Your Privacy Matters: This Privacy Policy explains how Kodus collects, uses, discloses, and protects your information when you use our services. By using our Services, you agree to the collection and use of information in accordance with this policy.
1. Introduction
Kodus ("Company," "we," "us," or "our") is committed to protecting your privacy and personal information. This Privacy Policy describes our practices regarding the collection, use, storage, sharing, and protection of information we collect through our terminal-native autonomous coding agent platform, including the Kodus CLI, relay backend, web dashboard, and related services (collectively, the "Services").
This Privacy Policy applies to:
- Visitors to our website and platform;
- Users who register for and use our Services;
- End users whose information is processed through our Services;
- Any person who interacts with our Services.
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our Services.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide to us, including:
- Account Registration Information: Name, email address, password (stored only as a salted hash using bcrypt or argon2), and optional profile information such as an avatar or display name;
- Invite Information: Signup is invite-only; we record the invite code used and the identity of the inviter;
- Billing Information: Square customer identifier and payment-method metadata returned by Square (such as card brand and the last four digits). We do not store full payment card numbers, CVVs, or bank-account numbers on our servers; payment instruments are tokenized by Square;
- Support Communications: Messages, emails, and support tickets you send us;
- Agent Prompts and Workspace Content: The prompts you submit and the portions of your workspace files the agent selects, reads, or generates in the course of executing a session.
2.2 Information Collected Automatically
When you use our Services, we automatically collect certain information, including:
- CLI and Session Telemetry: Command invocations, tool calls, tool results, error reports, CLI version, operating system and architecture, and timing data associated with agent sessions;
- Chat and Session History: Conversations between you and the agent, including messages, tool calls, and agent outputs, stored so you can review prior sessions from the Dashboard;
- Usage and Metering Data: AI Model Provider token counts, tool-call counts, plan-gated feature access, and other usage metrics used for billing and capacity management;
- Device and Log Data: IP address, user-agent, access times, and request logs;
- Cookies: Session and authentication cookies set by the Dashboard (see Section 12 and our Cookie Policy).
2.3 Information from Third Parties
We may receive limited information about you from third parties, including:
- Authentication Providers: Information from OAuth identity providers you use to sign in;
- Square: Payment, subscription, and billing event data returned by Square for accounts that purchase paid plans;
- Error and Crash Reporting Services: Diagnostic information from services such as Sentry when the CLI or Dashboard encounters an error.
2.4 AI Model Provider Processing
When you use the agent, the content of your prompts, selected workspace files, tool results, and other context the agent needs to perform a task is transmitted to one or more third-party AI Model Providers (such as Anthropic, OpenAI, or Google) for inference. This processing is governed by the applicable providers' data-processing terms. The AI Model Providers we use have committed, on their API tiers, not to use such content to train their foundation models; however, providers may retain content for a limited period for abuse monitoring and for compliance with law. We encourage you to review the relevant providers' privacy and data-processing policies for details.
2.5 What We Do Not Collect
Because Kodus is a developer tool and is not a CRM, marketing, advertising, telephony, or messaging platform, we do not collect or process: telephony recordings, SMS message content, contact or lead databases, advertising pixel events, marketing-automation profiles, or similar marketing/telecom data. You should not upload such data to the Services.
2.6 Competitive Monitoring and Compliance Verification
We monitor login patterns, IP addresses, and account activity specifically for the purpose of identifying unauthorized competitive access and ensuring compliance with our Terms of Service.
This monitoring includes, but is not limited to:
- IP Address Analysis: Cross-referencing login IP addresses with known corporate networks of competing software companies;
- Professional Identity Verification: Cross-referencing user registration data with public professional databases (e.g., LinkedIn, corporate websites, business registries) to verify legitimate business use and identify potential affiliations with competitors;
- Access Pattern Analysis: Monitoring for access patterns consistent with competitive scouting, including systematic feature exploration, bulk documentation access, and API probing;
- Email Domain Analysis: Identifying registrations from email domains associated with known competing entities;
- Behavioral Fingerprinting: Analyzing user behavior patterns to distinguish legitimate business use from competitive research activities.
This monitoring is conducted to protect our proprietary Trade Secrets and intellectual property as described in our Terms of Service. By using our Services, you consent to this monitoring and acknowledge that:
- We may investigate accounts that exhibit suspicious activity patterns;
- We may suspend or terminate accounts identified as potentially engaged in competitive scouting;
- Evidence gathered through this monitoring may be used in legal proceedings to enforce our Trade Secret rights;
- We reserve the right to share evidence of suspected Trade Secret misappropriation with legal counsel and law enforcement.
3. How We Collect Information
We collect information through the following methods:
- Direct Collection: Information you provide when registering, making purchases, or contacting us;
- Automated Collection: Information collected automatically through cookies, pixels, and similar technologies;
- Third-Party Sources: Information received from partners, authentication providers, and public sources;
- Integrations: Information synced from third-party services you connect to our platform;
- API Access: Information accessed through APIs when you authorize connections.
4. Use of Information
4.1 Primary Purposes
We use the information we collect to:
- Provide, maintain, and improve the Services;
- Process transactions and send related information;
- Send technical notices, updates, security alerts, and support messages;
- Respond to your comments, questions, and requests;
- Provide customer service and technical support;
- Monitor and analyze trends, usage, and activities;
- Detect, investigate, and prevent fraudulent transactions and security breaches;
- Personalize and improve your experience;
- Develop new products and services.
4.2 Marketing and Communications
With your consent, we may use your information to:
- Send promotional communications about products, services, and events;
- Deliver targeted advertising based on your interests;
- Conduct surveys and gather feedback;
- Send newsletters and marketing materials.
You may opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails or contacting us.
4.3 Legal Bases for Processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Services | Performance of Contract |
| Processing payments | Performance of Contract |
| Sending service communications | Legitimate Interests |
| Marketing communications | Consent |
| Improving the Services | Legitimate Interests |
| Fraud prevention | Legitimate Interests |
| Legal compliance | Legal Obligation |
5. Disclosure of Information
5.1 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
- Cloud hosting and infrastructure providers;
- Square (payment processing and subscription billing);
- AI Model Providers (Anthropic, OpenAI, Google, and similar) solely to produce agent responses;
- Error and crash reporting services (such as Sentry);
- Content delivery network providers;
- Transactional email service providers used for account verification, password reset, invites, and billing notices.
5.2 Business Transfers and Corporate Partners
We may share information with professional advisors (accountants, lawyers, auditors) where reasonably necessary, and in connection with a merger, acquisition, reorganization, or sale of assets, as described in Section 5.5.
5.3 No Sharing with Advertising or Marketing Platforms
Kodus does not operate advertising, marketing, or retargeting features. We do not share your personal information, prompts, workspace content, or session history with advertising networks or data brokers.
5.4 Legal Requirements
We may disclose information if required by law, legal process, or government request, or if we believe disclosure is necessary to:
- Comply with applicable laws or legal processes;
- Protect the rights, property, or safety of Company, our users, or others;
- Enforce our terms and agreements;
- Detect, prevent, or address fraud, security, or technical issues.
5.5 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as a business asset. We will notify you of any such change.
5.6 With Your Consent
We may share information with third parties when you have given us consent to do so.
6. Data Retention
We retain your information for as long as necessary to:
- Provide the Services you have requested;
- Fulfill the purposes described in this Privacy Policy;
- Comply with legal obligations;
- Resolve disputes and enforce agreements;
- Meet legitimate business needs.
Specific retention periods:
- Account Data: Retained while your account is active and for 30 days after deletion request;
- Transaction Records: Retained for 7 years for tax and accounting purposes;
- Usage Logs: Typically retained for 90 days to 2 years;
- Marketing Preferences: Retained until you update your preferences;
- Legal Claims: Retained as long as necessary for legal proceedings.
After the applicable retention period, we will securely delete or anonymize your information.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/HTTPS with HSTS) and at rest (AES-256-GCM);
- Multi-Factor Authentication (MFA) using Time-based One-Time Passwords (TOTP);
- Automatic session timeout after 30 minutes of inactivity;
- Comprehensive audit logging of security-relevant events;
- Access controls and role-based authorization;
- Regular security assessments and penetration testing;
- Employee training on data protection;
- Secure data centers with physical security controls;
- Incident response procedures;
- Encrypted backups and disaster recovery planning.
7.2 Multi-Factor Authentication
We offer Time-based One-Time Password (TOTP) authentication as an additional security layer. When enabled, you will need both your password and a code from an authenticator app to access your account. We also provide single-use backup codes for account recovery.
7.3 Biometric Authentication
When using our Progressive Web App (PWA), you may use your device's built-in biometric authentication (such as Face ID, Touch ID, or fingerprint) to access the application. We do not collect, store, or process any biometric data. All biometric authentication is handled entirely by your device's operating system. We only receive a confirmation that authentication was successful; we never receive or have access to your actual biometric information.
7.4 Audit Logging
We maintain comprehensive audit logs of security-relevant activities, including login attempts, data access, and configuration changes. These logs are used for security monitoring, compliance purposes, and incident investigation. Audit logs are retained in accordance with our data retention policies and applicable legal requirements.
7.5 Limitations
No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and enabling MFA for enhanced protection.
7.6 Breach Notification
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request access to your personal information;
- Correction: Request correction of inaccurate information;
- Deletion: Request deletion of your information;
- Portability: Request a copy of your data in a portable format;
- Restriction: Request restriction of processing;
- Objection: Object to certain types of processing;
- Withdraw Consent: Withdraw consent for consent-based processing;
- Opt-Out: Opt out of marketing communications and certain data sharing.
To exercise these rights, please contact us at privacy@kodus.ai. We will respond to your request within the timeframe required by applicable law.
9. European Users (GDPR)
9.1 Data Controller and Processor
For personal data we collect directly from users, we act as the data controller. For Client Data processed on behalf of our clients, we act as a data processor.
9.2 Additional Rights
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:
- The right to lodge a complaint with a supervisory authority;
- The right not to be subject to automated decision-making;
- The right to information about international data transfers.
9.3 Data Protection Officer
For GDPR-related inquiries, please contact our Data Protection Officer at privacy@kodus.ai.
9.4 International Transfers
We transfer data to the United States and other countries outside the EEA. Such transfers are protected by Standard Contractual Clauses, adequacy decisions, or other approved mechanisms.
10. California Residents (CCPA)
10.1 California Consumer Privacy Act Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about the categories and specific pieces of personal information we have collected;
- Right to Delete: Request deletion of your personal information;
- Right to Opt-Out: Opt out of the sale of your personal information;
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights.
10.2 Categories of Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, phone number, IP address);
- Commercial information (transaction history, services purchased);
- Internet or network activity (browsing history, usage data);
- Geolocation data (general location from IP address);
- Professional information (company name, job title);
- Inferences drawn from the above.
10.3 Do Not Sell My Personal Information
We do not sell personal information in the traditional sense. However, we may share information with advertising partners in ways that could be considered a "sale" under CCPA. To opt out, please contact us or use the "Do Not Sell My Personal Information" link on our website.
10.4 Shine the Light
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. Contact us for more information.
11. International Data Transfers
We operate globally and may transfer your information to countries other than your own. When we transfer information internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission;
- Adequacy decisions for certain countries;
- Binding Corporate Rules where applicable;
- Your explicit consent for specific transfers.
By using our Services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.
12. Cookies and Tracking Technologies
12.1 Types of Cookies
We use the following types of cookies:
- Essential Cookies: Required for the Dashboard to authenticate you and maintain your session (for example, kodus_session, kodus_remember, and CSRF tokens);
- Functionality Cookies: Remember preferences such as theme or layout settings;
- Payment iframe Cookies: Set by Square within its embedded payment iframe to process subscription payments securely.
We do not set advertising or third-party tracking cookies.
12.2 Your Choices
You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from signing in to the Dashboard. For additional detail, please see our Cookie Policy.
13. Third-Party Services
Our Services integrate with third-party services, including:
- Anthropic, OpenAI, Google, and other AI Model Providers: For model inference that powers the agent;
- Square: For payment processing, subscription billing, and plan management;
- Sentry (or comparable): For error and crash reporting;
- Content Delivery Networks: For delivery of the Dashboard, signed release binaries, and checksums;
- OAuth Identity Providers: Where you elect to sign in via a third-party provider;
- Source-Control Providers: Where you elect to connect a Git hosting provider to your workspace.
These third parties have their own privacy policies. We encourage you to review their policies before using their services through our platform.
14. Analytics
14.1 No Advertising
Kodus does not serve advertising, does not use advertising pixels, and does not sell personal information to advertisers. Please see our Do Not Sell or Share page and our Cookie Policy for additional detail.
14.2 Product Analytics
We use a limited set of first-party analytics to understand aggregate usage of the Dashboard and CLI, to detect errors, and to improve the product. Where possible, analytics data is aggregated and anonymized. We do not combine product analytics with third-party advertising profiles.
15. Children's Privacy
Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.
If you believe we have collected information from a child, please contact us immediately at privacy@kodus.ai.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this policy;
- For material changes, we will provide notice through the Services or via email;
- Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
17. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Contact Information
Kodus
Email: privacy@kodus.ai
Website: https://kodus.ai
For data protection inquiries (GDPR): privacy@kodus.ai
For California privacy requests (CCPA): privacy@kodus.ai
We will respond to your inquiry within the timeframe required by applicable law, typically within 30 days.