Privacy Notice
Last Updated: 25 January 2026
1. Introduction
CodeAlive Ltd ("we", "us", or "our") is committed to protecting your personal data. This Privacy Notice explains how we collect, use, and share information about you when you use our AI-powered code analysis platform (the "Service").
For the purposes of the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Data (Use and Access) Act 2025, CodeAlive Ltd is the Data Controller.
Company Details:
- Legal Entity: CodeAlive Ltd (Company No. 16517721)
- Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
- Contact: security@codealive.ai
Governing Law: This Privacy Notice and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.
2. The Data We Collect
We collect data to provide our Service and comply with our legal obligations:
A. Information You Provide
- Identity & Contact: Name, email address, username.
- Account Credentials: Passwords (hashed) or OAuth tokens (GitHub/GitLab).
- Payment Data: Billing address and plan details. We do not store full card numbers. Payments are processed directly by Stripe.
B. Automated Information
- Technical Data: IP address, browser type, OS, and time zone.
- Usage Data: Feature usage, clickstream data, and logs.
- Source Code: When you connect a repository, we process code and metadata (commits, timestamps, author names) to provide the analysis. We do not use your private code to train our public AI models. We may use aggregated, anonymised, or de-identified usage patterns (such as feature adoption metrics and error rates) to improve our Service, but such data cannot be used to identify you or reconstruct your code.
C. Children's Data
Our Service is intended for users aged 16 and over, in accordance with Section 2.3 of our Terms of Service. Whilst UK data protection law permits children aged 13 and over to consent to data processing for online services, we have elected to set a higher age threshold given the professional and technical nature of our Service. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at security@codealive.ai and we will take prompt steps to delete it.
3. How We Use Your Data (Lawful Bases)
| Purpose | Lawful Basis |
|---|---|
| User Registration | Performance of Contract |
| Providing the Service (Analysis/AI) | Performance of Contract |
| Billing & Payments | Performance of Contract |
| Security & Fraud Prevention | Legitimate Interests (Network Security) |
| Service Improvement (Analytics) | Legitimate Interests (or Consent for Cookies) |
| Legal/Tax Compliance | Legal Obligation |
4. Disclosure of Data (Sub-Processors)
We share data with third-party vendors ("Processors") who support our operations. We have Data Processing Agreements (DPAs) with these providers.
Core Sub-Processors:
| Provider | Service | Location |
|---|---|---|
| Google Cloud | Cloud Infrastructure | EU (Netherlands) |
| AWS | Email Delivery (SES) | EU (Ireland) |
| Stripe | Payments | Global (US/EU) |
| PostHog | Product Analytics | EU |
| Grafana / Sentry | Monitoring & Errors | EU / US |
| Intercom | Customer Support | US |
AI Model Providers: To generate code analysis, snippets are processed by the following LLM providers. We strictly limit data shared with these providers to the specific context required for the response.
| Provider | Service | Location |
|---|---|---|
| Anthropic | AI Code Analysis | USA |
| OpenAI | AI Code Analysis | USA |
| AI Code Analysis | USA | |
| Scaleway | AI Code Analysis | EU (France) |
| Voyage AI | Vector Embeddings | USA |
Changes to Sub-Processors: We will provide reasonable advance notice of any material changes to the sub-processors listed above. Such notice will be given via email to the address associated with your account or by prominent notice on our website. If you have concerns about a new sub-processor, you may contact us at security@codealive.ai to discuss the matter. For Business Users, additional rights regarding sub-processor changes are set out in Section 9.4 of our Terms of Service.
5. Security Measures
We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. These include:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: Strict "least privilege" access for internal staff.
- Vulnerability Scanning: Regular automated security scans of our infrastructure.
6. International Transfers
Where we transfer your data outside the UK/EEA (e.g., to US-based AI providers or Stripe), we ensure protection via:
- Adequacy Regulations (for countries deemed safe by the UK Gov).
- The UK Addendum to the EU Standard Contractual Clauses (SCCs), which contractually binds the provider to UK privacy standards.
7. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for.
- Account Data: Retained while your account is active. Deleted within 90 days of account closure.
- Financial Data: Retained for 6 years to satisfy UK tax and accounting requirements (HMRC).
- Analytics Data: Retained in accordance with our retention settings in PostHog (typically 12 months).
8. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct any inaccurate or incomplete data.
- Right to Erasure: You may request that we delete your personal data in certain circumstances.
- Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: You may request that we provide your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights Relating to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significant effects concerning you, except where such processing is necessary for a contract, authorised by law, or based on your explicit consent.
To exercise any of these rights, please contact security@codealive.ai.
We will respond to your request within one month. If we require clarification to process your request, the response period may be paused until you provide the requested information. In complex cases, we may extend this period by a further two months, but we will inform you of any such extension within the initial one-month period.
Automated Decision-Making: We do not use automated decision-making that produces legal or similarly significant effects on you without human review. Our AI-powered code analysis features provide assistance and suggestions which you control and review before acting upon. No decisions affecting your legal rights, access to services, or similarly significant matters are made solely by automated means.
Making a Data Protection Complaint: If you wish to make a complaint about how we handle your personal data, please email security@codealive.ai with the subject line "Data Protection Complaint". We will:
- Acknowledge your complaint within 30 days of receipt;
- Investigate the matter thoroughly and provide you with a substantive response within 60 days of acknowledgment, or inform you if additional time is required and the reasons therefor.
US Residents (California/CCPA): If you are a California resident, the CCPA grants you specific rights, including the right to know what data we collect and the right to request deletion. We do not "sell" your personal data as defined by the CCPA. You may exercise your rights by contacting us at the email above.
Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by telephone on 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
9. Cookies and Tracking
We use cookies to distinguish you from other users and to improve your experience.
- Essential Cookies: Required for login, security, and core functionality (e.g., authentication tokens, session management). These cookies are strictly necessary and do not require consent.
- Analytics & Optimisation Cookies: We use PostHog for product analytics to understand how users interact with our Service and to improve its performance. These cookies are used solely for statistical purposes, including counting page visits, identifying popular content, and detecting technical issues. Under the Data (Use and Access) Act 2025, such analytics and optimisation cookies are exempt from consent requirements. Notwithstanding this exemption, you retain the right to opt out of these cookies at any time.
- Support Cookies: Intercom cookies enable our customer support functionality.
In compliance with the Privacy and Electronic Communications Regulations (PECR) as amended by the Data (Use and Access) Act 2025, you may manage your cookie preferences and exercise your opt-out rights at any time via the settings accessible in the footer of our website. For further information on the cookies we use, please refer to our Cookie Policy.
Contact Us: If you have questions about this document, please write to: CodeAlive Ltd 71-75 Shelton Street, Covent Garden London, WC2H 9JQ, UK Email: security@codealive.ai