Privacy Policy
1. Controller and Scope
This Privacy Policy describes how Codia Tech, LLC ("Codia," "we," "us"), a Delaware limited liability company with its registered address at 1111B S Governors Ave STE 21043, Dover, DE 19904, United States, collects, uses, discloses and protects personal information when you use codia.ai, Codia Studio, NoteSlide, our Figma plugins, our APIs and any other product or service we make available (collectively, the "Services").
For the purposes of the EU/UK General Data Protection Regulation ("GDPR"), the Brazilian Lei Geral de Proteção de Dados ("LGPD"), the Korean Personal Information Protection Act ("PIPA"), the Japanese Act on the Protection of Personal Information ("APPI"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") and similar laws, Codia is the controller of personal information processed under this Policy.
We have written this policy in plain language and made concrete commitments — on AI training, data retention, storage location, and third-party sharing — so that you know exactly what happens to your data.
2. Information We Collect
Information you provide
- Account information — name, email, password (hashed), profile picture, language preference.
- Payment information — billing name, address, VAT/tax ID, card brand and last-four digits, transaction history. Full card numbers are handled by our PCI-DSS-compliant payment processors (Stripe and others) and are not stored by Codia.
- User Content — files, images, PDFs, PSD/AI files, Office documents, Notion exports, URLs, text prompts, reference images and other material you submit.
- Communications — messages you send to support, sales, DMCA, DSA, privacy or security channels.
Information collected automatically
- Usage data — pages viewed, features used, clicks, actions, timestamps, session duration, referrer.
- Device and network data — browser type, operating system, device type, screen resolution, language, IP address, approximate geolocation derived from IP, crash logs.
- Cookies and similar technologies — see Section 10.
Information from third parties
- OAuth providers — if you sign in via Google or GitHub, we receive your name, email and profile picture as authorized by you.
- SSO / OIDC providers — for enterprise customers using single-sign-on.
- Figma plugin environment — limited plugin-permission data as described in the plugin manifest.
3. Legal Bases (EEA / UK / Switzerland / Brazil)
| Purpose | Legal basis (GDPR) | Legal basis (LGPD) |
|---|---|---|
| Providing the Services and processing User Content | Performance of a contract (Art. 6(1)(b)) | Execução de contrato (Art. 7, V) |
| Billing, fraud prevention, security | Legal obligation + legitimate interest (Art. 6(1)(c), (f)) | Cumprimento de obrigação legal + legítimo interesse (Art. 7, II, IX) |
| Product improvement and analytics | Legitimate interest (Art. 6(1)(f)) — we use aggregated or pseudonymized data | Legítimo interesse (Art. 7, IX) |
| Marketing communications | Consent (Art. 6(1)(a)) | Consentimento (Art. 7, I) |
| Non-essential cookies | Consent (ePrivacy Directive + GDPR) | Consentimento |
| Complying with law, defending legal claims | Legal obligation / establishment of legal claims (Art. 6(1)(c), 9(2)(f)) | Cumprimento de obrigação legal (Art. 7, II) |
We rely on Article 49(1)(b) GDPR (contractual necessity) for ad-hoc transfers to third-party integrations that you explicitly enable (e.g., Notion, Canva, Figma).
4. How We Use Your Information
We use personal information to: (a) provide, maintain and secure the Services; (b) process transactions, manage subscriptions, prevent fraud and comply with tax law; (c) authenticate users and detect abuse; (d) generate AI outputs in response to your prompts; (e) send transactional email (verification, password reset, billing, incident notifications); (f) send marketing, where you have opted in or where applicable law allows us to rely on legitimate interest subject to an opt-out; (g) analyze usage trends in aggregated form; (h) comply with law and enforce our Terms.
We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising within the meaning of the CCPA/CPRA. We honor Global Privacy Control (GPC) signals for California residents.
5. AI Training and Model Improvement
We do not use your User Content, prompts, uploaded files, or AI-generated outputs to train, fine-tune, or improve any AI models — our own or those of any third-party foundation-model provider.
- Inputs are transmitted under encryption, processed only for the purpose of generating your requested output, and not added to any training corpus.
- Our AI sub-processors operate under contractual no-training commitments for API inputs and outputs (e.g., the OpenAI API default policy, Google Gemini API commercial terms), except where you explicitly opt in.
- Aggregated and fully de-identified metrics (e.g., counts of generations per day, latency) may be used to measure and improve system performance; such metrics do not contain your User Content or personal information.
- The Services do not make automated decisions producing legal or similarly significant effects about you without meaningful human review (GDPR Art. 22, LGPD Art. 20).
6. How We Share Your Information
We do not sell, rent, trade or share your personal data or User Content with any third party for their own commercial, marketing, advertising or AI-training purposes.
To operate the Services, we rely on a limited set of sub-processors who act strictly on our behalf, under written data-processing agreements incorporating GDPR Article 28 terms and, where applicable, the 2021 EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Brazil-adapted SCCs, and PIPA Article 28-compliant cross-border transfer terms.
Current principal sub-processors (a full and up-to-date list is maintained at /docs/subprocessors):
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, object storage (S3), databases | United States (us-west-1) |
| Stripe, Inc. | Payment processing | United States / EEA |
| OpenAI, LLC | Foundation models (LLM, image) | United States |
| Google LLC (Gemini / Imagen) | Foundation models (LLM, image) | United States |
| Anthropic, PBC | Foundation models (LLM) | United States |
| Black Forest Labs GmbH | Image foundation models (FLUX) | Germany / United States |
| Recraft AI | Image foundation models | United States |
| Ideogram, Inc. | Image foundation models | United States |
| ByteDance (SeeDream) | Image foundation models | Singapore (routed via regional endpoint; no China processing for non-China users) |
| Amazon SES (Amazon Web Services, Inc.) | Transactional email delivery | United States |
We will provide at least 30 days' advance notice of any material change to this list. If you object to a new sub-processor on reasonable data-protection grounds, you may terminate your paid subscription and receive a pro-rated refund.
We may also disclose information: (a) when required by law, regulation, valid legal process or governmental request (we push back on overbroad requests and, where legally permitted, notify affected users); (b) to protect rights, property or safety of Codia, our users or the public; (c) in connection with a merger, acquisition or asset sale, with advance notice; and (d) with your consent.
7. Data Retention
| Category | Retention |
|---|---|
| Transient processing data — temporary copies of uploaded files, prompts, and generated outputs that are not saved to your account | Automatically deleted within 7 days after processing completes |
| Account and profile data | For the life of the account + 30 days' grace after deletion, then deleted or anonymized |
| Saved projects / User Content you explicitly save to your account | For the life of the account; deleted within 30 days of account closure |
| Billing records (invoices, tax) | As required by applicable tax law (typically 7–10 years) |
| Security and abuse logs | Up to 90 days, longer where needed to investigate an active incident |
| Backups | Rolled off within 90 days |
| Aggregated / anonymized analytics | May be retained indefinitely, as it is no longer personal information |
You may request earlier deletion at any time — see Section 9.
8. Data Location and International Transfers
Personal information is stored and processed on Amazon Web Services (AWS) infrastructure located in the United States (us-west-1) and in other countries where our sub-processors operate. Those countries may not provide the same level of protection as your own.
We rely on the following transfer mechanisms:
| From | To | Mechanism |
|---|---|---|
| EEA | USA | 2021 EU Standard Contractual Clauses (Module 2 Controller→Processor) with documented supplementary measures — encryption in transit and at rest, VPC isolation, Schrems-II Transfer Impact Assessment. We are evaluating EU–US Data Privacy Framework self-certification. |
| United Kingdom | USA | International Data Transfer Agreement (IDTA) or 2021 SCCs + UK Addendum (ICO-issued B.1.0). UK Extension to the DPF under evaluation. |
| Switzerland | USA | Swiss FDPIC-recognized SCCs with supplementary measures. Swiss–US Data Privacy Framework under evaluation. |
| South Korea | USA / other | Explicit user consent under PIPA Article 28 collected at sign-up, plus a written agreement with the recipient meeting PIPA standards |
| Brazil | USA / other | LGPD Article 33 — specific contractual clauses (SCCs adapted for Brazil), and where necessary, your explicit consent |
| Japan | USA / other | APPI Article 28 disclosure and consent where the recipient is outside an "adequate" jurisdiction |
| Singapore | USA / other | PDPA Transfer Limitation Obligation — comparable protection via contract |
| Hong Kong SAR / Taiwan / others | USA / other | Standard contractual safeguards, data-subject rights preserved |
You may request a copy of the relevant SCCs or IDTA by emailing [email protected].
9. Your Rights
Regardless of where you live, you have the right to:
- Access the personal information we hold about you
- Rectify inaccurate or incomplete data
- Erase your personal information ("right to be forgotten")
- Restrict or object to processing
- Data portability — receive your data in a structured, commonly-used, machine-readable format
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
- Not be subject to significant automated decisions without human review (see §5)
- Lodge a complaint with your supervisory authority
9.1 How to exercise
Email [email protected] or use the privacy request link in your account settings. We will verify your identity (to avoid disclosing data to impostors) and respond within:
| Region | Response time |
|---|---|
| EEA / UK / Switzerland (GDPR) | 30 days (extendable by 60 days for complex requests) |
| California (CCPA / CPRA) | 45 days (extendable by 45 days) |
| Brazil (LGPD) | 15 days |
| Korea (PIPA) | 10 days |
| Japan (APPI) | Reasonable period, typically within 30 days |
| Other jurisdictions | 30 days |
We will not discriminate against you for exercising any of these rights.
9.2 Representatives and supervisory authorities
- Chief Privacy Officer (all regions, including Korea PIPA Art. 31 / Brazil LGPD Art. 41 Encarregado / Japan APPI contact): Chief Privacy Officer, Codia Tech, LLC —
[email protected] - EU representative (GDPR Art. 27): In the process of being appointed. In the interim, please direct EU-specific requests to
[email protected]. - UK representative (UK GDPR Art. 27): In the process of being appointed. In the interim, please direct UK-specific requests to
[email protected]. - United Kingdom supervisory authority: Information Commissioner's Office — ico.org.uk
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- Korea: Personal Information Protection Commission — pipc.go.kr
- Japan: Personal Information Protection Commission — ppc.go.jp
- Taiwan: 國家發展委員會個人資料保護委員會
- Hong Kong: Office of the Privacy Commissioner for Personal Data — pcpd.org.hk
- Singapore: Personal Data Protection Commission — pdpc.gov.sg
9.3 Region-specific notes
- European Economic Area / United Kingdom (GDPR). You may object to processing based on legitimate interests at any time. You may complain to your local supervisory authority.
- California (CCPA / CPRA). We do not "sell" or "share" personal information. You may designate an authorized agent to make a request, subject to identity verification. You may limit the use of sensitive personal information.
- Other US state residents (Nevada, Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, etc.). You have similar rights under applicable state privacy laws; use the same channel.
- Brazil (LGPD). You have the nine rights in LGPD Article 18, including confirmation of processing, data portability and information about shared entities.
- Korea (PIPA). Cross-border transfers are made pursuant to your explicit consent collected at sign-up.
- Japan (APPI). For cross-border transfers we provide information about U.S. data-protection practices on request.
- Singapore (PDPA), Hong Kong (PDPO), Taiwan (個人資料保護法). Access and correction requests may be directed to [email protected].
10. Cookies
| Category | Purpose | Examples |
|---|---|---|
| Essential | Authentication and core security; cannot be disabled | Codia.AuthKey, Codia.UserId, CSRF tokens |
| Preference | Remember language, theme, UI state | locale, theme |
| Analytics | Aggregate usage metrics (only with consent in EEA/UK/Brazil/Switzerland) | First-party product telemetry |
| Marketing | Measure campaign effectiveness (only with consent) | Conversion tracking |
EEA, UK, Swiss and Brazilian users are shown a consent banner on first visit. You can change your choices at any time via the Cookie Preferences control in our footer. Essential cookies are always active.
11. Security
We apply technical and organizational measures appropriate to the risk, including TLS 1.2+ in transit, AES-256 at rest for stored artifacts, AWS VPC network isolation, role-based access control, least-privilege provisioning, secret rotation, security logging, vulnerability management, annual penetration testing and continuous monitoring. A vulnerability-disclosure channel is available at [email protected].
In the event of a personal-data breach affecting your information, we will notify the relevant supervisory authority within 72 hours where required (GDPR Art. 33; LGPD Art. 48; similar laws) and affected users without undue delay.
No system is 100% secure; we cannot guarantee absolute security.
12. Children
The Services are not directed to children below the minimum age of digital consent in their country:
- under 13 (United States — COPPA)
- under 14 (South Korea — PIPA; Brazil requires parental consent under 12, independent consent from 18)
- under 16 (most EEA countries — GDPR; UK uses 13; Japan recognizes adulthood at 18 since 2022)
Where parental consent is required by local law, we require it before account creation. If we learn that we have collected information from a child without required consent, we will delete it promptly.
13. Third-Party Links and Integrations
The Services may link to or integrate with third-party products (Figma, Notion, Canva, payment processors, analytics, etc.). Their privacy practices are governed by their own policies, which we encourage you to review.
14. Changes to this Policy
We may update this Policy. Material changes will be notified at least 30 days in advance by email and/or in-product banner, and the "Last updated" date will change.
15. Contact
- Controller: Codia Tech, LLC
- Registered address: 1111B S Governors Ave STE 21043, Dover, DE 19904, United States
- Privacy team: [email protected]
- Chief Privacy Officer (serves as LGPD Encarregado, Korea CPO 개인정보 보호책임자, and Japan APPI contact): [email protected]
- EU GDPR Art. 27 representative: In the process of being appointed — contact [email protected]
- UK GDPR Art. 27 representative: In the process of being appointed — contact [email protected]
- Security issues: [email protected]
- B2B / DPA requests: [email protected]