Privacy Policy
Last updated: February 23, 2026
1. Introduction
This Privacy Policy describes how SmartWorks Labs LLC ("SmartWorks Labs," "we," "us," or "our") collects, uses, stores, and protects information when you use the codaflo.ai platform ("the Platform"), the codaflo.ai marketing website ("the Website"), or any related services (collectively, "the Service").
codaflo.ai is a developer command center designed to help software developers manage projects, store credentials securely, track development sessions, and organize documentation. We are committed to protecting your privacy and being transparent about our data practices.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create a codaflo.ai account, we collect the following information that you provide directly:
- Contact Information: First name, last name, and email address
- Authentication Credentials: A password (stored as a cryptographic hash; we never store your password in plaintext)
- Account Preferences: Display settings, theme preference, and notification preferences
2.2 Information You Store on the Platform
When you use the Platform, you create and store various types of project-related content across the following categories:
- Project Identity: Project names, descriptions, statuses, priorities, tags, and display preferences
- Domain and Deployment: Domain names, hosting configurations, and deployment-related information
- Technical Architecture: Technology stack details, frameworks, and architectural notes
- Service Accounts: Records of which service accounts (e.g., Google, AWS, GitHub accounts) are associated with which services and credentials
- Credentials and Keys: API keys, passwords, OAuth credentials, tokens, connection strings, SSH keys, webhook secrets, license keys, and other sensitive authentication data you choose to store
- Development Sessions: Session notes, closure summaries, continuation prompts, and session history
- Current Blockers: Issues, dependencies, or obstacles associated with your projects
- Tasks: Next actions, to-do items, and task-related notes
- Documentation and Resources: URLs, descriptions, and organizational metadata for external resources (GitHub repositories, Google Drive documents, Figma files, and similar)
- Notes and Ideas: Freeform notes, ideas, and reference information associated with your projects
- Business Information: Business-related context, client details, or commercial notes you choose to associate with projects
Important — Credential Vault Encryption: All credential values stored in the credential vault are encrypted using AES-256 encryption. SmartWorks Labs does not access the contents of your encrypted credential vault in the ordinary course of business. Encryption keys are managed separately from the encrypted data. For a description of our key management approach, see Section 4.2.
Important — Metadata Visibility: Certain project data outside the credential vault — including project names, descriptions, session notes, documentation links, service account references, blockers, tasks, notes, and business information — may be stored in a human-readable format to enable Platform functionality such as search, display, and organization. We recommend that you avoid placing sensitive information (such as passwords or secret keys) in description fields or notes; use the encrypted credential vault for all sensitive values.
2.3 Information Collected Automatically
When you access the Service, certain information is collected automatically:
- Usage Data: Login timestamps, feature usage patterns, and session duration
- Technical Data: IP address, browser type and version, operating system, device type, and referring URL
- Cookie Data: Information collected through cookies and similar technologies (see our Cookie Policy for details)
2.4 Payment Information
We do not directly collect, process, or store your payment card information. All payment processing is handled by Stripe, Inc., our third-party payment processor. When you subscribe to a paid plan, Stripe collects your payment details directly. We receive only a customer identifier, subscription status, and billing period information from Stripe. Please refer to Stripe's Privacy Policy for details on how Stripe handles your payment information.
2.5 Lead Generation and Marketing
If you provide your email address through a lead-generation form, newsletter signup, or other marketing interaction on the Website, we collect your email address and any additional information you voluntarily provide. This information is managed through Mailchimp for email marketing purposes.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Operating the Service
- Authenticating your identity and maintaining your account
- Storing and displaying your project data, credentials, sessions, and documentation
- Enabling search, filtering, and organizational features within the Platform
- Processing subscription payments and managing billing through Stripe
- Sending transactional emails (account verification, password resets, subscription confirmations, and billing notifications)
3.2 Aggregate Analytics and Capacity Management
We collect and analyze data in aggregate form to understand how users interact with the Platform and to manage our infrastructure. This includes aggregate metrics such as total number of projects managed across the Platform, total number of credentials stored, total number of sessions and documentation links, and general feature usage patterns.
This aggregate data is used to understand how the Platform is used so we can improve it, monitor infrastructure capacity and plan for scaling, make informed decisions about pricing and resource allocation, and identify and fix bugs or performance issues.
Certain automatically collected data (such as login timestamps and feature usage described in Section 2.3) may also be used at the individual account level for operational purposes, including responding to support requests, investigating security incidents, troubleshooting technical issues, and managing billing. This is distinct from aggregate analytics and is limited to operating the Service.
We use your data only for the purposes described in this Privacy Policy. As of the effective date of this policy, we do not sell your personal information to third parties, we do not use individual user data for advertising profiling, and we do not provide individual user data to third parties for their own marketing purposes. Our data practices are limited to operating, improving, and securing the Service and fulfilling our legal obligations. If our data practices change materially, we will update this Privacy Policy and notify you as described in Section 11.
3.3 Safety, Security, and Abuse Prevention
We may access or review account-level information (not encrypted credential values) when reasonably necessary to investigate potential violations of our Terms of Service, respond to support requests you initiate, detect and prevent fraud or abuse that threatens the security of the Service, and comply with legal obligations.
3.4 Marketing Communications
If you have opted in to marketing communications by creating an account or submitting your contact information through a lead-generation form, we may send you product updates and announcements, feature release notifications, educational content related to developer workflows, and promotional offers related to the Service.
You may opt out of marketing communications at any time by clicking the "Unsubscribe" link in any marketing email or sending a request to hello@codaflo.ai. Opting out of marketing communications does not affect transactional emails necessary for operating your account.
3.5 Legal and Safety
We may use your information to comply with applicable laws, regulations, or legal processes; respond to lawful requests from public authorities, including law enforcement; enforce our Terms of Service; and protect the rights, safety, or property of SmartWorks Labs, our users, or the public.
4. How We Store and Protect Your Information
4.1 Infrastructure and Data Storage
SmartWorks Labs does not directly host or store user data on its own servers. Your data is stored and managed by our third-party infrastructure provider, Supabase, which provides PostgreSQL database hosting with enterprise-grade security controls. The Platform application is hosted on Vercel's global content delivery network.
4.2 Encryption
- Credentials at Rest: All credential values in the vault are encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies. Encryption keys are stored separately from the encrypted data in environment-level configuration. While SmartWorks Labs manages the encryption infrastructure, we do not access decrypted credential values in the ordinary course of business and have no operational reason to do so.
- Data in Transit: All connections to the Service use HTTPS/TLS encryption. We enforce HTTP Strict Transport Security (HSTS) headers.
- Authentication Data: Passwords are hashed using industry-standard cryptographic algorithms. We never store passwords in plaintext.
4.3 Access Controls
We implement access controls and security measures designed to protect your data, including:
- Row-Level Security: Database access policies that restrict users to their own data
- Session Management: Sessions that expire after a period of inactivity, with secure, HttpOnly cookies for session handling
- Rate Limiting: Throttling on authentication endpoints to help prevent brute-force attacks
The specific implementation of these measures may evolve as we improve the Service, but we are committed to maintaining security controls appropriate to the sensitivity of the data we store.
4.4 Limitations
While we employ industry best practices and take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. Where data is stored in a human-readable format to enable Platform functionality (such as project names, session notes, and credential metadata), SmartWorks Labs applies access controls and security best practices but cannot guarantee absolute security. We balance comprehensive security with Platform usability.
5. Third-Party Services
We use the following third-party services that may process your data. Each service operates under its own privacy policy:
| Service | Purpose | Data Processed | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting and authentication | Account data, project data, encrypted credentials, session data | supabase.com/privacy |
| Vercel | Application hosting and CDN | Request data, IP addresses | vercel.com/legal/privacy-policy |
| Stripe | Payment processing | Payment information, billing details | stripe.com/privacy |
| Resend | Transactional email delivery | Email addresses, email content | resend.com/legal/privacy-policy |
| Mailchimp | Marketing email and lead management | Email addresses, engagement metrics | mailchimp.com/legal/privacy/ |
| Google Analytics | Website analytics | Pseudonymous usage data, cookie identifiers | policies.google.com/privacy |
| Microsoft Clarity | UX analytics (if implemented) | Pseudonymous interaction data | privacy.microsoft.com |
| GitHub | Source code hosting | N/A (no user data processed) | docs.github.com/en/site-policy/privacy-policies |
5.1 Sale of Personal Information
As of the effective date of this policy, SmartWorks Labs does not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes. Our business model is based on subscription revenue, not data monetization. If this ever changes, we will update this Privacy Policy and notify you at least 30 days in advance as described in Section 11, giving you the opportunity to make informed decisions about your continued use of the Service.
6. Data Retention and Deletion
6.1 Active Accounts
Your data is retained for as long as your account is active, whether on a paid subscription or the Free tier.
6.2 Subscription Cancellation
When you cancel a paid subscription, you retain access to Professional features until the end of your current billing period. After the billing period ends, your account reverts to the Free tier. Your data is not deleted. All projects, credentials, sessions, documentation, and other stored content remain on your account. Projects beyond the 2-project Free tier limit become read-only until you either resubscribe to a Professional plan or reduce your active projects to within the Free tier limit.
SmartWorks Labs does not delete user accounts or data as a result of subscription cancellation. Your account remains active on the Free tier indefinitely.
6.3 Account Deletion
If you choose to delete your account, the deletion process removes your data from all active systems promptly. This includes all projects, credentials, sessions, documentation links, notes, and account information. Account deletion is permanent and cannot be reversed.
Residual copies of your data may persist in encrypted backups or system logs for a limited period as part of standard infrastructure operations. These residual copies are overwritten on a rolling schedule and are not used for any purpose other than disaster recovery. We make commercially reasonable efforts to ensure deleted data is fully purged from all systems within 90 days of account deletion.
Please export any data you wish to retain before deleting your account.
6.4 Third-Party Retention
Certain third-party services may retain data according to their own policies. For example, Stripe retains billing and transaction history as required by financial regulations. We do not control third-party retention practices. Please refer to the respective privacy policies listed in Section 5.
7. Your Rights
7.1 All Users
Regardless of your location, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete personal information
- Delete your account and all associated data (subject to Section 6.3)
- Export your data in standard formats (JSON, CSV, Markdown, or PDF, depending on your subscription tier)
- Opt Out of marketing communications at any time
7.2 Rights Under the General Data Protection Regulation (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the GDPR, including:
- Right to Erasure ("Right to Be Forgotten"): You may request deletion of your personal data. Account deletion (Section 6.3) fulfills this right, subject to the backup retention timeline described therein.
- Right to Restrict Processing: You may request that we limit how we use your data.
- Right to Data Portability: You may request your data in a structured, machine-readable format. The Platform's export features enable this.
- Right to Object: You may object to our processing of your data for certain purposes, including direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
Lawful Basis for Processing (GDPR): We process your personal data on the following bases: performance of a contract (providing the Service you signed up for), legitimate interest (aggregate analytics, security, abuse prevention, and Platform improvement), consent (marketing communications and non-essential cookies), and legal obligation (compliance with applicable laws).
To exercise your GDPR rights, contact us at hello@codaflo.ai. We will respond within 30 days.
7.3 Rights Under the California Consumer Privacy Act (CCPA)
If you are a California resident, you have the following rights under the CCPA:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information. Account deletion (Section 6.3) fulfills this right.
- Right to Opt Out of Sale: As of the effective date of this policy, we do not sell your personal information. If our practices change, we will provide a mechanism to opt out and update this policy accordingly.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at hello@codaflo.ai.
8. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users without undue delay and in accordance with applicable law. Our target is to provide notification within 72 hours of confirming the scope and impact of a breach, though the timeline may vary depending on the nature of the incident and the requirements of relevant regulatory authorities.
Notification will be sent via email to the address associated with your account and will include a description of the nature of the breach, the types of data affected, the steps we are taking in response, and recommendations for protecting yourself.
Because user data is stored and managed by our third-party infrastructure providers (primarily Supabase), a data breach would most likely involve a breach of our service provider's systems rather than SmartWorks Labs' systems directly. In such an event, we will work with the affected service provider to assess the scope of the breach and communicate transparently with affected users. Our ability to provide notification is dependent in part on timely disclosure from our service providers.
9. Children's Privacy
The Service is designed for software developers and is not directed at children under the age of 13. You must be at least 13 years of age to create an account or use the Service. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
If you are between the ages of 13 and 18, we strongly recommend that you obtain parental or guardian consent before using the Service or providing any personal information. If a parent or guardian becomes aware that their child has created an account or provided personal information without appropriate consent, please contact us at hello@codaflo.ai and we will work with you to address the situation.
10. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers maintain facilities.
For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and the data protection commitments of our service providers to ensure adequate protection of personal data transferred internationally. We encourage you to review the data processing practices of our third-party providers listed in Section 5, as they maintain their own transfer mechanisms and compliance documentation.
By using the Service, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your country of residence.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or applicable law. If we make material changes — including changes to how we use, share, or process your personal information — we will notify you by email at least 30 days before the changes take effect. We will also update the "Last Updated" date at the top of this document.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with a material change, you may delete your account before the change takes effect.
12. Contact Us
If you have questions about this Privacy Policy, your data, or your rights, please contact us:
SmartWorks Labs LLC
Email: hello@codaflo.ai
This Privacy Policy applies to the codaflo.ai platform and website, products of SmartWorks Labs LLC. codaflo.ai is not a separate legal entity.