Privacy Policy

Effective date: 27 April 2026

This Privacy Policy explains how chatcode.dev (the “Service”) collects and uses personal data, what choices you have, and how we keep that data safe. It's written to be human-friendly while still covering the requirements of the EU General Data Protection Regulation (GDPR) and other relevant rules for AI-enabled services.

If you only read one section, read “Key points” below.

Key points

  • We collect only what we need to operate the Service.
  • Your code lives on your VPS, not on our servers. We do not store your repositories.
  • We do not store your private SSH keys. Optional time-limited support access uses a public key you grant from the dashboard.
  • The control plane today acts as a trusted relay for terminal traffic – see “What we can technically see”.
  • We do not sell your data.
  • You can access, correct, export, or delete your personal data, subject to legal and operational limits.

Who we are

Controller: Holy Traction OÜ
Address: Sepapaja tn 6, 15551 Tallinn, Estonia
Email: privacy@chatcode.dev

“Controller” means we decide why and how your personal data is processed.

What chatcode.dev is

chatcode.dev provides a browser-based terminal that opens persistent AI coding sessions on infrastructure you own (typically a Linux VPS). A small daemon (the “gateway”) runs on your server and connects to a control plane hosted on Cloudflare Workers. From the browser you can manage VPS connections, run AI coding agents (Claude Code, Codex CLI, Gemini CLI, OpenCode), upload files into the workspace, and optionally route the same session through a Telegram bot.

Personal data we collect

1) Data you provide

  • Account details – email address used for magic-link sign-in.
  • Server connection metadata – gateway identifiers, gateway version, hostname, OS, installed agent versions, and similar diagnostic information you can see in the dashboard.
  • SSH public keys you choose to add for shell access to your own VPS.
  • Communications – anything you send us by email or other support channels.
  • OAuth tokens for any integrations you explicitly connect (for example, DigitalOcean for droplet provisioning, or Telegram for chat continuity).

2) Data collected automatically

  • Usage and event data – sign-ins, session creation/termination, gateway connect/disconnect events, feature usage, performance and reliability metrics.
  • Device and log data – IP address, user agent, approximate location derived from IP, error logs.
  • Cookies for session management and security (see “Cookies” below).

3) Data from third parties

When you connect a third party (DigitalOcean OAuth, Telegram, an AI provider you sign in to from inside a session), that service may share identifiers, account metadata, and the specific data you authorize.

What we can technically see

We try to be specific because vague language in this section is the worst kind.

  • Your code is not on our servers. Files, environment variables, and tool state stay on the VPS you provisioned. The control plane never persists workspace files; file uploads and downloads are streamed in transit.
  • Terminal traffic is relayed by the control plane. Today there is no end-to-end encryption between your browser and your gateway. TLS protects each hop, but the control plane terminates those connections, which means an operator with control plane access could in theory inspect terminal payloads. We do not do this as a routine, and we do not store this traffic, but the technical capability exists. A payload-encrypted mode is on our roadmap.
  • We do not store your AI provider API keys centrally. Agents sign in inside the session with your credentials, on your VPS.
  • We do not store private SSH keys. The control plane only ever sees public keys you choose to push.

Why we process personal data

  1. Provide and operate the Service – sign you in, route session traffic, manage gateway connections.
  2. Provide support – respond to requests, troubleshoot, run a temporary support SSH session if you explicitly grant access.
  3. Maintain security and prevent abuse – detect fraud, rate-limit auth, secure infrastructure.
  4. Improve the product – understand which features are used, fix bugs, improve performance.
  5. Comply with legal obligations – accounting, tax, lawful requests.
  6. Communicate with you – service emails for important updates and security notices. Marketing communications are opt-in only.

Legal bases (GDPR)

  • Contract – to provide the Service you request.
  • Legitimate interests – for security, reliability, and product improvement, balanced against your rights.
  • Consent – for non-essential cookies, marketing emails, and optional features that require it.
  • Legal obligation – for tax, accounting, and lawful requests.

AI-related processing

chatcode.dev itself does not run AI inference. Instead, it lets you run AI coding agents inside a session on your own server, signed in with your own account.

What that means in practice

  • Prompts and outputs flow from the agent CLI on your VPS to the AI provider you chose (for example Anthropic, OpenAI, Google), under that provider's terms.
  • The control plane sees these prompts and outputs only because it relays the terminal stream – see “What we can technically see”.
  • AI outputs may be wrong. Treat them as assistance, not ground truth, and review code changes before deploying.
  • We do not make automated decisions that produce legal or similarly significant effects under GDPR Article 22.

Sharing data with others

Service providers

We rely on a small number of trusted vendors:

  • Cloudflare – hosting for the control plane, marketing site, and CDN.
  • Email delivery providers – to send magic-link sign-in emails and service notifications.
  • Payments and billing – only if and when paid plans launch.
  • Analytics and error monitoring – privacy- respecting product analytics and error tracking, where used.

Integrations you connect

When you connect DigitalOcean, we exchange OAuth tokens to provision droplets you've authorized. When you connect Telegram, we operate a per-user managed bot to deliver session messages. AI providers (Anthropic, OpenAI, Google and others) receive prompts and context only when you run their CLI inside a session, on your VPS.

Legal disclosures

We may disclose data if required by law or to protect rights, safety, and security.

International data transfers

We're based in Estonia (EU). Some service providers may process data outside the European Economic Area (EEA). For those transfers we use appropriate safeguards such as European Commission adequacy decisions, Standard Contractual Clauses (SCCs), and supplementary measures where needed.

How long we keep data

  • Account data – for the life of your account and as required for legal/tax purposes.
  • Connection and session metadata – kept only as long as needed for operation, debugging, and abuse prevention.
  • Workspace files – never persisted by us. They live on your VPS.
  • Logs – typically a short window for incident investigation.

Security

We apply technical and organizational measures appropriate to the Service, including:

  • TLS in transit on every hop (browser ⇄ control plane ⇄ gateway).
  • Per-gateway authentication tokens, hashed at rest.
  • No central storage of private SSH keys.
  • Least-privilege access controls and audit logging for operators.
  • Vendor security reviews and contractual safeguards.

No system is perfectly secure. Keep your account credentials safe and use strong authentication.

Cookies

We use cookies and similar technologies for:

  • Essential functionality – sign-in sessions, CSRF protection, security.
  • Analytics – to understand how the Service is used and improve it.

Where required (for example, in the EEA/UK) we ask for consent for non-essential cookies. You can also control cookies via your browser settings. If your browser sends the Global Privacy Control signal, we treat it as an opt-out from forms of data sharing for targeted advertising where required by law.

Your rights (GDPR)

If you are in the EEA/UK (and often elsewhere), you may have rights to:

  • Access – know what data we have about you.
  • Rectification – correct inaccurate data.
  • Erasure – request deletion (subject to legal/operational limits).
  • Restriction – limit processing in certain cases.
  • Objection – object to processing based on legitimate interests.
  • Portability – receive your data in a usable format.
  • Withdraw consent – where processing is based on consent.

To exercise rights, email privacy@chatcode.dev. We may verify your identity before fulfilling requests. You can also lodge a complaint with your local data protection authority. In Estonia, that's the Estonian Data Protection Inspectorate.

Children

chatcode.dev is not intended for children. We do not knowingly collect personal data from children under 16 (EEA/UK) or under 13 (US COPPA). If you believe a child has provided personal data to us, contact privacy@chatcode.dev and we'll take appropriate steps.

US privacy disclosures

If you are a resident of certain US states (including California), you may have additional rights under state privacy laws.

  • No sale of personal information. We do not sell your personal information.
  • Sharing for targeted advertising. If we ever enable advertising pixels or similar technologies, we'll provide a way to opt out where required by law.

Depending on your state, you may have rights to access, delete, correct, opt out of targeted advertising, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights. To exercise these rights, email privacy@chatcode.dev.

Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we'll provide notice through the Service or by email. The “Effective date” at the top shows when this version began to apply.

Contact

Questions or requests about privacy:
privacy@chatcode.dev
Holy Traction OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia