1. Overview
This Privacy Policy explains how cloudscode ("we", "us", "our") collects, uses, stores, and shares personal data when you use cloudscode.com or any of our hosted services (the "Service"). It applies to everyone who visits our website, signs up for an account, or uses our cloud terminal.
We are a small team. We collect only what we need to run the Service, never sell personal data to third parties, and treat your information as if it were our own. If anything below is unclear, email privacy@cloudscode.com and a human will reply.
The short version: we collect your email + name (sign-in), basic usage analytics (aggregate), and what you type into your own cloud terminal (stored only in your dedicated container). We never sell, never train AI on your prompts, never read your code. You can export or delete everything in one click.
2. Information We Collect
2.1 Account information
When you sign in via Google OAuth, we receive your email address and display name from Google. We do not receive your Google password. We store your tenant subdomain, plan tier, and account creation timestamp in our control-plane database.
2.2 Usage data
We log aggregate Service activity to keep the Service running, prevent abuse, and improve reliability. This includes:
- API request paths, response codes, and timestamps (no request bodies)
- Container start/stop events and resource usage (CPU, memory, disk)
- Approximate geolocation derived from IP address (country + region only)
- Browser user-agent string for compatibility diagnostics
We do not log the contents of terminal sessions, the code you write, the files in your container, or the prompts you send to AI models.
2.3 Payment information
We do not currently process payments. The Service is free during MVP. No card numbers, no billing addresses, and no payment metadata are collected. If we introduce paid tiers in the future, we will update this policy at least 30 days in advance and any future processor will be PCI-compliant.
2.4 Communications
If you email us or fill out a form, we keep that correspondence for as long as needed to support you, plus a reasonable retention window for our records.
3. How We Use It
We use personal data only for these purposes:
- Provide the Service: authenticate sign-ins, provision your dedicated container, route API requests to your tenant.
- Keep the Service safe: detect abuse, throttle obvious attacks, investigate security incidents.
- Operate the business: send transactional emails (sign-in links, security alerts). The Service is currently free; no billing emails are sent.
- Improve reliability: aggregate metrics that show us where the Service is slow or broken.
- Comply with law: respond to lawful requests from authorities, but only when legally required.
We never use your data, prompts, code, or terminal sessions to train AI models — ours or anyone else's. We do not sell or rent personal data. We do not share it with advertisers.
4. Data Retention
We keep data only as long as we need it:
- Account data: for the lifetime of your account, plus 30 days after deletion to handle billing reconciliation.
- Container filesystem: for as long as your account is active. When you delete your account, your container and all volumes are destroyed within 30 days.
- Aggregate usage logs: 90 days, then automatically purged.
- Audit logs (security events): 12 months, then automatically purged.
- Backups: rolling 30-day window in Cloudflare R2 (region-pinned). Backups follow the same deletion timeline.
- Email correspondence: 24 months unless you ask us to delete sooner.
5. Cookies
We use the smallest possible set of cookies. We do not use third-party advertising cookies, cross-site trackers, or fingerprinting.
- Strictly necessary: session cookie to keep you signed in (HttpOnly, Secure, SameSite=Lax).
- Preference: a local storage entry (cc-theme) that remembers light/dark mode. This is not transmitted to our servers.
- No analytics cookies on the marketing site. We rely on edge-side aggregate metrics only.
You can disable cookies in your browser, but the sign-in flow will not work without the session cookie.
6. Third-Party Services
To run the Service, we rely on a deliberately small set of subprocessors. Each one is bound by a written data-processing agreement and inherits its own audited certifications. The current list:
- Cloudflare — edge proxy, DNS, TLS termination, Workers, D1, KV, R2 storage. SOC 2 Type II, ISO 27001, GDPR. Touches encrypted HTTP traffic and tenant metadata.
- Hetzner Cloud — compute infrastructure (Singapore, EU, US). SOC 2 Type II, ISO 27001, GDPR. Hosts your dedicated container and named volumes.
- Google (OAuth) — sign-in only. We receive your email and display name; we never receive your Google password. SOC 2 Type II, ISO 27001, GDPR.
- Resend — transactional email delivery (sign-in links, security alerts, billing notices). SOC 2 Type II, GDPR. Receives your email address and message body.
A complete, always-current list of subprocessors with their roles, regions, and certifications lives at cloudscode.com/compliance. We commit to 14 days' advance notice before adding or changing a subprocessor.
7. Your Rights
Depending on where you live, you have legal rights over your personal data. We honor these rights regardless of jurisdiction — we believe everyone deserves the same protections.
7.1 GDPR (European Economic Area, UK, Switzerland)
- Right of access: request a copy of all personal data we hold about you.
- Right to rectification: correct inaccurate data we hold about you.
- Right to erasure ("right to be forgotten"): delete your account and all associated data within 30 days.
- Right to data portability: export your container, audit logs, and account metadata in a machine-readable format.
- Right to restrict processing: ask us to pause processing of your data while a complaint is reviewed.
- Right to object: object to processing based on legitimate interests.
- Right to lodge a complaint: with your local supervisory authority.
7.2 CCPA / CPRA (California)
- Right to know: what personal information we collect, use, disclose, and the categories of third parties we share with.
- Right to delete: request deletion of personal information we collected from you.
- Right to correct: correct inaccurate personal information.
- Right to opt-out of sale or sharing: we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right is yours.
- Right to non-discrimination: we will not deny service, charge different prices, or provide a different quality of service because you exercised your rights.
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes outside what is reasonably necessary to provide the Service.
7.3 How to exercise your rights
Email privacy@cloudscode.com from the address associated with your account. We respond within 30 days. We will never ask for unnecessary verification documents — confirming control of the account email is enough for most requests.
8. International Transfers
cloudscode operates infrastructure in Singapore, the European Union (Falkenstein, Helsinki), and the United States (Ashburn). When you sign up, your data is pinned to the region you choose and stays there.
Our control-plane database (Cloudflare D1) replicates tenant metadata across Cloudflare's global edge to keep sign-ins fast. Where personal data leaves your home region, transfers are governed by:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries without an adequacy decision.
- UK International Data Transfer Addendum for transfers from the UK.
- Subprocessor certifications (Cloudflare, Hetzner, Google) that include their own GDPR-compliant transfer mechanisms.
A copy of our Data Processing Agreement (DPA), including SCCs, is available at cloudscode.com/dpa.
9. Children's Privacy
cloudscode is a developer tool not directed at children. The Service is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe a child has provided us with personal data, email privacy@cloudscode.com and we will delete it.
10. Changes to Policy
We may update this Privacy Policy when our practices change, when we add a subprocessor, or when laws change. When we make a material change:
- We update the "Last updated" date at the top of this page.
- We email all account holders at least 14 days before the change takes effect.
- For minor edits (typo fixes, clarifications that do not change practices), we update the date without an email.
Older versions are kept in our public Git history at github.com/cloudscode. You can diff any two versions to see exactly what changed.
11. Contact
Questions, complaints, or requests about this Privacy Policy:
- Email: privacy@cloudscode.com
- General contact: hello@cloudscode.com
- Mailing address: available on request via email
If you are in the EEA or UK and feel we have not addressed your concern, you may also lodge a complaint with your local supervisory authority. We hope you will give us a chance to resolve it first — we read every email.