Privacy Policy

1. Who We Are

Company Name: Codeer Inc.

Contact: hi@codeer.ai

Address: 1F, No. 24, Alley 2, Lane 397, Mingshui Rd, Zhongshan District, Taipei City

2. Scope and Roles (Controller / Processor)

We operate a B2B2C model, serving both "enterprise clients" and their "end users" (such as students, employees, or customers).

• When enterprise clients use our products/platform to serve their end users, the enterprise client is typically the data controller, and Codeer acts as the data processor, processing data according to client instructions.
• When we directly provide Codeer products to you (such as through website registration), Codeer may act as the data controller for that portion.

If a service has a separate agreement (such as a DPA/Data Processing Agreement) or product settings, those terms and settings take precedence.

3. Types of Data We Collect and Process

We collect data only when necessary and follow the "minimum necessary" principle.

• Account and Identity Data: Name, email, avatar, job title, organization/workspace, roles and permissions.
• Content Data: Content you or your organization voluntarily submit (e.g., document text, uploaded files, conversation commands, annotations and feedback).
• Interaction Records and Learning History: Questions/instructions you enter in the interface, system responses, timestamps, course/workspace and Agent identifiers; accessible by teachers/administrators in the dashboard (within authorized scope only).
• Usage and Telemetry Data: Feature usage, error logs, performance and reliability metrics; used for security, debugging, and service improvement, not for third-party advertising or behavioral tracking.
• Device and Technical Information: Browser type, operating system, IP address (approximate location), cookies/local storage, etc.
• Payment and Billing (if applicable): Purchase records, invoice information, transaction IDs (processed by payment processors or third-party payment services).
• Customer Support: Communications between you and us (tickets, emails, meeting recordings/transcripts with your consent).

Important: If services integrate with third-party platforms (such as Google Drive, Notion), we only access data within the scope you or your organization has authorized, in a read-only and necessary manner, following that platform's policies and your settings.

4. Data Sources

• Data you or your organization voluntarily provide when using our services.
• Data you authorize us to obtain from third-party integrations (e.g., Google Docs/Drive, SaaS systems).
• System logs and telemetry data generated during service operation.

5. How We Use Data (Processing Purposes)

• Service Provision and Operation: Execute the functions you request (e.g., process submitted content through backend/AI agents and return responses).
• Account and Access Management: Registration, login, authentication, permission control, workspace/course management.
• Teaching/Business Feedback and Analytics (B2B2C): Display interaction records and learning history in teacher/admin dashboards, provide personalized recommendations, quality assurance, and course management.
• Security and Protection: Detect abuse, block spam, investigate suspicious activity, ensure service availability and integrity.
• Product Improvement: Improve reliability and experience based on aggregated or de-identified usage statistics, error and performance metrics.
• Communication: Provide service notifications, change announcements, customer support, and compliance information.
• Legal Compliance: Comply with applicable laws, regulatory requirements, and government directives.

Model Training and Continuous Improvement

We do not use customer-uploaded content and conversations as training data for foundational models.

We may use de-identified and aggregated telemetry and error data to improve security, reliability, and abuse prevention; not for advertising purposes.

6. Legal Basis (GDPR/UK GDPR if applicable)

• Contract Necessity (Art. 6(1)(b)): Provide the functions and services you request.
• Legitimate Interest (Art. 6(1)(f)): Security protection, product improvement, internal management (without overriding your rights).
• Consent (Art. 6(1)(a)): Optional features (such as workspace-level long-term retention). You may withdraw at any time.
• Legal Obligation (Art. 6(1)(c)): Comply with legal, accounting, and audit requirements.

7. Data Sharing and Disclosure

• Your Organization/Workspace: Based on permission design, teachers/administrators can view interaction records and necessary information in the dashboard.
• Subprocessors: Cloud and service providers that assist in operations (e.g., cloud hosting, databases, email, error tracking). We review and sign data protection agreements.
• Third-Party Integrations: We only exchange necessary data with third parties when you or your organization authorizes and uses the integration.
• Legal or Compliance Requirements: Disclose when required by law or legitimate requests.
• Corporate Transactions: Transfer when reasonably necessary and legally justified during company restructuring, mergers, or asset transactions.

We do not sell personal data, nor do we use third-party advertising or behavioral tracking SDKs.

8. Storage Location and Retention Period

Local/Browser: Login tokens and preference settings (e.g., localStorage/chrome.storage) are deleted when you log out or remove the extension.

Server-side: Conversation and interaction records are retained short-term (ephemeral) by default; if organization/course requires semester/regulatory audit purposes, administrators can set long-term retention (persistent). Uploaded/converted files and metadata are retained according to workspace settings and contract terms. Logs and telemetry are retained short-term for security and debugging, and used in aggregated/de-identified form for improvement.

You can delete your data (conversations, files, agents) directly on the platform at any time. Deleted data may remain in system backups for a limited period for disaster recovery purposes, but we do not keep additional copies beyond that. We do not retain deleted data for any other purpose.

9. Security

• Encryption in transit and at rest (e.g., TLS, storage encryption), least privilege access control, audit logs.
• Vulnerability Management and Backup: Regular patching, backups, and drills.
• Confidentiality Obligations: Only authorized personnel access data on a need-to-know basis, bound by confidentiality obligations.

10. Minors and Educational Settings

In school/educational institution settings, the school or course administrator is typically the data controller, able to set retention periods and visibility scope.

We only process data to the extent necessary to provide educational functions, not for advertising purposes. Use by minors requires arrangement by guardians or schools in compliance with regulations.

11. International Data Transfers and Regional Settings

Data may be processed outside your jurisdiction. We will take appropriate safeguards (e.g., Standard Contractual Clauses SCC, data minimization, encryption) and comply with applicable laws. If your contract requires data regionalization or localization, we will provide it as agreed.

12. Cookies and Similar Technologies

We may use essential cookies/local storage to maintain login and basic functions. If analytics cookies are used, they will be de-identified/aggregated, with opt-out options provided when feasible.

13. Your Rights

Under applicable laws (such as GDPR/UK GDPR, CCPA/CPRA, Taiwan's Personal Data Protection Act, Japan's APPI), you may have rights to: access, deletion, correction, restriction, portability, objection to processing, and withdrawal of consent.

How to Exercise: Please submit your request via hi@codeer.ai (include your account email and organization/workspace to help locate your data). If your data is primarily controlled by an enterprise client, please contact that client (your organization/school) first, and we will cooperate with their instructions.

14. Customer/Administrator Configurable Settings

• Roles and Permissions: Organization and workspace-level roles (Owner, Admin, Member) with least-privilege access control.
• Audience Access: Control who can interact with your agents — open access or whitelist-only mode.
• Data Deletion: Delete conversations, files, and agents directly on the platform. Deleted data may persist in system backups temporarily for disaster recovery only.
• API Key Management: Issue, name, set expiration, and revoke API keys for programmatic access.
• Conversation Histories: Review all conversation records, filter by agent or user, and use them for quality assurance.
• Version Control: Manage agent versions with draft, staging, and published states; roll back to previous versions at any time.

15. Third-Party Integrations and Google API (if applicable)

We only exchange necessary data with third parties after you enable the integration and authorize it.

If using Google API Services: We comply with their User Data Policy (including Limited Use), accessing/using only for your explicit use cases, not sharing with third parties for advertising or sale; you may revoke authorization at any time.

16. Automated Decision-Making

We do not conduct purely automated decision-making with legal or significant effects. Important scenarios use human-in-the-loop and appeal mechanisms.

17. Policy Updates

We may update this policy due to legal or service changes; material changes will be notified appropriately. Updated versions take effect from the "Effective Date."

18. Contact Us

General Support: hi@codeer.ai

Address: 1F, No. 24, Alley 2, Lane 397, Mingshui Rd, Zhongshan District, Taipei City

Appendix A: Processor Commitment Summary

For reference only; actual terms per DPA

• Process personal data only according to client instructions; implement appropriate technical and organizational security measures.
• Work only with reviewed subprocessors and sign corresponding agreements.
• Assist clients in responding to data subject requests.
• Report data incidents and cooperate with notifications within reasonable time.
• Delete or return data upon contract termination or client request.
• Support audits (within reasonable scope and frequency).

Appendix B: Regional Terms Summary

If applicable

• GDPR/UK GDPR: Controller/processor roles, SCC safeguards, data rights and complaint mechanisms.
• CCPA/CPRA: We do not sell or share personal data for behavioral advertising; provide rights pathways for "know/delete/correct/limit use of sensitive data."
• Taiwan Personal Data Protection Act: Notify collection purposes, data categories, usage period/region/recipients/methods, and how to exercise data subject rights as required by law.
• APPI (Japan): Disclose overview of receiving country's protection system and safeguards taken (such as SCC, encryption) for cross-border third-party transfers.

Appendix C: Channel-Specific Notes

If applicable

• Web Channel: Hosted chat experience on a Codeer subdomain or custom domain. Conversations are stored server-side and accessible to workspace operators.
• LINE Channel: Connects to your LINE Official Account via Messaging API. Messages are relayed between LINE and Codeer; Codeer stores conversation records in your workspace.
• Slack Channel: Connects to your Slack workspace via Slack App. Messages are relayed between Slack and Codeer; Codeer stores conversation records in your workspace.
• API Access: The caller determines the content and parameters transmitted; we process requests and return results. API keys are workspace-scoped.
• Chrome Extension: Only accesses selected content when you actively operate; tokens and preferences stored locally; unselected documents are not read.
• Dashboard: Only authorized personnel within the same workspace can access conversation records and analytics. Data can be deleted directly on the platform.

If you have custom agreements (such as DPA, SCC, data residency terms, industry regulations), those documents take precedence.