Privacy Policy

Last updated: April 2026

1. Who We Are

Codaiq is an AI-powered website builder operated by CODAIQ LTD, a company registered in England and Wales.

  • Company: CODAIQ LTD
  • Registration No: 16537316 (Companies House, England & Wales)
  • Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom WC2H 9JQ
  • Email: info@codaiq.com
  • Phone: +971 58 560 6084
  • Website: codaiq.com

CODAIQ LTD is the data controller for personal data collected through our services. We are committed to protecting your privacy and processing your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable, the EU General Data Protection Regulation (GDPR).

2. Data We Collect

2.1 Account Data

When you register for a Codaiq account, we collect:

  • Full name and email address
  • Password (stored as a secure hash — we never store plaintext passwords)
  • Profile information you choose to provide
  • Date of account creation and last login

2.2 Website Content & AI Prompts

When you use our AI website builder, we collect:

  • Prompts and descriptions you submit to generate websites
  • Generated website content, code, and assets
  • Custom domain configurations
  • Website settings and preferences

2.3 Payment Data

Payment processing is handled entirely by Stripe, Inc. We do not store your full card number, CVV, or sensitive payment credentials. We retain:

  • Stripe Customer ID and subscription references
  • Billing address (as provided to Stripe)
  • Transaction history and invoice records
  • Subscription plan and renewal dates

2.4 Usage and Analytics Data

We collect server-side analytics to understand how our platform is used:

  • Pages visited and features used within the platform
  • IP address (anonymised after processing)
  • Browser type and operating system
  • Referring URL and session duration
  • PageView events recorded server-side (not via client-side cookies)
  • Error logs and crash reports

2.5 Communications

If you contact us or subscribe to communications, we collect:

  • Email correspondence and support tickets
  • Email preferences and marketing consent

3. Legal Basis for Processing

We process your personal data under the following lawful bases:

  • Contract Performance (Article 6(1)(b) UK GDPR): Processing your account data, website content, and billing information is necessary to provide the Codaiq service you have contracted with us.
  • Legitimate Interests (Article 6(1)(f) UK GDPR): We process usage analytics and server logs to maintain service security, improve our platform, and prevent fraud. We have assessed that these interests do not override your fundamental rights.
  • Consent (Article 6(1)(a) UK GDPR): Where you have opted in to marketing communications, we process your email address on the basis of consent. You may withdraw consent at any time.
  • Legal Obligation (Article 6(1)(c) UK GDPR): We retain billing and transaction records to comply with UK financial regulations and tax obligations.

4. How We Use Your Data

  • Provide and operate the Codaiq service — account management, website generation, hosting, and domain management.
  • Process payments — billing, invoicing, subscription management, and fraud prevention via Stripe.
  • Communicate with you — transactional emails (account confirmations, password resets, billing receipts) via Resend.
  • Improve our AI models and platform — we may use anonymised, aggregated prompt and usage data to improve service quality. We will not use your identifiable personal data to train third-party AI models without your explicit consent.
  • Platform analytics — understanding feature usage to improve the product, debug issues, and plan development.
  • Security and fraud prevention — detecting and preventing abuse, unauthorised access, and policy violations.
  • Legal compliance — meeting our obligations under applicable law.
  • Marketing (with consent only) — product updates, newsletters, and promotional communications where you have opted in.

5. Third-Party Services (Sub-Processors)

We share your data with the following trusted third-party providers who process data on our behalf:

Provider                      | Purpose                                 | Location
Stripe, Inc.                  | Payment processing & billing            | USA
Vercel, Inc.                  | Platform hosting & CDN                  | USA/Global
MongoDB Atlas (MongoDB, Inc.) | Database storage                        | USA/EU
Anthropic, PBC                | AI website generation (Claude API)      | USA
Fireworks AI, Inc.            | AI model inference                      | USA
Resend, Inc.                  | Transactional email delivery            | USA
Unsplash (Unsplash Inc.)      | Stock image library for generated sites | Canada/USA

We do not sell your personal data. We do not share your data with advertising networks or data brokers.

6. Data Retention

  • Account data: Retained for as long as your account is active. If you delete your account, personal data is removed within 30 days, except where retention is required by law.
  • Website content: Retained while your account is active and for 30 days after account deletion, giving you time to export your data.
  • Billing records: Retained for 7 years to comply with UK financial regulations (HMRC requirements).
  • Server logs: Retained for up to 90 days for security and debugging purposes.
  • Marketing consent records: Retained until you withdraw consent, plus 3 years thereafter as evidence of consent.

7. Your Rights

Under UK GDPR and GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to Restrict Processing: You can ask us to pause the processing of your data in certain circumstances.
  • Right to Data Portability: You can request your data in a structured, machine-readable format.
  • Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making: We do not make solely automated decisions with significant legal effects on you.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at info@codaiq.com. We will respond within 30 days. We may need to verify your identity before processing the request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Cookies

We use a minimal number of essential cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

  • next-auth.session-token (Essential): Used to keep you authenticated while using the platform. This cookie is strictly necessary for the service to function and cannot be disabled.

Our analytics are collected server-side via PageView events — not through client-side cookies. This means we can understand usage patterns without placing tracking cookies on your device.

Stripe may set cookies during the checkout process. These are governed by Stripe's Privacy Policy.

For full details, see our Cookie Policy.

9. International Data Transfers

CODAIQ LTD is based in the United Kingdom. Some of our sub-processors (listed in Section 5) are based in the United States and other countries outside the UK. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

  • International Data Transfer Agreements (IDTAs) approved by the ICO
  • EU Standard Contractual Clauses (SCCs) where applicable
  • Transfers to countries that have received UK adequacy decisions

You can request details of the transfer mechanisms in place by contacting us at info@codaiq.com.

10. Children's Privacy

Codaiq is not directed at or intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at info@codaiq.com and we will take steps to delete that information.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Password hashing using bcrypt
  • Access controls and least-privilege principles
  • Regular security reviews

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to info@codaiq.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent notice within the platform at least 14 days before changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of Codaiq after changes constitutes acceptance of the revised policy.

13. Contact Us

For any privacy-related queries, to exercise your rights, or to raise a concern, please contact:

  • CODAIQ LTD
  • 71-75 Shelton Street, Covent Garden
  • London, United Kingdom WC2H 9JQ
  • Email: info@codaiq.com
  • Phone: +971 58 560 6084