Codynex - Powering the Modern Business

Privacy Policy

Last Updated: December 1, 2025

1. Introduction

Welcome to Codynex ("Company," "we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website codynex.com, use our services, or interact with us.

By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access our services.

This Privacy Policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Fill out contact forms or request consultations
  • Subscribe to our newsletter or marketing communications
  • Create an account on our platform
  • Engage our services or enter into a contract
  • Communicate with us via email, phone, or other channels

Personal information may include:

  • Name and contact information (email address, phone number, mailing address)
  • Company name and business information
  • Job title and professional details
  • Payment and billing information
  • Communication preferences
  • Any other information you choose to provide

2.2 Automatically Collected Information

When you visit our website, we automatically collect certain information about your device and browsing actions, including:

  • IP address and geolocation data
  • Browser type and version
  • Operating system
  • Referring URLs
  • Pages viewed and time spent on pages
  • Device identifiers
  • Cookies and similar tracking technologies

2.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Business partners and service providers
  • Social media platforms (if you choose to connect your accounts)
  • Publicly available sources
  • Marketing and analytics providers

3. How We Use Your Information

3.1 Data Processing Principles

Data Minimization: We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the stated purposes. We do not collect excessive information beyond what is required to provide our services effectively.

Purpose Limitation: Personal data collected for one purpose will not be used for a different purpose that is incompatible with the original purpose, unless we obtain your explicit consent or are required by law to do so.

Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Please refer to Section 10 (Data Retention) for specific retention periods.

3.2 Purposes of Data Processing

We use the information we collect for various purposes, including:

  • Service Delivery: To provide, maintain, and improve our AI solutions and services
  • Communication: To respond to inquiries, send updates, and provide customer support
  • Business Operations: To process transactions, manage accounts, and fulfill contracts
  • Marketing: To send promotional materials, newsletters, and information about our services (you can opt out at any time)
  • Analytics: To understand how our website and services are used and to improve user experience
  • Security: To detect, prevent, and address technical issues, fraud, and security threats
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Business Development: To develop new products, services, and features

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and using your personal information depends on the specific context in which we collect it. We process your personal data under one or more of the following lawful bases:

4.1 Lawful Bases for Processing

  • Consent (Article 6(1)(a) GDPR): You have given clear, informed, and freely given consent for us to process your personal data for one or more specific purposes. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Contract Performance (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (e.g., providing services you have purchased).
  • Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax reporting, financial audits, regulatory requirements).
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of our legitimate business interests or those of a third party, except where such interests are overridden by your fundamental rights and freedoms which require protection of personal data (e.g., fraud prevention, network security, direct marketing to existing customers).
  • Vital Interests (Article 6(1)(d) GDPR): Processing is necessary to protect the vital interests of you or another natural person (e.g., in emergency situations).
  • Public Interest (Article 6(1)(e) GDPR): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (where applicable).

4.2 Data Processing Map

The following table maps the types of personal data we collect to their purposes, legal bases, and retention periods:

| Data Type | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Contact Information (Name, Email, Phone) | Contact form inquiries, Service delivery, Customer support | Consent, Contract Performance, Legitimate Interests | 3 years from last contact or until consent withdrawn |
| Business Information (Company Name, Job Title) | B2B communication, Service customization | Legitimate Interests, Contract Performance | Duration of business relationship + 3 years |
| Payment & Billing Information | Transaction processing, Invoicing, Tax compliance | Contract Performance, Legal Obligation | 7 years (tax and legal requirements) |
| Client Project Data | Service delivery, Project management | Contract Performance | 7 years (professional liability and legal requirements) |
| Marketing & Newsletter Data | Marketing communications, Newsletters, Promotions | Consent | Until consent withdrawn + 30 days |
| Website Analytics Data (IP, Browser, Device) | Website optimization, User experience improvement | Consent (via cookie consent), Legitimate Interests | 26 months (Google Analytics standard) |
| Account Credentials | Account access, Authentication, Security | Contract Performance | Duration of account + 30 days after closure |
| Communication Records (Emails, Calls, SMS) | Customer support, Quality assurance, Dispute resolution | Legitimate Interests, Legal Obligation | 3 years or as required for legal disputes |
| Legal & Dispute-Related Data | Legal compliance, Dispute resolution, Evidence preservation | Legal Obligation, Legitimate Interests | As required by law or until dispute resolution + 1 year |

Note: Where we rely on legitimate interests as the legal basis for processing, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time.

5. Information Sharing and Disclosure

We may share your information in the following circumstances:

5.1 Service Providers and Third-Party Processors

We engage carefully vetted third-party service providers to perform services on our behalf. All processors are contractually bound by Data Processing Agreements (DPAs) that comply with GDPR Article 28 requirements. These service providers include:

Hosting & Infrastructure Providers:

  • Amazon Web Services (AWS) - Cloud hosting and storage
  • Google Cloud Platform - Infrastructure and computing services
  • Microsoft Azure - Cloud infrastructure (where applicable)

Communication & Email Service Providers:

  • Email service providers (e.g., SendGrid, Mailchimp, or similar platforms) - Email delivery and newsletter management
  • SMS providers (e.g., Twilio, Zoom Phone) - Text message communications
  • Communication platforms - Customer messaging and support

Payment Processors:

  • Stripe, PayPal, or other PCI-DSS compliant payment processors - Payment processing and transaction management

Analytics & Marketing Providers:

  • Google Analytics - Website analytics and user behavior analysis
  • Marketing automation platforms - Campaign management and lead tracking
  • Social media advertising platforms (Facebook, LinkedIn, Twitter) - Targeted advertising where consent is provided

Customer Relationship Management (CRM) Systems:

  • CRM platforms (e.g., Salesforce, HubSpot, or similar) - Customer data management and relationship tracking

Customer Support & Help Desk Tools:

  • Support ticketing systems - Managing customer inquiries and support requests
  • Live chat platforms - Real-time customer assistance

Security & Fraud Prevention:

  • Cloudflare Turnstile - Bot detection and security
  • Security monitoring tools - Threat detection and prevention

All third-party processors are required to:

  • Process personal data only on our documented instructions
  • Implement appropriate technical and organizational security measures
  • Ensure confidentiality of persons authorized to process personal data
  • Assist us in responding to data subject rights requests
  • Delete or return personal data at the end of the provision of services
  • Make available all information necessary to demonstrate compliance with GDPR obligations

5.2 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government agencies, law enforcement).

5.4 Protection of Rights

We may disclose information to protect our rights, property, or safety, or that of our users or others, including to enforce our agreements, policies, and terms of service, or to respond to legal claims.

5.5 With Your Consent

We may share your information with third parties when we have your explicit, informed consent to do so.

6. Data Protection Contacts

6.1 Data Protection Officer (DPO)

Based on our current scale, business activities, and the nature of personal data we process, Codynex is not currently required to appoint a formal Data Protection Officer under Article 37 of the GDPR. Our data processing activities do not involve:

  • Large-scale systematic monitoring of individuals
  • Large-scale processing of special categories of data or criminal conviction data
  • Core activities that require regular and systematic monitoring of data subjects on a large scale

However, we are committed to maintaining high standards of data protection and have designated internal privacy personnel responsible for overseeing data protection compliance and serving as the point of contact for privacy matters.

6.2 Privacy Contact Information

For all privacy-related inquiries, data protection questions, or to exercise your privacy rights, please contact our dedicated privacy team:

Privacy Contact:

Email: hr@codynex.com

General Contact: info@codynex.com

Phone: +1 (281) 270-5900

Mailing Address: Codynex, Katy, TX 77494, USA

6.3 EU Representative

Codynex is established in the United States and does not have an establishment in the European Union. Under Article 27 of the GDPR, an EU representative is required for non-EU controllers or processors that:

  • Offer goods or services to individuals in the EU (regardless of payment); or
  • Monitor the behavior of individuals in the EU

Current Status: At this time, Codynex's processing activities do not trigger the mandatory requirement for an EU representative because:

  • We do not specifically target or offer goods/services to EU residents
  • We do not engage in systematic monitoring of EU residents' behavior
  • Our data processing is occasional and limited in scope regarding EU residents

If our business activities expand to regularly target EU markets or process EU resident data on a larger scale, we will appoint an EU representative in accordance with GDPR requirements and update this policy accordingly.

EU residents can still contact us directly at hr@codynex.com for all privacy-related matters.

6.4 UK Representative

Following the UK's departure from the EU, similar representative requirements apply under the UK GDPR. Our current assessment is that we are not required to appoint a UK representative for the same reasons stated above regarding EU representation. UK residents may contact us directly at hr@codynex.com.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your browsing activities. You can control cookies through your browser settings and other tools.

Types of Cookies We Use:

  • Essential Cookies: Necessary for the website to function properly
  • Analytics Cookies: Help us understand how visitors use our website
  • Marketing Cookies: Used to track visitors across websites to display relevant ads
  • Preference Cookies: Enable the website to remember your preferences

For more information about cookies, please refer to our Cookie Policy.

8. SMS and Text Messaging

8.1 SMS Consent and Purpose

By providing your mobile phone number to Codynex through any of our communication channels, you expressly consent to receive text messages (SMS/MMS) from us. These messages are used solely for service-related purposes, including but not limited to:

  • Appointment confirmations and reminders
  • Service updates and status notifications
  • Account verification and authentication
  • Customer support communications
  • Transactional updates related to your services
  • Important security alerts

Currently, we send transactional and informational messages only. We do not send promotional or marketing text messages unless you explicitly opt in to receive them.

8.2 How We Collect SMS Consent

We may collect your mobile phone number and SMS consent through the following methods:

  • Website Forms: When you complete a contact form, consultation request, or account registration that includes a mobile phone number field with an SMS consent checkbox
  • Email Inquiries: When you provide your mobile phone number in email communications with our team and express interest in receiving text updates
  • Customer-Initiated Contact: When you initiate contact with Codynex by sending a text message to our business phone number
  • Phone Conversations: When you verbally provide consent during phone calls with our representatives

In all cases, providing your mobile number and consenting to SMS communication is optional and not required to use our services. However, opting out may affect our ability to send you timely service notifications.

8.3 Important SMS Disclosures

By consenting to receive text messages from Codynex, you acknowledge and agree to the following:

  • Message and Data Rates May Apply: Standard messaging and data rates from your mobile carrier may apply to all SMS messages sent and received. Codynex is not responsible for these charges.
  • Message Frequency May Vary: The number of messages you receive will depend on your level of interaction with our services and the nature of your account activity. We strive to send only necessary and relevant messages.
  • Carriers Supported: Our SMS service is compatible with all major U.S. mobile carriers and many international carriers. Delivery and timing may vary by carrier.
  • No Guarantee of Delivery: While we use reliable SMS service providers, we cannot guarantee that every message will be delivered or delivered on time due to factors outside our control.

8.4 SMS Privacy and Data Sharing

We are committed to protecting your mobile phone number and SMS-related data:

  • No Selling or Sharing: We do not sell, rent, or share your mobile phone number or SMS opt-in data with third-party marketers or advertisers.
  • Service Providers Only: Your mobile phone number and SMS data are shared only with authorized service providers who are necessary to deliver SMS messages, such as our SMS platform provider (e.g., Zoom Phone, Twilio, or similar A2P-10DLC compliant services). These providers are contractually obligated to protect your data and use it only for SMS delivery purposes.
  • Compliance with Regulations: We comply with the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and all applicable U.S. federal and state regulations governing SMS communications, including A2P-10DLC (Application-to-Person 10-Digit Long Code) requirements.

8.5 How to Opt Out (Unsubscribe)

You have the right to opt out of receiving text messages from Codynex at any time. You can unsubscribe using any of the following methods:

  • Reply STOP: Reply with the word "STOP", "UNSUBSCRIBE", "CANCEL", "END", or "QUIT" to any text message from us. You will receive a confirmation message that you have been unsubscribed.
  • Contact Us Directly: Email us at info@codynex.com or call +1 (281) 270-5900 and request to be removed from our SMS list.
  • Update Your Preferences: If you have an account with us, you can update your communication preferences in your account settings.

Processing Time: Opt-out requests are typically processed immediately, but may take up to 48 hours to take full effect. You may receive one additional message confirming your opt-out.

Important Note: Opting out of SMS messages will not affect other forms of communication, such as email or phone calls. If you wish to opt out of all communications, please specify this in your request.

8.6 How to Get Help

If you have questions about our SMS program, need assistance, or want to update your mobile number, you can:

  • Reply HELP: Reply with the word "HELP" or "INFO" to any text message from us to receive assistance and program information.
  • Contact Support: Email us at support@codynex.com or call +1 (281) 270-5900 during business hours (Monday-Friday, 9 AM - 6 PM CT).
  • Visit Our Website: Find more information about our services and contact options at codynex.com.

8.7 Updating or Removing Your Mobile Number

If your mobile phone number changes or you wish to update the number on file, please contact us immediately at info@codynex.com or +1 (281) 270-5900. This ensures you continue to receive important service notifications and helps prevent messages from being sent to the wrong recipient.

8.8 Changes to SMS Program

We reserve the right to modify or discontinue our SMS program at any time. If we make material changes to how we use your mobile phone number or the types of messages we send, we will notify you via SMS or email and provide you with an opportunity to opt out.

9. Data Security

We implement comprehensive technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. Our security framework includes:

9.1 Technical Security Measures

Encryption:

  • Data at Rest: AES-256 encryption for all stored personal data on our servers and databases
  • Data in Transit: TLS 1.3 (Transport Layer Security) protocol for all data transmitted over networks, ensuring secure communication between your browser and our servers
  • End-to-End Encryption: Where applicable, sensitive communications are protected with end-to-end encryption

Access Controls & Authentication:

  • Role-Based Access Control (RBAC): Access to personal data is granted on a need-to-know basis according to job function and responsibilities
  • Multi-Factor Authentication (MFA): Required for all employees and contractors accessing systems containing personal data
  • Least Privilege Principle: Users are granted the minimum level of access necessary to perform their duties
  • Strong Password Policies: Complex password requirements with regular password rotation
  • Session Management: Automatic timeout of inactive sessions to prevent unauthorized access

Network & Infrastructure Security:

  • Firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Virtual Private Networks (VPNs) for remote access
  • Regular security patching and system updates
  • Secure configuration of servers and applications
  • Network segmentation to isolate sensitive data
  • DDoS (Distributed Denial of Service) protection

Application Security:

  • Secure coding practices following OWASP guidelines
  • Input validation and sanitization to prevent injection attacks
  • Protection against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
  • Regular security code reviews

9.2 Organizational Security Measures

Regular Security Audits & Testing:

  • Annual third-party security audits and assessments
  • Periodic penetration testing to identify vulnerabilities
  • Vulnerability scanning and remediation
  • Security compliance reviews
  • Regular risk assessments and threat modeling

Employee Training & Policies:

  • Mandatory data protection and security training for all employees upon hire and annually thereafter
  • GDPR and data privacy awareness programs
  • Phishing awareness and social engineering prevention training
  • Confidentiality agreements and non-disclosure agreements (NDAs) signed by all employees and contractors
  • Clear data handling policies and procedures
  • Background checks for employees with access to sensitive data

Physical Security Measures:

  • Secure data centers with restricted physical access controls
  • 24/7 surveillance and monitoring of facilities housing servers
  • Biometric access controls where applicable
  • Visitor logs and escort requirements
  • Secure disposal of physical media containing personal data (shredding, degaussing)
  • Environmental controls (fire suppression, climate control)

Vendor & Third-Party Security:

  • Due diligence assessments of all third-party service providers
  • Contractual data protection and security requirements (DPAs)
  • Regular vendor security reviews
  • Requirement for vendors to maintain industry-standard security certifications

9.3 Data Breach Notification Procedures

Despite our robust security measures, no system is completely immune to security breaches. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we have established the following procedures in compliance with GDPR Articles 33 and 34:

Notification to Supervisory Authority:

  • In the event of a personal data breach, Codynex will notify the relevant supervisory authority (e.g., the Information Commissioner's Office in the UK or relevant EU Data Protection Authority) within 72 hours of becoming aware of the breach, where feasible.
  • If notification cannot be made within 72 hours, we will provide reasons for the delay.
  • The notification will include:
    • Nature of the personal data breach including categories and approximate number of data subjects affected
    • Name and contact details of our data protection contact point
    • Description of the likely consequences of the breach
    • Measures taken or proposed to address the breach and mitigate potential adverse effects

Notification to Affected Individuals:

  • Affected individuals will be notified without undue delay when the personal data breach is likely to result in a high risk to their rights and freedoms (e.g., risk of identity theft, fraud, financial loss, or reputational damage).
  • The notification to individuals will be in clear and plain language and include:
    • Description of the nature of the breach
    • Contact details of our data protection contact point for more information
    • Description of the likely consequences of the breach
    • Recommended measures individuals can take to protect themselves (e.g., changing passwords, monitoring accounts)
    • Measures we have taken to address the breach
  • Notification may be made via email, website notice, direct mail, or other appropriate means depending on the circumstances.

Internal Breach Response:

  • Immediate containment and investigation of the breach
  • Assessment of the scope and impact of the breach
  • Documentation of the breach, including facts, effects, and remedial actions taken
  • Implementation of corrective measures to prevent future breaches
  • Post-incident review and lessons learned analysis

9.4 Security Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information using industry-standard security measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our data retention practices comply with GDPR Article 5(1)(e) (storage limitation principle).

10.1 Specific Retention Periods by Data Category

Contact Form Inquiries & General Communications:

  • Retention Period: 3 years from the date of last contact or communication
  • Rationale: To maintain records of business inquiries, provide continuity in customer relationships, and respond to potential follow-up questions
  • Deletion: Automatically deleted or anonymized after 3 years of inactivity unless you request earlier deletion

Client Project Data & Deliverables:

  • Retention Period: 7 years after project completion or contract termination
  • Rationale: To comply with professional liability requirements, tax obligations, and potential warranty or dispute resolution needs
  • Legal Basis: Legal obligation (tax law), legitimate interests (professional liability, dispute resolution)
  • Deletion: Securely deleted after 7 years unless longer retention is required for ongoing legal matters

Financial & Payment Information:

  • Retention Period: 7 years from the end of the relevant financial year
  • Rationale: Required by tax laws and financial regulations (e.g., IRS requirements in the United States)
  • Legal Basis: Legal obligation
  • Deletion: Securely deleted after 7 years in compliance with legal retention requirements

Marketing Data & Newsletter Subscriptions:

  • Retention Period: Until consent is withdrawn + 30 days for processing
  • Rationale: To honor your marketing preferences and maintain suppression lists to prevent future unwanted communications
  • Legal Basis: Consent
  • Deletion: Removed from active marketing databases immediately upon opt-out; complete deletion after 30-day grace period for processing and suppression list management
  • Note: Email addresses may be retained in a suppression list (with minimal data) to ensure we don't accidentally contact you again

Website Analytics Data:

  • Retention Period: 26 months (Google Analytics standard retention period)
  • Rationale: To analyze website usage patterns, improve user experience, and understand long-term trends
  • Legal Basis: Consent (via cookie consent banner), legitimate interests
  • Deletion: Automatically deleted by analytics platforms after 26 months; anonymized data may be retained indefinitely for statistical purposes

Account Data & Credentials:

  • Retention Period: Duration of active account + 30 days after account closure
  • Rationale: To provide account services, maintain account security, and allow for account recovery during grace period
  • Legal Basis: Contract performance
  • Deletion: Account data permanently deleted 30 days after closure request; backup copies removed from all systems within 90 days

Legal, Dispute, and Litigation-Related Data:

  • Retention Period: As required by applicable law or until dispute resolution + 1 year, whichever is longer
  • Rationale: To defend legal claims, comply with court orders, meet regulatory requirements, and preserve evidence
  • Legal Basis: Legal obligation, legitimate interests (establishment, exercise, or defense of legal claims)
  • Deletion: Deleted 1 year after final resolution of disputes or expiration of statute of limitations periods

CCTV & Security Footage (if applicable):

  • Retention Period: 30-90 days unless required for investigation or legal purposes
  • Rationale: Security and safety of premises and individuals
  • Deletion: Automatically overwritten after retention period unless flagged for investigation

Employee & Contractor Data (where applicable):

  • Retention Period: Duration of employment/contract + 7 years
  • Rationale: Employment law requirements, tax obligations, reference requests, dispute resolution
  • Legal Basis: Legal obligation, contract performance, legitimate interests

10.2 Criteria for Determining Retention Periods

Retention periods are determined based on the following factors:

  • Nature of the Information: Sensitivity and type of personal data (e.g., financial data requires longer retention than browsing data)
  • Purpose of Collection: Why the data was originally collected and whether that purpose still exists
  • Legal and Regulatory Requirements: Compliance with tax laws, employment laws, professional standards, and industry regulations
  • Legitimate Business Interests: Business needs such as warranty periods, contract enforcement, and customer service continuity
  • Statute of Limitations: Time periods within which legal claims can be brought
  • User Expectations: Reasonable expectations about how long data should be kept

10.3 Data Anonymization & Pseudonymization

Where possible, we employ data minimization techniques to protect your privacy while retaining necessary information for legitimate purposes:

Anonymization:

  • Personal data is irreversibly transformed so that individuals can no longer be identified directly or indirectly
  • Anonymized data is no longer considered personal data under GDPR and may be retained indefinitely for statistical, research, and business intelligence purposes
  • Examples: Aggregated analytics reports, statistical trends, anonymized survey responses

Pseudonymization:

  • Personal data is processed in a manner that it can no longer be attributed to a specific individual without the use of additional information kept separately
  • Reduces privacy risks while allowing data to remain useful for specific purposes
  • Examples: Replacing names with unique identifiers, separating identifying information from other data

10.4 Secure Data Deletion Methods

When personal data reaches the end of its retention period or when you request deletion, we employ the following secure deletion methods:

Electronic Data Deletion:

  • Secure Overwriting: Data is overwritten multiple times using industry-standard algorithms (e.g., DoD 5220.22-M standard)
  • Cryptographic Erasure: Encryption keys are destroyed, rendering encrypted data permanently inaccessible
  • Database Deletion: Records are permanently deleted from production databases and marked for removal from backups
  • Backup Purging: Data is removed from backup systems according to backup rotation schedules (typically within 90 days)
  • Cloud Storage Deletion: Data deletion requests are sent to cloud service providers, and we verify deletion according to their retention policies

Physical Media Destruction:

  • Degaussing: Magnetic media is exposed to strong magnetic fields to destroy data
  • Physical Destruction: Hard drives and storage media are shredded or incinerated
  • Certified Destruction: Third-party vendors provide certificates of destruction for audit purposes

Verification & Audit:

  • Deletion activities are logged and auditable
  • Regular audits to ensure retention policies are properly implemented
  • Documentation maintained to demonstrate compliance with data protection obligations

10.5 Exceptions to Deletion

In certain circumstances, we may be unable to delete your personal data immediately, including:

  • When required to comply with legal obligations or regulatory requirements
  • When necessary for the establishment, exercise, or defense of legal claims
  • When data is stored in backup systems that follow scheduled deletion cycles (deleted within 90 days)
  • When anonymized data is retained for statistical purposes

If any of these exceptions apply, we will inform you and specify when deletion will occur or explain why permanent retention is necessary.

11. Automated Decision-Making and Profiling

11.1 No Automated Decision-Making

Codynex does not engage in automated decision-making or profiling as defined by Article 22 of the GDPR. All decisions that produce legal effects concerning you or similarly significantly affect you are made by human representatives, not by automated systems.

This means:

  • We do not use algorithms or automated systems to make decisions that would significantly affect you, such as:
    • Whether to enter into a contract with you
    • Pricing or terms of service offerings
    • Eligibility for services
    • Assessment of your creditworthiness or financial standing
  • Human oversight and judgment are involved in all significant decisions affecting our clients and users
  • You will not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

11.2 Use of AI and Analytics Tools

While we do not use automated decision-making that significantly affects individuals, we may use certain AI-powered and analytics tools for the following limited purposes:

Website Analytics & User Experience:

  • Google Analytics and similar tools to understand aggregate user behavior, traffic patterns, and website performance
  • These tools analyze browsing patterns to help us improve website design and user experience
  • Important: These analytics tools do not make decisions about individual users. They provide aggregated, statistical insights to help us optimize our website for all users.

Chatbots & Customer Support Tools:

  • AI-powered chatbots may be used to provide initial customer support and answer common questions
  • These tools assist users but do not make binding decisions or judgments about individuals
  • Human customer support representatives are always available, and users can escalate to human assistance at any time

Email Marketing Optimization:

  • Marketing platforms may use AI to optimize email send times or suggest content based on aggregate engagement patterns
  • These systems do not make decisions about your eligibility for services or significantly affect you; they simply help us communicate more effectively

Security & Fraud Detection:

  • Automated security systems may flag suspicious activity for human review (e.g., bot detection via Cloudflare Turnstile)
  • These systems do not make final decisions; suspicious activity is reviewed by human security personnel before any action is taken

11.3 Your Rights Regarding Automated Processing

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Since Codynex does not engage in such practices, this right is automatically protected.

If our practices change in the future, we will:

  • Update this Privacy Policy to clearly explain any automated decision-making or profiling activities
  • Provide you with meaningful information about the logic involved
  • Explain the significance and envisaged consequences of such processing
  • Obtain your explicit consent where required by law
  • Implement safeguards including the right to obtain human intervention, express your point of view, and contest decisions

11.4 Transparency Commitment

We are committed to transparency about our use of technology. If you have any questions about whether specific tools or processes constitute automated decision-making, or if you would like more information about how we use AI and analytics, please contact us at hr@codynex.com.

12. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information. We are committed to facilitating the exercise of these rights in accordance with applicable data protection laws.

12.1 GDPR Rights (EEA, UK, and Swiss Residents)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR:

Right to Access (Article 15 GDPR):

  • What it means: You have the right to obtain confirmation of whether we process your personal data and, if so, to request a copy of that data.
  • What we provide: We will provide you with information about the categories of data processed, purposes of processing, recipients of data, retention periods, and your rights.
  • Example: You can request a copy of all personal information we hold about you, including contact details, project data, and communication records.

Right to Rectification (Article 16 GDPR):

  • What it means: You have the right to request correction of inaccurate or incomplete personal data.
  • What we do: We will correct or complete inaccurate data without undue delay.
  • Example: If your email address, phone number, or company name has changed, you can request that we update our records.

Right to Erasure / "Right to be Forgotten" (Article 17 GDPR):

  • What it means: You have the right to request deletion of your personal data in certain circumstances.
  • When it applies:
    • The data is no longer necessary for the purposes for which it was collected
    • You withdraw consent (where processing was based on consent)
    • You object to processing and there are no overriding legitimate grounds
    • The data has been unlawfully processed
    • Erasure is required for compliance with a legal obligation
  • Exceptions: We may retain data where necessary for legal obligations, legal claims, or other lawful purposes.
  • Example: If you previously contacted us but no longer wish to have any relationship with us, you can request deletion of your contact information (subject to legal retention requirements).

Right to Restrict Processing (Article 18 GDPR):

  • What it means: You can request that we limit how we use your personal data in certain circumstances.
  • When it applies:
    • You contest the accuracy of the data (restriction applies while we verify accuracy)
    • Processing is unlawful but you prefer restriction rather than erasure
    • We no longer need the data but you need it for legal claims
    • You have objected to processing (restriction applies pending verification of legitimate grounds)
  • Example: If you dispute whether certain information we hold is accurate, you can request that we stop using that data until we verify its accuracy.

Right to Data Portability (Article 20 GDPR):

  • What it means: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • When it applies: When processing is based on consent or contract performance and is carried out by automated means.
  • What we provide: Data in formats such as CSV, JSON, or PDF, depending on the nature of the data.
  • Example: You can request your contact information and project data in a CSV file to transfer to another service provider.

Right to Object (Article 21 GDPR):

  • What it means: You have the right to object to processing of your personal data in certain circumstances.
  • When it applies:
    • Processing based on legitimate interests (we will cease processing unless we demonstrate compelling legitimate grounds that override your rights)
    • Direct marketing purposes (we will cease processing immediately upon objection)
    • Scientific, historical research, or statistical purposes (subject to exceptions)
  • Example: You can object to receiving marketing emails from us. We will honor your request immediately and add you to our suppression list.

Right to Withdraw Consent (where processing is based on consent):

  • What it means: Where we process your data based on your consent, you have the right to withdraw that consent at any time.
  • Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Example: If you consented to receive our newsletter, you can withdraw consent at any time by clicking the unsubscribe link or contacting us.

Right Not to be Subject to Automated Decision-Making (Article 22 GDPR):

  • As stated in Section 11, we do not engage in automated decision-making that produces legal or similarly significant effects. This right is automatically protected.

12.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know:

  • Request information about the categories and specific pieces of personal information we have collected about you
  • Request information about our data collection and use practices, including categories of sources, business purposes, and third parties with whom we share data

Right to Delete:

  • Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention)

Right to Opt-Out of Sale:

  • Opt out of the sale of your personal information to third parties
  • Note: Codynex does not sell personal information to third parties for monetary consideration.

Right to Non-Discrimination:

  • You will not be discriminated against for exercising your CCPA rights, including:
    • Denying you goods or services
    • Charging different prices or rates
    • Providing a different level or quality of services

12.3 Other Jurisdictions

Residents of other jurisdictions may have additional privacy rights under local laws. Please contact us at hr@codynex.com to inquire about your specific rights.

12.4 How to Exercise Your Rights

To exercise any of the above rights, please contact us using one of the following methods:

  • Email: hr@codynex.com (preferred method for privacy requests)
  • General Email: info@codynex.com
  • Phone: +1 (281) 270-5900
  • Mail: Codynex, Attn: Privacy Request, Katy, TX 77494, USA

12.5 Identity Verification Procedures

To protect your personal information from unauthorized access or disclosure, we will verify your identity before processing your privacy rights request. The verification process may include:

  • Confirming your email address by sending a verification link
  • Requesting identifying information that matches the information we have on file (e.g., phone number, account details)
  • For sensitive requests (e.g., deletion, data portability), we may require additional verification such as:
    • Government-issued ID (with sensitive information redacted)
    • Answering security questions about your account or previous interactions
    • Multi-factor authentication if you have an account with us

We will only use the information you provide for verification purposes and will not retain it longer than necessary.

12.6 Response Timeframe

GDPR Requests: We will respond to your request within 30 days of receipt. In complex cases, we may extend this period by an additional 60 days, and we will inform you of any such extension and the reasons for it.

CCPA Requests: We will respond within 45 days of receipt. We may extend this period by an additional 45 days if necessary, with prior notice to you.

Other Jurisdictions: We will respond within the timeframe required by applicable local law, or within 30 days if no specific timeframe is mandated.

12.7 Fees

Exercising your privacy rights is free of charge. However, if your request is manifestly unfounded, excessive, or repetitive, we may:

  • Charge a reasonable administrative fee based on the cost of providing the information or taking the action requested; or
  • Refuse to act on the request

If we decide to charge a fee or refuse your request, we will explain our reasoning.

12.8 Right to Lodge a Complaint with a Supervisory Authority

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.

Supervisory Authorities:

  • United Kingdom: Information Commissioner's Office (ICO)
    Website: https://ico.org.uk
    Email: casework@ico.org.uk
    Phone: 0303 123 1113
  • Ireland (EU): Data Protection Commission (DPC)
    Website: https://www.dataprotection.ie
    Email: info@dataprotection.ie
    Phone: +353 57 868 4800
  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
    Website: https://www.bfdi.bund.de
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL)
    Website: https://www.cnil.fr
  • Other EU Countries: Find your local authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en

While we encourage you to contact us first to resolve any concerns, you have the right to lodge a complaint with a supervisory authority at any time without restriction.

12.9 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. To protect your privacy, we will require:

  • Written authorization signed by you authorizing the agent to act on your behalf; or
  • Proof of power of attorney; and
  • Verification of your identity as described above

13. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at hr@codynex.com, and we will take steps to delete such information from our systems promptly.

If we become aware that we have collected personal information from a child without parental consent, we will take immediate steps to delete that information.

14. International Data Transfers

Codynex is based in the United States, and your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from the laws of your country.

14.1 Countries Where Data May Be Transferred

Your personal data may be transferred to and processed in the following countries:

  • United States: Our primary operations, servers, and data storage are located in the United States
  • European Union: We may use service providers with data centers in EU member states (e.g., Germany, Ireland, France) for users located in the EEA
  • United Kingdom: Some data may be processed in the UK by service providers or as part of our operations
  • Other Countries: Data may be transferred to other countries where our third-party service providers operate, such as:
    • Canada (considered adequate by the European Commission)
    • Israel (considered adequate by the European Commission)
    • Japan (considered adequate by the European Commission)
    • South Korea (considered adequate by the European Commission)

14.2 Data Storage Locations

We primarily use the following infrastructure providers for data storage and processing:

  • Amazon Web Services (AWS): Data centers in the United States (primary), with options for EU-based storage where applicable
  • Google Cloud Platform: Data centers in the United States and, where applicable, the European Union
  • Microsoft Azure: Data centers in various regions, with options for US and EU-based storage

Where technically feasible and requested by clients in the EEA, we will store data in EU-based data centers to minimize international transfers.

14.3 Safeguards for International Transfers from the EEA/UK

When we transfer personal information from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of protection by the European Commission or UK authorities, we ensure appropriate safeguards are in place as required by GDPR Article 46:

Standard Contractual Clauses (SCCs):

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 (also known as the "new SCCs")
  • SCCs are legally binding contracts between data exporters (us or our EEA/UK-based service providers) and data importers (US-based service providers) that ensure personal data receives adequate protection when transferred outside the EEA/UK
  • All third-party processors that receive EEA/UK personal data are required to sign SCCs as part of their Data Processing Agreements
  • Copies of the SCCs we use are available upon request by contacting hr@codynex.com

Adequacy Decisions:

  • Where possible, we transfer data to countries that have received an adequacy decision from the European Commission, meaning those countries are deemed to provide an adequate level of data protection equivalent to the EEA (e.g., Canada, Japan, Israel, South Korea)
  • Following Brexit, the UK has been granted an adequacy decision by the European Commission, allowing free flow of data between the EEA and UK
  • The European Commission has also issued an adequacy decision for the EU-U.S. Data Privacy Framework (effective July 2023), which provides a mechanism for U.S. companies certified under the framework to receive personal data from the EU

EU-U.S. and Swiss-U.S. Data Privacy Framework:

  • If Codynex or our service providers are certified under the EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework, this certification provides an additional mechanism for lawful transfers of personal data from the EU/Switzerland to the United States
  • We will indicate our certification status on our website and in this policy if applicable
  • Current Status: Codynex is not currently certified under the Data Privacy Framework, but we rely on SCCs and other appropriate safeguards for international transfers

14.4 Transfer Impact Assessments (TIAs)

In accordance with the guidance from the European Data Protection Board (EDPB) and the Schrems II decision (Case C-311/18), we conduct Transfer Impact Assessments (TIAs) to evaluate whether the laws and practices of the destination country provide an adequate level of protection for personal data transferred from the EEA/UK.

Our TIA process includes:

  • Mapping all international data transfers, identifying countries and service providers involved
  • Assessing the legal framework of destination countries, particularly government access laws and surveillance practices
  • Evaluating the effectiveness of SCCs and supplementary measures in the context of destination country laws
  • Implementing supplementary technical and organizational measures where necessary, such as:
    • Enhanced encryption (AES-256 for data at rest, TLS 1.3 for data in transit)
    • Pseudonymization and anonymization techniques
    • Minimizing the data transferred to only what is necessary
    • Contractual obligations for service providers to challenge disproportionate government data access requests
  • Ongoing monitoring of legal developments in destination countries that may affect data protection

If you would like more information about our Transfer Impact Assessments or the safeguards we have implemented, please contact us at hr@codynex.com.

14.5 UK-Specific Provisions (Post-Brexit)

Following the United Kingdom's departure from the European Union:

  • The UK has implemented the UK GDPR, which mirrors the EU GDPR with minor modifications
  • The European Commission has granted the UK an adequacy decision (effective June 28, 2021, valid until June 27, 2025, subject to renewal), allowing personal data to flow freely between the EEA and UK
  • For transfers from the UK to third countries (including the United States), we use the International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office (ICO)
  • We comply with both EU GDPR and UK GDPR requirements for UK residents' data

14.6 Your Rights Regarding International Transfers

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Obtain information about the countries to which your data is transferred
  • Receive a copy of the safeguards we have implemented (e.g., Standard Contractual Clauses)
  • Object to international transfers if you believe adequate safeguards are not in place

To exercise these rights or request more information, please contact us at hr@codynex.com.

14.7 Minimizing International Transfers

Where possible, we take steps to minimize international data transfers by:

  • Selecting service providers with data centers in the EEA/UK for processing EEA/UK resident data
  • Implementing data localization measures where technically feasible
  • Limiting the categories of data transferred to only what is necessary for the specified purpose
  • Regularly reviewing and updating our data transfer mechanisms to ensure compliance with evolving regulations

15. Third-Party Links

Our website may contain links to third-party websites, services, and social media platforms. We are not responsible for the privacy practices or content of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

Third-party websites may collect information about you, use cookies, or track your activities independently of Codynex. Any information you provide to third-party websites is governed by their respective privacy policies, not this Privacy Policy.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on our website with a revised "Last Updated" date
  • Sending you an email notification to the email address you have provided (for significant changes that materially affect your rights)
  • Displaying a prominent notice on our website (for material changes)
  • For changes requiring consent under GDPR, obtaining your renewed consent before the changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after changes are posted constitutes your acceptance of the revised Privacy Policy, unless the changes require your explicit consent.

Material Changes: If we make material changes that significantly affect your rights or how we process your personal data, we will provide at least 30 days' advance notice before the changes take effect.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Codynex

Privacy Contact (Preferred for Privacy Matters):

Email: hr@codynex.com


General Contact Information:

Email: info@codynex.com

Phone: +1 (281) 270-5900

Address: Katy, TX 77494, USA

Registered in Austin, Texas

For EEA, UK, and Swiss residents: If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. Please see Section 12.8 for contact information for supervisory authorities.

Response Time: We will respond to your inquiries within 30 days (or as required by applicable law). For complex matters, we may require additional time and will inform you of any extensions.

18. Consent

By using our website and services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.

Where required by applicable law, we will obtain your explicit, informed consent before processing your personal data for specific purposes. You have the right to withdraw your consent at any time by contacting us at hr@codynex.com. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.


© 2025 Codynex. All rights reserved.
