Data Protection & Privacy Practices
TLS 1.3 + AES-256
We never sell your data
Export, delete anytime
GDPR, CCPA, SOC 2
ChaozCode Inc. ("ChaozCode," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your data when you access or use our AI-powered development platform and related services.
This Privacy Policy applies to:
This Privacy Policy is incorporated into and subject to our Terms of Service. Terms not defined here have the meanings given in the Terms of Service.
ChaozCode Inc. is the data controller responsible for your personal data. For questions about this policy or your data rights, contact our Data Protection Officer at dpo@chaozcode.com.
Our Promise: We collect only what we need, protect what we collect, and give you control over your data. We never sell your personal information to third parties.
| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Name, email, password (hashed), username | Account creation, authentication |
| Payment Data | Card details (via Stripe), billing address | Process subscriptions, invoicing |
| Profile Data | Preferences, settings, avatar, timezone | Personalize your experience |
| Content Data | Code, prompts, projects, files you create | Provide platform services |
| Communication Data | Support tickets, feedback, survey responses | Customer support, product improvement |
| Category | Data Elements | Purpose |
|---|---|---|
| Device Data | Browser type, OS, device identifiers | Optimize experience, security |
| Usage Data | Features used, session duration, actions | Improve services, analytics |
| Log Data | IP address, timestamps, error logs | Security, troubleshooting |
| Location Data | Country, region (from IP) | Compliance, localization |
Important: We do NOT use your code or content to train our AI models without explicit opt-in consent. Your intellectual property remains yours. General usage patterns (not content) may be used to improve service performance.
We process your personal data under the following legal bases (as applicable under GDPR and similar laws):
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account management, service delivery, billing, support |
| Legitimate Interests | Security, fraud prevention, analytics, product improvement |
| Consent | Marketing communications, AI training opt-in, cookies |
| Legal Obligation | Tax compliance, law enforcement requests, regulatory requirements |
You may withdraw consent at any time without affecting prior processing. Contact us to exercise your rights.
In the event of a data breach affecting your personal data, we will:
You are responsible for maintaining the security of your account credentials, using strong passwords, and enabling two-factor authentication when available.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Data | Duration of account + 30 days | Allow data recovery |
| Content/Code | Duration of account + 30 days | Service provision, export window |
| Billing Records | 7 years after transaction | Tax and legal compliance |
| Support Tickets | 3 years after resolution | Service quality, legal protection |
| Security Logs | 90 days | Security investigation |
| Analytics Data | 26 months (aggregated) | Trend analysis |
When you delete your account or request deletion, we permanently erase your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention).
Depending on your location, you may have the following rights regarding your personal data:
- Request a copy of your personal data
- Correct inaccurate or incomplete data
- Request deletion of your data
- Export data in JSON or CSV format
- Limit how we process your data
- Object to certain processing activities
- Revoke consent at any time without affecting prior processing
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to opt out of the "sale" or "sharing" of personal information. ChaozCode does not sell your personal information and does not share it for cross-context behavioral advertising. If this practice ever changes, we will provide a clear "Do Not Sell or Share My Personal Information" link and notify you in advance. To submit a CCPA request, email privacy@chaozcode.com with the subject line "CCPA Request."
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session / 1 year |
| Functional | Remember preferences, settings | 1 year |
| Analytics | Understand usage patterns (privacy-focused) | 26 months |
You can control cookies through your browser settings. Blocking essential cookies may affect platform functionality. For more details, see our Cookie Policy.
We use automated processing for:
These decisions may be appealed by contacting support. No solely automated decisions significantly affect your legal rights without human review.
Opt-Out: You can request that your content not be used for AI improvement. Contact privacy@chaozcode.com to opt out. This does not affect core service functionality.
ChaozCode services are not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13 in compliance with COPPA (Children's Online Privacy Protection Act). Users must be at least 18 years of age (or the age of majority in their jurisdiction) to create an account, as specified in our Terms of Service.
If you believe we have inadvertently collected data from a child under 13, please contact us immediately at privacy@chaozcode.com. We will promptly delete such information.
Educational institutions using ChaozCode for students under 18 must obtain appropriate parental/guardian consent. For students under 13, institutions must ensure compliance with COPPA and FERPA. We support school-managed accounts where the institution acts as the consenting party on behalf of the student.
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place:
Enterprise customers may request data residency in specific regions (EU, US). Contact sales@chaozcode.com for options.
Enterprise customers and organizations subject to GDPR or other data protection regulations may request a Data Processing Agreement (DPA) by contacting legal@chaozcode.com. Our standard DPA includes Standard Contractual Clauses (SCCs) for international data transfers and addresses data security, breach notification, subprocessor management, and data subject rights.
Previous versions of this policy are available upon request. Contact privacy@chaozcode.com for historical versions.
If you disagree with changes, you may close your account before the new policy takes effect. Continued use after the effective date constitutes acceptance.
For questions about this policy or to exercise your privacy rights:
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
We acknowledge all privacy inquiries within 5 business days. Data subject access requests are completed within 30 days. Complex requests may be extended by an additional 15 days with prior notice.
ChaozCode is not a HIPAA covered entity and does not offer Business Associate Agreements (BAAs). Our Services are not designed for processing, storing, or transmitting Protected Health Information (PHI) as defined by HIPAA. If you are subject to HIPAA, you should not use our Services to process PHI.
Our privacy team is here to help with any data protection inquiries.