Privacy Policy
Last updated: April 4, 2026
⚠️ These documents are frameworks and should be reviewed by legal counsel before being considered final.
1. Roles & Responsibilities
KodexR operates in two distinct roles depending on context:
- Data Processor — For customer data. When you subscribe to KodexR, we process data on behalf of your business (SEO data, keywords, articles, rankings). You are the data controller for your customers' data. See our Data Processing Agreement (DPA).
- Data Controller — For our own leads and prospects. When we collect publicly available business information for marketing purposes, KodexR is the data controller. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
2. Data We Collect
Contact Information
Email address, company name, and domain — provided via contact form or Stripe Checkout.
Payment Information
Card information is processed directly by Stripe. We never store card numbers — only Stripe customer ID and subscription status.
SEO & Website Data
Domain, keywords, rankings, technical SEO data, articles, competitor analyses. This data is gathered from public sources (Google search, your website).
Usage Data
Server logs (IP address, timestamp, request type). We do not use third-party tracking or analytics tools.
3. Purpose & Legal Basis
| Purpose | Legal Basis |
|---|---|
| Deliver SEO services | Contract — Art. 6(1)(b) |
| Send reports & follow-ups | Contract — Art. 6(1)(b) |
| Improve the service | Legitimate interest — Art. 6(1)(f) |
| Prospecting / cold email | Legitimate interest — Art. 6(1)(f) |
| Accounting & invoicing | Legal obligation — Art. 6(1)(c) |
4. Third Parties & Sub-processors
| Service | Purpose | Location |
|---|---|---|
| Stripe | Payments | USA (SCCs) |
| Supabase | Database | EU (Frankfurt) |
| OpenAI | AI content generation | USA (SCCs) |
| Resend | Email delivery | USA (SCCs) |
| Serper.dev | Search results | USA (SCCs) |
| Instantly.ai | Cold email | USA (SCCs) |
| Hetzner | Hosting | EU (Finland) |
SCCs = Standard Contractual Clauses (EU-approved transfer mechanism).
5. Data Retention & Deletion
- Active customers: Data is retained for the duration of the subscription.
- After cancellation: Data is retained for 12 months, then automatically deleted.
- Upon request: Deletion is completed within 30 days of receiving a request.
- Leads: Prospect data is deleted within 6 months of last contact.
- Accounting: Invoice data is retained for 5 years as required by law.
6. Your Rights
Under GDPR (and similar laws), you have the following rights:
- Access — Request a copy of all data we hold about you.
- Rectification — Correct inaccurate information.
- Erasure — Request deletion of your data ("right to be forgotten").
- Portability — Receive your data in a machine-readable format.
- Object — Object to processing based on legitimate interest.
- Complaint — File a complaint with your local data protection authority.
To exercise your rights, contact us at hello@kodexr.com. We respond within 30 days.
8. CCPA Supplement (California/USA)
For users in California and other US states with privacy legislation:
- We do not sell personal information to third parties.
- We do not share data for cross-context behavioral advertising.
- You have the right to know what data we collect, request deletion, and opt out of sales.
- We do not discriminate against users who exercise their rights.
For CCPA requests, contact hello@kodexr.com.
9. Security
- All data transmission is encrypted via TLS/HTTPS.
- Database (Supabase) is encrypted at rest and in transit.
- Access control via Row Level Security (RLS) and service role keys.
- Regular updates to dependencies and server infrastructure.
- No storage of card numbers or plaintext passwords.
10. Contact
For privacy questions, contact us:
Email: hello@kodexr.com
Website: kodexr.com