Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Coda One ("we", "us") collects, uses, and protects your information when you use codaone.ai ("the Service") and the Coda One Chrome extension.

1. Analytics

We use four analytics sources, each with a specific purpose:

  • First-party event tracking — our own endpoint /api/track records usage events (which tool was used, when a daily limit was hit, checkout intent, install and update events from the extension) into our database. Each event row stores the event name, event metadata (for example tool: "humanizer"), a salted hash of your IP address, user agent, referrer, and page path. We never record the text you process with the tools.
  • Plausible Analytics — privacy-friendly aggregate pageviews. Plausible does not use cookies and does not collect personal data.
  • Google Analytics 4 (GA4) — helps us understand acquisition channels and device breakdowns. GA4 runs with page_view auto-send disabled; we fire custom events for the same funnel signals described above. GA4 uses cookies (_ga, _gid) when present.
  • Ahrefs Web Analytics — complements Plausible with SEO-specific signals (organic search traffic, Core Web Vitals). Cookie-free.

None of these analytics sources receive the text you paste into our tools. Event payloads are metadata only (tool name, mode, plan tier, referrer, hashed IP).

Legal basis: Legitimate interest (understanding site usage to improve the Service).

2. Cookies

For full details, see our Cookie Policy. In summary, we use a single essential cookie for authentication:

  • codaone_session — A session identifier set when you log in. HttpOnly, Secure, SameSite=Lax. Expires after 30 days or when you log out. This cookie is strictly necessary for the Service to function for logged-in users and does not require consent under GDPR.

We do not use tracking cookies, advertising cookies, or any third-party cookies. Affiliate destination sites may set their own cookies when you click outbound links.

3. User Accounts

You may create an account using Google OAuth, Telegram Login, or email and password. When you create an account, we store the following in Cloudflare D1 (edge database):

  • Profile data: email address, display name, avatar URL (from your OAuth provider, if applicable)
  • Authentication: for email/password users, a salted PBKDF2 hash of your password (we never store plaintext passwords); for OAuth users, provider ID
  • Sessions: server-side session records linked to your account, stored in D1
  • Activity data: favorites, collections, reviews you write

Telegram Login: When you sign in with Telegram, we receive your Telegram user ID, first name, last name, username, and profile photo URL from Telegram's servers. Telegram does not provide your phone number or email address to us.

Legal basis: Contractual necessity (providing the Service you signed up for).

4. Email Subscribers

If you subscribe to our newsletter, we store your email address to send you updates about AI tools and pricing changes. You can unsubscribe at any time via the link in every email. We never sell or share your email with third parties.

Legal basis: Consent (you actively subscribe).

5. User-Generated Content (Reviews)

When you submit a review, the following is stored: your display name, star rating, review text, and submission date. Reviews are publicly visible and associated with your account.

We apply anti-spam measures: reviews from new accounts with low ratings may be held for moderation. Reviews with multiple community reports are automatically hidden pending review.

You can edit or delete your own reviews at any time. If you delete your account, all your reviews are permanently deleted.

Legal basis: Consent (you choose to submit reviews) and legitimate interest (maintaining content quality).

6. Contact Form & Tool Submissions

When you contact us or submit a tool, we store your name, email, and message content. Contact messages are retained for 12 months, then deleted. Tool submissions are retained as part of our directory operations.

Legal basis: Consent (you choose to contact us) and legitimate interest (operating the directory).

7. Payment Processing

We use Stripe to process subscription payments. When you subscribe to a paid plan:

  • What Stripe receives: your name, email, payment card details, and billing address
  • What we store: Stripe customer ID, subscription ID, plan type, and billing status — we do not store your full card number, CVV, or other sensitive payment data
  • What Stripe stores: your payment method details are stored securely on Stripe's PCI DSS Level 1 certified infrastructure

Stripe may use your data in accordance with their Privacy Policy. We share only the minimum data necessary to process your payments.

Legal basis: Contractual necessity (processing payments for the Service you subscribed to).

8. Affiliate Links

Some links on this site are affiliate links routed through /go/[tool-name]. We log aggregate click counts (not personally identifiable). The destination site may use cookies to track the referral, governed by their own privacy policy.

Legal basis: Legitimate interest (sustaining the Service through affiliate revenue).

9. Chrome Extension

The Coda One Chrome extension runs locally in your browser and only contacts https://www.codaone.ai. It requests the following permissions:

  • activeTab — read the current tab's selected text when you right-click or press a keyboard shortcut, so the selected text can be sent to the chosen tool.
  • contextMenus — show the "Coda One" submenu inside the right-click menu.
  • storage — remember your preferred translate language, last-used writing mode, daily usage counter (for the popup display), and a short-lived cache of your Coda One plan tier so paid users don't see a free-tier counter inside the extension.
  • scripting — read the selected text via keyboard shortcut from any page.
  • host_permissions: https://www.codaone.ai/* — the only network destination the extension talks to.

What the extension sends to our servers:

  • The text you select and run a tool on (Humanize, Grammar, Detect, Translate) is sent over HTTPS to /api/tools/* for processing and is not stored after the response is returned.
  • Anonymous usage events (tool name, whether a daily limit was hit, when you opened the popup, install and update signals) are sent to /api/track. These events contain metadata only — the text you process is never part of an event payload.
  • If you are logged in to codaone.ai in the same browser profile, the extension will read your session cookie so the popup can show your paid plan status. No token or cookie leaves codaone.ai's domain.

What the extension never sends:

  • The full HTML or text of the pages you visit.
  • Your browsing history.
  • Anything at all when you use Word Count — that tool runs entirely locally in your browser.

Remove the extension at any time from chrome://extensions/. Removal clears all extension-local storage (counters, preferences, plan cache).

10. Bot Protection

We use Cloudflare Turnstile on forms to prevent automated spam. Turnstile is a privacy-preserving alternative to CAPTCHA — it does not use cookies, does not collect personal data, and works by analyzing browser signals. Learn more at cloudflare.com/products/turnstile.

11. Security

We protect the Service using HTTPS, Content Security Policy headers, rate limiting, PBKDF2 password hashing (100,000 iterations), and HttpOnly session cookies. No security measure is perfect — if you believe your account has been compromised, contact us immediately.

12. Data Storage & International Transfers

Data is stored in Cloudflare D1 (edge database) and processed on Cloudflare's global network, which means your data may be processed in countries outside your country of residence, including countries outside the European Economic Area (EEA).

Cloudflare is certified under the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses for international transfers. For details, see Cloudflare's Privacy Policy.

13. Data Retention

  • User accounts: until you delete your account
  • Reviews: until you delete them or your account
  • Newsletter subscriptions: until you unsubscribe
  • Contact form messages: 12 months, then deleted
  • Tool submissions: retained indefinitely as part of our directory
  • Sessions: 30 days, or until you log out
  • Payment records: retained as long as your account exists or as required by tax/legal obligations
  • First-party event records (page_events): kept for 18 months, then purged. Contains hashed IP, user agent, referrer, page path, event name, and event metadata — never the text you processed.
  • Plausible Analytics: aggregated, no personal data retained
  • Google Analytics 4: GA4 default retention (14 months), then auto-purged
  • Ahrefs Web Analytics: aggregated, no personal data retained

14. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the right to:

  • Access your personal data
  • Rectify inaccurate personal data
  • Erase your personal data ("right to be forgotten")
  • Restrict processing of your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time for consent-based processing

You can exercise most of these rights directly: delete your account from Dashboard settings, unsubscribe from emails, or delete your reviews. For other requests, contact [email protected]. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

15. Your Rights (CCPA — California Residents)

If you are a California resident, you have the right to:

  • Know what personal data we collect and how it is used
  • Request deletion of your personal data
  • Opt out of the sale of personal data — we do not sell personal data
  • Non-discrimination for exercising your rights

Contact [email protected] to exercise these rights.

16. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us and we will delete it promptly.

17. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Articles 33 and 34.

18. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users or through a notice on the Service. The "Last updated" date at the top reflects the most recent revision.

19. Data Controller & Contact

The data controller is Coda Web3 Creative Ltd, a company registered in the United Kingdom, operating the Coda One service at codaone.ai.

For privacy-related inquiries: [email protected]
For general inquiries: Contact form or [email protected]