information from Third Parties

  • LinkedIn, when you sign in or connect: profile fields you authorize.
  • Stripe, for payments and Expert payouts: account status, payout status, dispute notifications, and tax reporting metadata.
  • Google, when you schedule a video session or workshop: Google Meet meeting metadata. We do not access the contents of the Meet session.

4. How We Use Personal Information

We use the information above to:

  1. Provide the Service. Create and authenticate accounts; let Buyers browse and purchase from Experts; route Q&A messages; create and manage video sessions and workshops; process payments and payouts through Stripe; deliver transactional emails.
  2. Security and fraud prevention. Rate-limit sensitive endpoints; detect abuse; investigate suspicious activity; enforce our Terms of Service and Acceptable Use Policy.
  3. Customer support. Answer questions and resolve disputes about engagements.
  4. Product analytics and improvement. Understand which features are used and how, fix bugs, and improve the platform.
  5. Legal compliance. Tax reporting (including 1099-K facilitated through Stripe), responses to lawful requests, retention obligations, and exercise or defense of legal claims.
  6. Communications. Send you transactional and service-related messages. If we later introduce marketing email, we will obtain consent where required and provide an unsubscribe option.

5. Lawful Bases (EU/UK/EEA Users)

If you are in the European Union, the United Kingdom, or the European Economic Area, we rely on the following lawful bases under the GDPR and UK GDPR:

  • Performance of a contract. Most operations needed to deliver the Service to you.
  • Legitimate interests. Security, fraud prevention, internal analytics, and improving the platform, balanced against your rights and interests.
  • Consent. Where required, for non-essential analytics cookies and any future marketing communications. You may withdraw consent at any time.
  • Legal obligation. Tax, accounting, and regulatory record-keeping.

6. Who We Share Information With

We share personal information with the following categories of recipients. A current list of named sub-processors, and the data each processes, is published at https://www.conelo.co/legal/sub-processors.

  • Infrastructure and hosting providers. Vercel (application hosting, edge functions, logs), Neon (managed Postgres), Upstash (Redis for rate limiting), and similar.
  • Authentication. LinkedIn (OAuth identity).
  • Payments and payouts. Stripe, including Stripe Connect for Expert payouts and Stripe-facilitated tax reporting.
  • Communications. Resend (transactional email delivery).
  • Meetings. Google (Google Meet) for video session and workshop links.
  • Product analytics. PostHog.
  • Professional advisors. Lawyers, accountants, and auditors, under duties of confidentiality.
  • Legal and safety. Government authorities, courts, or other parties where we believe in good faith that disclosure is required by law, necessary to enforce our agreements, or necessary to protect the rights, property, or safety of Conelo, our users, or the public.
  • Corporate transactions. A successor entity in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality protections.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, in each case as those terms are defined under the California Privacy Rights Act ("CPRA").

7. International Transfers

Conelo is operated from the United States. Our primary infrastructure is hosted in the United States (for example, Neon Postgres in the us-east-2 region and Vercel functions in U.S. regions by default). If you access Conelo from outside the United States, your information will be transferred to, stored, and processed in the United States and in other countries where our sub-processors operate.

For transfers of personal information from the EU, EEA, UK, or Switzerland to the United States or other jurisdictions that do not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Addendum, or other lawful transfer mechanisms, as appropriate. These are incorporated into the data processing agreements we maintain with our sub-processors.

8. Data Retention

We retain personal information only for as long as we need it to deliver the Service, to comply with legal obligations, to resolve disputes, and to enforce our agreements.

CategoryRetention
Account dataUntil you delete your account, plus a 30-day grace window during which the account can be restored. After the grace window we delete or anonymize the data, except where a longer retention is required for the categories below.
Engagement records (purchases, payouts, related metadata)Seven (7) years after the engagement closes, to comply with U.S. tax record-keeping obligations.
Expert application materials, where the application is rejected or withdrawnTwelve (12) months after the decision.
Server and security logsNinety (90) days.
Product analytics (PostHog)Identifying personal information is anonymized after twelve (12) months (subject to PostHog's then-current retention controls).
Communications (transactional email logs)Twelve (12) months.
BackupsBackups may retain copies for a short rolling window after deletion; backups are not used for any other purpose and are overwritten on the standard backup cycle.

If a legal hold, regulatory request, ongoing dispute, or active fraud investigation applies, we may retain relevant records for longer.

9. Your Rights

Depending on where you live, you have some or all of the following rights over the personal information we hold about you. To exercise any right, email support@conelo.co. We will verify your request and respond within the timeframes required by applicable law.

9.1 EU, EEA, and UK (GDPR / UK GDPR)

  • Right of access to your personal information.
  • Right to rectification of inaccurate or incomplete information.
  • Right to erasure ("right to be forgotten"), subject to legal retention obligations.
  • Right to restrict processing.
  • Right to data portability for information you provided to us.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time, where processing is based on consent.
  • Right to lodge a complaint with your local supervisory authority.

9.2 California (CPRA / CCPA)

If you are a California resident, you have the right to:

  • Know what categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Delete personal information we have collected, subject to permitted exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. Conelo does not sell or share personal information as those terms are defined under the CPRA. There is therefore no "Do Not Sell or Share My Personal Information" exchange to opt out of, but you may submit a request at support@conelo.co or at https://www.conelo.co/legal/privacy-request and we will treat it accordingly.
  • Limit the use and disclosure of "sensitive personal information," to the extent we process any.
  • Be free from discrimination for exercising any of these rights.

We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.

You may also designate an authorized agent to make a request on your behalf. We will verify the agent's authority before responding.

9.3 Other U.S. State Privacy Laws

If you reside in a U.S. state with a comprehensive privacy law (for example, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, or others as they take effect), you have similar rights of access, correction, deletion, portability, and to opt out of targeted advertising, sale of personal information, and certain profiling. Submit any such request to support@conelo.co.

10. Children

Conelo is a business-to-business service intended for users who are at least 18 years old and who are acting in a business capacity. We do not direct the Service to children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact support@conelo.co and we will delete it.

11. Security

We use reasonable administrative, technical, and organizational measures to protect personal information, including:

  • TLS for data in transit.
  • Industry-standard password hashing for credential-based accounts (we never store passwords in plain text).
  • Server-side rate limiting on sensitive endpoints (authentication, waitlist signup, support form, AI matching, media upload, and others).
  • A strict Content Security Policy that restricts which origins our pages may load resources from.
  • Encryption at rest provided by our infrastructure vendors.
  • Role-based access controls for internal staff, with access scoped to job function.

No system is perfectly secure. We cannot guarantee that unauthorized parties will never gain access to your information, and you use the Service at your own risk.

12. Cookies Summary

For a short summary of the cookies we set, see section 3.6 above. Where applicable law requires, we will request your consent before setting non-essential cookies through a cookie banner. You can change your cookie choices at any time through the cookie settings link in the website footer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version here and update the Effective Date above. If the changes are material, we will also notify you by email to the address associated with your account or by a prominent notice in the product before the changes take effect.

14. How to Contact Us

Questions, requests, and complaints about this Privacy Policy or about how we handle personal information can be sent to:

  • Email: support@conelo.co
  • Postal: Conelo, 1203 N. Washington Ave #1015, Durant, OK 74701

15. California-Specific Disclosures (CPRA)

This section supplements the rest of the policy for California residents.

15.1 Categories of Personal Information Collected (CPRA Categories)

In the 12 months preceding the Effective Date, we have collected the following CPRA-defined categories of personal information:

  • Identifiers (name, email, account ID, IP address, online identifiers).
  • Customer records (information you provide in your account or Expert application).
  • Commercial information (engagement history, transactions).
  • Internet or other electronic network activity information (interaction with the Service, pages visited, referring URLs).
  • Geolocation data (approximate location derived from IP).
  • Professional or employment-related information (Expert profile, credentials, work history).
  • Inferences drawn from the above to recommend Experts to Buyers and to improve the platform.

We collect this information from you directly, from your device when you use the Service, and from third parties identified in section 3.7.

15.2 Business Purposes

We use the information above for the business purposes described in section 4.

15.3 Disclosure for a Business Purpose

In the 12 months preceding the Effective Date, we have disclosed each of the categories above to the categories of recipients listed in section 6 for the business purposes listed in section 4.

15.4 No Sale or Sharing

We have not sold personal information and have not shared personal information for cross-context behavioral advertising in the 12 months preceding the Effective Date, and we have no plans to do so.

15.5 Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes that would trigger the right to limit under the CPRA.

15.6 How to Submit a Request

California residents (and authorized agents acting on their behalf) may submit a privacy rights request by email to support@conelo.co or through https://www.conelo.co/legal/privacy-request. We will respond within the timelines required by California law.