Codex
Sign in

Privacy Policy

Last updated: 29 April 2026 · Version 1.0

This Privacy Policy explains how Codex ("we", "us") collects, uses, stores and shares personal data of visitors and registered users. We act as a data controller under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Who we are

Codex operates a wellness marketplace connecting clients with coaches, studios, and wellness products. Contact: privacy@thecodex.world.

Because we are established outside the EU but offer services to EU/UK data subjects, we have appointed an EU representative under Article 27 GDPR. Contact details for the representative are available on request via the email above.

2. What we collect

  • Account data: name, email, password hash, role.
  • Profile data: bio, photo, location, social handles.
  • Booking & payment data: bookings, orders, invoices. Card data is held by Stripe — we never see full card numbers.
  • Content you submit: messages, reviews, intake answers.
  • Technical data: IP-derived country, browser, device, pages viewed.
  • Consent records: your cookie and marketing choices, with timestamps.

3. Why we use it (lawful bases)

  • Contract (Art. 6(1)(b)): creating your account, processing bookings and payments.
  • Legitimate interest (Art. 6(1)(f)): securing the service, preventing fraud, contacting wellness professionals about joining the platform via publicly available business contact details.
  • Consent (Art. 6(1)(a)): marketing emails, analytics cookies, marketing cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, anti-money-laundering.

4. Who we share with (sub-processors)

We share data only with vetted sub-processors under data processing agreements:

  • Supabase (hosting, database, authentication) — EU region
  • Stripe (payment processing) — global
  • Lovable Cloud / Cloudflare (hosting, edge runtime) — global
  • Resend / Lovable Email (transactional email) — global
  • Google Workspace (operations email) — global
  • OpenAI, Google AI, Anthropic (AI matching & enrichment) — global, no training on your data

5. International transfers

Some sub-processors are located outside the EU/UK. Where required, transfers are protected by the European Commission's Standard Contractual Clauses or an adequacy decision.

6. Retention

  • Account data: until you delete your account.
  • Booking and payment records: 7 years (tax law).
  • Marketing data: until you unsubscribe + 30 days.
  • Consent records: 3 years.
  • Audit logs: 12 months.
  • Outreach prospect data: deleted after 90 days of no engagement, or 7 days after opt-out.

7. Your rights

Under GDPR you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with your supervisory authority

Most rights can be exercised directly at /account/privacy. For anything else, email privacy@thecodex.world — we respond within 30 days.

8. Cookies

See our Cookie Policy.

9. Security

Data is encrypted in transit (TLS) and at rest. Access is row-level restricted and admin actions on user data are logged. We notify the relevant authority within 72 hours of becoming aware of a personal data breach where required.

10. Children

Codex is not intended for users under 16. We do not knowingly collect data from children.

11. Changes

Material changes will be announced on this page and, where required, by email. The version date at the top reflects the latest revision.