Legal

Privacy Policy

Effective date: 25 March 2026  ·  Kodepo

This policy is written in plain language. It describes what personal data Kodepo collects, why we collect it, how we protect it, and what rights you have over it — regardless of where you are in the world.

Who we are

Kodepo is a trust evaluation platform for application software. When this policy says "we", "us", or "Kodepo", it refers to the entity operating kodepo.com. We determine the purpose and means of processing your personal data and are responsible for it.

For any privacy-related queries, reach us at privacy@kodepo.com.

What data we collect and why

We only collect data you explicitly provide to us. We do not use cookies, tracking pixels, or third-party analytics tools.

  • Early access requests: your first name, last name, work email, company name, and use case. We use this to evaluate your request, get in touch, and manage our waitlist.
  • Contact messages: your email address and the message you write to us. We use this solely to respond to your enquiry.
  • Account registration and login: when you create an account, we store your email address and authenticate you via a third-party identity provider (such as Google or GitHub). We do not store passwords. We also store session tokens to keep you signed in, and usage logs to maintain an audit trail of activity within your account — for example, which evaluations were run and when. These logs exist for security and operational integrity, not for marketing or profiling.

We do not collect sensitive personal data such as financial information, health data, or government identifiers.

Data we process on your behalf

When you submit an application for evaluation, Kodepo reads and analyses the source code and dependency files from the repository you connect. This data is not personal data in the usual sense — it belongs to your organisation — but we want to be explicit about how we handle it.

  • Source code and dependencies: read in full during the evaluation run and discarded immediately after. We do not store, index, or train on your code.
  • AI-assisted analysis: parts of the evaluation are processed using OpenAI's API. This may involve sending code snippets or derived analysis to OpenAI's servers. OpenAI does not use API data to train its models, and retains it only transiently for abuse monitoring — consistent with standard practice across cloud API providers.
  • Evaluation reports: the structured output of each evaluation is stored indefinitely and linked to your account. You can access and delete these reports at any time from within the product. With your explicit consent, a summarised version of a report — covering trust scores and overall verdict, without individual findings — can be shared with another organisation on Kodepo as part of vendor attestation. You control this sharing and can revoke consent at any time.

We do not share your code or the detailed findings in your evaluation reports with any third party. The CRM tool mentioned below only receives the personal data from your account and forms — never your repository content or report details.

Our basis for processing your data

We process your personal data on the basis of consent. By submitting the early access or contact form, you consent to us processing your data for the purposes described above. You may withdraw this consent at any time by writing to us at privacy@kodepo.com — we will stop processing and delete your data within 30 days.

How we store and protect your data

Your data is stored on servers located in India. We apply reasonable technical and organisational safeguards to protect it from unauthorised access, loss, or disclosure — including access controls and encrypted storage where applicable.

We retain your data only for as long as necessary to fulfil the purpose it was collected for. Once that purpose is met, or upon your request, we delete it within 30 days.

Third parties we share data with

Form submissions pass through Formspark, a form backend service, which receives and forwards the data to us. We then store and organise it in a CRM tool. These are the only third parties your data is shared with. We do not sell, rent, or trade your personal data to anyone, for any purpose.

Any tool we use is required to handle your data under terms consistent with this policy. If we change either provider, we will update this page.

Your rights

Regardless of where you are located, you have the following rights over your personal data:

  • Access: you can ask us what personal data we hold about you.
  • Correction: you can ask us to correct inaccurate or incomplete data.
  • Erasure: you can ask us to delete your personal data. We will do so within 30 days unless we are legally required to retain it.
  • Restriction: you can ask us to stop processing your data while a dispute is resolved.
  • Portability: you can ask us to provide your data in a commonly used, machine-readable format.
  • Objection: you can object to our processing at any time, and we will stop unless we have a compelling legitimate reason to continue.

To exercise any of these rights, write to us at privacy@kodepo.com. We will respond within 30 days. We will never charge a fee for handling these requests.

Changes to this policy

If we make material changes, we will update the effective date at the top of this page. For changes that significantly affect how we use your data, we will notify you by email if we hold your contact details.

Contact us

For privacy queries or to exercise your rights:

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction.