Privacy Policy
Last updated: March 2026
This Privacy Policy explains how Coda Web3 Creative Ltd. ("we", "us", "Coda One") collects, uses, and protects your information when you use codaone.ai ("the Service").
1. Analytics
We use Plausible Analytics, a privacy-friendly analytics tool. Plausible does not use cookies and does not collect personal data. We see aggregate page views and referrer data — nothing that identifies you personally.
Legal basis: Legitimate interest (understanding site usage to improve the Service).
2. Cookies
We use a single essential cookie for authentication:
codaone_session — A session identifier set when you log in. HttpOnly, Secure, SameSite=Lax. Expires after 30 days or when you log out. This cookie is strictly necessary for the Service to function for logged-in users and does not require consent under GDPR.
We do not use tracking cookies, advertising cookies, or any third-party cookies. Affiliate destination sites may set their own cookies when you click outbound links.
3. User Accounts
You may create an account using Google OAuth, Telegram Login, or email and password. When you create an account, we store the following in Cloudflare D1 (edge database):
- Profile data: email address, display name, avatar URL (from your OAuth provider, if applicable)
- Authentication: for email/password users, a salted PBKDF2 hash of your password (we never store plaintext passwords); for OAuth users, provider ID
- Sessions: server-side session records linked to your account, stored in D1
- Activity data: favorites, collections, reviews you write
Telegram Login: When you sign in with Telegram, we receive your Telegram user ID, first name, last name, username, and profile photo URL from Telegram's servers. Telegram does not provide your phone number or email address to us.
Legal basis: Contractual necessity (providing the Service you signed up for).
4. Email Subscribers
If you subscribe to our newsletter, we store your email address to send you updates about AI tools and pricing changes. You can unsubscribe at any time via the link in every email. We never sell or share your email with third parties.
Legal basis: Consent (you actively subscribe).
5. User-Generated Content (Reviews)
When you submit a review, the following is stored: your display name, star rating, review text, and submission date. Reviews are publicly visible and associated with your account.
We apply anti-spam measures: reviews from new accounts with low ratings may be held for moderation. Reviews with multiple community reports are automatically hidden pending review.
You can edit or delete your own reviews at any time. If you delete your account, all your reviews are permanently deleted.
Legal basis: Consent (you choose to submit reviews) and legitimate interest (maintaining content quality).
6. Contact Form & Tool Submissions
When you contact us or submit a tool, we store your name, email, and message content. Contact messages are retained for 12 months, then deleted. Tool submissions are retained as part of our directory operations.
Legal basis: Consent (you choose to contact us) and legitimate interest (operating the directory).
7. Affiliate Links
Some links on this site are affiliate links routed through /go/[tool-name]. We log aggregate click counts (not personally identifiable). The destination site may use cookies to track the referral, governed by their own privacy policy.
Legal basis: Legitimate interest (sustaining the Service through affiliate revenue).
8. Bot Protection
We use Cloudflare Turnstile on forms to prevent automated spam. Turnstile is a privacy-preserving alternative to CAPTCHA — it does not use cookies, does not collect personal data, and works by analyzing browser signals. Learn more at cloudflare.com/products/turnstile.
9. Security
We protect the Service using HTTPS, Content Security Policy headers, rate limiting, PBKDF2 password hashing (100,000 iterations), and HttpOnly session cookies. No security measure is perfect — if you believe your account has been compromised, contact us immediately.
10. Data Storage & International Transfers
Data is stored in Cloudflare D1 (edge database) and processed on Cloudflare's global network, which means your data may be processed in countries outside your country of residence, including countries outside the European Economic Area (EEA).
Cloudflare is certified under the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses for international transfers. For details, see Cloudflare's Privacy Policy.
11. Data Retention
- User accounts: until you delete your account
- Reviews: until you delete them or your account
- Newsletter subscriptions: until you unsubscribe
- Contact form messages: 12 months, then deleted
- Tool submissions: retained indefinitely as part of our directory
- Sessions: 30 days, or until you log out
- Analytics (Plausible): aggregated, no personal data retained
12. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data ("right to be forgotten")
- Restrict processing of your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time for consent-based processing
You can exercise most of these rights directly: delete your account from Dashboard settings, unsubscribe from emails, or delete your reviews. For other requests, contact [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO).
13. Your Rights (CCPA — California Residents)
If you are a California resident, you have the right to:
- Know what personal data we collect and how it is used
- Request deletion of your personal data
- Opt out of the sale of personal data — we do not sell personal data
- Non-discrimination for exercising your rights
Contact [email protected] to exercise these rights.
14. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us and we will delete it promptly.
15. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Articles 33 and 34.
16. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users or through a notice on the Service. The "Last updated" date at the top reflects the most recent revision.
17. Data Controller & Contact
The data controller is Coda Web3 Creative Ltd., registered in England and Wales.
For privacy-related inquiries: [email protected]
For general inquiries: Contact form or [email protected]