Privacy Notice
Last Updated: 17 July 2026
1. Introduction
CodeAlive Ltd ("we", "us", or "our") is committed to protecting your personal data. This Privacy Notice explains how we collect, use, and share information about you when you use our AI-powered code analysis platform (the "Service").
For the purposes of the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Data (Use and Access) Act 2025, CodeAlive Ltd is the Data Controller.
Company Details:
- Legal Entity: CodeAlive Ltd (Company No. 16517721)
- Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
- Contact: security@codealive.ai
Governing Law: This Privacy Notice and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.
2. The Data We Collect
We collect data to provide our Service and comply with our legal obligations:
A. Information You Provide
- Identity & Contact: Name, email address, username.
- Account Credentials: Passwords (hashed) or OAuth tokens (GitHub/GitLab).
- Payment Data: Billing address and plan details. We do not store full card numbers. Payments are processed directly by Stripe.
- Blog Newsletter: Email address, selected language, double opt-in consent proof (including the form, consent wording, time and IP address), and delivery status such as accepted, bounced, complained or unsubscribed. We do not track newsletter opens or clicks.
B. Automated Information
- Technical Data: IP address, browser type, OS, and time zone.
- Usage Data: Feature usage, clickstream data, and logs.
- Source Code: When you connect a repository, we process code and metadata (commits, timestamps, author names) to provide the analysis. We do not use your private code to train our public AI models. We may use aggregated, anonymised, or de-identified usage patterns (such as feature adoption metrics and error rates) to improve our Service, but such data cannot be used to identify you or reconstruct your code.
C. Children's Data
Our Service is intended for users aged 16 and over, in accordance with Section 2.3 of our Terms of Service. Whilst UK data protection law permits children aged 13 and over to consent to data processing for online services, we have elected to set a higher age threshold given the professional and technical nature of our Service. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at security@codealive.ai and we will take prompt steps to delete it.
3. How We Use Your Data (Lawful Bases)
| Purpose | Lawful Basis |
|---|---|
| User Registration | Performance of Contract |
| Providing the Service (Analysis/AI) | Performance of Contract |
| Billing & Payments | Performance of Contract |
| Security & Fraud Prevention | Legitimate Interests (Network Security) |
| Service Improvement (PostHog Analytics) | Consent |
| Blog Article Notifications | Consent |
| Legal/Tax Compliance | Legal Obligation |
4. Disclosure of Data (Sub-Processors)
We share data with third-party vendors ("Processors") who support our operations. We have Data Processing Agreements (DPAs) with these providers.
Core Sub-Processors:
| Provider | Service | Location |
|---|---|---|
| Google Cloud | Cloud Infrastructure | EU (Netherlands) |
| AWS | Email Delivery (SES) | EU (Ireland) |
| Mailjet | Blog newsletter forms, consent records and delivery | EU (Germany and Belgium) |
| Cloudflare | Turnstile anti-abuse checks for newsletter forms | Global |
| Stripe | Payments | Global (US/EU) |
| PostHog | Product Analytics | EU |
| Grafana / Sentry | Monitoring & Errors | EU / US |
| Intercom | Customer Support | US |
AI Model Providers: To generate code analysis, snippets are processed by the following LLM providers. We strictly limit data shared with these providers to the specific context required for the response.
| Provider | Service | Location |
|---|---|---|
| Anthropic | AI Code Analysis | USA |
| OpenAI | AI Code Analysis | USA |
| AI Code Analysis | USA | |
| Scaleway | AI Code Analysis | EU (France) |
| Voyage AI | Vector Embeddings | USA |
Changes to Sub-Processors: We will provide reasonable advance notice of any material changes to the sub-processors listed above. Such notice will be given via email to the address associated with your account or by prominent notice on our website. If you have concerns about a new sub-processor, you may contact us at security@codealive.ai to discuss the matter. For Business Users, additional rights regarding sub-processor changes are set out in Section 9.4 of our Terms of Service.
5. Security Measures
We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. These include:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: Strict "least privilege" access for internal staff.
- Vulnerability Scanning: Regular automated security scans of our infrastructure.
6. International Transfers
Where we transfer your data outside the UK/EEA (e.g., to US-based AI providers or Stripe), we ensure protection via:
- Adequacy Regulations (for countries deemed safe by the UK Gov).
- The UK Addendum to the EU Standard Contractual Clauses (SCCs), which contractually binds the provider to UK privacy standards.
7. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for.
- Account Data: Retained while your account is active. Deleted within 90 days of account closure.
- Financial Data: Retained for 6 years to satisfy UK tax and accounting requirements (HMRC).
- Analytics Data: Retained in accordance with our retention settings in PostHog (typically 12 months).
- Blog Newsletter: Active consent proof is retained while you remain subscribed. After unsubscribe, we retain the minimum suppression record needed to ensure we do not send again unless you complete a new double opt-in.
8. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct any inaccurate or incomplete data.
- Right to Erasure: You may request that we delete your personal data in certain circumstances.
- Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: You may request that we provide your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights Relating to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significant effects concerning you, except where such processing is necessary for a contract, authorised by law, or based on your explicit consent.
To exercise any of these rights, please contact security@codealive.ai.
We will respond to your request within one month. If we require clarification to process your request, the response period may be paused until you provide the requested information. In complex cases, we may extend this period by a further two months, but we will inform you of any such extension within the initial one-month period.
Automated Decision-Making: We do not use automated decision-making that produces legal or similarly significant effects on you without human review. Our AI-powered code analysis features provide assistance and suggestions which you control and review before acting upon. No decisions affecting your legal rights, access to services, or similarly significant matters are made solely by automated means.
Making a Data Protection Complaint: If you wish to make a complaint about how we handle your personal data, please email security@codealive.ai with the subject line "Data Protection Complaint". We will:
- Acknowledge your complaint within 30 days of receipt;
- Investigate the matter thoroughly and provide you with a substantive response within 60 days of acknowledgment, or inform you if additional time is required and the reasons therefor.
US Residents (California/CCPA): If you are a California resident, the CCPA grants you specific rights, including the right to know what data we collect and the right to request deletion. We do not "sell" your personal data as defined by the CCPA. You may exercise your rights by contacting us at the email above.
Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by telephone on 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
9. Cookies and Tracking
We use strictly necessary storage to provide the Service and remember your privacy choice. Optional analytics starts only after you actively consent.
- Essential Cookies: Required for login, security, and core functionality (e.g., authentication tokens, session management). These cookies are strictly necessary and do not require consent.
- Analytics & Optimisation Cookies: If you select "Accept analytics", we use PostHog across codealive.ai and app.codealive.ai for page and product analytics and privacy-masked session recording. We do not rely on the Data (Use and Access) Act 2025 statistical exception for this individual-level PostHog processing. The lawful basis is your consent.
- Support Cookies: Intercom cookies enable our customer support functionality.
You can reject optional storage without losing access to the site, blog, newsletter or signup. You may withdraw analytics consent at any time through "Cookie settings" in the footer; this stops capture and removes PostHog browser identifiers. For details, see our Cookie Policy.
10. Blog Article Notifications
The blog newsletter is separate from cookie consent, product marketing preferences and the Terms of Service. We add an address to the selected English or Russian list only after double opt-in confirmation. Each message contains one new article and an immediate unsubscribe link. We use Mailjet operational delivery metadata but disable open tracking, click tracking, link rewriting, UTM decoration and per-recipient engagement automation. We do not import product users, CRM contacts or other addresses without separate newsletter consent.
Cloudflare Turnstile may process limited technical data as a strictly necessary anti-abuse measure on the form. A switch to another CAPTCHA provider would be disclosed in this notice and the Cookie Policy before launch.
Contact Us: If you have questions about this document, please write to: CodeAlive Ltd 71-75 Shelton Street, Covent Garden London, WC2H 9JQ, UK Email: security@codealive.ai