Privacy Policy
1. Introduction and Scope
This Privacy Policy informs you about the nature, scope and purpose of the processing of personal data (hereinafter "data") in the context of our offering Codaiq, a software-as-a-service platform for AI-assisted creation and hosting of websites (hereinafter "Platform"). It applies to all processing operations we carry out in connection with the use of our Platform as well as our other online presences.
The controller is Codaiq LTD, a Private Limited Company registered in England & Wales with its registered office in London. Since we offer our Platform to European users and are oriented towards the European market, the General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR), supplemented by the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG), applies to the processing of personal data of persons resident in the EU (Art. 3(2) GDPR). In addition, the UK GDPR in conjunction with the Data Protection Act 2018 applies to UK-related processing.
2. Controller and Data Protection Officer
2.1 Controller within the meaning of Art. 4 No. 7 GDPR
- Codaiq LTD
- 71-75 Shelton Street, Covent Garden
- London, WC2H 9JQ
- United Kingdom
- Legal form: Private Limited Company (England & Wales)
- Director: Hassan Hasso
- Companies House Number: 16537316
- VAT ID: Not subject to VAT (UK Ltd, no DE VAT registration)
- Phone: +971 58 560 6084
- Email: info@codaiq.com
2.2 Data Protection Officer
Codaiq LTD has not currently appointed a Data Protection Officer within the meaning of Art. 37 GDPR, as the appointment obligations set out in Art. 37(1) GDPR or § 38 BDSG do not apply (no core activity involving extensive regular monitoring of data subjects or extensive processing of special categories of personal data; fewer than 20 persons permanently engaged in automated processing). As soon as the conditions are met, a Data Protection Officer will be appointed and named here.
2.3 Data Protection Requests
For all data protection requests and the exercise of data subject rights, you can reach us at:
- Codaiq LTD — Data Protection
- Email: info@codaiq.com
Note on the EU representative pursuant to Art. 27 GDPR: Insofar as there is an obligation to designate a representative in the Union, this representative will be named here; the designation takes place after the market-entry phase and will be updated at this point.
3. Legal Bases for Processing
We process your data exclusively on the basis of one of the following legal bases under Art. 6(1) GDPR:
- Contract (Art. 6(1)(b) GDPR): Processing for the performance of the usage contract for the Codaiq Platform and for carrying out pre-contractual measures.
- Consent (Art. 6(1)(a) GDPR): Processing on the basis of an express, freely revocable consent (e.g. newsletter, optional telemetry, setting of non-essential cookies — cf. § 25(1) TDDDG).
- Legitimate interest (Art. 6(1)(f) GDPR): Processing for the purposes of ensuring the secure and stable operation of our services, for misuse and fraud prevention, and for reach and product analysis on the basis of pseudonymised data.
- Legal obligation (Art. 6(1)(c) GDPR): Processing to comply with statutory retention and notification obligations (in particular HGB, AO, GoBD).
- Vital interests / public interest (Art. 6(1)(d) and (e) GDPR): Generally not applicable; exceptionally in the event of acute security incidents.
4. Specific Processing Activities
4.1 Account and Contract Data
Data: Email address, name, password hash (bcrypt), selected plan, Stripe customer ID, billing address, language preference, timestamps for registration and last login.
Purpose: Provision of the user account, authentication, handling of the SaaS subscription, invoicing, support.
Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (commercial and tax retention obligations).
Storage period: For the duration of the contract plus the statutory retention periods (generally 6 or 10 years under § 257 HGB / § 147 AO for invoicing and accounting data). Other master data is deleted at the latest 90 days after the contract ends.
4.2 Generation Data (Prompts and AI Content)
Data: Text inputs (prompts), generated website content (code, texts, layouts), iteration history, feedback on generation results.
Purpose: Provision of the AI-assisted generation service, error analysis, improvement of model quality (exclusively on an aggregated, anonymised basis).
Legal basis: Art. 6(1)(b) GDPR (contract); for model improvement, Art. 6(1)(f) GDPR (legitimate interest in product improvement).
Storage period: Generated content is stored until the associated project is deleted by the user. Prompts are stored for the duration of the respective iteration phase and anonymised at the latest 90 days after successful generation.
We do not pass on your identifiable prompts or generated content to third parties for training external AI models.
4.3 Telemetry and Error Logs
We use the following telemetry and monitoring tools. Third-party telemetry is deactivated by default (gated) and only becomes active if you have consented:
- Sentry (error tracking): Captures stack traces, browser and device information, the affected URL and user ID. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability); storage period 30 days. Provider: Functional Software, Inc., USA / Sentry GmbH, Germany.
- PostHog / Plausible (product analytics, optional, consent-based): Captures pseudonymised events relating to the use of the Platform. Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG.
- Codaiq Analytics (first-party): Server-side capture of page views, session and visitor IDs (see section 5). Legal basis: Art. 6(1)(f) GDPR; pseudonymised; storage period 90 days.
4.4 Server Logs
When our Platform is accessed, technically necessary data is stored in server logs: IP address (truncated after 7 days), date and time, the requested resource, referrer, user agent, HTTP status code. Legal basis: Art. 6(1)(f) GDPR (security, stability, abuse prevention). Storage period: 90 days; longer in the case of security incidents for the purpose of investigation.
4.5 Communication and Support
Email and support communication is stored in order to process and trace requests. Legal basis: Art. 6(1)(b) and (f) GDPR. Storage period: 3 years after completion of the matter, unless longer statutory retention obligations apply.
5. Cookies and Comparable Technologies
We use cookies and comparable technologies. A complete overview can be found in our Cookie Policy. In overview:
5.1 Technically Necessary Cookies (§ 25(2) No. 2 TDDDG)
- next-auth.session-token — authentication (NextAuth session)
- __Secure-next-auth.session-token — authentication (HTTPS variant)
- next-auth.csrf-token — protection against cross-site request forgery
- cdq_ref / cdaq_ref — affiliate attribution (30-day storage period; insofar as deemed technically necessary for contract initiation)
5.2 Functional Cookies (consent-based, § 25(1) TDDDG)
- codaiq_visitor_id — pseudonymous visitor identifier (90 days)
- codaiq_session_id — session ID (session)
5.3 Third-Party Cookies
During the payment process, cookies from Stripe may be set (fraud prevention, 3D Secure). If you sign in with Google, Google sets cookies as part of its OAuth procedure. The privacy policies of the respective providers apply additionally in this regard.
You can adjust your consent at any time via the cookie settings banner or withdraw it via your browser settings. If technically necessary cookies are disabled, use of the Platform is not possible.
6. Recipients and Processors
We only pass on your data where this is necessary for the performance of the contract, you have consented, a legal obligation exists, or a legitimate interest applies. We have concluded contracts pursuant to Art. 28 GDPR with all processors. We keep a complete list of sub-processors available for our B2B customers.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Database hosting | USA / EU region | SCC, DPA |
| Vercel, Inc. / Railway Corp. | Hosting, CDN | USA / Global | SCC, DPA |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing | Ireland / USA | SCC, EU-US Data Privacy Framework, DPA |
| Resend, Inc. | Transactional emails | USA | SCC, DPA |
| OpenRouter, Inc. | LLM gateway / AI model routing | USA | SCC, Privacy Policy |
| OpenAI Ireland Ltd. | LLM (GPT models) | Ireland / USA | SCC, DPA |
| Anthropic, PBC | LLM (Claude models) | USA | SCC, DPA |
| Pollinations.ai | AI image generation | Germany | DPA on request |
| Upstash, Inc. | Rate-limit Redis | USA | SCC, DPA |
| Railway Corp. | Infrastructure-as-a-Service | USA | SCC, DPA |
| Functional Software, Inc. (Sentry) / Sentry GmbH | Error tracking | USA / Germany | SCC (US), DPA |
| Google Ireland Ltd. (OAuth, optional) | Login via Google account | Ireland / USA | SCC, EU-US Data Privacy Framework |
We do not sell your data. No disclosure to advertising networks or data brokers takes place.
7. Transfers to Third Countries
Transfers to third countries (in particular the USA) take place only if an adequate level of data protection is ensured. We base third-country transfers on:
- the EU-US Data Privacy Framework (Art. 45 GDPR), insofar as the provider is certified (e.g. Stripe, Google);
- the Standard Contractual Clauses (SCC) of the European Commission (Decision 2021/914) pursuant to Art. 46(2)(c) GDPR, supplemented by additional safeguards (encryption, access controls, transparency reports);
- express consent in justified individual cases (Art. 49(1)(a) GDPR).
You can request a copy of the safeguards we maintain at info@codaiq.com.
8. Storage Periods at a Glance
- Account data: Contract duration + up to 90 days after termination; invoicing/accounting data 6 or 10 years (§§ 257 HGB, 147 AO).
- Generated website content: Until deletion by the user; after the contract ends, a 30-day export window, followed by deletion.
- Server logs: 90 days.
- Telemetry/error logs: 30 days (Sentry); Codaiq Analytics 90 days.
- Marketing consent: Until withdrawal plus 3 years of evidence.
- Support correspondence: 3 years after completion of the matter.
9. Your Rights as a Data Subject
You have the following rights vis-à-vis the controller:
- Access (Art. 15 GDPR) — You can request information about the data stored about you.
- Rectification (Art. 16 GDPR) — You can request the rectification of inaccurate data.
- Erasure (Art. 17 GDPR) — You can request the erasure of your data, insofar as no statutory retention obligations stand in the way.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR) — You can receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21 GDPR) — against processing based on legitimate interests, in particular for direct marketing at any time without giving reasons.
- Withdrawal of consent (Art. 7(3) GDPR) with effect for the future.
- Complaint to a supervisory authority (Art. 77 GDPR) — In particular, the data protection supervisory authority of your habitual residence or place of work within the EU has jurisdiction. For UK-related processing, the Information Commissioner's Office (ICO) has jurisdiction, as the controller's registered office is in the United Kingdom.
To exercise your rights, an informal email to info@codaiq.com is sufficient. We process your request within the statutory period of one month (Art. 12(3) GDPR). We may require proof of identity before responding.
10. Automated Decision-Making and Profiling
We do not use any decision-making based solely on automated processing within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. AI-assisted content is a tool; the decision on its publication is made exclusively by you as the user.
11. Data Security
We implement appropriate technical and organisational measures within the meaning of Art. 32 GDPR, in particular TLS encryption of transmission, encryption of sensitive data at rest, bcrypt password hashing, least-privilege access, multi-factor authentication for internal accounts, regular backups, and an incident-response procedure.
12. Minors
Our offering is aimed at persons aged 16 and over. We do not knowingly collect data from minors under 16. If such a case comes to your attention, please notify info@codaiq.com; the data concerned will be deleted promptly.
13. Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy in order to keep it aligned with current legal requirements at all times or to implement changes to our services. We will inform you of material changes at least 14 days before they take effect by email or via a prominent notice in the Platform. The version valid at the time of processing applies in each case.
14. Contact
For data protection requests, please contact:
- Codaiq LTD — Data Protection
- 71-75 Shelton Street, Covent Garden
- London, WC2H 9JQ, United Kingdom
- Companies House Number: 16537316
- Phone: +971 58 560 6084
- Email: info@codaiq.com