Privacy Policy
How we collect, use, and protect your personal data.
Last updated: May 23, 2026
1. About this Policy
This Privacy Policy explains how codeseed.app ("codeseed.app", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our platform at codeseed.app (the "Service"). It applies to all users worldwide, including residents of the European Union, the United Kingdom, California (USA), Brazil, and Canada.
This Policy is written in compliance with the following legal frameworks, whichever applies to you based on your location:
- EU General Data Protection Regulation (GDPR) 2016/679
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Brazil's Lei Geral de Proteção de Dados (LGPD) — Federal Law No. 13,709/2018
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU ePrivacy Directive 2002/58/EC (Cookie Law)
- Children's Online Privacy Protection Act (COPPA) — for US residents under 13
By using codeseed.app, you acknowledge that you have read and understood this Policy.
2. Who We Are (Data Controller)
codeseed.app is the data controller responsible for your personal data. We are based in Romania, a member state of the European Union, and operate under EU law.
Data Controller: codeseed.app
Contact: privacy@codeseed.app
Supervisory Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — Romania
3. What Personal Data We Collect
3.1 Account data (collected via GitHub OAuth)
- GitHub user ID (numeric, used as unique identifier)
- GitHub username / handle (e.g. @johndoe)
- Display name (as set on your GitHub profile)
- Primary email address associated with your GitHub account
- Profile avatar URL (hosted on GitHub's servers)
3.2 Platform activity data
- Projects you have claimed and their status (active, completed, abandoned)
- Your current progress step within a claimed project
- GitHub repository URL of your forked project repo
- Number of commits pushed to your project repo (synced via GitHub webhooks)
- AI review results and feedback for your pull requests
- Your role on the platform (learner, mentor, or both)
3.3 Communication data
- Messages exchanged between you and a mentor or learner — stored in our database, accessible only to the two participants in a claim. codeseed.app staff can access this data only in response to a valid legal order.
- Notification content (e.g. 'Your PR was reviewed') — stored unencrypted.
3.4 Technical data
- IP address (collected by our hosting infrastructure for security and abuse prevention — not stored persistently by codeseed.app)
- Browser type and version (via server-side session logs — retained for 90 days)
- Session tokens (stored in secure, HttpOnly cookies managed by Better Auth — expire after logout)
- Timestamps of account creation and last activity
3.5 Data you choose to provide
- Project ideas submitted as a mentor (title, description, steps, resources, tech stack)
- Preferred programming language and experience level (set in Settings)
4. How We Collect Your Data
- Directly from you when you sign in with GitHub (OAuth 2.0 flow via Better Auth)
- Automatically via our platform as you use the Service (project claims, messages, notifications)
- From GitHub, via our GitHub App installed on your account — when you push commits, open pull requests, or trigger webhooks on your forked repository
5. Legal Basis for Processing (GDPR Article 6)
If you are in the EU, EEA, or UK, we process your personal data under the following legal bases:
5.1 Performance of a contract (Art. 6(1)(b))
Processing your account data, project claims, and GitHub integration data is necessary to provide the Service you have requested. Without this data, we cannot create your account, fork repositories, or connect you with mentors.
5.2 Legitimate interests (Art. 6(1)(f))
We process certain technical data (IP addresses, session logs, error logs) based on our legitimate interest in securing the platform, preventing abuse, and improving the Service. We have carried out a balancing test and determined that our interests do not override your rights and freedoms, given the minimal and security-focused nature of this processing.
5.3 Compliance with a legal obligation (Art. 6(1)(c))
We may retain certain data if required by applicable EU or Romanian law (e.g. for tax or accounting purposes if applicable, or in response to a valid legal order).
5.4 Consent (Art. 6(1)(a))
Where we rely on your consent (e.g. for non-essential cookies, if any are introduced in the future), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
6. How We Use Your Data
- Create and maintain your codeseed.app account
- Display your profile (handle, avatar) to mentors and learners you interact with
- Match you with appropriate projects based on your language and level preferences
- Fork a GitHub repository to your account when you claim a project
- Track your project progress and sync commit activity via GitHub webhooks
- Deliver notifications about PR reviews, mentor messages, and claim updates
- Enable encrypted messaging between learners and mentors
- Generate AI-powered project ideas (submitted project ideas may be processed by our AI provider)
- Generate AI code review feedback when you open a pull request
- Send transactional emails (e.g. review notifications) via our email provider
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations applicable to us
7. Data Retention
7.1 Active accounts
We retain your personal data for as long as your account is active and as long as necessary to provide the Service.
7.2 After account deletion
- Your profile, claims, and messages are marked for deletion immediately upon your request.
- Data is permanently and irreversibly erased from our production database within 30 days (to allow for backup rotation).
- Anonymised aggregate statistics (e.g. total claim counts per project) may be retained indefinitely as they cannot identify you.
7.3 Technical logs
- Authentication session logs (Better Auth): 90 days
- GitHub webhook delivery logs: 30 days
- Error and security logs: 90 days
7.4 Legal holds
If we are required by law to retain data for a longer period (e.g. under Romanian accounting law or a valid legal order), we will retain only the minimum data required and for the minimum duration required.
8. Third-Party Processors & Data Sharing
We share your personal data with the following third-party processors, each bound by a Data Processing Agreement (DPA) and appropriate safeguards:
Hetzner Online GmbH
Location: Germany (EU)
Purpose: Dedicated server hosting for our self-hosted PostgreSQL database. All data resides on EU infrastructure.
Safeguard: GDPR-compliant EU processor, DPA in place
GitHub, Inc. (Microsoft)
Location: United States
Purpose: OAuth authentication, repository management, webhook events
Safeguard: SCCs + DPA
Google LLC
Location: United States
Purpose: AI project idea generation, AI code review feedback
Safeguard: SCCs + DPA. Prompt content is not used to train Google models.
Resend, Inc.
Location: United States
Purpose: Transactional email delivery (welcome emails, account deletion confirmations)
Safeguard: SCCs + DPA
We do not share your personal data with any other third parties, except where required by law (e.g. in response to a valid court order or request from a competent authority). In such cases, we will notify you where legally permitted to do so.
9. International Data Transfers
codeseed.app is based in the EU (Romania). Our database runs on Hetzner infrastructure within Germany (EU). Some of our third-party processors — GitHub, Google, and Resend — are located in the United States, which does not have an EU adequacy decision covering all transfers. For transfers to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c) and incorporated in our DPAs with each US processor
- Where applicable, the EU-US Data Privacy Framework (for processors certified under it)
For UK users: transfers are governed by the UK's International Data Transfer Agreements (IDTAs) or the Addendum to EU SCCs approved by the UK ICO.
For Brazilian users: transfers are carried out in accordance with LGPD Articles 33–36, using contractual mechanisms equivalent to SCCs.
10. Cookies & Local Storage
10.1 Strictly necessary cookies
We use only strictly necessary cookies, which do not require your consent under the ePrivacy Directive and GDPR:
- better-auth.session_token: Better Auth session token. HttpOnly, Secure, SameSite=Lax. Expires after logout or after 7 days of inactivity.
- better-auth.csrf_token: Protects against cross-site request forgery. Session-scoped.
10.2 Local storage
We do not store personal data in browser local storage or session storage. Session state is managed entirely server-side by Better Auth via the cookies listed above.
10.3 No tracking or advertising cookies
We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technology. We do not use Google Analytics, Meta Pixel, or similar tools.
11. Your Rights
11.1 Rights for EU/EEA and UK residents (GDPR / UK GDPR)
Under the GDPR and UK GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data — most profile data can be updated directly via GitHub or our Settings page.
- Right to erasure (Art. 17): Request deletion of your personal data ('right to be forgotten'). You can delete your account at any time via Settings → Delete Account.
- Right to restriction of processing (Art. 18): Ask us to restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format. Use Settings → Export Data.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Rights related to automated decision-making (Art. 22): We do not carry out fully automated decision-making with legal or significant effects.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior processing.
11.2 Rights for California residents (CCPA/CPRA)
- Right to know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share.
- Right to delete: Request deletion of your personal information — use Settings → Delete Account.
- Right to correct: Request correction of inaccurate personal information we hold about you.
- Right to opt out of sale or sharing: We do NOT sell or share your personal information for cross-context behavioural advertising. No opt-out mechanism is required.
- Right to non-discrimination: We will not discriminate against you for exercising any CCPA rights.
- Sensitive personal information: We do not collect or use sensitive personal information beyond what is necessary to provide the Service, and we do not use it for inferring characteristics.
11.3 Rights for Brazilian residents (LGPD)
- Confirmation and access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary or excessive data
- Data portability
- Deletion of data processed with consent
- Information about third-party entities with which your data is shared
- Information about the possibility of denying consent and the consequences
- Revocation of consent
11.4 Rights for Canadian residents (PIPEDA)
You have the right to access personal information we hold about you and to challenge its accuracy and completeness. Contact us at privacy@codeseed.app.
11.5 How to exercise your rights
To exercise any of the above rights, contact us at privacy@codeseed.app. We will respond within 30 days (or 45 days where permitted by law). We may ask you to verify your identity before processing your request.
12. Children's Privacy
codeseed.app is not directed at children. The minimum age to use codeseed.app is:
- 16 years in the EU/EEA and UK (digital consent age under GDPR Art. 8 — or the applicable age in your EU member state if lower, such as 13 in Germany or 14 in Austria and Italy)
- 13 years in the United States (subject to COPPA)
- 13 years in other jurisdictions, unless local law requires a higher age
Additionally, since codeseed.app requires a GitHub account, users must meet GitHub's minimum age requirement (13 years), which applies regardless of location.
We do not knowingly collect personal data from children below the applicable minimum age. If we become aware that we have collected data from a child below this age, we will delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@codeseed.app.
13. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:
- All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Messages between learners and mentors are accessible only to the two participants in a claim — enforced at the application layer
- Database access is controlled by application-level authorisation checks in our API — unauthenticated requests are rejected before reaching the database
- Authentication is handled by Better Auth with GitHub OAuth — we never store passwords
- Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies — inaccessible to JavaScript
- Security headers are set on all responses: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), and Permissions-Policy
- API rate limiting is in place to prevent abuse — per-IP limits apply to all public write endpoints
- Access to production infrastructure is restricted to authorised personnel only via SSH key authentication
- Third-party processors are contractually required to implement equivalent security standards
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@codeseed.app.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. When we make material changes, we will:
- Update the 'Last updated' date at the top of this page
- Post a notice in the platform's Changelog
- Send an email notification to registered users where required by law
We encourage you to review this Policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy, to the extent permitted by law.
15. Contact & Complaints
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: privacy@codeseed.app
Response time: Within 30 days
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. The lead supervisory authority for codeseed.app is:
ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 București, România
www.dataprotection.ro
UK residents may contact the Information Commissioner's Office (ICO). California residents may contact the California Attorney General.