Privacy Policy
1. Data controller
The data controller is Codego Group LTD, 152 / No. 9, Triq In-Naxxar, San Gwann, SGN 9030, Malta. Privacy requests: support.codegotech.com.
2. Data we collect
| Category | Examples |
|---|---|
| Account | Email address, name, company, country, account status |
| Authentication | Password (stored only as a salted hash), Google account identifier if you sign in with Google, passkey public keys (WebAuthn — we never receive a private key or biometric), one-time codes / 2FA state |
| Technical & usage | API keys (stored as a hash), the IP addresses/CIDRs you allowlist, request metadata and audit logs (timestamp, endpoint, chain, method, status, response size, user-agent), rate-limit counters |
| Billing | Plan, invoices, payment references and status (card details are handled by the payment processor, not stored by us) |
| WaaS | Wallet metadata (chain, type, public address, label). Custodial signing keys are held in an isolated vault; for DeFi wallets we keep only an encrypted disaster-recovery backup |
| Communications | Support requests and related correspondence |
We do not knowingly collect special-category data and we do not run advertising/behavioural tracking.
3. How and why we use your data (legal bases)
- Provide the Service — account, API access, WaaS, webhooks, billing (performance of a contract).
- Security & abuse prevention — IP allowlisting, rate limiting, fraud/abuse detection, audit logs (legitimate interest).
- Legal compliance — accounting, tax, responding to lawful requests (legal obligation).
- Support & service communications — operational emails, OTP codes (contract / legitimate interest).
- Optional features (e.g. Google Sign-In) — processed on the basis of your choice/consent.
4. Cookies & local storage
We use minimal, strictly functional client storage: a session token in your browser's localStorage to keep you signed in, Cloudflare Turnstile (anti-bot) on signup/login, and Google Identity Services if you choose Google Sign-In. We do not use advertising or cross-site tracking cookies.
5. Sharing & processors
We share data only with service providers acting on our instructions, including: Cloudflare (CDN, WAF, bot protection), Google (only if you use Google Sign-In — to verify your identity token), the Codego merchant gateway / payment processor (to process plan payments), and infrastructure/email providers used to operate the Service. We do not sell your personal data.
6. International transfers & hosting
The Service runs on Codego-operated infrastructure (including a data centre in Al Ain, UAE) and EU-based systems. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.
7. Retention
We keep account and billing data for the life of your account and as required by law (e.g. tax/accounting retention). Security and usage logs are kept for a limited period for abuse-prevention and troubleshooting, then deleted or anonymised. You may request earlier deletion subject to legal retention obligations.
8. Security
We apply technical and organisational measures including password hashing, an isolated signing vault for WaaS keys, HMAC-signed webhook deliveries, mandatory API-key IP allowlisting, optional 2FA and passkeys (WebAuthn), TLS in transit and Cloudflare protection. No system is perfectly secure; you are responsible for safeguarding your own credentials and wallet secrets.
9. Your rights (GDPR)
Subject to applicable law you may request: access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interest, and you may withdraw consent for optional processing at any time. To exercise these rights contact us via support.codegotech.com. You also have the right to lodge a complaint with a data-protection supervisory authority — in particular the Maltese Information and Data Protection Commissioner (idpc.org.mt), or the supervisory authority of your country of residence in the EU/EEA.
10. Children
The Service is not directed to, and may not be used by, anyone under 18.
11. Changes
We may update this Policy; the “Effective date” will change and we will give notice of material updates. Continued use after the effective date constitutes acceptance.
12. Contact
Codego Group LTD — 152 / No. 9, Triq In-Naxxar, San Gwann, SGN 9030, Malta · support.codegotech.com · See also our Terms of Service.