chatcode.dev

Privacy Policy

Effective date: 21 May 2026

This Privacy Policy explains how chatcode.dev (the “Service”) collects and uses personal data, what choices you have, and how we keep that data safe. It is written to be human-friendly and to explain our approach under the EU General Data Protection Regulation (GDPR), UK GDPR, US state privacy laws, and other rules that may apply to our users.

This policy explains what we do with data in Chatcode. It is not legal advice for your own use of Chatcode: if you process other people's personal data through a terminal session, you are responsible for deciding whether Chatcode is appropriate for that workflow.

If you only read one section, read “Key points” below.


Key points

  • We collect only what we need to operate, secure, bill, and improve the Service.
  • Your code lives on your VPS, not on our servers. We do not store your repositories.
  • We do not store your private SSH keys. Optional time-limited support access uses a public key you grant from the dashboard.
  • The control plane today acts as a trusted relay for terminal traffic – see “What we can technically see”.
  • Voice transcription sends your audio to our transcription provider only when you choose to record or send a voice prompt.
  • Billing uses Stripe for web subscriptions and Telegram Stars for Telegram Starter subscriptions. We do not store full card numbers.
  • We do not sell your data or share it for targeted advertising.
  • Public landing-page Google Analytics is optional and loads only after you allow analytics cookies.
  • Authenticated app analytics uses PostHog for pageviews, product events, and privacy-masked session replay. We do not use it to capture raw terminal content.
  • You can access, correct, export, or delete your personal data, subject to legal and operational limits.

Who we are

Controller: Holy Traction OÜ
Address: Sepapaja tn 6, 15551 Tallinn, Estonia
Email: privacy@chatcode.dev

“Controller” means we decide why and how your personal data is processed for account, billing, security, support, and product-operation purposes.

When you use Chatcode for your own work

You decide what code, files, prompts, credentials, customer data, and other content you put on your VPS or send through a terminal session. For that session content, you are responsible for having the right to process it. Where privacy law treats us as a processor or service provider for that content, we process it only to provide Chatcode, secure the Service, troubleshoot issues, and follow your lawful instructions.

Do not use Chatcode for highly regulated or unusually sensitive data unless you have reviewed the technical model, signed any required data processing terms with us, and decided it is suitable for your use case.


What chatcode.dev is

chatcode.dev provides a browser-based terminal that opens persistent AI coding sessions on infrastructure you own (typically a Linux VPS). A small daemon (the “gateway”) runs on your server and connects to a control plane hosted on Cloudflare Workers. From the browser you can manage VPS connections, run AI coding agents (Claude Code, Codex CLI, Gemini CLI, OpenCode), upload files into the workspace, use voice transcription where your plan allows it, and optionally route the same session through Telegram bots and Mini Apps.


Personal data we collect

1) Data you provide

  • Account and identity details – email address, linked login providers (Google, GitHub, Telegram), Telegram public profile details if you link Telegram, and authentication session metadata.
  • Server connection metadata – gateway identifiers, gateway version, hostname, OS, installed agent versions, and similar diagnostic information you can see in the dashboard.
  • SSH public keys you choose to add for shell access to your own VPS.
  • Session metadata – session IDs, selected workspace folder, title, status, active server, terminal client state, and related routing metadata. We use this to reconnect you to the right running session.
  • Agent usage metrics – token counts reported by supported agent CLIs, agent type, model, timestamp, and dedupe/source metadata. We use this for usage views and the Telegram leaderboard. We do not need raw transcript text for the leaderboard score.
  • Onboarding survey answers – short setup answers such as what you build, your role, approximate team size, coding agents you use, messaging preference, discovery source, and country. We use these to understand who Chatcode is helping and to improve onboarding.
  • Billing records – plan, subscription status, billing interval, Stripe customer/subscription/invoice/payment identifiers, Telegram Stars payment identifiers, renewal dates, refunds, discounts, and billing event history. Card data is handled by Stripe, not stored by Chatcode.
  • Telegram data – Telegram user ID, username or display name, chat/topic IDs, bot connection state, message metadata needed for session routing, Telegram Stars payment payloads, and short-lived file-preview/download tokens.
  • Voice audio and transcripts – when you record or send a voice prompt, we receive the audio long enough to transcribe it and return or post the transcript. We do not use voice input to identify you biometrically.
  • Communications – anything you send us by email or other support channels.
  • OAuth tokens for any integrations you explicitly connect (for example, DigitalOcean for droplet provisioning). We encrypt sensitive integration tokens at rest where they must be stored.

2) Data collected automatically

  • Usage and event data – sign-ins, session creation/termination, gateway connect/disconnect events, server creation/removal, feature usage, plan-limit checks, billing lifecycle events, third-party API failures, performance and reliability metrics, and coarse terminal-input activity such as whether input or paste happened. We do not store or send the actual terminal text, command text, filenames, workspace paths, or labels for product analytics. File-upload analytics uses only coarse counts and size buckets, not filenames, paths, file content, or media metadata. Voice transcription analytics uses only provider/model and coarse duration/latency/size buckets, not audio or transcript text.
  • Authenticated app pageviews and replay metadata – when you are signed in, we may record sanitized pageview events and privacy-masked session replay through PostHog to understand navigation, UI errors, and product friction. We mask all text and inputs, block terminal DOM, disable console-log recording, and remove query strings and raw server/session IDs from pageview URLs before sending them.
  • Acquisition and attribution data – first-touch and last-seen timestamps, anonymous browser identifier, UTM/source fields, landing page, referrer, partner key, Telegram /start or Mini App startapp payloads, country, and capped raw attribution metadata. Where ad-click identifiers such as gclid, gbraid, wbraid, msclkid, or fbclid are present, we store them only where permitted by law and consent state.
  • Optional landing-page analytics – if you allow analytics cookies on chatcode.dev, Google Analytics may collect page and campaign reporting data for our public marketing pages. We do not enable Google advertising storage.
  • Device and log data – IP address, user agent, approximate location derived from IP, error logs.
  • Cookies for session management and security (see “Cookies” below).

3) Data from third parties

When you connect a third party (DigitalOcean, Google, GitHub, Telegram, Stripe checkout, or an AI provider you sign in to from inside a session), that service may share identifiers, account metadata, billing status, and the specific data you authorize.


What we can technically see

We try to be specific because vague language in this section is the worst kind.

  • Your code is not on our servers. Files, environment variables, and tool state stay on the VPS you provisioned. The control plane never persists workspace files or previewed file content; file uploads, downloads, and previews are streamed in transit. Telegram file previews use short-lived access tokens rather than copying your repository into Chatcode storage. They can open files explicitly referenced by an agent or linked from an already opened preview: all files under ~/workspace, including hidden files there, plus non-hidden files in the gateway user's home folder. Hidden home paths outside ~/workspace, such as .ssh, .claude, .codex, and dotfiles, are blocked by the preview feature.
  • Terminal traffic is relayed by the control plane. Today there is no end-to-end encryption between your browser and your gateway. TLS protects each hop, but the control plane terminates those connections, which means an operator with control plane access could in theory inspect terminal payloads. We do not do this routinely, and we do not store this traffic, but the technical capability exists. A payload-encrypted mode is on our roadmap.
  • Telegram session updates are transcript-driven. When you enable Telegram continuity, Chatcode reads agent transcript/progress events on your VPS and sends selected prompts, progress summaries, tool activity, and final messages into the relevant Telegram topic. Those messages are then processed by Telegram under Telegram's own terms.
  • Voice transcription leaves Chatcode temporarily. Browser, Mini App, and Telegram voice prompts are sent to our transcription provider so they can be converted to text. The transcript is returned to the browser for your review or posted to the session topic, depending on where you used voice.
  • We do not store your AI provider API keys centrally. Agents sign in inside the session with your credentials, on your VPS.
  • We do not store private SSH keys. The control plane only ever sees public keys you choose to push.

Why we process personal data

  1. Provide and operate the Service – sign you in, route session traffic, manage gateway connections, maintain Telegram continuity, process voice transcription, and enforce plan limits.
  2. Provide support – respond to requests, troubleshoot, run a temporary support SSH session if you explicitly grant access.
  3. Maintain security and prevent abuse – detect fraud, rate-limit auth, secure infrastructure.
  4. Improve the product – understand which features are used, fix bugs, improve performance, and show aggregate/product usage such as the Telegram token leaderboard. For authenticated app usage, we may send minimized product events, sanitized pageviews, and privacy-masked session replay to PostHog using your internal Chatcode user ID; these records do not include raw terminal content.
  5. Understand acquisition and onboarding – connect a user's first contact source, partner link, Telegram start payload, onboarding survey answers, product usage, and payment lifecycle so we can evaluate campaigns, partner referrals, and product-market fit without relying on third-party analytics as the source of truth.
  6. Process payments and subscriptions – create checkout sessions and invoices, apply plan changes, process refunds, prevent duplicate subscriptions, and keep an audit trail of billing events.
  7. Comply with legal obligations – accounting, tax, lawful requests.
  8. Communicate with you – service emails for important updates and security notices. Marketing communications are opt-in only.

Legal bases (GDPR)

  • Contract – to provide the Service you request.
  • Legitimate interests – for security, reliability, abuse prevention, and minimized authenticated product analytics, balanced against your rights.
  • Consent – for non-essential cookies, marketing emails, and optional features that require it.
  • Legal obligation – for tax, accounting, and lawful requests.

AI-related processing

chatcode.dev itself does not run AI inference. Instead, it lets you run AI coding agents inside a session on your own server, signed in with your own account.

What that means in practice

  • Prompts and outputs flow from the agent CLI on your VPS to the AI provider you chose (for example Anthropic, OpenAI, Google), under that provider's terms and privacy policy.
  • The control plane sees these prompts and outputs only because it relays the terminal stream – see “What we can technically see”.
  • AI outputs may be wrong. Treat them as assistance, not ground truth, and review code changes before deploying.
  • We do not make automated decisions that produce legal or similarly significant effects under GDPR Article 22. Plan-limit checks and anti-abuse controls may automatically allow, block, or rate-limit product actions, but they do not decide legal rights about you.

Sharing data with others

Service providers

We rely on a small number of trusted vendors. They process data only to provide services to us, under their own security and data protection terms.

  • Cloudflare – hosting for the control plane, marketing site, web app, Workers, Durable Objects, D1, KV, queues, logging, security, and CDN.
  • Amazon Web Services / SES – email delivery for magic-link sign-in emails and service notifications.
  • Stripe – web checkout, subscriptions, invoices, payment status, refunds, tax/billing records, and customer portal sessions.
  • Telegram – login/linking, Telegram bots, Mini Apps, session topics, file-preview links, notifications, and Telegram Stars subscriptions.
  • DigitalOcean – droplet provisioning and server lifecycle actions when you connect a DigitalOcean account.
  • Groq – audio transcription for voice prompts when the feature is enabled and you choose to use it.
  • Google and GitHub – optional sign-in or account-linking providers.
  • Google Analytics – optional public landing-page analytics after you allow analytics cookies. We keep Google Analytics out of authenticated app surfaces and do not use it as the authoritative store for user identity, billing, partner attribution, or lifetime value.
  • PostHog EU Cloud – product analytics for the authenticated app and selected server-side events. We use explicit, minimized events, sanitized authenticated pageviews, and privacy-masked session replay to understand feature usage, onboarding, acquisition, billing funnels, and UI friction. We keep PostHog autocapture disabled, mask text and inputs, block terminal DOM, disable console-log recording, and do not use it for raw terminal-content capture. We do not use the cookie banner to disable these authenticated service analytics.
  • Operator and diagnostics tools – we may mirror important sign-up, billing, and external API error events to an internal operator Telegram group so we can detect failures quickly. These messages are limited to operational summaries and identifiers needed to investigate.

Integrations you connect

When you connect DigitalOcean, we exchange OAuth tokens to provision droplets you've authorized. When you connect Telegram, we use Telegram's Bot API to deliver session messages, Mini App launches, invoices, and notifications. AI providers (Anthropic, OpenAI, Google and others) receive prompts and context when you run their CLI inside a session, on your VPS. Those AI providers are services you choose and control; Chatcode does not proxy AI inference through Chatcode-owned model accounts.

Legal disclosures

We may disclose data if required by law or to protect rights, safety, and security.


International data transfers

We're based in Estonia (EU). Some service providers may process data outside the European Economic Area (EEA). For those transfers we use appropriate safeguards such as European Commission adequacy decisions, Standard Contractual Clauses (SCCs), and supplementary measures where needed.


How long we keep data

  • Account data – for the life of your account and as required for legal/tax purposes.
  • Connection and session metadata – kept only as long as needed for operation, debugging, and abuse prevention.
  • Billing events – retained as the commercial audit trail for payments, refunds, subscription changes, and tax/accounting needs.
  • Third-party API error logs – usually retained for about 30 days for incident investigation.
  • Agent usage metrics – normalized token counts are kept for usage history and leaderboard features. Raw vendor usage payloads are tagged for shorter retention and may be dropped while preserving the normalized counts.
  • Anonymous acquisition touches – pre-account attribution records are kept for a limited period so a later sign-up can be connected to the original source. Once attached to a user, the earliest known attribution profile is retained with the account for campaign, partner, and LTV analysis.
  • Onboarding survey answers – kept with your account while the survey schema is current and the account is active, unless you ask us to delete them and we no longer need them for operational or legal reasons.
  • Auth sessions and notification journals – expired or revoked sessions and processed delivery journals are cleaned up on a rolling schedule.
  • Workspace and previewed files – never persisted by us. They live on your VPS; transfer and preview bytes are streamed only while the request is active.
  • Voice audio – handled transiently for transcription. We do not keep it as an account recording library.

Security

We apply technical and organizational measures appropriate to the Service, including:

  • TLS in transit on every hop (browser ⇄ control plane ⇄ gateway).
  • Per-gateway authentication tokens, hashed at rest.
  • No central storage of private SSH keys.
  • Least-privilege access controls and audit logging for operators.
  • Vendor security reviews and contractual safeguards.

No system is perfectly secure. Keep your account credentials safe and use strong authentication.


Cookies

We use cookies, local storage, session storage, and similar technologies for:

  • Essential functionality – sign-in sessions, CSRF protection, security, terminal reconnect state, and Mini App routing.
  • Diagnostics – to recover from failed asset loads, remember short-lived client state, and debug reliability issues.
  • Optional analytics on our public landing pages – if you allow analytics cookies, we load Google Analytics to understand which public pages and campaigns help people find Chatcode.
  • Authenticated app product analytics – when you are signed in, some product-usage events, sanitized pageviews, and privacy-masked session replay are sent to PostHog. PostHog may use browser storage to keep a session and identified user state for the app. We keep autocapture disabled, mask all replay text and inputs, block terminal DOM, and do not send terminal text, prompts, code, filenames, or workspace paths to PostHog. This is separate from optional landing-page Google Analytics cookies and remains enabled so we can operate, secure, and improve the product.

We do not currently use advertising cookies. Google Analytics is disabled by default and is loaded only after you choose Allow analytics in the cookie notice. If you decline, we store that choice locally and do not load Google Analytics. You can change this choice later through the Cookie settings link in the footer, and you can also control cookies via your browser settings. If your browser sends the Global Privacy Control signal, we treat it as an opt-out from sale or sharing for targeted advertising where required by law.


Your rights (GDPR)

If you are in the EEA/UK (and often elsewhere), you may have rights to:

  • Access – know what data we have about you.
  • Rectification – correct inaccurate data.
  • Erasure – request deletion (subject to legal/operational limits).
  • Restriction – limit processing in certain cases.
  • Objection – object to processing based on legitimate interests.
  • Portability – receive your data in a usable format.
  • Withdraw consent – where processing is based on consent.

To exercise rights, email gdpr@chatcode.dev. We may verify your identity before fulfilling requests. You can also lodge a complaint with your local data protection authority. In Estonia, that's the Estonian Data Protection Inspectorate; in the UK, you can contact the Information Commissioner's Office. We will not charge you for ordinary rights requests unless a request is manifestly unfounded, excessive, or repeated in a way the law allows us to handle differently.


Children

chatcode.dev is not intended for children. We do not knowingly collect personal data from anyone under 13, or from anyone under the minimum age required for online services in their country without valid parental consent. If you believe a child has provided personal data to us, contact privacy@chatcode.dev and we'll take appropriate steps.


US privacy disclosures

If you are a resident of certain US states (including California), you may have additional rights under state privacy laws.

  • No sale of personal information. We do not sell your personal information.
  • No targeted advertising sharing. We do not share personal information for cross-context behavioral advertising today. If we ever enable advertising pixels or similar technologies, we'll provide a way to opt out where required by law.
  • Sensitive information. We do not use sensitive personal information to infer characteristics about you. Please do not put sensitive personal data into Chatcode unless your own compliance review says it is appropriate.

Depending on your state, you may have rights to access, delete, correct, opt out of targeted advertising, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights. To exercise these rights, email privacy@chatcode.dev.


Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we'll provide notice through the Service or by email. The “Effective date” at the top shows when this version began to apply.


Contact

Questions or requests about privacy:
privacy@chatcode.dev
Holy Traction OÜ
Sepapaja tn 6, 15551 Tallinn, Estonia

Made with 🩶 in Portugal © 2026 Holy Traction OÜ Claude and Claude Code are trademarks of Anthropic, PBC. ChatGPT and Codex are trademarks of OpenAI. Gemini is a trademark of Google LLC. All other product names are trademarks of their respective owners. chatcode.dev is an independent product and is not affiliated with, endorsed by, or sponsored by Anthropic, OpenAI, or Google.