Legal

Privacy Policy

Last updated 2026-05-17 · Draft — pending legal review

01

Introduction

This Privacy Policy describes how Coday, Inc. ("Coday", "we", "us") collects, uses, shares, and protects information when you use the Coday platform (the "Service").

Coday does not sell your personal data. We do not use your data to train AI models.

02

Information we collect

We collect the following categories of information:

  • Account information: email, name, hashed password, and two-factor authentication state.
  • GitHub data: repository metadata and source code that you authorize us to access for deployment. Source code is cloned at build time and not retained beyond what is needed to run your deployment.
  • Project and deployment data: build logs, runtime logs, environment variables, custom domains, and deployment configuration.
  • Billing information: payment method tokens and invoices, processed by Stripe. We do not store full card numbers.
  • Usage and security telemetry: login history, IP address, device user agent, and error logs.
  • Communications: support inquiries and any other correspondence you send to us.

03

How we use information

We use the information described above to:

  • Operate the Service, including building, deploying, and monitoring your applications.
  • Process payments, prevent fraud, and bill cloud infrastructure usage.
  • Communicate with you about your account, billing, security, and Service updates.
  • Improve the Service through aggregated, de-identified analytics.
  • Comply with applicable law.

04

How we share information

We share information only with the service providers we rely on to run the Service:

  • Cloud infrastructure providers that host your applications on our behalf.
  • Stripe, Inc. for payment processing.
  • Resend for transactional email delivery.
  • Aggregated, de-identified analytics and error tracking tools.

We may also disclose information when legally required (for example in response to a subpoena or court order) or where necessary to protect rights, property, or safety. We do not sell personal data.

05

Data retention

Account data is retained while your account is active.

After account deletion, personal data is retained for 30 days to allow recovery, then permanently deleted unless retention is required for legal, tax, or audit purposes.

Login history and security logs are retained for up to 12 months.

Backups are retained for 30 days from creation.

06

Your rights

Depending on where you live, you may have rights over the personal data we hold about you.

GDPR (EEA, UK, Switzerland) — rights to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your data, subject to retention exceptions (Art. 17).
  • Restrict processing in defined situations (Art. 18).
  • Receive your data in a portable format and have it transmitted to another controller where technically feasible (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw any consent you previously gave, without affecting the lawfulness of processing prior to withdrawal (Art. 7).
  • Lodge a complaint with the data protection authority of the EU member state where you live, work, or where the alleged infringement took place (Art. 77).

CCPA (California): rights to know what we collect, to delete your personal information, to opt out of any sale (we do not sell), and to non-discrimination.

Contact [email protected] to exercise any of these rights. We respond within the timeframes required by applicable law.

07

Lawful basis for processing (GDPR)

For data subjects in the EU/UK/Switzerland, Coday relies on the following lawful bases under Article 6(1) of the GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service to you and bill your subscription.
  • Legitimate interests (Art. 6(1)(f)) — to operate security monitoring, prevent fraud and abuse, and maintain the integrity of the platform. We have balanced these interests against your rights and freedoms; you may object as described in "Your rights".
  • Legal obligation (Art. 6(1)(c)) — to meet tax, accounting, and other statutory requirements.
  • Consent (Art. 6(1)(a)) — where you have specifically opted in to a particular use of your data (limited cases such as marketing).

08

Controller and processor roles

For data Coday collects to provide and bill the Coday platform — your account, billing, login telemetry, and support correspondence — Coday acts as the Controller.

For personal data your deployed applications collect from their own end users (the "End-User Data"), you act as the Controller and Coday acts as the Processor on your documented instructions. The terms of that processing are set out in the Data Processing Agreement.

09

Security

We use commercially reasonable technical and organizational measures to protect personal data, including TLS in transit, encryption at rest for sensitive fields, password hashing with bcrypt, and least-privilege access controls.

No method of transmission or storage is perfectly secure. You are responsible for safeguarding your account credentials.

10

International transfers and EU data residency

Coday operates globally. Coday account and platform-operational data — your Coday account identity, billing, audit logs, support correspondence — is stored in the United States (AWS us-east-1, N. Virginia).

For transfers of personal data from the EU, UK, or Switzerland to the United States, Coday relies on the Standard Contractual Clauses (Module Two: Controller-to-Processor) under European Commission Implementing Decision (EU) 2021/914, supplemented by the technical and organizational measures described in our Data Processing Agreement.

Personal data of end users of applications you deploy in the EU region (AWS eu-central-1, Frankfurt) is stored and processed exclusively in the European Union. No transfer to the United States occurs for EU-region project data.

11

Cookies

We use essential cookies only — for authentication and session management. The Coday platform does not currently run third-party analytics or advertising trackers, so no cookie consent banner is required under ePrivacy.

If we add analytics or other non-essential cookies in the future, we will publish a separate cookie policy and update this section.

12

Customer end-user data

When you deploy an application with Coday that collects data from your own end users, you are the controller of that end-user data.

Coday acts as a processor for that data and processes it only as instructed by you. You are responsible for complying with applicable privacy laws (such as GDPR or CCPA) for your end users.

The terms of that processing are governed by the Coday Data Processing Agreement.

13

Data protection contact and DPO

For data protection inquiries — including the exercise of any GDPR right — contact [email protected].

Coday has not appointed a Data Protection Officer under Article 37 of the GDPR, because our processing does not currently meet the thresholds in Article 37(1). We will reassess this if our processing scale or nature changes materially.

14

Children's privacy

The Service is not directed to children under 13 (or under 16 where required by GDPR).

We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

15

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice in the dashboard at least 14 days before they take effect.