Privacy Policy

1.1 Information You Provide

• Account Data: name, email, company name, password (hashed via Supabase Auth);
• Profile Data: avatar, language preference, role;
• Audit Data: business information you submit during the AI audit, including industry, team size, region, business challenges, and goals;
• Communications: messages submitted in scoping conversations, AI assistant interactions, support requests;
• Payment Data: handled directly by Stripe; we receive only payment status, last four digits of card, and Stripe customer ID. We do not store full payment card details.

1.2 Information Collected Automatically

• Usage Data: pages visited, features used, time spent, click patterns;
• Device Data: IP address, browser type, operating system, device identifier;
• Cookies and Similar Technologies: see our Cookie Policy;
• Approximate Location: country and city derived from IP at the time of audit submission (used for the public LiveMap on our marketing site).

1.3 Information from Third Parties

• Authentication providers (when you sign in via magic link);
• Payment processors (transaction status from Stripe);
• Analytics providers (aggregated usage statistics).

1.4 Customer Content

When you use Services to interact with your own end users (CRM, AI Assistant, marketing campaigns, repeat-sales flows), you may upload or process personal data of those end users. You are the data controller for such data; we are the data processor. See the Data Processing Addendum.

We use information to:

• provide, operate, and maintain the Services;
• generate audit reports and AI recommendations;
• process payments and manage subscriptions;
• communicate with you about the Services, updates, and support;
• improve the Services through analytics and aggregated data;
• detect, prevent, and respond to fraud, abuse, security incidents, and legal violations;
• comply with legal obligations and enforce our agreements;
• train internal models on aggregated, anonymized data only — we do not use your individual identifiable Customer Content to train AI models.

Where required by law, we process personal data based on:

• Contract: to perform our agreement with you (Terms of Service);
• Legitimate Interest: to operate, secure, and improve the Services;
• Consent: where you have provided consent (e.g., marketing emails, analytics cookies);
• Legal Obligation: to comply with tax, accounting, and regulatory requirements.

You may withdraw consent at any time without affecting prior processing.

4.1 Service Providers (Sub-processors)

We use the following sub-processors who process data on our behalf under contractual data protection terms:

• Supabase (database, authentication, file storage) — United States;
• OpenAI (AI processing of prompts and responses) — United States;
• Stripe (payment processing) — United States;
• Resend (transactional email delivery) — United States;
• Vercel (hosting and edge infrastructure) — United States;
• Cal.com (booking) — United States;
• Google Workspace (operational email) — United States.

The current list and any updates will be maintained at codeova.ai/ legal/dpa. We do not authorize sub-processors to use personal data for their own purposes beyond providing services to us.

4.2 Legal Compliance

We may disclose information when required by law, court order, government request, or to enforce our legal rights, prevent harm, or investigate fraud or security incidents.

4.3 Business Transfers

If Codeova is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality obligations.

4.4 With Your Consent

We may share information when you direct us to do so.

4.5 No Sale of Personal Information

Codeova does not sell personal information for monetary consideration.

We retain personal data only as long as necessary for the purposes described in this Policy, to comply with legal obligations, resolve disputes, and enforce agreements. Specifically:

• Account Data: while your account is active, plus 90 days after closure;
• Audit Data: indefinitely unless you request deletion;
• Customer Content: as long as your subscription is active, plus 30 days post-termination for export; thereafter deleted unless retention required by law;
• Payment Records: 7 years (US tax requirements);
• Audit Logs: minimum 1 year, longer where required by law or legitimate security interests.

After applicable retention periods, data is deleted or anonymized.

We implement commercially reasonable safeguards including:

• encryption in transit (TLS) and at rest;
• row-level security on multi-tenant data;
• role-based access controls;
• append-only audit logs;
• two-factor authentication for administrative access;
• point-in-time database recovery (PITR);
• regular security reviews of code and infrastructure;
• incident response procedures.

No security measure is perfect. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for safeguarding your account credentials.

7.1 Access and Correction

You may access and update your account information through the dashboard at any time.

7.2 Deletion

You may request deletion of your account and associated personal data by emailing privacy@codeova.ai. We will process deletion requests within 30 days, subject to legal retention requirements.

7.3 Export

You may request an export of your personal data in a machine-readable format by emailing privacy@codeova.ai.

7.4 Marketing Communications

You may opt out of marketing emails using the unsubscribe link in each email. Transactional emails (account, billing, security) cannot be opted out of while your account is active.

7.5 Cookie Preferences

You may manage cookies via the cookie banner or your browser settings. See the Cookie Policy.

7.6 Do Not Track

We do not respond to “Do Not Track” browser signals at this time, as no consensus standard exists.

7.7 Region-Specific Rights

California (CCPA/CPRA): You have rights to know, delete, correct, and limit certain processing. Submit requests to privacy@codeova.ai. We will not discriminate against you for exercising these rights.

EU/UK/Swiss (GDPR/UK GDPR): You have rights of access, rectification, erasure, restriction, portability, and objection. You may lodge complaints with your supervisory authority. To exercise rights, email privacy@codeova.ai.

Other Jurisdictions: We will respond to lawful requests under applicable privacy laws.

Codeova is based in the United States. By using the Services, you understand that your information may be transferred to, stored, and processed in the United States and other countries where we or our sub-processors operate.

For transfers from the EU/UK/Switzerland, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

The Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided information, contact privacy@codeova.ai for deletion.

The Services include AI-generated outputs. We do not make decisions producing legal effects or similarly significant effects on individuals based solely on automated processing. AI outputs are advisory; human review is the responsibility of the Customer.

We may update this Privacy Policy. Material changes will be communicated via email or through the Services at least 15 days before they take effect. Continued use after the effective date constitutes acceptance.

Privacy questions and requests: privacy@codeova.ai

Codeova LLC
[REGISTERED ADDRESS]
Texas, USA

For California residents only: you may designate an authorized agent to make requests on your behalf. We will require verification.