Privacy Policy

1. Data Controller

The data controller for the hosted service at kody.codai.app is:

Felix Beinßen
c/o IP-Management #5260
Ludwig-Erhard-Str. 18
20459 Hamburg
Deutschland / Germany

E-Mail: info@felixbeinssen.com

2. Overview

Kody is an open-source embeddable AI chat widget. This privacy policy explains what data is collected, how it is processed, and your rights as a data subject under the EU General Data Protection Regulation (GDPR). It applies to the hosted service at kody.codai.app, including the marketing website, the user dashboard, and the chat widget served from our infrastructure. Self-hosted instances are governed by their respective operators (see section 9).

3. Website Visitors

When you visit kody.codai.app without signing up or using the chat widget:

• Server logs — Our hosting provider (Vercel) may collect standard server access logs including IP address, browser user agent, and pages visited. These logs are used for security and operational purposes only.
• Cookies — The marketing website does not set any tracking cookies. No analytics, advertising, or profiling cookies are used.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating and securing the website).

4. Dashboard Users (Registered Accounts)

When you sign up for a Kody account to manage your sites through the dashboard, the following data is collected:

• Email address and password — Your email address is stored for authentication and communication purposes. Your password is hashed with argon2 before storage and is never stored in plaintext.
• Email verification — We use Resend (resend.com) as our email delivery provider to send verification emails when you sign up. Your email address is shared with Resend solely for the purpose of delivering the verification email. Resend processes this data as a data processor on our behalf.
• Session tokens — Session tokens are stored in the server's database and transmitted via httpOnly cookies to keep you logged in.
• Site configuration — Your site configuration, including AI provider settings, branding, guardrail rules, and knowledge sources, is stored in the database.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract / provision of the service).

5. Chat Widget Users (End Users)

When you interact with a Kody chat widget embedded on a website (either served from our hosted infrastructure or a self-hosted instance), the following data processing takes place:

• Chat messages — Your messages are sent to the Kody server, where they are processed in memory and forwarded to the AI provider configured by the site owner. Messages are not stored permanently on the server. In-memory conversations are cleared after session timeout.
• Local storage — The widget stores conversation history in your browser's localStorage. This data stays on your device and is not transmitted to the server unless you send a new message. You can clear it at any time by clearing your browser data.
• IP addresses — Your IP address is used for rate limiting to prevent abuse. It is not stored permanently.
• Cookies — No cookies are set for widget users.
• Support tickets — If you submit a support ticket through the widget, the information you provide (name, email, subject, description) is forwarded to the ticket provider configured by the site owner (e.g. Jira, GitHub, Linear, email, or a webhook). Kody does not store ticket data beyond the time needed to forward it.

The legal basis for processing chat messages is Art. 6(1)(f) GDPR (legitimate interest of the site owner in providing customer support). The legal basis for rate limiting is Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).

6. Third-Party Data Processors

The following third parties may process data:

• Vercel (vercel.com) — Hosts the kody.codai.app website. May process server access logs. Data processing is governed by Vercel's privacy policy.
• Resend (resend.com) — Delivers verification emails when users sign up. Processes email addresses as a data processor on our behalf.
• AI providers — Chat messages are forwarded to the AI provider configured by the site owner. Kody does not control which AI provider is used. Site owners are responsible for ensuring that their chosen AI provider complies with applicable data protection laws.
• Ticket providers — If tickets are enabled, ticket data is forwarded to the provider configured by the site owner (Jira, GitHub, Linear, email, or webhook endpoint).

Kody does not share personal data with any third parties for marketing, advertising, or analytics purposes.

7. Data Retention

• In-memory conversations — Cleared automatically after session timeout. Not persisted to disk.
• User accounts — Persist until the account is deleted by the user or an administrator. You can request deletion by contacting us.
• Site configurations — Persist until deleted by the site owner or an administrator.
• Conversation logs — Aggregate statistics (message counts, session counts) may be stored for analytics purposes. No individual message content is retained.

8. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — You have the right to request information about the personal data we hold about you.
• Right to rectification (Art. 16 GDPR) — You have the right to request correction of inaccurate personal data.
• Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data.
• Right to restriction of processing (Art. 18 GDPR) — You have the right to request restriction of processing of your personal data.
• Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data based on legitimate interests.

To exercise any of these rights, please contact us at info@felixbeinssen.com. You also have the right to lodge a complaint with a supervisory authority.

9. Self-Hosted Instances

Kody is open-source software that can be self-hosted. When you self-host Kody, the operator of the instance is the data controller and is responsible for their own privacy compliance. This privacy policy applies only to the hosted service at kody.codai.app.

10. Hosting

The website at kody.codai.app is hosted on Vercel. The backend API at api.kody.codai.app runs on infrastructure located in Germany / the European Union. Chat messages and site configurations are processed on EU infrastructure. No data is transferred to third countries for core service purposes, though third-party services (Vercel, Resend) may process limited data in accordance with their own privacy policies.

11. Analytics and Tracking

Kody does not use analytics services, tracking pixels, or tracking cookies. No behavioral data is collected for advertising or profiling purposes.