Privacy Policy
Woad Code ("we", "us") provides an AI-assisted coding tool. This page explains what data we collect and why. If anything here is unclear, email privacy@woadcode.com.
1. What we collect
- Account data: email address and authentication identifiers from your sign-in provider (Supabase / Google).
- Usage metering: counters for chat, proposal, autofix, and apply actions, used to enforce plan limits.
- Billing data: handled by Stripe. We never see or store your full card number — we only receive a subscription status and a Stripe customer ID.
- Audit log (hosted mode only): a redacted record of which actions ran, kept for security and rate-limiting.
2. What we do NOT collect by default
- Your code is not uploaded to our servers in desktop / extension mode. The model call goes from your machine directly to whichever LLM endpoint you configure.
- No advertising trackers, no third-party analytics scripts.
3. Where data lives
Customer data is stored on EU servers (Hetzner, Falkenstein, Germany). Stripe and Supabase host their own data globally per their respective policies.
4. Legal basis for processing
| Data | Legal basis |
|---|---|
| Account and subscription data | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Billing records | Legal obligation — 7-year retention required by UK tax law (Art. 6(1)(c)) |
| Usage metering and audit log | Legitimate interests — abuse prevention, rate-limiting, fraud detection (Art. 6(1)(f)) |
| Session cookie | Strictly necessary for the service to function (UK PECR Reg. 6(4)) |
5. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Until subscription ends + 30 days (then deleted on request or automatically) |
| Billing records | 7 years (required by HMRC / UK tax law) |
| Usage events (token counts, costs) | 12 months rolling |
| Chat session history | 12 months rolling |
| Workspace checkpoints | 30 days rolling |
6. Sub-processors
We share data with the following third-party processors:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and billing | US / EU |
| Supabase | Authentication | EU |
| Hetzner | Cloud server hosting (database, API) | Germany, EU |
7. Your rights
Under UK GDPR you have the right to:
- Access your data — download a full JSON export instantly from Account Settings, or email privacy@woadcode.com.
- Erasure — delete your account and all associated data instantly from Account Settings. Note: billing records are retained for 7 years as required by law.
- Rectification — email us to correct inaccurate data.
- Restriction and objection — email us at privacy@woadcode.com.
- Portability — use the JSON export link in Account Settings.
- Complaint — you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
We respond to all data requests within 30 days as required by UK GDPR.
8. Cookies
We set one essential session cookie after you sign in (a Supabase JWT stored in localStorage). We do not use tracking or advertising cookies. See our Cookie Policy for full details.
9. Changes
Material changes to this policy will be announced at least 14 days before they take effect, via the email on your account.
10. Data controller
The data controller for personal data collected through Woad Code is:
Woad Code Ltd — a private limited company registered in England & Wales.
Company number: 17216566
Registered office:
[registered office address — update before going live], United Kingdom
Contact: privacy@woadcode.com
UK GDPR / ICO registration: pending (within statutory grace period).