Privacy Policy
Last updated: May 17, 2025
1. Who We Are
codeflo.studio is a software-as-a-service product operated by codeflo.studio (“we”, “us”, or “our”). We are the data controller for personal data processed through the Service.
Contact: kontakt@codeflo.pl
2. What Data We Collect
Account & Identity
- Email address and display name provided during registration
- Password hash (never stored in plaintext; managed by Supabase Auth)
- Profile avatar (if provided)
- OAuth tokens for Google (Calendar, Drive) when you connect those integrations — stored encrypted
Project & Workspace Data
- All content you create inside the Service: tasks, bugs, roadmap items, client records, finance entries, knowledge base articles, documents, and AI agent conversations
- Project membership and role information
- Files uploaded to project storage (via Supabase Storage)
Third-party Integration Credentials
- GitHub access tokens (when you connect GitHub)
- Telegram bot configuration (when you enable the Telegram integration)
- AI provider API keys (when you bring your own key — stored encrypted at rest using AES-256)
Payment Data
- Billing email and subscription status (processed and stored by Stripe)
- We never store credit card numbers or payment instrument details on our servers
Usage & Technical Data
- IP address and browser user-agent (collected by Vercel infrastructure and Supabase for security purposes)
- Session recordings and click heatmaps via Microsoft Clarity (see Section 7)
- Rate-limiting counters stored ephemerally in Upstash Redis (no personally identifiable data beyond IP)
- Error logs and performance traces (no personal content logged)
3. Legal Basis for Processing (GDPR)
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Delivering the Service and its features | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and UX improvement | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- To authenticate you and maintain your session
- To store, display, and process the workspace content you create
- To route AI agent requests to the configured AI provider (Anthropic Claude or OpenAI) using your project’s credentials
- To synchronise data with connected third-party services (Google Calendar, Google Drive, GitHub) at your direction
- To deliver Telegram bot notifications you have configured
- To process subscription payments and enforce plan limits
- To send transactional emails (account confirmation, password reset, billing receipts)
- To improve the Service through aggregated, anonymised analytics
- To comply with legal obligations and protect our legitimate interests
We do not sell your personal data. We do not use your workspace content to train AI models.
5. Data Retention
- Active accounts: data is retained for the duration of your subscription plus 30 days after account deletion to allow recovery
- Deleted accounts: all personal data and workspace content are permanently deleted within 30 days of your deletion request
- Payment records: billing records are retained for 5 years to comply with Polish accounting law
- Security logs: IP-level rate-limiting data is retained for a maximum of 7 days
6. Third-Party Processors
We share data with the following sub-processors to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | EU / US |
| Vercel, Inc. | Application hosting and CDN | US |
| Stripe, Inc. | Payment processing | US |
| Upstash, Inc. | Rate limiting (Redis) | EU |
| Microsoft Corporation | Session analytics (Clarity) | US |
| Anthropic, PBC | AI inference (when using Anthropic Claude via BYOK) | US |
| OpenAI, LLC | AI inference (when using OpenAI via BYOK) | US |
| Google LLC | Calendar & Drive integration (at your direction) | US |
| Telegram Messenger LLP | Bot notifications (when enabled) | UAE / US |
Transfers to processors outside the European Economic Area are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or adequacy decisions where applicable.
7. Cookies & Analytics
We use Microsoft Clarity to understand how users interact with the Service. Clarity may record mouse movements, clicks, and page scrolls. It does not capture passwords, payment card numbers, or sensitive form fields. Session recordings are associated with an anonymous Clarity identifier, not your account email.
We also use functional cookies necessary for authentication (session tokens managed by Supabase Auth) and user preferences. These are essential and cannot be disabled without breaking the Service.
You can opt out of Clarity tracking at any time by enabling “Do Not Track” in your browser, or by contacting us at kontakt@codeflo.pl.
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — request deletion of your account and all associated data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restriction — request that we limit processing in certain circumstances
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, email us at kontakt@codeflo.pl. We will respond within 30 days. You also have the right to lodge a complaint with the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO), at uodo.gov.pl.
9. Data Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS 1.2+
- All data at rest is encrypted by Supabase (AES-256)
- Third-party API keys are encrypted with an application-level key before storage
- Row-Level Security (RLS) policies in the database ensure users can only access their own project data
- Rate limiting prevents brute-force attacks on authentication endpoints
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay.
10. Children
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.