Privacy Policy

Last updated: March 30, 2026 · Effective: March 30, 2026

Codoer ("we," "our," or "us") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and what rights you have over it. We've written this in plain English — not legalese.

1. Information We Collect

We collect information you provide directly, information generated as you use Codoer, and technical data from your devices and browsers.

Account data

  • Name, email address, and password (hashed with bcrypt — we never store plaintext passwords)
  • Profile information you add (profile photo, bio, role)
  • Billing address and payment method details (handled by Stripe — we never see your raw card numbers)

Social account data

  • OAuth access tokens for LinkedIn and X (Twitter) — stored encrypted at rest
  • Your LinkedIn URL and X (Twitter) handle
  • Publicly visible profile data fetched at connection time (name, bio, follower count)

Usage & content data

  • Posts, drafts, and content generated or approved through Codoer
  • Comments, replies, and engagement actions taken through our platform
  • Settings and preferences (brand voice, niche, tone, content goals)
  • Audit logs of agent actions performed on your behalf

Technical data

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, session duration, and click paths within the app
  • Error and crash reports to help us diagnose and fix issues

2. How We Use Your Information

We use your data only for the purposes listed below. We do not sell your personal information.

  • Providing, operating, and improving the Codoer service
  • Generating AI-powered content in your brand voice on your behalf
  • Authenticating your identity and securing your account
  • Processing subscription payments and managing your billing
  • Sending transactional emails (approval digests, security alerts, receipts)
  • Diagnosing errors and monitoring platform performance
  • Complying with legal obligations we are subject to
  • Communicating product updates, if you have opted in

We do not use your content, posts, or social account data to train AI models. Your data is processed only to deliver the service you signed up for.

3. AI Processing & Your Content

Codoer uses large language models (LLMs) — currently Claude, provided by Anthropic — to generate posts, replies, and content analyses on your behalf. Here is what that means in practice:

  • Your brand voice settings, approved posts, and content goals are sent to the AI to produce contextually accurate output.
  • AI requests are processed by Anthropic under their API terms. Anthropic does not use API data to train their models by default.
  • We use prompt caching and batching to minimise the volume of data sent to AI providers.
  • You can delete your content history at any time from Settings — this removes it from our database. Anthropic retains API logs for a limited period under their own retention policy.
  • AI-generated content is always presented for your approval before being published, unless you have explicitly enabled autopilot for a given action type.

4. Data Sharing & Sub-processors

We share data only with the service providers necessary to operate Codoer. We do not share your data with advertisers or data brokers.

All sub-processors below are under data processing agreements (DPAs) that require them to protect your data to the same standard we do.

| Sub-processor | Purpose | Location | DPA |
| --- | --- | --- | --- |
| Anthropic (Claude API) | AI content generation & analysis | United States | Yes |
| Supabase | Database & file storage | United States | Yes |
| Vercel | Hosting & edge compute | United States | Yes |
| Stripe | Payment processing & billing | United States | Yes |
| PostHog | Product analytics | United States | Yes |
| Sentry | Error monitoring & diagnostics | United States | Yes |
| LinkedIn (OAuth) | Social account connection | United States | N/A |
| X / Twitter (OAuth) | Social account connection | United States | N/A |

We may also disclose your information when required by law, court order, or to protect the rights, property, or safety of Codoer or its users.

5. Data Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256
  • OAuth tokens are stored encrypted in the database — never in plaintext
  • Passwords are hashed using bcrypt with a cost factor of 12
  • JWT access tokens expire after 7 days; refresh tokens after 30 days
  • Database access is restricted to authenticated service accounts with least-privilege permissions
  • We conduct periodic security reviews and dependency audits

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security. If a breach occurs that affects your data, we will notify you as required by applicable law.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide you services.

  • Account data — retained until you delete your account
  • Generated content and post history — retained for the life of your subscription, then deleted 90 days after account closure
  • OAuth tokens — deleted immediately upon account disconnection or deletion
  • Payment records — retained for 7 years to comply with financial regulations
  • Server and access logs — retained for 90 days
  • Analytics events — retained in aggregate form (anonymised) for up to 2 years

You can request deletion of your data at any time. See Section 8 for your rights and how to exercise them.

7. Cookies & Tracking

We use a minimal set of cookies and similar technologies to operate Codoer:

  • Session cookies — to keep you logged in during your browsing session (essential, cannot be disabled)
  • Preference cookies — to remember your light/dark mode choice
  • Analytics cookies — PostHog, used to understand how the product is used in aggregate (you can opt out in Settings)

We do not use advertising cookies, retargeting pixels, or third-party trackers beyond PostHog and Sentry.

You can manage cookie preferences through your browser settings. Disabling essential cookies will prevent Codoer from functioning.

8. Your Rights

Depending on where you are located, you have the following rights over your personal data. We honour all requests regardless of jurisdiction.

All users

  • Access — request a copy of all personal data we hold about you
  • Deletion — request that we delete your account and all associated data
  • Portability — receive your content and data in a machine-readable format (JSON/CSV)
  • Correction — request that we correct inaccurate data
  • Objection — object to specific types of processing (e.g., analytics)

EU/EEA residents (GDPR)

  • Our legal basis for processing your data is: contract performance (operating the service), legitimate interests (security, fraud prevention), legal obligation (financial records), and consent where explicitly obtained
  • Right to lodge a complaint with your local data protection authority
  • Right to restrict processing while a correction or objection is pending
  • We will respond to verifiable requests within 30 days

California residents (CCPA / CPRA)

  • Right to know what categories and specific pieces of personal information we collect
  • Right to delete personal information (with exceptions for legal and security obligations)
  • Right to opt out of the “sale” of personal information — we do not sell personal information
  • Right to non-discrimination for exercising your privacy rights
  • We do not engage in “sharing” of personal data for cross-context behavioural advertising

To exercise any of these rights, email us at codoer.team@gmail.com with the subject line "Privacy Request". We will verify your identity and respond within 30 days.

9. International Data Transfers

Codoer is based in the United States. If you access our service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into our sub-processor DPAs.

By using Codoer, you acknowledge that your data may be transferred internationally and consent to the processing activities described in this policy.

10. Children's Privacy

Codoer is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected data from a child under 16, we will promptly delete that information.

If you believe we have collected information from a child under 16, please contact us at codoer.team@gmail.com.

11. Third-Party Links

Codoer may contain links to third-party websites, platforms (LinkedIn, X/Twitter), or services. This Privacy Policy applies only to Codoer. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before sharing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to registered users if the changes are material
  • Display an in-app notice for 14 days following material changes

Your continued use of Codoer after changes are posted constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you should stop using Codoer and may request deletion of your account.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out:

  • Email: codoer.team@gmail.com
  • Subject line for privacy requests: "Privacy Request"
  • We aim to respond to all inquiries within 2 business days

For GDPR-specific inquiries, you may also contact your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

Questions about this policy?

We're a small team that takes privacy seriously. Email us — a real person will read and respond.

codoer.team@gmail.com