Legal
Privacy Policy
Heksis, MB — Kodan
1. Introduction
Heksis, MB ("we", "us", or "our") operates Kodan ("the Service"). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable EU member state law.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have. Please read it carefully.
Data Controller: Heksis, MB
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
Contact: support@kodan.dev
2. Data We Collect
We collect the following categories of personal data:
2.1 Account & Identity Information
- Full name
- Email address
- Password (stored in hashed form; never stored in plaintext)
2.2 Billing & Payment Information
We collect payment information to process subscriptions. Payment card details are processed exclusively by our third-party payment provider and are not stored on our servers. We retain transaction records (amount, date, plan) for accounting and legal compliance purposes.
2.3 Usage & Analytics Data
- Features used and actions taken within the Service
- Session duration and frequency of use
- Error logs and performance diagnostics
- Device type, browser, and operating system
- IP address
2.4 Cookies & Tracking Technologies
We use cookies and similar technologies for authentication, session management, and analytics. You can manage cookie preferences through your browser settings or our cookie consent interface.
2.5 Third-Party Integration Data
Kodan allows you to connect third-party services such as GitHub, Gmail, Slack, Discord, and Jira. These integrations are brokered through our integration provider, Composio, which gives access to a large and growing catalogue of services (currently 980+). When you authorise a connection, we access data from that service solely at your direction and to deliver the functionality you have requested. We do not access any third-party service unless you explicitly connect it. The specific services available are determined by Composio's catalogue; Composio's own sub-processors are listed at https://trust.composio.dev
- Integration connection data (tokens, credentials, configuration) is retained for as long as the connection remains active.
- Upon removal of a connection, all related data is permanently deleted within 48 hours.
- Derived data produced from integration data (e.g. summaries, generated artefacts) is retained for up to 7 days and then automatically deleted.
- Deleting a project or organisation triggers immediate deletion of all data associated with it, including any derived data.
3. Legal Basis for Processing
Under the GDPR, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): to provide and manage your account and subscription
- Legitimate interests (Article 6(1)(f)): to improve, secure, and monitor the Service
- Consent (Article 6(1)(a)): for non-essential cookies and certain tracking, where required
- Performance of a contract / Consent: for each integration, on the basis of your explicit authorization
- Legal obligation (Article 6(1)(c)): where required by law (e.g. tax and accounting records)
4. How We Use Your Data
We use your personal data to:
- Create and manage your Kodan account
- Provide, operate, and improve Kodan
- Process payments and manage your subscription
- Power the third-party integrations you have authorized
- Monitor usage patterns and diagnose technical issues
- Communicate with you about your account, updates, and support requests
- Comply with our legal obligations
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with third-party service providers ("data processors") that help us operate the Service. All such providers are bound by Data Processing Agreements (DPAs) and are permitted to process your data solely on our behalf and in accordance with our instructions.
Our current sub-processors:
- OpenAI: Processes user-submitted content and queries through its LLM and embedding APIs, which may include personal data entered by users.
- Anthropic: Processes user-submitted content through its Claude LLM APIs to power code generation, analysis, and conversational features.
- Google: Processes user-submitted content through its Gemini LLM and embedding APIs, and stores data as part of its cloud storage infrastructure.
- Microsoft Azure: Provides Azure OpenAI models that power our code-generation agents, and Azure Key Vault for secure secrets management.
- Perplexity: Processes search and research queries, which may include content you submit, to return up-to-date information within the Service.
- Clerk: Provides authentication and user identity management, processing account data such as your name and email address.
- Composio: Brokers the third-party integrations you connect (see Section 2.5), processing OAuth tokens, credentials, and connection configuration on your behalf. Composio maintains its own sub-processor list at https://trust.composio.dev
- MongoDB: MongoDB Atlas is our primary application database, storing account, project, and Service data, which may include personal data.
- Qdrant: Stores vector embeddings derived from your content to power search and retrieval features.
- Daytona: Provides cloud development sandboxes that execute code on our behalf as part of automated code-generation and testing workflows.
- Digital Ocean: Provides cloud infrastructure on which we store and process application data, which may include personal data.
- Vercel: Hosts our web application and processes request data, including IP addresses and usage metadata, as part of its hosting infrastructure.
- GitHub: Stores source code repositories, which may incidentally contain personal data, and powers source-control integrations you authorize.
- Stripe: Processes payment information, billing details, and subscription data on our behalf.
- Recall.ai: Operates meeting bots that join calls on our behalf, capturing audio, video, and transcriptions which may contain personal data of meeting participants.
- PostHog: Provides product analytics, processing usage events, device information, and IP addresses to help us understand and improve the Service.
- Sentry: Provides error monitoring and performance diagnostics, processing technical data and error reports that may incidentally contain personal data.
- Pydantic Logfire: Provides application observability and request tracing, processing diagnostic data that may incidentally contain personal data.
We may add or change sub-processors from time to time. We will notify you of material changes to this list.
We may also disclose personal data where required by applicable law, court order, or regulatory authority, or where necessary to protect the rights, safety, or property of Heksis, MB, its users, or the public.
6. International Data Transfers
Heksis, MB is established in the EU. Where any service provider processes personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place — such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law:
- Account data is retained for the duration of your account and deleted within 30 days of account closure.
- Payment transaction records are retained for 5 years to satisfy accounting and tax obligations.
- Integration connection data is deleted within 48 hours of connection removal.
- Derived data (summaries, artefacts) is deleted within 7 days of generation, or immediately upon user-initiated deletion.
- Project and organisation data is deleted within 48 hours of user-initiated deletion.
- Usage and analytics data is retained for 30 days and then anonymised or deleted.
8. Your Rights Under the GDPR
As a data subject, you have the following rights:
- Right of access: to obtain a copy of the personal data we hold about you
- Right to rectification: to correct inaccurate or incomplete data
- Right to erasure: to request deletion of your data, subject to legal retention obligations
- Right to restriction of processing: to restrict how we process your data in certain circumstances
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format
- Right to object: to object to processing based on legitimate interests
- Rights related to automated decision-making: we do not make solely automated decisions with significant legal or similarly significant effects on you
To exercise any of these rights, please contact us at support@kodan.dev. We will respond within 30 days as required by the GDPR.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These include:
- Encryption of data in transit (TLS) and at rest
- Hashed password storage
- Access controls and the principle of least privilege
- Regular security reviews and monitoring
10. Children's Data
The Service is not directed at children under the age of 16 (or such lower age as permitted by the applicable EU member state). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@kodan.dev and we will take prompt steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice within the Service prior to the change taking effect. The "Last updated" date at the top of this document reflects the most recent revision.
Your continued use of the Service after the effective date of any update constitutes your acknowledgement of the revised policy.
12. Contact & Supervisory Authority
For any questions or concerns about this Privacy Policy or our data practices, please reach out:
Heksis, MB
Email: support@kodan.dev
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
You also have the right to lodge a complaint with your national data protection supervisory authority. As a company established in Lithuania, the relevant authority is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Website: https://vdai.lrv.lt
Email: ada@ada.lt