← Back to Codeforless

Privacy Policy

Last updated: May 5, 2026

This policy explains what personal data Codeforless collects when you visit codeforless.net or use the AI coding session service, why we collect it, who we share it with, and the rights you have over it. It is written to satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, and the ePrivacy Directive (2002/58/EC).

1. Who is the controller of your data

The data controller is Codeforless Technology, based in Dubai, United Arab Emirates. You can reach us about anything in this policy at hello@codeforless.net.

We are a small team and have not appointed a Data Protection Officer — our processing is not of a kind that requires one under GDPR Art. 37. Privacy questions and rights requests are handled by our founders directly via the email above.

2. What we collect, why, and on what legal basis

Under GDPR Art. 13 we have to tell you the legal basis for each piece of processing. Here it is, in plain English:

  • Email address. Collected when you book a session or sign up for early access. Used to send you session links, receipts, and important service notices. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) for paid sessions; consent (Art. 6(1)(a)) for the early-access waitlist, which you can withdraw any time by emailing us.
  • Payment data. Card details are entered directly on Stripe and never reach our servers. We retain transaction metadata (amount, currency, plan, status, last 4 digits, country). Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)) for tax and accounting records.
  • Session data. Files, prompts, and outputs you create in a coding session live inside the isolated workspace provisioned for you and are destroyed when the session ends. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Service logs. We log basic technical events (session start/end, duration, errors, IP address, user-agent) to run, secure, and improve the service. Legal basis: legitimate interests (Art. 6(1)(f)) — keeping the platform stable and protecting it from abuse. You can object at any time (see §6).
  • Cookies and similar storage. See §5 below and our cookie policy. Non-essential cookies (chat widget, referral attribution) are set only with your consent (Art. 6(1)(a) and ePrivacy Art. 5(3)). You can change or withdraw consent any time using the “Cookie settings” link in the footer.

3. What we do not do

We do not sell your personal data. We do not access your code to train AI models. We do not read or share your session contents except where strictly required to operate the service or comply with the law. We do not subject you to automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).

4. Subprocessors and international transfers

We use a small number of third-party providers to run the service. Each one is a processor acting on our instructions under a written agreement. The current list:

  • Stripe — payment processing. Card data is collected by Stripe directly under their own controller relationship with you for fraud and regulatory compliance.
  • AI model providers (e.g. Anthropic, OpenAI) — used for in-session inference. Prompts and outputs are transmitted to them for the duration of the session only.
  • PostHog (EU) — product analytics and the floating support-chat widget. PostHog collects pageviews, autocaptured clicks, and whatever you type into the chat. Data is hosted in the EU.
  • Cloud hosting and email delivery — to run the platform itself and to send transactional emails (receipts, session links).

Some of these providers are based in the United States or other countries outside the EEA / UK. Where we transfer personal data of users in the EEA or UK to such a country, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) as the transfer mechanism under GDPR Chapter V. You can request a copy of the relevant clauses by writing to us.

5. Cookies

We set a small “essential” cookie to remember your consent choice. The referral-attribution cookie and Google Analytics cookies load only after you grant marketing consent in our cookie banner. PostHog (which powers our product analytics and the floating support-chat bubble) loads on every visit so the chat is available before consent — you can refuse it by not opening the widget. Full details, including each cookie's name, purpose, and lifetime, are in our cookie policy.

6. Your rights

Under GDPR Arts. 15–22 (and the UK equivalents) you have the following rights with respect to your personal data:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — ask us to correct anything that is inaccurate or incomplete.
  • Erasure (“right to be forgotten”) — ask us to delete your data, subject to retention obligations listed below.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — get your data in a machine-readable format you can move elsewhere.
  • Object — to processing based on legitimate interests, including service-log analysis.
  • Withdraw consent — for anything based on consent (cookies, marketing email), without affecting processing that already happened. Cookie consent can be withdrawn from the “Cookie settings” link in the footer.

To exercise any of these, email hello@codeforless.net. We will respond within 30 days (GDPR Art. 12(3)). We may need to verify your identity first, especially for access and erasure requests.

If you believe we have mishandled your data you also have the right to lodge a complaint with a supervisory authority — typically the one in the EU member state where you live or work. The list is at edpb.europa.eu/about-edpb/about-edpb/members. UK residents can complain to the ICO at ico.org.uk.

7. Retention

Session contents — code you write, files you upload, prompts and responses — exist only inside your isolated environment for the duration of the session and are destroyed when the session ends. We keep no copy.

Account-level data is kept only as long as necessary:

  • Email address and session balance: for as long as you have an active account, plus 30 days after deletion to handle late refund requests.
  • Payment and invoice records: 7 years from the end of the relevant tax year, to comply with accounting and tax law.
  • Service logs: 90 days, then deleted or anonymised.
  • Cookie consent record: 12 months, then we ask again.

8. Security

We use TLS for all traffic, isolate every session in its own environment, encrypt data at rest where technically feasible, and restrict admin access to named personnel. No system is perfectly secure; if we ever discover a personal-data breach affecting you we will notify you and our supervisory authority as required by GDPR Arts. 33–34.

9. Children

The service is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has given us data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page with a new “last updated” date, and where required by law we will notify you directly.

11. Contact

Questions or requests: hello@codeforless.net.