Your Data Rights

For the purposes of GDPR, CodeSec acts as the Data Controller for personal data you provide when creating an account, joining our waitlist, or using our Service.

When you run security scans on your own systems, CodeSec acts as a Data Processor on your behalf. You remain the data controller for the target data and scan results related to your systems.

Contact our Data Protection contact at [email protected].

We process your personal data under the following legal bases:

• Contract: Processing necessary to provide the Service you subscribed to
• Legitimate Interests: Security monitoring, fraud prevention, product improvement
• Legal Obligation: Retaining billing records for tax and financial compliance
• Consent: Analytics tracking, marketing communications (you can withdraw at any time)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, including:

• The categories of data we hold
• The purposes of processing
• Any third parties we share data with
• How long we retain your data
• The source of data not collected directly from you

To request access, email [email protected] with subject: Data Access Request. We respond within 30 days.

You have the right to correct inaccurate personal data or complete incomplete data we hold about you.

You have the right to request deletion of your personal data ("right to be forgotten") in certain circumstances.

You have the right to receive your personal data in a structured, commonly-used, machine-readable format and to transmit that data to another service.

To request a data export, email [email protected] with subject: Data Portability Request. We provide exports in JSON format within 30 days.

Your export includes: account information, scan history, reports, and usage records.

You may request restriction of processing your personal data in certain situations:

• You contest the accuracy of your data (during the verification period)
• Processing is unlawful but you prefer restriction over erasure
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of legitimate grounds

When processing is restricted, we will only store your data and process it with your consent, for legal claims, or to protect others' rights.

You have the right to object to processing of your personal data based on legitimate interests, including profiling. You can also object to direct marketing at any time.

CodeSec does not make decisions with significant legal or similarly significant effects on you based solely on automated processing. AI-powered scan analysis is advisory and requires human review before remediation action.

Your data may be transferred to and processed in the United States by our service providers (Supabase on AWS, Anthropic, OpenAI). These transfers are made under:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements with all sub-processors

If you are not satisfied with how we handle your data rights request, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is typically the data protection authority of your country of residence.

We encourage you to contact us first — we take data rights requests seriously and will work to resolve your concern directly.