Privacy Policy
Last updated: 2026-05-17 · Version: 1.0.0
Koda Vision (“we”, “us”) processes personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the Digital Personal Data Protection Act 2023 of India (DPDP), and the California Consumer Privacy Act (CCPA / CPRA). This page describes what we collect, why, with whom we share it, and how you can exercise your rights.
1. Data We Collect
We collect personal data in the following categories:
- Account data — name, work email, organization, password hash, passkey credentials, role assignments.
- Billing data — billing address, VAT/GST number, last four digits of the payment method (full PAN data is held by our payment processor, not by us).
- Content data — the URLs you submit, the posts and pages we ingest, the AI-generated drafts you produce.
- Connection data — encrypted tokens for WordPress, Shopify, Strapi, Google Search Console, and other integrations you connect.
- Usage data — page views, feature interactions, API call traces, error events, IP address, user agent.
- Communication data — emails you send us, support tickets, and survey responses.
2. How We Use It (Purposes & Legal Bases)
- To provide the Service — contract performance (GDPR Art. 6(1)(b), DPDP §5(1)).
- To bill you and prevent fraud — legal obligation and legitimate interest.
- To improve product reliability — legitimate interest in operating a secure, performant Service. Error and analytics events are governed by your consent (see Cookies).
- To send transactional and product emails — contract performance. Marketing emails are sent only with your explicit opt-in and can be unsubscribed at any time.
3. Third Parties (Sub-processors)
We share personal data with the following processors. Each is contractually bound by a Data Processing Agreement and audited annually. The complete list with attestations and sub-processor chains:
| Vendor | Category | Data classification | Attestation | DPA | Sub-processors |
|---|---|---|---|---|---|
| Neon (Postgres) | database | restricted | link | link | link |
| Cloudflare R2 | object-storage | confidential | link | link | link |
| Resend | transactional-email | confidential | link | link | link |
| Sentry | error-monitoring | confidential | link | link | link |
| OpenAI | ai-inference | confidential | link | link | link |
| Anthropic | ai-inference | confidential | link | link | link |
| Twilio | voice-sms | confidential | link | link | link |
| ElevenLabs | tts | internal | link | link | link |
4. Your Rights (DSAR)
You may exercise the following rights at any time, free of charge, and we will respond within 30 days (extendable by a further 60 days for complex requests):
- Right of access — copy of the personal data we hold.
- Right to rectification — correct inaccurate data.
- Right to erasure — delete your account and personal data.
- Right to data portability — receive your data in JSON.
- Right to object / restrict processing.
- Right to withdraw consent — re-open the cookie banner from the footer.
- California & DPDP rights — right to know, right to delete, right to non-discrimination (CCPA); right to grievance redressal (DPDP) — contact details below.
File a request via our DSAR portal. You may also lodge a complaint with your local Data Protection Authority — for EU residents this is the supervisory authority of your member state; for India, the Data Protection Board.
5. Data Residency
We operate regional databases and route your data based on the country detected at signup. Account data, billing data, and content data are stored in the region matching your residency:
- EU/EEA + UK — Neon Postgres, EU-West region.
- India — Neon Postgres, AP-South region.
- US and rest of world — Neon Postgres, US-East region.
Australia and Canada currently route to the US region; this will change as we open regional projects (target Q3 2026). Backups are held in the same region as the primary store. Cross-region access is restricted to incident response and is logged in the audit log.
6. Cookies
We use a small number of strictly-necessary cookies and, with your consent, analytics and (when active) marketing cookies. See our Cookie Policy for the complete catalog. You can manage preferences from the banner that appears on your first visit and any time later via the footer link.
7. Retention
- Account & billing data — life of the account + 7 years (tax).
- Content data — life of the account; deleted within 30 days of account closure.
- Audit log — 2 years (extendable to 7 for enterprise customers).
- Server logs — 30 days rolling.
8. Children’s Privacy
Koda Vision is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@koda-vision.com and we will delete it.
9. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256 envelope encryption). Access is gated by passkey-based MFA for staff and scoped tokens for production systems. Annual penetration testing is performed by an independent third party.
10. International Transfers
Transfers of EU/UK personal data outside the EEA rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. Transfers of Indian personal data follow DPDP cross-border guidance once the central government publishes a notified list of permitted countries.
Contact
Privacy questions: privacy@koda-vision.com.
Data Protection Officer: dpo@koda-vision.com.
Grievance Officer (India, DPDP §8): grievance@koda-vision.com.