Privacy Policy
Heksis, MB — Kodan
Effective date: 2026-02-21 | Last updated: 2026-02-21
1. Introduction
Heksis, MB ("we", "us", or "our") operates Kodan ("the Service"). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable EU member state law.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have. Please read it carefully.
Data Controller: Heksis, MB
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
Contact: support@kodan.dev
2. Data We Collect
We collect the following categories of personal data:
2.1 Account & Identity Information
- Full name
- Email address
- Password (stored in hashed form; never stored in plaintext)
2.2 Billing & Payment Information
We collect payment information to process subscriptions. Payment card details are processed exclusively by our third-party payment provider and are not stored on our servers. We retain transaction records (amount, date, plan) for accounting and legal compliance purposes.
2.3 Usage & Analytics Data
- Features used and actions taken within the Service
- Session duration and frequency of use
- Error logs and performance diagnostics
- Device type, browser, and operating system
- IP address
2.4 Cookies & Tracking Technologies
We use cookies and similar technologies for authentication, session management, and analytics. You can manage cookie preferences through your browser settings or our cookie consent interface.
2.5 Third-Party Integration Data
Kodan allows you to connect third-party services such as GitHub, Gmail, Slack, Discord, Jira, and others (the list of supported integrations continues to grow). When you authorise a connection, we access data from that service solely to deliver the functionality you have requested.
- Integration connection data (tokens, credentials, configuration) is retained for as long as the connection remains active.
- Upon removal of a connection, all related data is permanently deleted within 48 hours.
- Derived data produced from integration data (e.g. summaries, generated artefacts) is retained for up to 7 days and then automatically deleted.
- Deleting a project or organisation triggers immediate deletion of all data associated with it, including any derived data.
3. Legal Basis for Processing
Under the GDPR, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): to provide and manage your account and subscription
- Legitimate interests (Article 6(1)(f)): to improve, secure, and monitor the Service
- Consent (Article 6(1)(a)): for non-essential cookies and certain tracking, where required
- Performance of a contract / Consent: for each integration, on the basis of your explicit authorisation
- Legal obligation (Article 6(1)(c)): where required by law (e.g. tax and accounting records)
4. How We Use Your Data
We use your personal data to:
- Create and manage your Kodan account
- Provide, operate, and improve Kodan
- Process payments and manage your subscription
- Power the third-party integrations you have authorised
- Monitor usage patterns and diagnose technical issues
- Communicate with you about your account, updates, and support requests
- Comply with our legal obligations
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with third-party service providers ("data processors") that help us operate the Service. All such providers are bound by Data Processing Agreements (DPAs) and are permitted to process your data solely on our behalf and in accordance with our instructions.
Our current sub-processors:
- OpenAI: OpenAI processes user-submitted content and queries through their LLM and embedding APIs, which may include personal data entered by users.
- Google: Google processes user-submitted content through their LLM and embedding APIs, and may store data as part of their cloud infrastructure services.
- Stripe: Stripe processes payment information, billing details, and subscription data on our behalf.
- Vercel: Vercel hosts our web application and processes request data, including IP addresses and usage metadata, as part of their hosting infrastructure.
- GitHub: GitHub stores our source code repositories, which may incidentally contain personal data.
- DigitalOcean: DigitalOcean provides cloud infrastructure on which we store and process application data, which may include personal data.
- Recall.ai: Recall.ai operates meeting bots that join calls on our behalf, capturing audio, video, and transcriptions which may contain personal data of meeting participants.
We may add or change sub-processors from time to time. We will notify you of material changes to this list.
We may also disclose personal data where required by applicable law, court order, or regulatory authority, or where necessary to protect the rights, safety, or property of Heksis, MB, its users, or the public.
6. International Data Transfers
Heksis, MB is established in the EU. Where any service provider processes personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place — such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law:
- Account data is retained for the duration of your account and deleted within 30 days of account closure.
- Payment transaction records are retained for 5 years to satisfy accounting and tax obligations.
- Integration connection data is deleted within 48 hours of connection removal.
- Derived data (summaries, artefacts) is deleted within 7 days of generation, or immediately upon user-initiated deletion.
- Project and organisation data is deleted within 48 hours of user-initiated deletion.
- Usage and analytics data is retained for 30 days and then anonymised or deleted.
8. Your Rights Under the GDPR
As a data subject, you have the following rights:
- Right of access: to obtain a copy of the personal data we hold about you
- Right to rectification: to correct inaccurate or incomplete data
- Right to erasure: to request deletion of your data, subject to legal retention obligations
- Right to restriction of processing: to restrict how we process your data in certain circumstances
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format
- Right to object: to object to processing based on legitimate interests
- Rights related to automated decision-making: we do not make solely automated decisions with significant legal or similarly significant effects on you
To exercise any of these rights, please contact us at support@kodan.dev. We will respond within 30 days as required by the GDPR.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. These include:
- Encryption of data in transit (TLS) and at rest
- Hashed password storage
- Access controls and the principle of least privilege
- Regular security reviews and monitoring
10. Children's Data
The Service is not directed at children under the age of 16 (or such lower age as permitted by the applicable EU member state). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@kodan.dev and we will take prompt steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice within the Service prior to the change taking effect. The "Last updated" date at the top of this document reflects the most recent revision.
Your continued use of the Service after the effective date of any update constitutes your acknowledgement of the revised policy.
12. Contact & Supervisory Authority
For any questions or concerns about this Privacy Policy or our data practices, please reach out:
Heksis, MB
Email: support@kodan.dev
Registered address: V. Nagevičiaus g. 3, LT-08237 Vilnius
You also have the right to lodge a complaint with your national data protection supervisory authority. As a company established in Lithuania, the relevant authority is:
State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)
Website: https://vdai.lrv.lt
Email: ada@ada.lt