GDPR & Data Protection Compliance
This page summarises the GDPR compliance posture of the Codaiq Platform. A complete description of the processing activities can be found in our Privacy Policy.
1. Our Compliance Commitment
Codaiq LTD (Companies House Number 16537316, with registered office in London, United Kingdom) processes personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR; applicable under Art. 3(2) GDPR, since we offer our Platform to persons in the EU), the UK GDPR in conjunction with the Data Protection Act 2018, and supplementarily the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG). We follow the principles of privacy by design and privacy by default (Art. 25 GDPR) and carry out a data protection impact assessment (DPIA) pursuant to Art. 35 GDPR for high-risk processing.
2. Controller and Data Protection Officer
- Controller: Codaiq LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- Legal form: Private Limited Company (England & Wales)
- Director: Hassan Hasso
- Companies House Number: 16537316
- Data Protection Officer: Currently not appointed (the appointment obligation under Art. 37 GDPR / § 38 BDSG does not currently apply); see Privacy Policy § 2.2.
- Data protection email: info@codaiq.com
- Phone: +971 58 560 6084
3. Right to Data Export (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format (generally JSON). This includes in particular:
- account master data (name, email, plan, billing address);
- generated projects with associated websites, sections and assets;
- lead data collected via the Platform (insofar as you are the controller of the lead processing);
- invoicing and transaction history.
You can start the export via the account settings or informally by email to info@codaiq.com. We process requests within the statutory period of one month (Art. 12(3) GDPR).
4. Right to Erasure (Art. 17 GDPR) — Cascade Deletion
In the event of an erasure request, your data is removed in a controlled cascade:
- User record: email, name, authentication data — immediate anonymisation or deletion.
- Organisation and membership records: memberships are removed; if the account is the sole owner of an organisation, the organisation is deleted along with all dependent records.
- Projects and websites: all projects created under the account are deleted, including associated website sections, assets, custom domain configurations and deploy artefacts.
- Leads: lead records collected via generated sites are deleted. Insofar as a separate data processing agreement with business customers exists for these leads, the treatment set out in the DPA additionally applies.
- Telemetry and logs: server logs are rotated out with the regular retention (90 days); targeted deletion requests for IDs still within the retention window are additionally implemented.
- Sub-processors: we forward deletion instructions to our sub-processors (e.g. Stripe for customer metadata — statutory retention periods remain unaffected).
Exception: Invoicing and accounting data are subject to the statutory retention periods under §§ 257 HGB / 147 AO (6 or 10 years). During the retention period, this data is blocked against other processing.
5. Data Processing Agreement (DPA) for B2B Customers
Insofar as Codaiq processes personal data on behalf of a business customer — in particular data of end users collected by the customer via generated websites (e.g. contact forms, lead capture) — we conclude a data processing agreement (DPA) with the customer pursuant to Art. 28 GDPR.
- We provide the model DPA text to business customers in the self-service area or on request at info@codaiq.com.
- The DPA governs in particular the subject matter and duration, the nature and purpose of the processing, the obligations of the processor, technical and organisational measures (TOMs), the use of sub-processors, and notification obligations.
- The DPA runs concurrently with the main contract (see Terms § 9); separate termination is not possible.
6. Sub-Processors
We use the following sub-processors. A contract pursuant to Art. 28 GDPR has been concluded with all of them; third-country transfers are safeguarded by Standard Contractual Clauses (SCC) or the EU-US Data Privacy Framework.
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| MongoDB, Inc. (Atlas) | Database hosting | USA / EU-Region | SCC, DPA |
| Vercel, Inc. / Railway Corp. | Hosting, CDN | USA / Global | SCC, DPA |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing | Ireland / USA | SCC, EU-US DPF, DPA |
| Resend, Inc. | Transactional emails | USA | SCC, DPA |
| OpenRouter, Inc. | LLM gateway / AI model routing | USA | SCC, Privacy Policy |
| OpenAI Ireland Ltd. | LLM (GPT models) | Ireland / USA | SCC, DPA |
| Anthropic, PBC | LLM (Claude models) | USA | SCC, DPA |
| Pollinations.ai | AI image generation | Germany | DPA on request |
| Upstash, Inc. | Rate-limit Redis | USA | SCC, DPA |
| Railway Corp. | Infrastructure-as-a-Service | USA | SCC, DPA |
| Functional Software, Inc. (Sentry) / Sentry GmbH | Error tracking | USA / Germany | SCC, DPA |
| Google Ireland Ltd. (OAuth) | Login via Google account (optional) | Ireland / USA | SCC, EU-US DPF |
An update of the sub-processors is communicated to business customers in advance. A right of objection exists within the scope of the respective concluded DPA.
7. Data Protection Incidents (Art. 33/34 GDPR)
In the event of a personal data breach ("data breach"), our internal incident-response procedure applies with the following notification chain:
- 0–24 h: detection, containment, initial assessment of severity and likely affected persons. Entry in the internal incident register.
- ≤ 72 h from becoming aware: notification to the competent supervisory authority pursuant to Art. 33 GDPR, provided there is a risk to the rights and freedoms of affected persons. Unconfirmed incidents are recorded in the register even though no notification obligation arises for them.
- Without undue delay in case of high risk: direct notification of the affected persons pursuant to Art. 34 GDPR in plain and clear language, describing the incident, the type of data affected and the recommended protective measures.
- Business customers: customers for whom we act as processor are informed without delay after we become aware, pursuant to Art. 33(2) GDPR, so that they can in turn fulfil their own notification obligations towards their supervisory authority.
- Post-mortem: within 14 days of containment, we prepare a root-cause analysis and define technical or organisational follow-up measures.
If you suspect a security incident, please report it immediately to info@codaiq.com.
8. Contact for Data Protection Requests
To exercise your data subject rights (access, rectification, erasure, restriction, data portability, objection) and for DPA requests, please contact:
- Codaiq LTD — Data Protection
- Attn: Director Hassan Hasso
- 71-75 Shelton Street, Covent Garden
- London, WC2H 9JQ, United Kingdom
- Companies House Number: 16537316
- Email: info@codaiq.com
- Phone: +971 58 560 6084
You also have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). The data protection authority of your habitual residence or place of work within the EU has jurisdiction. For UK-related processing, the Information Commissioner's Office (ICO), as the authority with jurisdiction at the controller's registered office, can be addressed.