Privacy Policy

Last updated: 11 March 2026

1. Who we are

Kodeo Work is a software service operated by Kodeo Labs Ab (“Kodeo”, “we”, “us”, “our”).

Company details

• Legal entity: Kodeo Labs Ab
• Company registration number: 3122668-6
• Registered address: Småholmavägen 3B 1, 22120 Mariehamn, Åland, Finland
• Contact email: support@kodeo.io
• VAT number: FI31226686

For the purposes of data protection law, we act as:

• Controller for personal data we process to run our website, accounts, billing, support, security, and business operations.
• Processor for customer content that our customers upload, store, or manage in Kodeo Work on behalf of their own clients, contacts, or team members.

2. Scope of this policy

This Privacy Policy explains how we process personal data when you:

• visit our website,
• create or use a Kodeo Work account,
• contact us for support,
• receive product or transactional emails from us,
• interact with future billing flows,
• use Kodeo Work as an invited user, workspace member, customer, or contact.

This policy does not replace any separate Data Processing Agreement that may apply where we process personal data on behalf of our customers.

3. Categories of personal data we collect

Depending on how you use Kodeo Work, we may collect and process:

a. Account and profile data

• Name
• Email address
• Passwordless login identifiers or authentication metadata
• Sign-in method information, such as email OTP or Google sign-in
• Workspace name and settings
• Preferred language and locale

b. Billing and subscription data

If and when we introduce paid plans, we may process billing information such as:

• Billing name and address
• VAT or tax number
• Subscription plan, status, invoices, and payment metadata
• Limited payment-related information provided by our payment processor

We do not store full card details ourselves.

c. Product usage and technical data

• IP address
• Device/browser information
• Log files and timestamps
• Security events
• Session data
• Error and diagnostic data

We do not currently use product analytics tools for user behavior tracking.

d. Support communications

• Messages you send to us
• Attachments you provide
• Support history

e. Customer content

If you use Kodeo Work to manage business information, you may upload or generate data such as:

• client names and contact details,
• invoice details,
• project information,
• time entries,
• notes,
• documents or files,
• other business records.

When we process this customer content for a workspace owner or business customer, we typically act as a processor.

4. How we use personal data

We use personal data to:

• provide and maintain Kodeo Work,
• create and manage user accounts,
• authenticate users and secure access,
• process subscriptions, billing, and renewals,
• respond to support requests,
• monitor performance, fix bugs, and improve reliability,
• prevent fraud, abuse, or unauthorized access,
• comply with legal obligations,
• send service-related communications,
• where permitted, send limited product updates or marketing communications.

5. Legal bases for processing

Depending on the context, we process personal data on one or more of these legal bases:

• Contract: to provide the service you requested, administer your account, and fulfill our Terms.
• Legitimate interests: to secure, improve, and support our service, prevent abuse, and manage our business.
• Legal obligation: to comply with accounting, tax, consumer, and regulatory obligations.
• Consent: where required, for example for certain cookies or optional marketing communications.

6. When we act as processor

If a customer uses Kodeo Work to process personal data relating to their own clients, contractors, employees, or other contacts, that customer is generally the controller and we act as their processor.

In that context:

• we process customer content only on documented instructions from the customer,
• we require our subprocessors to protect personal data appropriately,
• we assist customers with reasonable requests related to security and data subject rights where required by law.

7. Sharing personal data

We may share personal data with:

• hosting and infrastructure providers, including Render and Netlify,
• authentication providers, including Google where you choose to sign in with Google,
• payment processors, where paid plans are introduced in the future, such as Stripe or another payment provider,
• email service providers used to deliver authentication, transactional, and support emails, including Resend,
• professional advisers,
• public authorities or regulators where legally required,
• potential buyers or successors in connection with a merger, acquisition, or asset sale.

We do not sell personal data.

8. International transfers

If personal data is transferred outside the EEA/UK/Switzerland, we take appropriate safeguards such as:

• adequacy decisions,
• Standard Contractual Clauses,
• or other lawful transfer mechanisms.

You may contact us for more information about applicable safeguards.

9. Data retention

We keep personal data only as long as necessary for the purposes described in this policy, including to:

• provide the service,
• maintain security and backups,
• comply with legal, tax, and accounting obligations,
• resolve disputes,
• enforce agreements.

Retention periods vary depending on the type of data. For example:

• account data: while the account is active and for a reasonable period afterward,
• billing and tax records: as required by applicable law,
• logs and diagnostics: for a limited period appropriate for security and troubleshooting,
• customer content: until deleted by the customer or removed under our retention schedule.

10. Security

We take reasonable technical and organizational measures designed to protect personal data, including measures relating to access control, encryption where appropriate, backups, and monitoring.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Your rights

Depending on your location and the applicable law, you may have rights to:

• access your personal data,
• rectify inaccurate data,
• erase data,
• restrict processing,
• object to certain processing,
• receive data portability,
• withdraw consent where processing is based on consent,
• lodge a complaint with a supervisory authority.

To exercise your rights, contact us at support@kodeo.io. We may need to verify your identity before processing certain requests.

If you would like to delete your account or request a copy of the personal data we hold about you, you can contact us at support@kodeo.io.

Please note that we may retain certain information where necessary to comply with legal obligations, resolve disputes, prevent fraud or abuse, enforce our agreements, or maintain security records.

If we process personal data on behalf of a Kodeo Work customer, you may need to contact that customer directly first. We will assist where required and appropriate under applicable law.

12. Cookies and similar technologies

We use strictly necessary cookies and similar technologies to operate Kodeo Work, including for login, security, session management, and related core functionality.

We do not currently use non-essential analytics or advertising cookies. If that changes, we will update this Privacy Policy and, where required by law, request consent before placing such cookies or similar technologies.

You can manage cookie choices through our cookie banner, if shown, or through your browser settings.

13. Children

Kodeo Work is intended for business use and is not directed to children.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the date above and, where appropriate, provide additional notice.

15. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at:

Kodeo Labs Ab Småholmavägen 3B 1, 22120 Mariehamn, Åland, Finland support@kodeo.io