Privacy Policy

Effective Date: 2025/08/20 · Last Updated: 2025/08/20

This policy explains how Codeer (Codeer Inc.) collects, uses, stores, shares, and protects your data when providing our services, and informs you of your rights.

Scope: Codeer website, web applications, APIs, Agent/SDK, browser extensions, teacher/admin dashboards, and other related services.

1. Who We Are

Company Name: Codeer Inc.

Contact: hi@codeer.ai

Address: 1F, No. 24, Alley 2, Lane 397, Mingshui Rd, Zhongshan District, Taipei City

2. Scope and Roles (Controller / Processor)

We operate a B2B2C model, serving both "enterprise clients" and their "end users" (such as students, employees, or customers).

  • When enterprise clients use our products/platform to serve their end users, the enterprise client is typically the data controller, and Codeer acts as the data processor, processing data according to client instructions.
  • When we directly provide Codeer products to you (such as through website registration), Codeer may act as the data controller for that portion.

If a service has a separate agreement (such as a DPA/Data Processing Agreement) or product settings, those terms and settings take precedence.

3. Types of Data We Collect and Process

We collect data only when necessary and follow the "minimum necessary" principle.

  • Account and Identity Data: Name, email, avatar, job title, organization/workspace, roles and permissions.
  • Content Data: Content you or your organization voluntarily submit (e.g., document text, uploaded files, conversation commands, annotations and feedback).
  • Interaction Records and Learning History: Questions/instructions you enter in the interface, system responses, timestamps, course/workspace and Agent identifiers; accessible by teachers/administrators in the dashboard (within authorized scope only).
  • Usage and Telemetry Data: Feature usage, error logs, performance and reliability metrics; used for security, debugging, and service improvement, not for third-party advertising or behavioral tracking.
  • Device and Technical Information: Browser type, operating system, IP address (approximate location), cookies/local storage, etc.
  • Payment and Billing (if applicable): Purchase records, invoice information, transaction IDs (processed by payment processors or third-party payment services).
  • Customer Support: Communications between you and us (tickets, emails, meeting recordings/transcripts with your consent).

Important: If services integrate with third-party platforms (such as Google, Microsoft, LMS, KMS...), we only access data within the scope you or your organization has authorized, in a read-only and necessary manner, following that platform's policies and your settings.

4. Data Sources

  • Data you or your organization voluntarily provide when using our services.
  • Data you authorize us to obtain from third-party integrations (e.g., Google Docs/Drive, SaaS systems).
  • System logs and telemetry data generated during service operation.

5. How We Use Data (Processing Purposes)

  • Service Provision and Operation: Execute the functions you request (e.g., process submitted content through backend/AI agents and return responses).
  • Account and Access Management: Registration, login, authentication, permission control, workspace/course management.
  • Teaching/Business Feedback and Analytics (B2B2C): Display interaction records and learning history in teacher/admin dashboards, provide personalized recommendations, quality assurance, and course management.
  • Security and Protection: Detect abuse, block spam, investigate suspicious activity, ensure service availability and integrity.
  • Product Improvement: Improve reliability and experience based on aggregated or de-identified usage statistics, error and performance metrics.
  • Communication: Provide service notifications, change announcements, customer support, and compliance information.
  • Legal Compliance: Comply with applicable laws, regulatory requirements, and government directives.

Model Training and Continuous Improvement

We do not use customer-uploaded content and conversations as training data for foundational models.

We may use de-identified and aggregated telemetry and error data to improve security, reliability, and abuse prevention; not for advertising purposes.

6. Legal Basis (GDPR/UK GDPR if applicable)

  • Contract Necessity (Art. 6(1)(b)): Provide the functions and services you request.
  • Legitimate Interest (Art. 6(1)(f)): Security protection, product improvement, internal management (without overriding your rights).
  • Consent (Art. 6(1)(a)): Optional features (such as workspace-level training/long-term retention). You may withdraw at any time.
  • Legal Obligation (Art. 6(1)(c)): Comply with legal, accounting, and audit requirements.

7. Data Sharing and Disclosure

  • Your Organization/Workspace: Based on permission design, teachers/administrators can view interaction records and necessary information in the dashboard.
  • Subprocessors: Cloud and service providers that assist in operations (e.g., cloud hosting, databases, email, error tracking). We review and sign data protection agreements; the list will be published at [Subprocessor List URL or Appendix].
  • Third-Party Integrations: We only exchange necessary data with third parties when you or your organization authorizes and uses the integration.
  • Legal or Compliance Requirements: Disclose when required by law or legitimate requests.
  • Corporate Transactions: Transfer when reasonably necessary and legally justified during company restructuring, mergers, or asset transactions.

We do not sell personal data, nor do we use third-party advertising or behavioral tracking SDKs.

8. Storage Location and Retention Period

Local/Browser: Login tokens and preference settings (e.g., localStorage/chrome.storage) are deleted when you log out or remove the extension.

Server-side: Conversation and interaction records are retained short-term (ephemeral) by default; if organization/course requires semester/regulatory audit purposes, administrators can set long-term retention (persistent). Uploaded/converted files and metadata are retained according to workspace settings and contract terms. Logs and telemetry are retained short-term for security and debugging, and used in aggregated/de-identified form for improvement.

Specific retention periods are determined by workspace/contract; data is deleted or de-identified upon expiration or termination as agreed.

9. Security

  • Encryption in transit and at rest (e.g., TLS, storage encryption), least privilege access control, audit logs.
  • Vulnerability Management and Backup: Regular patching, backups, and drills.
  • Confidentiality Obligations: Only authorized personnel access data on a need-to-know basis, bound by confidentiality obligations.

10. Minors and Educational Settings

In school/educational institution settings, the school or course administrator is typically the data controller, able to set retention periods and visibility scope.

We only process data to the extent necessary to provide educational functions, not for advertising purposes. Use by minors requires arrangement by guardians or schools in compliance with regulations.

11. International Data Transfers and Regional Settings

Data may be processed outside your jurisdiction. We will take appropriate safeguards (e.g., Standard Contractual Clauses SCC, data minimization, encryption) and comply with applicable laws. If your contract requires data regionalization or localization, we will provide it as agreed.

12. Cookies and Similar Technologies

We may use essential cookies/local storage to maintain login and basic functions. If analytics cookies are used, they will be de-identified/aggregated, with opt-out options provided when feasible.

13. Your Rights

Under applicable laws (such as GDPR/UK GDPR, CCPA/CPRA, Taiwan's Personal Data Protection Act, Japan's APPI), you may have rights to: access, deletion, correction, restriction, portability, objection to processing, and withdrawal of consent.

How to Exercise: Please submit your request via [Privacy Contact Email] (include your account email and organization/workspace to help locate your data). If your data is primarily controlled by an enterprise client, please contact that client (your organization/school) first, and we will cooperate with their instructions.

14. Customer/Administrator Configurable Settings

  • Retention Period (e.g., 90/180/365 days, semester/annual, custom).
  • Training/Fine-tuning: Workspace-level opt-in/opt-out.
  • Data Residency/Routing (if contract allows).
  • Permissions and Audit: Role permissions, operation logs, export and deletion tools.
  • Data Minimization: Configure to retain only necessary fields and de-identification strategies.

15. Third-Party Integrations and Google API (if applicable)

We only exchange necessary data with third parties after you enable the integration and authorize it.

If using Google API Services: We comply with their User Data Policy (including Limited Use), accessing/using only for your explicit use cases, not sharing with third parties for advertising or sale; you may revoke authorization at any time.

16. Automated Decision-Making

We do not conduct purely automated decision-making with legal or significant effects. Important scenarios use human-in-the-loop and appeal mechanisms.

17. Policy Updates

We may update this policy due to legal or service changes; material changes will be notified appropriately. Updated versions take effect from the "Effective Date."

18. Contact Us

General Support: hi@codeer.ai

Address: 1F, No. 24, Alley 2, Lane 397, Mingshui Rd, Zhongshan District, Taipei City

Appendix A: Processor Commitment Summary

For reference only; actual terms per DPA

  • Process personal data only according to client instructions; implement appropriate technical and organizational security measures.
  • Work only with reviewed subprocessors and sign corresponding agreements.
  • Assist clients in responding to data subject requests.
  • Report data incidents and cooperate with notifications within reasonable time.
  • Delete or return data upon contract termination or client request.
  • Support audits (within reasonable scope and frequency).

Appendix B: Regional Terms Summary

If applicable

  • GDPR/UK GDPR: Controller/processor roles, SCC safeguards, data rights and complaint mechanisms.
  • CCPA/CPRA: We do not sell or share personal data for behavioral advertising; provide rights pathways for "know/delete/correct/limit use of sensitive data."
  • Taiwan Personal Data Protection Act: Notify collection purposes, data categories, usage period/region/recipients/methods, and how to exercise data subject rights as required by law.
  • APPI (Japan): Disclose overview of receiving country's protection system and safeguards taken (such as SCC, encryption) for cross-border third-party transfers.

Appendix C: Channel-Specific Notes

If applicable

  • Chrome Extension: Only access selected content when you actively operate; tokens and preferences stored locally; unselected documents are not read.
  • API/SDK/Agents: The caller determines the content and parameters transmitted; we process requests and return results.
  • Teacher/Admin Dashboard: Only authorized personnel within the same workspace/course can access interaction records and learning history; retention period and export/deletion can be configured.

Version Note: This document is a general-purpose template. If you have custom agreements (such as DPA, SCC, data residency terms, industry regulations), those documents take precedence, and key parameters (retention period, data scope, training consent, residency location) should be configured consistently in the dashboard or contract appendix.