Privacy Policy

This Privacy Policy explains how Kodus LLC (“Kodus”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you use our websites, products and services, including the Kody AI code review platform (together, the “Services”).

By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, you should stop using the Services.

1. Who we are and how to contact us

We are Kodus LLC, a company organized under the laws of the State of Delaware, United States of America, with registered address at:

1007 N Orange St, 4th Floor, 1139
Wilmington, DE 19801, USA

Email: help@kodus.io

We have appointed a Data Protection Officer (DPO). For questions or requests about this Privacy Policy or the use of your personal data, you can contact:

Data Protection Officer (DPO)
Wellington Santana
Email: wellington.santana@kodus.io

For residents of the European Economic Area, United Kingdom and Brazil, Kodus acts as a data controller for the personal data described in this Privacy Policy.

2. Scope of this Privacy Policy

This Privacy Policy applies to:

• Visitors of our websites, such as kodus.io.
• Users of the Kody AI code review platform and related dashboards, APIs and integrations.
• Contacts who interact with us via forms, support channels, email or marketing communications.

It does not apply to third party services that you connect to the Services, such as GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Slack or others. Their privacy practices are governed by their own policies.

3. Data we collect

We collect and process different categories of data depending on how you interact with us and the Services.

3.1 Account and contact information

When you create an account, sign in through an integration, or contact us, we may collect:

• Name and surname

• Email address

• Company name and role

• Authentication identifiers (for example from GitHub, GitLab, Bitbucket or Azure DevOps)

• Workspace and organization details

• Communication preferences

3.2 Service usage and technical data

When you access the Services, we automatically collect:

• Log data (such as IP address, browser type, operating system, date and time of access)

• Device and session identifiers

• Events and interaction data, such as pages viewed, features used, and configuration changes

• Approximate location based on IP (city or region level)

We may use cookies and similar technologies on our websites and application to remember your preferences, secure your session and understand how the Services are used.

3.3 Integration and repository data

To provide AI code review and related features, the Services may access information from developer tools and platforms that you connect, such as:

• Source code and repository contents

• Commit history and metadata

• Pull and merge requests, including titles, descriptions, comments and reviews

• Branch names, file paths and diffs

• Issues, tickets and related metadata where integrated

This information may include personal data, such as author names, usernames, email addresses and comments written by individuals.

3.4 Support, feedback and communications

If you contact us through support channels, email, chat or forms, we collect:

• The content of your messages and any files you provide

• Metadata related to the communication (date, time, channel)

We may also collect feedback about the quality of AI suggestions and code reviews, including whether specific comments were helpful or not.

3.5 Billing and payment data

For paid plans, our payment processor (such as Stripe) collects and processes:

• Name and contact details of the billing contact

• Payment method details (for example tokenized card information)

• Billing address, VAT or tax identifiers where applicable

• Transaction history and invoices

We do not store full credit card numbers on our systems. Payment data is processed and stored by our payment provider.

4. How we use your data and legal bases

We use personal data for the following purposes and legal bases:

4.1 To provide and operate the Services

• Creating and managing your account and workspace

• Providing AI code review, suggestions and summaries

• Integrating with repositories and developer tools at your request

• Allowing you to configure rules, prompts and settings

Legal basis: performance of a contract with you or with the organization you represent.

4.2 To secure the Services and prevent abuse

• Authenticating users and managing access

• Detecting and preventing fraud, abuse or security incidents

• Monitoring for unusual activity that may indicate threats

Legal basis: legitimate interest in keeping the Services secure and compliant, and where applicable legal obligations.

4.3 To improve and develop the Services

• Analyzing aggregated or pseudonymized usage patterns

• Evaluating and improving the accuracy and usefulness of AI suggestions

• Developing new features and product improvements

Where possible, we use aggregated or anonymized data for these purposes so that it does not identify you or your organization.

Legal basis: legitimate interest in improving and developing our products.

4.4 To communicate with you

• Responding to your support requests, questions and feedback

• Sending important operational or security notices about the Services

• Sending product updates, tips and relevant content, where permitted

For marketing communications, we rely on your consent where required by law, and you can opt out at any time using the unsubscribe link or by contacting us.

4.5 To comply with legal obligations

• Keeping records required by accounting, tax or regulatory rules

• Responding to lawful requests from public authorities where we are legally required to do so

Legal basis: compliance with legal obligations.

5. AI processing and model training

We use AI models to analyze code, diffs and related metadata in order to generate code review suggestions, summaries and insights.

We may send portions of code, prompts and metadata to third party AI providers such as Anthropic, OpenAI or Novita for this purpose, subject to data protection terms.

We do not:

• Sell your personal data

• Use your customer code or personal data to train or fine tune foundation models operated by Anthropic, OpenAI, Novita or other model providers, unless you have expressly enabled such a feature in writing or via the Services

We may log prompts and AI outputs in a controlled way, including through tools like LangSmith, to monitor quality, troubleshoot issues and prevent abuse, with appropriate safeguards and access controls.

6. Cookies and similar technologies

We use cookies and similar technologies on our websites and application to:

• Keep you signed in

• Remember your preferences

• Analyze how the Services are used

• Improve performance and security

Where required by law, we ask for your consent before placing non essential cookies. You can manage your cookie preferences through your browser settings or, where available, through our cookie banner or preferences center.

7. How we share your data

We do not sell your personal data.

We may share personal data with:

1. Service providers and subprocessors
   Third parties that help us deliver the Services, such as:

   • Cloud infrastructure and hosting providers (for example AWS, GCP, DigitalOcean)

   • Error monitoring and logging (for example Sentry)

   • Analytics (for example PostHog)

   • Communication and email providers (for example Customer.io)

   • Payment processing (for example Stripe)

   • AI model providers (for example Anthropic, OpenAI, Novita)

   • Integration and automation providers (for example Composio)

   A current list of our subprocessors is available on our website and in our Data Processing Agreement.

2. Professional advisors
   Such as lawyers, accountants and auditors, where necessary for legitimate business purposes and subject to confidentiality obligations.

3. Legal and regulatory authorities
   Where required by law, regulation or valid legal process, or to protect our rights, users or the public.

In all cases, we only share the data that is necessary for the specific purpose and we require our service providers to protect personal data and use it only in accordance with our instructions.

8. International transfers

We are based in the United States and many of our subprocessors are also located in the United States. This means that personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction.

When we transfer personal data from the European Economic Area, the United Kingdom or Brazil to countries that do not have an adequacy decision, we implement appropriate safeguards, such as:

• Standard Contractual Clauses approved by the European Commission

• Equivalent contractual mechanisms where required by UK or Brazilian law

You can contact us if you would like more information about these safeguards.

9. Data retention

We retain personal data for as long as necessary to:

• Provide the Services

• Comply with our legal and contractual obligations

• Resolve disputes and enforce our agreements

In general:

• Account and workspace data is retained for the life of the account and for a reasonable period after closure, unless you request deletion earlier and no legal obligation requires retention.

• Logs and technical data are retained for a limited period that is appropriate for security and troubleshooting, after which they are deleted or anonymized.

• Billing and transaction records are retained for periods required by tax and accounting laws.

More detailed retention rules are defined in our internal Data Protection and Data Retention Policy. When data is no longer needed, we delete or anonymize it in a secure manner.

10. Your rights

Depending on your location and applicable law (for example GDPR or LGPD), you may have the right to:

• Access the personal data we hold about you

• Correct inaccurate or incomplete data

• Request deletion of your personal data in certain circumstances

• Restrict or object to certain types of processing

• Receive a copy of your data in a structured, commonly used and machine readable format (data portability)

• Withdraw consent where processing is based on consent

To exercise your rights, contact us at help@kodus.io. We may need to verify your identity before responding to your request.

You also have the right to lodge a complaint with a data protection authority, such as:

• In the European Economic Area: your local supervisory authority

• In the United Kingdom: the Information Commissioner’s Office (ICO)

• In Brazil: the National Data Protection Authority (ANPD)

We encourage you to contact us first so that we can try to resolve your concerns.

Data Deletion Requests

You may request deletion of your personal data by contacting us at help@kodus.io. All data deletion requests are logged and tracked to ensure proper handling and auditability.

11. Children

The Services are not intended for and should not be used by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child has provided us with personal data, please contact us so that we can delete that information.

12. Security

We take security seriously and implement technical and organizational measures to protect personal data, including:

• Encryption of data in transit and at rest where appropriate

• Access controls based on least privilege and role based permissions

• Network and infrastructure security measures

• Secure software development practices and code review

• Logging, monitoring and incident response procedures

• Regular backup and recovery processes

We use reputable cloud providers such as Amazon Web Services (AWS) to host our infrastructure and rely on their security certifications, combined with our own controls, to protect your data.

No system can be guaranteed to be completely secure, but we work continuously to protect the Services against unauthorized access, use and disclosure.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example when we introduce new features or when laws change.

When we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice (for example by email or through the Services).

If you continue to use the Services after the updated Privacy Policy becomes effective, you agree to the new version. If you do not agree, you should stop using the Services.

14. How to contact us

If you have any questions, concerns or requests regarding this Privacy Policy or the way we handle personal data, you can contact us at:

• Email: help@kodus.io

• DPO email: wellington.santana@kodus.io

We will do our best to respond promptly and address your concerns.