GDPR & Data Protection
Last updated: April 2026
1. Our Commitment
CODAIQ LTD is committed to protecting the personal data of our users and ensuring full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR 2016/679).
This page provides a detailed overview of our data protection practices. For our full privacy policy, including what data we collect and how we use it, please see our Privacy Policy.
2. Data Controller & Data Protection Contact
CODAIQ LTD acts as the data controller for personal data collected through the Codaiq platform.
- Data Controller: CODAIQ LTD
- Company No: 16537316 (Companies House, England & Wales)
- Registered Address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
- Data Protection Contact: Hasan Ali Badruk
- Contact Email: info@codaiq.com
- Phone: +971 58 560 6084
While CODAIQ LTD is not currently required to appoint a formally designated Data Protection Officer (DPO) under UK GDPR (as we do not engage in large-scale systematic monitoring or process special category data at scale), Hasan Ali Badruk is responsible for data protection matters and can be contacted at the address above.
3. Lawful Basis for Processing
Under UK GDPR Article 6, we process personal data on the following lawful bases:
| Lawful Basis | When We Rely On It |
|---|---|
| Contract (Art. 6(1)(b)) | Account management, providing the Service, billing, customer support |
| Legitimate Interests (Art. 6(1)(f)) | Security monitoring, fraud prevention, platform improvement, server-side analytics |
| Consent (Art. 6(1)(a)) | Marketing emails, optional product communications |
| Legal Obligation (Art. 6(1)(c)) | Financial record retention (HMRC requirements), responding to lawful requests from authorities |
4. Your Rights Under UK GDPR
You have the following rights regarding your personal data. To exercise any of them, contact us at info@codaiq.com. We will respond within 30 days.
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of it along with supplementary information about how we use it. To make a Subject Access Request (SAR), email us at info@codaiq.com with the subject line "Subject Access Request". We will need to verify your identity before processing the request.
Right to Rectification (Article 16)
If you believe we hold inaccurate or incomplete personal data about you, you have the right to have it corrected. Most account data can be updated directly in your account settings. For other data, contact us at info@codaiq.com.
Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the lawful basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been processed unlawfully
Note: We may be unable to erase data we are required to retain by law (e.g. financial records).
Right to Restriction of Processing (Article 18)
You may ask us to pause the processing of your personal data in certain circumstances, such as when you contest its accuracy or have objected to processing while we consider your objection.
Right to Data Portability (Article 20)
Where processing is based on contract or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims.
You have an absolute right to object to direct marketing at any time, and you can unsubscribe from marketing emails using the unsubscribe link in any email.
Rights Related to Automated Decision-Making (Article 22)
We do not make solely automated decisions that have legal or similarly significant effects on you. Our AI features generate website content but do not make decisions about your rights or legal status.
Right to Withdraw Consent
Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. To withdraw consent for marketing communications, use the unsubscribe link in any email or contact us at info@codaiq.com.
5. Data Processing Activities
| Activity | Data Processed | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Account Management | Name, email, password hash | Provide platform access | Contract | Duration of account + 30 days |
| Website Hosting | User-generated website content | Serve hosted websites | Contract | Duration of account + 30 days |
| Payment Processing | Billing address, Stripe IDs, transaction records | Process subscriptions | Contract + Legal obligation | 7 years (HMRC) |
| Server-Side Analytics | Anonymised usage data, page views | Improve platform | Legitimate interests | 90 days |
| Security Logging | IP addresses, access logs | Security & fraud prevention | Legitimate interests | 90 days |
| Email Communications | Email address | Transactional & marketing emails | Contract / Consent | Duration of account |
| Customer Support | Support correspondence | Resolve issues | Contract + Legitimate interests | 3 years |
6. Sub-Processors
We engage the following third-party sub-processors who may access or process personal data on our behalf. We have data processing agreements (DPAs) or rely on appropriate transfer mechanisms with each:
| Sub-Processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs / IDTA |
| Vercel, Inc. | Hosting & CDN | USA/Global | SCCs / IDTA |
| MongoDB Atlas (MongoDB, Inc.) | Database | USA/EU | SCCs / Adequacy |
| Anthropic, PBC | AI (Claude API) | USA | SCCs / IDTA |
| Fireworks AI, Inc. | AI inference | USA | SCCs / IDTA |
| Resend, Inc. | Transactional email | USA | SCCs / IDTA |
| Cloudflare, Inc. | DNS & network security | USA/Global | SCCs / IDTA |
SCCs = EU Standard Contractual Clauses. IDTA = International Data Transfer Agreement (UK). These mechanisms provide appropriate safeguards for personal data transferred outside the UK/EEA.
7. Data Breach Notification
In the event of a personal data breach, CODAIQ LTD will:
- Assess the breach and its likely impact on affected individuals
- Where the breach is likely to result in a risk to individuals' rights and freedoms, notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Where the breach is likely to result in a high risk to individuals, notify affected users directly without undue delay
- Document all breaches in our internal breach register, regardless of whether notification is required
If you believe your personal data has been compromised, please contact us immediately at info@codaiq.com.
8. International Data Transfers
As detailed in Section 6, some of our sub-processors are located outside the United Kingdom. We ensure that all international transfers of personal data are protected by appropriate safeguards, specifically:
- International Data Transfer Agreements (IDTAs) — the UK's equivalent of SCCs for transfers to non-adequate countries
- EU Standard Contractual Clauses (SCCs) — where these also apply (e.g. for EU residents' data)
- Adequacy decisions — where the ICO or European Commission has determined a country provides an adequate level of protection
9. Privacy by Design & by Default
We embed data protection into the design of our systems and practices:
- We collect only the minimum data necessary for each processing purpose (data minimisation)
- We default to the most privacy-protective settings for our users
- Our analytics are server-side, avoiding client-side tracking technologies
- Access to personal data is restricted to staff who need it (least privilege)
- We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
10. Complaints & the ICO
If you are not satisfied with how we have handled your personal data or a data rights request, you have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
If you are in the EU, you may also contact your local data protection authority.
We encourage you to contact us first at info@codaiq.com and we will do our best to resolve any concerns promptly and fairly.
11. Contact
For data protection and GDPR enquiries:
- CODAIQ LTD — Data Protection
- Attn: Hasan Ali Badruk
- 71-75 Shelton Street, Covent Garden
- London, United Kingdom WC2H 9JQ
- Email: info@codaiq.com
- Phone: +971 58 560 6084