Privacy policy
Effective from 30 May 2026.
This policy explains what personal data Codexroom collects, how we use it, and the rights you have under the Personal Data Protection Act 2012 (Singapore), the EU and UK GDPR, the California Consumer Privacy Act (CCPA), and similar regimes. A lawyer-reviewed version replaces this draft before public launch.
1.Who we are
Codexroom Pte. Ltd., a company registered in Singapore. Data Protection Officer: dpo@codexroom.com. General legal contact: legal@codexroom.com.
2.What we collect
From customers. Account information from Clerk: user ID, email, name. Workspace activity: tokens, slot types, templates, assets, decks, shares, audit log. Billing: plan, status, Stripe identifiers.
From share recipients. Per-event records in the share_views table: timestamp, share ID, deck ID, slide index, session ID (a UUID scoped to one viewing session), geography parsed to country, region, and city, user agent parsed to browser and OS, referrer if present.
From visitors to this website. Standard web analytics with privacy-respecting tooling.
3.What we never collect
Raw IP addresses retained past the request lifecycle.
Cross-share fingerprinting of recipients.
Third-party tracker data.
Recipient identity beyond what the share creator supplied.
4.How we use it
To provide the service. To bill the customer. To improve the product. To respond to support and security requests.
5.Lawful basis and consent
Under the PDPA, processing is conducted with consent (deemed or expressed) for the purposes notified at collection. Under the GDPR, performance of contract covers service delivery, legitimate interest covers analytics and security, and consent is sought where required for marketing. Under the CCPA, processing is conducted as a service provider on behalf of the customer; Codexroom does not sell personal information.
6.Sharing
We share data with the subprocessors listed on the trust page. Each one is bound by a data processing agreement.
7.Your rights
Access, correction, deletion, portability, restriction, objection, and (under the PDPA) withdrawal of consent. Email dpo@codexroom.com to exercise any of them. We respond inside 30 days under the PDPA and the GDPR.
8.Data residency and international transfers
Asia-Pacific customers land in the Singapore region by default. EU customers land in the EU region. US customers land in the US region. Region pinning is available on Enterprise. Cross-border transfers of Singapore-originating personal data follow PDPA Section 26 with contractual safeguards. Transfers of EU- and UK-originating personal data follow the EU Standard Contractual Clauses and the UK addendum.
9.Retention
Workspace data is retained while the workspace is active and for 30 days after cancellation, then deleted. Audit log entries follow the same window. Billing records are retained for 7 years as required by Singapore Income Tax Act and GST Act record-keeping rules, and the equivalent law in other jurisdictions where Codexroom invoices.
10.Changes
We will notify customers and visitors of material changes with 30 days notice.
Questions: legal@codexroom.com. PDPA / GDPR / CCPA requests: dpo@codexroom.com.