Privacy Policy
Last updated: 2026-04-20 · Effective: 2026-04-20
This Privacy Policy explains what personal data Codeddit ("we", "us") collects, why we collect it, how we use it, and the rights you have over it. Codeddit is built around data minimisation: we collect only what the product needs to function, and we self-host our observability stack so your data stays within infrastructure we control.
Plain-English draft. A counsel-reviewed version will replace this before public launch; material changes will be announced under §12.
1. Who we are
The data controller is the Codeddit operating entity (to be specified before public launch). For any privacy request, write to privacy@codeddit.com. We do not currently have a statutory Data Protection Officer; if that changes we will update this page.
2. Data we collect
We group the data we hold about you into five categories.
- Account data. email, username, hashed password (scrypt), email-verification status, role, and timestamps for account creation, Terms acceptance and Privacy acceptance.
- Content data. posts, comments, votes, saves, reports and any other contributions you make; their timestamps and edit history.
- Payout data. the Bitcoin address you supply in Settings, used only to pay out bounties you have earned.
- Operational data. signed session cookies, IP address and user-agent (for rate-limiting, abuse defence, and audit logs), and error traces captured when something breaks (self-hosted via GlitchTip).
- Communications. the contents of any email you send us (e.g. a support or privacy request) and our replies.
We do not collect or store: third-party ad-network identifiers, precise geolocation, biometric data, government IDs, browsing history off our site, or any special-category data within the meaning of GDPR Art. 9.
3. How we use it
- Operate the Service — authenticate you, render feeds, route payouts, send transactional email.
- Keep it safe — rate-limit, detect abuse, investigate security incidents, maintain audit trails.
- Debug & improve — error traces, aggregate performance metrics, privacy-respecting analytics (Plausible by default; PostHog only if you opt in to product research).
- Communicate — respond to your emails; send critical account notices (security, payout receipts, Terms/Privacy changes). We do not send marketing email without your opt-in.
- Comply with law — respond to valid legal process; enforce our Terms.
4. Legal bases (GDPR)
- Contract (Art. 6(1)(b)) — account, content delivery, payout processing.
- Legitimate interests (Art. 6(1)(f)) — rate-limiting, spam and abuse defence, debugging and product improvement, information-security logging. Where we rely on this basis you can object (see §11).
- Legal obligation (Art. 6(1)(c)) — responding to valid legal requests, tax and anti-fraud record-keeping.
- Consent (Art. 6(1)(a)) — optional analytics enhancements, if any, and anything else the UI explicitly asks you to opt into.
5. Sharing & sub-processors
We do not sell personal data and do not share it for cross-context behavioural advertising. We share data only with service providers acting on our instructions under written contracts ("sub-processors"). Current and likely sub-processors:
- Cloudflare, Inc. — edge delivery, DDoS protection, R2 object storage for uploads.
- Resend, Inc. — transactional email (verification, password reset, payout receipts).
- Stripe, Inc. — any future paid-feature billing (none live today).
- Trigger.dev, Inc. — background-job orchestration (self-hosted instance; covered only if we fall back to the hosted control plane).
- Sentry / GlitchTip — error tracing (default: self-hosted GlitchTip so traces stay on our infra).
- Plausible Analytics — privacy-friendly, cookieless pageview analytics (self-hosted).
- PostHog, Inc. — product analytics, only if enabled and with user-level consent.
We may also disclose data (a) to comply with law or valid legal process, (b) to enforce our Terms or protect rights and safety, or (c) in connection with a merger, acquisition or asset sale — with notice and, where required, your consent.
6. Cookies & similar technologies
We use a small set of first-party cookies for functionality:
- Session cookie — signed, httpOnly, SameSite=Lax, rotates periodically; expires 7 days after last use.
- CSRF token — scoped to form submissions.
- Preferences — theme, feed-sort, and similar UI state (no identifiers).
We do not set third-party advertising or cross-site tracking cookies. Our default analytics (Plausible) is cookieless. You can clear cookies from your browser at any time; the site will still work but you will need to sign in again.
7. International transfers
Your data may be processed in countries outside your own, including in the United States and the European Union, depending on which data-centre region the sub-processors listed in §5 route your request through. Where we transfer personal data out of the EEA or UK, we rely on Standard Contractual Clauses and/or the EU-US Data Privacy Framework (where the recipient is certified) as the transfer mechanism.
8. Retention
- Account & content — kept while your account is open. After deletion, personal identifiers are removed within 30 days; posts and comments are tombstoned unless you request full erasure.
- Sessions — expire 7 days after last use, or sooner on sign-out.
- Error traces — 30 days.
- Security logs (IP, user-agent for rate-limiting) — up to 90 days.
- Payout ledger — retained while legally required (typically 5–7 years) for tax and anti-fraud purposes, even after account deletion.
- Email correspondence — up to 2 years unless you ask us to purge it sooner.
9. Security
We apply reasonable, risk-appropriate technical and organisational measures:
- TLS 1.2/1.3 in transit; at-rest encryption where the storage layer supports it.
- Passwords hashed with scrypt; session tokens are signed and rotated.
- Least-privilege access to production; audit logging of admin actions.
- Self-hosted observability so traces do not leave our infrastructure by default.
- Vulnerability disclosure: security@codeddit.com.
No system is perfectly secure. If a breach affects your personal data and is likely to result in a high risk to your rights, we will notify you and, where required, the competent supervisory authority, in line with Art. 33–34 GDPR.
10. Children
Codeddit is not directed to children under 13 (or under 16 in jurisdictions that set a higher digital-consent age, such as parts of the EU). We do not knowingly collect personal data from children. If you believe a child has given us data, email privacy@codeddit.com and we will delete it.
11. Your rights
Subject to applicable law (GDPR, UK-GDPR, CCPA/CPRA, LGPD and similar) you have the right to:
- Access — ask us for a copy of the data we hold about you.
- Rectify — correct inaccurate data, directly in Settings or via request.
- Erase — delete your account and personal identifiers (see §8 on retention carve-outs).
- Port — receive your posts, comments and account data in a machine-readable export.
- Restrict or object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent — without affecting the lawfulness of earlier processing.
- Non-discrimination (CCPA) — we will not deny service, charge different prices, or provide a lesser experience because you exercised a right.
- Complain — lodge a complaint with your local supervisory authority. In the EU that's your country's Data Protection Authority; in the UK, the ICO; in California, the California Privacy Protection Agency.
To exercise any right, email privacy@codeddit.com from the address on your account (or provide equivalent proof of ownership). We respond within 30 days; complex requests may be extended by up to two further months with notice.
12. Changes & contact
We may update this Policy. Material changes will be announced on the site and/or emailed to registered users at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Questions, requests or feedback: privacy@codeddit.com. Security reports: security@codeddit.com.
See also Terms & Conditions. By continuing to use Codeddit you acknowledge this Policy.