Privacy Policy — EU / EEA / UK
This Privacy Policy explains how we process personal data when you visit kodel.ai ("the Site") or subscribe to Kodel product updates from the European Union, European Economic Area, or United Kingdom. It is written to comply with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
1. Data controller
The data controller responsible for your personal data is:
- Yury Tyurin, trading as an autónomo (self-employed) in Spain
- Email: [email protected]
- Place of establishment: Spain. NIF/Identification number available on request to the email above.
We expect to migrate the controller role to a Delaware (USA) C-Corporation operating under the Kodel brand before public launch. We will publish an updated version of this Policy and, where required, notify existing subscribers before that change takes effect.
2. What personal data we collect
When you subscribe to product updates through the form on the Site, we collect:
- Email address — provided directly by you.
- Consent record — the time you ticked the consent box, the IP address from which you submitted the form, the version of this Privacy Policy you accepted, and which regional policy was shown to you.
- Country and region — derived from your IP address at the moment of submission, via Cloudflare's edge geolocation. We do not store your IP address beyond the consent record.
- Campaign attribution — UTM parameters (
utm_source,utm_medium,utm_campaign) present in the URL, if any. - Submission metadata — the source URL and page title at the moment of submission.
We also use a privacy-friendly, cookieless analytics tool to count page views, referrers, country (country-level only), and aggregate events such as "subscribe submitted". This analytics does not identify you and does not store cookies. We do not build profiles, run behavioural advertising, or sell data.
3. Why we process this data (purposes & legal bases)
- To send you product updates you asked for — legal basis: your consent (Article 6(1)(a) GDPR). You can withdraw consent at any time.
- To prove your subscription was lawfully obtained — legal basis: our legitimate interest in maintaining a defensible audit trail (Article 6(1)(f) GDPR) and compliance with our accountability obligations (Article 5(2) GDPR).
- To run, secure, and improve the Site — legal basis: our legitimate interest in operating a functioning service (Article 6(1)(f) GDPR). We use aggregate, non-identifying analytics for this purpose.
4. Who receives your data (processors)
We share your personal data only with the service providers we need to operate the subscription, and only to the extent necessary. Each acts as a processor under a written data processing agreement:
- Cloudflare, Inc. — hosting of the Site and the subscription database (Cloudflare Pages, Workers, D1). Cloudflare provides EU data residency options where available and is certified under the EU-US Data Privacy Framework.
- Resend (Resend, Inc.) — sends the confirmation email and subsequent product updates. Resend processes your email address and basic delivery metadata.
Some of these providers may transfer data outside the EU/EEA. Where they do, transfers are protected by the European Commission's Standard Contractual Clauses and/or the EU-US Data Privacy Framework.
5. How long we keep your data
- Confirmed subscribers — we keep your email and consent record until you unsubscribe, plus an additional period of up to 12 months thereafter as proof that the unsubscribe was honoured.
- Unconfirmed subscriptions — if you do not click the confirmation link within 30 days, we delete the pending record automatically.
- Aggregate analytics — retained for up to 24 months.
6. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to processing;
- portability of the data you provided to us;
- withdraw your consent at any time (this does not affect the lawfulness of processing carried out before the withdrawal);
- lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (www.aepd.es); in the UK, the Information Commissioner's Office (ico.org.uk); or the supervisory authority of your country of residence.
To exercise any of these rights, email [email protected]. You can also unsubscribe at any time using the link in any product update email — this acts as a withdrawal of consent.
7. Automated decision-making
We do not make any automated decisions that produce legal or similarly significant effects about you.
8. Children
The Site is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age.
9. Changes to this Policy
We may update this Policy as Kodel evolves (for example, when we migrate the controller to a corporate entity, add a new processor, or change retention periods). We will update the version number and effective date above. For material changes that affect existing subscribers, we will notify you by email before the change takes effect.
10. Contact
Questions or complaints: [email protected].