This Privacy Policy explains how Nova Group Sp. z o.o. processes personal data in connection with CodexFlow, the website at https://codexflow.io, and related checkout, license, delivery, support, analytics, security, and marketing operations.
1. Controller
The controller of personal data is:
Nova Group Sp. z o.o.
Żurawia 6/12 Lok. 745
00-503 Warszawa, Poland
Tax ID / VAT ID: PL7011215529
KRS: 0001117840
REGON: 529224431
Website: https://codexflow.io
Privacy contact: privacy@codexflow.io
Support contact: support@codexflow.io
2. Scope
This Policy applies when you visit the website, interact with CodexFlow pages, create or access an account, purchase or evaluate a digital product, receive a license or activation file, download protected materials, contact support, consent to analytics or marketing cookies, or communicate with CodexFlow.
CodexFlow is a developer workflow product. Unless expressly requested for support, you should not send repository secrets, passwords, private keys, card data, credentials, confidential customer data, or unnecessary sensitive personal data.
3. Categories of personal data
CodexFlow may process the following categories of personal data:
- identification and contact data, such as name, email address, company name, VAT number, and billing details;
- account and authentication data, such as account identifiers, login session data, access status, and security events;
- order and payment-related data, such as selected tier, price, currency, payment status, transaction identifiers, tax status, invoice data, refund status, and dispute status;
- license and fulfillment data, such as license tier, activation status, access token metadata, signed activation records, download records, hashes, manifest access, access timestamps, and evidence snapshots;
- technical data, such as IP address, device identifiers, browser type, operating system, approximate location inferred from IP, logs, timestamps, referrer, and security signals;
- website usage data, such as page views, consent choices, conversion events, product interactions, docs visits, and checkout funnel events;
- support data, such as messages, attachments, issue history, refund requests, complaint records, and responses;
- marketing and advertising data, such as campaign source, ad click identifiers, consent status, remarketing eligibility, and conversion metadata where permitted;
- compliance and fraud-prevention data, such as risk signals, audit logs, payment-provider metadata, and security records.
4. Purposes and legal bases
CodexFlow processes personal data for the following purposes:
| Purpose | Examples | Legal basis |
|---|---|---|
| Providing the website and digital product | account access, secure customer page, license delivery, activation file, payload access, install documentation | performance of a contract or steps before a contract |
| Processing orders and payments | checkout, payment confirmation, invoices, refunds, disputes, payment evidence | performance of a contract, legal obligation, legitimate interests |
| License and access management | tier rights, activation, secure downloads, access revocation, evidence logs | performance of a contract, legitimate interests |
| Customer support and complaints | responding to support, access, refund, and complaint requests | performance of a contract, legitimate interests, legal obligation |
| Tax, accounting, and compliance | invoices, accounting records, VAT records, statutory retention | legal obligation |
| Security and fraud prevention | abuse detection, access logs, suspicious payment handling, incident response | legitimate interests, legal obligation |
| Analytics and product measurement | traffic measurement, funnel analysis, aggregate performance statistics | consent where required; legitimate interests for strictly necessary or privacy-preserving measurement where lawful |
| Advertising and remarketing | Google Ads conversion tracking, remarketing, campaign performance | consent where required |
| Consent management | recording and honoring cookie and tracking choices | legal obligation, legitimate interests |
| Legal claims and enforcement | chargeback evidence, dispute handling, license misuse response | legitimate interests, legal obligation |
5. Payment processing
CodexFlow does not store full card details. Payments may be processed by Stripe, Worldline, or another payment provider shown at checkout. Payment providers may collect and process card details, payment authentication data, fraud-prevention data, billing data, transaction identifiers, and compliance records.
Payment providers may act as processors for some activities and as independent controllers for activities they determine themselves, such as payment security, fraud prevention, compliance, reporting, and legal obligations.
6. Analytics, advertising, and consent tools
CodexFlow may use Cookiebot CMP, Google Consent Mode v2, GA4, Google Ads conversion tracking and remarketing, Plausible Analytics, PostHog, Clerk, Stripe, Worldline, and similar tools.
Where consent is required, analytics, advertising, remarketing, and non-essential storage are used only according to your consent choices. You can change or withdraw consent by reopening the cookie settings widget available on the website.
Google Consent Mode v2 may send consent signals to Google services, including consent status for analytics storage, advertising storage, ad user data, and ad personalization, depending on configuration and your choices.
7. Cookies and local storage
The website uses cookies and similar technologies for essential website operation, consent management, authentication, payment security, analytics, advertising, fraud prevention, and support of digital delivery. Details are provided in the Cookies Policy.
8. Recipients and processors
Personal data may be shared with:
- payment providers, including Stripe and Worldline;
- authentication and account providers, including Clerk where enabled;
- consent management providers, including Cookiebot;
- analytics and advertising providers, including Google, Plausible, and PostHog where enabled;
- hosting, database, storage, security, logging, and infrastructure providers;
- email and transactional messaging providers;
- customer support, accounting, legal, tax, compliance, and fraud-prevention service providers;
- public authorities, courts, payment schemes, banks, or regulators where legally required;
- professional advisers and service providers supporting CodexFlow operations.
Data is shared only where needed for the purposes described in this Policy.
9. International transfers
Some providers may process data outside the European Economic Area. Where required, CodexFlow relies on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, transfer impact assessments, supplementary security measures, or another lawful transfer mechanism.
10. Retention periods
CodexFlow keeps personal data only as long as needed for the purpose for which it was collected, unless a longer period is required or permitted by law.
| Data category | Typical retention |
|---|---|
| Account data | for the life of the account and a reasonable period after closure |
| Order, invoice, and accounting records | for the period required by tax and accounting law, usually at least 5 years from the end of the relevant tax year |
| License, activation, fulfillment, and access evidence | for the license period and limitation periods for claims, refunds, chargebacks, and disputes |
| Payment, refund, and dispute metadata | for payment-provider, accounting, anti-fraud, and legal-claim periods |
| Support and complaint correspondence | for the time needed to handle the case and limitation periods for related claims |
| Security logs | typically 6 to 24 months, unless longer retention is needed for investigation or legal claims |
| Analytics data | according to tool settings and consent choices, commonly 13 to 24 months |
| Marketing consent and cookie consent records | for as long as needed to prove and respect consent choices |
| Newsletter or marketing contact data | until consent is withdrawn or objection is made, unless retention is needed to prove compliance |
11. Data subject rights
Subject to conditions under GDPR and applicable law, you may have the right to:
- access your personal data;
- receive a copy of your data;
- correct inaccurate data;
- request erasure of data;
- restrict processing;
- object to processing based on legitimate interests;
- withdraw consent where processing is based on consent;
- request data portability;
- object to direct marketing;
- lodge a complaint with a supervisory authority.
To exercise these rights, contact privacy@codexflow.io. CodexFlow may need to verify your identity before acting on a request.
12. Complaint to supervisory authority
If you believe your data protection rights have been violated, you may lodge a complaint with the President of the Personal Data Protection Office in Poland.
13. Automated decision-making
CodexFlow does not intend to make decisions based solely on automated processing that produce legal effects or similarly significant effects for customers.
Payment providers, fraud-prevention tools, advertising systems, and security tools may use automated risk or eligibility signals. These tools support payment security, fraud prevention, ad measurement, and platform integrity.
14. Security
CodexFlow applies administrative, technical, and organizational measures designed to protect personal data, including access controls, protected delivery flows, hashed or masked identifiers where appropriate, logging, secure payment-provider handling, and restricted access to operational systems.
No internet service can guarantee absolute security. Customers should protect their own accounts, devices, repositories, access links, activation files, and secrets.
15. Children
CodexFlow is intended for developers and business or individual users capable of entering into a contract. It is not directed to children.
16. Changes to this Policy
CodexFlow may update this Privacy Policy when the website, product, providers, legal obligations, or data practices change. The current version is identified by the date at the top of this page.