Apply.Build — Privacy Policy (Beta)

Last updated 19 June 2025

1 Who is responsible for your data?

Role	Information
Controller	Codebite Oy Business-ID FI-31350249 Tyynylaavankuja 2 B35, Helsinki, Finland
Contact (privacy)	contact@codebite.fi
Data-Protection Officer	Johannes Peltola; johannes.peltola@codebite.fi

2 Why we process personal data and what we collect

Purpose	Data categories	Legal basis	Retention
Account creation & login	Name, e-mail, hashed password, organisation, 2-factor-auth secret	Contract performance (Art 6 (1)(b))	Account lifetime + 30 days
Billing & payments	Transaction ID, cardholder name, billing address (held by Stripe)	Contract (1)(b) & legal obligation (1)(c)	6 years
Platform security & diagnostics	Runtime logs (container IP, user-agent, token hashes) Control-plane audit logs	Legitimate interest (1)(f)	Runtime logs 7 days Audit logs 60 days
Threat-detection & virtual-patching	Source IP, HTTP headers, request path, timestamp	Legitimate interest (Art 6 (1)(f)) to secure the Service	7 days (malicious events may be retained indefinitely for block-listing)
Front-end telemetry	Error stack traces, anonymised UX metrics (highlight.io)	Legitimate interest (1)(f)	30 days
Support	E-mails to contact@codebite.fi	Legitimate interest (1)(f)	24 months
Service messages & product updates	Name, e-mail	Legitimate interest (1)(f)	Until opt-out
Container images & in-app data	Content supplied by you	Processor role (Art 28)	Current image + 30 days history

Additionally, we use Plausible Analytics to collect anonymous usage data for statistical purposes. We only track overall trends in our website traffic, not individual visitors.

Note: For any personal data processed inside your Applications, you are the Controller and Codebite Oy acts only as a Processor.

3 Where we store and process data

All compute, logs and object-storage buckets are hosted in the European Economic Area.
Payments are processed by Stripe, Inc. in the EU/US.
Error-telemetry is processed by Highlight, Inc. in the US under Standard Contractual Clauses.

4 Authorised sub-processors

Sub-processor	Purpose	Location	Safeguard
Hetzner Online GmbH	Compute & networking	Finland	Data in EEA
UpCloud Oy	Object-storage bucket	Finland	Data in EEA
Stripe, Inc.	Payment processing	EU / US	SCCs + DPF
Highlight, Inc.	Front-end telemetry	US	SCCs
CrowdSec SAS	Offline mode - no data transferred	n/a	n/a

We will give 30 days' notice before adding or replacing a sub-processor.

5 International transfers

Data transferred to Stripe and Highlight is protected by Standard Contractual Clauses (2021/914/EU); Stripe also participates in the EU-US Data Privacy Framework.

6 Security measures

Per-application micro-VM isolation
Automated virtual-patching; blocks known exploits before they hit customer containers.
eBPF network policies
TLS 1.2+ encryption in transit
Object-storage data encrypted at rest
24 × 7 infrastructure monitoring
No platform backups during beta - customers must maintain their own backups

7 Cookies & tracking

Dashboard/API: only a short-lived session cookie after login.
Website/docs: no advertising or analytics cookies.
Telemetry: Highlight (highlight.io) is configured not to store any data in your browser.

8 Marketing communications

We may send product updates or service announcements based on legitimate interest. You can unsubscribe at any time via the link in each e-mail.

9 Your GDPR rights

You have the right to access, rectify, erase and port your personal data, restrict or object to processing, and lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi). Requests: e-mail contact@codebite.fi - we respond within 30 days.

10 Automated decision-making

We do not perform automated decision-making that produces legal or similarly significant effects.

11 Changes to this Policy

We may update this Policy with 30 days' notice via e-mail or dashboard banner. Continued use after the effective date constitutes acceptance.