Privacy Policy

This Privacy Policy applies to codara.net(the “Site”) and the limited services we offer there today: waitlist sign-ups, the contact form, and this marketing surface generally.

Codara's SaaS platform — accessible via tenant subdomains and authenticated sign-in — is not yet generally available. A separate privacy notice and Data Processing Addendum will apply to the platform when it launches. This policy is not that notice.

“Codara,” “we,” “us,” and “our” refer to Codara, Inc., a Delaware corporation. “You” means a visitor to the Site.

We collect three kinds of information.

(a) Information you give us directly

• Waitlist sign-ups. Email address. Optionally, anything else you choose to send us about your interest in early access.
• Contact form submissions. Name, work email, company, optional company size, optional role, and the message you write.
• Direct correspondence. Information you provide if you email us at hello@codara.net, privacy@codara.net, or any other channel.

(b) Information collected automatically

• Usage data. Pages you visit on the Site, links you click, the time and approximate duration of your visit, the referring URL that brought you to the Site, and the country / region your IP address resolves to (we do not store full IP addresses).
• Device and browser data. Browser type and version, operating system, screen size, and language.
• Bot-protection signals.When you submit the waitlist or contact form, Cloudflare Turnstile evaluates technical signals from your browser to confirm you're human. See “Sub-processors” below for details and the applicable privacy addendum.
• Cookies and similar technologies. See our Cookie Policy for the specifics. In summary, we use strictly necessary cookies, and analytics cookies only with your consent in regions where consent is required.

(c) Information from third parties

We do not buy lists, scrape contact data, or enrich your record with information from data brokers. The Site is not integrated with social-login providers.

We use the information described above to:

• Operate, maintain, and improve the Site, including diagnosing technical issues and preventing abuse.
• Add you to our waitlist when you sign up and email you about Codara's launch progress and early-access availability.
• Respond to contact-form submissions and other inquiries you send us.
• Measure how the Site is performing in aggregate — what content resonates, where traffic comes from, what converts to waitlist sign-ups — so we can improve it.
• Comply with applicable laws, respond to lawful requests from government authorities, and enforce our legal rights.

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising or targeted advertising.

If you are in the European Economic Area, the United Kingdom, or Switzerland, the following are our lawful bases under GDPR Article 6 for each processing activity:

• Waitlist sign-ups: consent (Article 6(1)(a)). You opt in by submitting the form; you may withdraw at any time by emailing privacy@codara.netor by clicking “unsubscribe” in any email we send you.
• Contact-form responses: our legitimate interest in responding to business inquiries (Article 6(1)(f)).
• Site analytics: consent (Article 6(1)(a)) where required by local law. In regions that do not require consent for analytics, our legitimate interest in understanding Site performance (Article 6(1)(f)).
• Security and abuse prevention: our legitimate interest in protecting the Site and our visitors (Article 6(1)(f)).
• Legal compliance: compliance with applicable law (Article 6(1)(c)).

We share information only as described below.

• With sub-processors — third-party service providers that operate on our behalf, under written agreements that limit their use of the data to providing services to us. The list is in the next section.
• For legal reasons — when we believe disclosure is reasonably necessary to comply with law, legal process, or government requests; to enforce applicable terms; to detect or prevent fraud, abuse, or security issues; or to protect the rights, property, or safety of Codara, our users, or the public.
• With your consent — for any purpose disclosed to you at the time of collection or that you otherwise authorise.
• In a business transfer — if Codara is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to the same protections as in this policy.

We currently use these sub-processors for the Site:

• Amazon Web Services (USA). Hosting and content delivery.
• Cloudflare (USA).Bot-protection on our forms via Cloudflare Turnstile, which we operate in invisible mode. To distinguish humans from bots, Turnstile processes limited technical signals from your browser (such as your IP address and basic browser/device characteristics). Cloudflare's handling of that data is governed by the Cloudflare Turnstile Privacy Addendum.
• MailerLite (Lithuania, EU). Waitlist subscriber storage and email delivery for launch-update communications. Receives the email address you submit through the waitlist form and any consent metadata associated with it.
• PostHog (USA cloud region). Product analytics — pageviews, custom events, and aggregate funnel data. Loaded only after consent in regions that require it.
• Google Search Console (USA). Search performance data for queries that surface the Site in Google search. Does not load client-side scripts.

When the SaaS platform launches, additional sub-processors will apply (for example, Anthropic and OpenAI for AI inference, Stripe for billing). Those are covered by the platform privacy notice, not this one.

We maintain a current list and will provide reasonable advance notice — at least 30 days where practical — before adding a new sub-processor that materially changes how we process your information. Email privacy@codara.net to subscribe to sub-processor change notifications.

Codara, Inc. is established in the United States. Most of our sub-processors are also US-based. When your personal information moves from the EEA, the UK, or Switzerland to the United States or another country, we rely on appropriate safeguards.

• Standard Contractual Clauses approved by the European Commission (and the equivalent UK International Data Transfer Addendum) with sub-processors who are not certified under another approved framework.
• EU-US Data Privacy Framework certifications where our sub-processors maintain them.

You can request a copy of the safeguards in place for a specific transfer by emailing us.

We keep your information only as long as we need it.

• Waitlist sign-ups:until Codara launches and we've emailed you about access, or until you ask us to delete your record — whichever comes first.
• Contact-form submissions: up to three (3) years from the date of your last interaction with us, then deleted or anonymised.
• Analytics data:aggregated event data is retained for up to 365 days; individual session data is retained per PostHog's default retention.
• Direct correspondence: for as long as necessary to address the matter and meet any legal-record-keeping obligations.

We may retain information longer where required by law, to resolve disputes, or to enforce our agreements.

We take security seriously and apply reasonable administrative, technical, and physical safeguards designed to protect your information. Today these include:

• Encryption of data at rest and in transit (HTTPS / TLS everywhere).
• Multi-tenant data isolation at the database layer using Postgres row-level security, so one customer's data is unreachable from another customer's session.
• Principle-of-least-privilege access controls for the small Codara team that needs to operate the Site.
• Audit logging of administrative actions.

Codara is committed to obtaining a SOC 2 Type II report within 12–18 months of the platform's general availability. No system can be perfectly secure; we do not warrant absolute security.

Depending on where you live, you may have some or all of the following rights with respect to your personal information.

For EEA / UK / Swiss residents (under GDPR / UK GDPR)

• Right of access to the personal data we hold about you.
• Right to rectify inaccurate or incomplete data.
• Right to erasure (the “right to be forgotten”), subject to certain exceptions.
• Right to restrict processing.
• Right to data portability — to receive your data in a structured, commonly used format.
• Right to object to processing based on legitimate interests.
• Right to withdraw consent at any time, where processing relies on consent.
• Right to lodge a complaint with your local supervisory authority. In the UK, that's the Information Commissioner's Office (ico.org.uk).

For California residents (under CCPA / CPRA)

• Right to know what categories of personal information we have collected about you, the sources, the purposes, and the categories of third parties we share it with.
• Right to delete personal information we have collected, subject to exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioural advertising; you have nothing to opt out of, but the right exists.
• Right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes that would require an opt-out under CCPA.
• Right to non-discrimination for exercising your privacy rights.

For other US state residents

Residents of Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws have substantially the same rights as California residents. We honour those rights on the same basis described above.

How to exercise your rights

Email privacy@codara.net from the address associated with the request. We will verify your identity using a reasonable method proportionate to the sensitivity of the request and respond within the time required by applicable law (typically 30–45 days). If we deny a request, we will explain why and tell you how to appeal.

You can also authorise an agent to act on your behalf; we may request reasonable documentation showing the agent's authority.

Codara is intended for use by individuals 18 years of age or older. The Site is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, email privacy@codara.net and we will delete it promptly.

We use a small number of cookies and similar technologies. For the full list, what they do, and how to manage them, see our Cookie Policy. We only set analytics cookies after you consent in regions where consent is required.

We honour the Global Privacy Control (globalprivacycontrol.org) signal as a valid opt-out of analytics and sharing under CCPA.

The PostHog SDK is configured to respect the Do Not Track browser setting; when DNT is on, we do not capture analytics events from your visit.

When you sign up for the waitlist, you opt in to receive emails about Codara's launch progress, early-access availability, and product news. We do not share your email address with marketing partners.

Every marketing email includes a one-click “unsubscribe” link. You can also email privacy@codara.net at any time to be removed from the list. We honour opt-outs within 10 business days, as required by the CAN-SPAM Act, and immediately where required by EU/UK law.

Transactional emails — for example, confirming a contact-form submission you initiated — are not marketing and are not affected by an unsubscribe.

The Site itself does not make automated decisions that have a legal or similarly significant effect on you. We do not profile visitors for ad targeting.

Codara's SaaS platform — when it launches — will use AI agents that interact with content you provide. Those will be governed by a separate privacy notice and Data Processing Addendum that disclose the AI sub-processors involved (currently planned: Anthropic and OpenAI under their no-training enterprise agreements) and the human-review controls that gate every AI-generated artifact.

We may update this policy from time to time. When we do, we'll update the “Effective” date at the top. For material changes — those that materially change how we collect, use, or share your information — we will notify you by email to the address you provided (if any) and post a prominent notice on the Site for a reasonable period before the change takes effect. Continued use of the Site after the effective date constitutes acceptance of the updated policy.

For any privacy-related question or request:

Email: privacy@codara.net
Postal:
Codara, Inc.
Attn: Privacy
300 Lenora Street #4130
Seattle, WA 98121
United States

For security-specific reports, please email security@codara.net.

EU/UK Representative.Codara's processing of EU and UK residents' personal data via the Site is presently occasional and low-risk, and we rely on the Article 27(2)(a) exemption from the requirement to designate an EU representative. We will designate an EU representative (and, where applicable, a UK representative) before commencing systematic monitoring or large-scale processing of EU/UK personal data, and will update this policy with the representative's contact details at that time.