Legal

Privacy Policy

Last updated: May 31, 2026 · Effective date: May 31, 2026

1. Introduction

CodeOak ("we", "us", or "our") is operated as a sole trader and runs the website codeoakai.com along with related services (collectively, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over your data.

By using our Service, you agree to the collection and use of information as described here. If you do not agree, please do not use the Service. This policy covers requirements under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

2. Information We Collect

Information you provide directly

Account details: email address, display name, and password (stored as a secure hash via Supabase).
Profile preferences: preferred coding track (Python, SQL, or both), self-reported experience level, and goal role.
Code submissions: the code solutions you write and run in coding workspaces and assessments.
AI conversations: the prompts, questions, and code you send to AI-assisted practice and roadmap features, together with the AI-generated responses returned to you.
Feedback and support: any messages you send us through in-app feedback forms or direct email.

Information collected automatically

Usage data: pages visited, features used, assessment results, code submissions, batch completions, and performance metrics.
Device and browser data: IP address, browser type and version, operating system, screen resolution, language preference, and time zone.
Log data: server access logs including timestamps, request paths, and HTTP response codes, retained by our hosting provider.
Time zone and locale: detected at account setup to personalise your experience; stored server-side.
Cookies and local storage: see Section 7 and our Cookie Policy for the full list.

Information from third parties

OAuth sign-in: if you sign in with Google or GitHub via Supabase Auth, we receive your email address, display name, profile picture URL, and a unique identifier. We request only the minimum permissions needed.
Analytics (planned): when third-party analytics are enabled in a future release this policy will be updated before rollout.

3. How We Use Your Information

To authenticate accounts and maintain sessions.
To deliver coding practice, roadmap guidance, and other product features.
To enforce quotas, plan limits, and abuse protections.
To send transactional email such as verification and password reset messages.
To debug issues, improve reliability, and protect the service.
To meet our legal obligations under applicable law.

We do not use your data to train AI or machine learning models. We do not sell your personal data.

4. Legal Basis for Processing (EEA & UK Users)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

Purpose	Legal Basis
Account creation and Service delivery	Performance of contract
Subscription management and billing	Performance of contract
Transactional emails	Performance of contract
Analytics and service improvement	Legitimate interests
Security and fraud prevention	Legitimate interests
Legal compliance	Legal obligation

5. Service Providers

We share data only with providers needed to operate CodeOak. Each provider is contractually bound to use your data only for the purposes we specify.

Provider	Purpose	Typical data shared
Supabase	Authentication and database	Account data, session data, profile and product records
Hetzner / Cloudflare	Hosting, delivery, and edge protection	Request metadata such as IP address and timestamps
Groq	LLM inference for AI features	Prompt content for question and roadmap generation; usage metadata
Resend	Transactional email delivery	Email address and message content for verification or password reset

We may also disclose information (a) to comply with a legal obligation or lawful government request; (b) to protect our rights, property, or safety; or (c) in connection with a business transfer or acquisition, with prior notice to you.

6. International Data Transfers

Our infrastructure is hosted on Hetzner, a German company with data centres in the EU. Server-side data therefore stays within the European Economic Area. Some service providers — specifically Supabase, Groq, and Resend — operate infrastructure in the United States or other countries outside the EEA.

For EEA and UK users, we ensure appropriate safeguards are in place for any transfers outside the EEA, including reliance on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

7. Cookies and Tracking

The current public launch uses essential authentication cookies and limited browser local storage for product preferences. A cookie consent banner is shown so you can set analytics and marketing preferences. Third-party analytics (Google Analytics 4) and advertising (Google Ads) cookies are not active at launch — they are planned for a future release and will load only after we enable them and you opt in via the banner. See our Cookie Policy for the full list and management instructions.

When we enable analytics or advertising cookies, this policy and our Cookie Policy will be updated before rollout.

8. Data Retention

Data type	Retention period	Reason
Account and profile data	Until deletion, then 30 days	Service provision
Practice, assessment, and code submissions	Until account deletion	Personalised progression
AI prompts & usage records (sent to our LLM provider)	Personal/identifying fields scrubbed after 30 days	AI feature delivery, quality and abuse review
AI conversation (chat) message content	Until account deletion	Conversation history and continuity
Subscription records	7 years	Tax and legal requirements
Server access logs	90 days	Security and debugging
Analytics data (when enabled)	26 months	Service improvement

When data is no longer required, we securely delete or anonymise it. You may request early deletion at any time — see Section 9.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

HTTPS/TLS encryption for all data in transit.
Encryption at rest for database data via Supabase.
Row-level security policies on database tables.
Access controls — production credentials are not exposed in client-side code.

No system is 100% secure. If you discover a security vulnerability, please report it to support@codeoakai.com.

10. Your Rights and Choices

All users

Access and portability: request a copy of the personal data we hold about you.
Correction: update inaccurate information from your account settings.
Deletion: request deletion of your account and associated data.
Cookie preferences: manage cookies via your browser settings or our cookie banner.

EEA and UK users (GDPR)

In addition to the rights above, you have the right to restrict or object to certain processing, withdraw consent at any time (which does not affect past processing), and lodge a complaint with your local data protection authority. To exercise GDPR rights, email support@codeoakai.com with "GDPR Request" in the subject line. We will respond within 30 days.

California residents (CCPA/CPRA)

California residents have the right to know what categories of personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell personal information.

Category	Collected	Purpose
Identifiers (email, name)	Yes	Authentication, account management
Internet activity (usage logs)	Yes	Service improvement, security
Geolocation (time zone only, no GPS)	Yes	Personalisation
Commercial information (plan status)	Yes	Billing and access control
Sensitive personal information	No	—

To exercise CCPA rights, email support@codeoakai.com with "CCPA Request" in the subject line. We will respond within 45 days.

11. Children's Privacy

The Service is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16 (or under 13 in the US). If you believe a child has created an account, please contact us at support@codeoakai.com and we will promptly delete the account and associated data.

12. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies before providing any information.

13. Changes

We may update this policy when product behaviour or providers change. For material changes, we will notify you by email or in-app notice at least 14 days before the change takes effect.

14. Contact

CodeOak

Email: support@codeoakai.com