Privacy Policy

Effective Date: 14 May 2025

Introduction

This Privacy Policy governs how we collect, use, and protect your personal data when you use our SaaS application www.codifast.com (the "Service"). We operate as a data controller under GDPR and are committed to protecting the privacy of users who upload files and interact with our platform.

Data Controller Information

We are CODIFAST Inc. We process personal data in accordance with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Types of Data We Process

User-Provided Data

  • Account information: name, email address, company details
  • Uploaded files: documents, images, and other content you voluntarily submit to our Service
  • User preferences and configuration settings
  • Support communications and feedback

Automatically Collected Data

  • Technical identifiers: IP address, browser fingerprint, device information
  • Usage analytics: feature interactions, session duration, error logs
  • Authentication tokens and session data
  • Cookie preferences and consent status

Cookie Policy and Consent Levels

Our Service implements a three-tier cookie consent system:

Level 1: No Cookies

  • No cookies or localStorage data stored on your device
  • Service functionality is severely limited; you cannot log in or save preferences
  • Essential temporary session data stored only in memory and deleted when you close the browser

Level 2: Minimal (Essential Cookies Only)

  • Stores authentication tokens to maintain your login session
  • Saves application state and user preferences (theme, language, UI layout)
  • Enables file upload session management and progress tracking
  • Stores CSRF protection tokens for security
  • Legal Basis: Contractual necessity - these are strictly necessary for the Service to function

Level 3: Full (Essential + Analytics Cookies)

  • Includes all Level 2 cookies
  • Google Analytics cookies for aggregated usage analysis (_ga, _gid, _gat)
  • Tracks page views, feature usage patterns, and performance metrics
  • Helps us improve Service functionality and user experience
  • Legal Basis: Your explicit consent, which can be withdrawn at any time

Note: You can change your cookie preferences at any time through the cookie settings panel. Essential cookies (Level 2) cannot be disabled if you wish to use the Service, as they are required for core functionality.

File Uploads and User Content

Important: When you upload files to our Service, you retain full ownership and control over your content. We act as a data processor for your uploaded files; you are the data controller for this content.

  • We store your files on secure servers located in Denmark, EU
  • Files are encrypted at rest using AES-256 encryption standard
  • We process file metadata (name, size, type, upload timestamp) for service functionality
  • We do not access file contents unless required for technical support with your explicit permission
  • Files are retained until you delete them or terminate your account, whichever comes first

Data Retention Periods

Data Type         Retention Period
Account Data      Duration of active account + 1 year after deletion
Uploaded Files    Until you delete them or terminate your account
Backup Copies     Up to 30 days after deletion for disaster recovery
Analytics Data    Automatically deleted after 14 months from collection
Cookie Data       Essential: 6 months; Analytics: 12 months

Your GDPR Rights

Under GDPR, you have the right to:

  • Access: Obtain a copy of your personal data in a structured, machine-readable format
  • Rectification: Correct inaccurate or incomplete personal information
  • Erasure: Request deletion of your account and uploaded files ("right to be forgotten")
  • Restriction: Limit processing of your data under certain circumstances
  • Portability: Receive your data in JSON or CSV format for transfer to another service
  • Object: Opt out of processing based on legitimate interests

How to Exercise Your Rights: Email dpo@example.com with "GDPR Request" in the subject line. We will verify your identity and respond within 30 days.

Security Measures

We implement appropriate technical and organizational security measures to protect your data:

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest for all stored files and databases
  • Regular security audits and penetration testing
  • Access controls following the principle of least privilege
  • Automated monitoring for suspicious activities
  • Employee training on data protection protocols

Contact and Complaints

Data Protection Officer: dpo@example.com

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

We may update this Privacy Policy periodically. The "Effective Date" at the top indicates the latest version. Continued use after changes constitutes acceptance of the updated policy.