Privacy Policy
Effective date: April 22, 2026
1. Introduction
CodeBricks (“we,” “us,” or “our”) operates the CodeBricks platform at codebricks.io. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have, in accordance with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection Act (DPDPA).
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
CodeBricks is the data controller responsible for your personal data. For any data protection inquiries, contact us at support@codebricks.io.
3. Data We Collect
We collect the minimum data necessary to provide and improve the Service:
3.1 Data you provide
- Account information: Name and email address, provided through our authentication provider (Clerk). If you sign in with Google, we receive your name, email, and profile picture from Google.
- Payment information: Billing details processed by Stripe. We do not receive, store, or have access to your full credit card number, CVV, or bank account details. We receive only a confirmation of payment status, your Stripe customer ID, and subscription details.
- Support messages: Any messages you send through our contact form, including the content and your user ID.
3.2 Data generated through your use
- Learning data: Review history, spaced repetition scheduling data (box levels, due dates), code attempts, grades, streaks, level progress, and review mode history.
- Preferences: Your selected programming language and learning settings.
3.3 Data collected automatically
- Cookies: We use essential cookies for authentication (managed by Clerk) to keep you signed in. We do not use advertising or tracking cookies. We do not use third-party analytics services.
- Server logs: Our hosting provider (Vercel) may collect standard server logs including IP address, browser type, and request timestamps for security and operational purposes.
4. How We Use Your Data
We use your data for the following purposes:
- Providing the Service: Delivering personalized learning content, scheduling spaced repetition reviews, tracking your progress, and maintaining your account.
- Processing payments: Managing your subscription and billing through Stripe.
- Customer support: Responding to your inquiries and resolving issues.
- Service improvement: Using anonymized and aggregated data to understand usage patterns, improve learning outcomes, and develop new features. This data cannot be used to identify individual users.
- Security: Detecting and preventing fraud, abuse, and unauthorized access.
5. We Do Not Sell Your Data
We do not sell, rent, trade, or otherwise make available your personal data to third parties for their marketing or commercial purposes.
We have never sold personal data, and we have no plans to do so in the future. This applies to all users, regardless of location.
6. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service you have signed up for, including account management, learning features, and subscription billing.
- Legitimate interest (Article 6(1)(f)): Improving the Service, ensuring security, and preventing fraud. We balance these interests against your rights and only process data where our interests do not override your fundamental rights.
- Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable laws (e.g., tax and accounting requirements).
- Consent (Article 6(1)(a)): Where applicable, such as for optional communications. You may withdraw consent at any time.
7. Third-Party Services (Sub-processors)
We share your data with the following third-party service providers solely for the purposes of operating the Service. Each provider acts as a data processor on our behalf:
- Clerk (clerk.com): Authentication and user management. Receives your email, name, and authentication data. Privacy policy: clerk.com/legal/privacy
- Stripe (stripe.com): Payment processing. Receives your billing information. Privacy policy: stripe.com/privacy
- Neon (neon.tech): Database hosting. Stores your account and learning data. Data is encrypted at rest and in transit.
- Vercel (vercel.com): Application hosting. May process server logs containing IP addresses.
- Resend (resend.com): Transactional email delivery for support communications.
- ImprovMX (improvmx.com): Email forwarding for support inquiries.
We do not share your data with any other third parties. If we add new sub-processors in the future, we will update this policy accordingly.
8. International Data Transfers
Our Service is hosted in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by applicable law.
By using the Service, you consent to the transfer of your data to the United States in accordance with this Privacy Policy.
9. Data Retention
- Active accounts: Your data is retained for as long as your account is active and as needed to provide the Service.
- After account deletion: Upon your request, we will delete your personal data within 30 days. Some data may be retained for up to 90 days in encrypted backups before being permanently removed.
- Legal obligations: We may retain certain data for longer periods where required by law (e.g., financial records for tax compliance).
- Anonymized data: Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytical and statistical purposes.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
All users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data and account.
- Data portability: Request your data in a structured, machine-readable format.
Additional rights for EU/EEA residents (GDPR)
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
Additional rights for California residents (CCPA/CPRA)
- Right to know: You may request details about the categories and specific pieces of personal information we have collected.
- Right to delete: You may request deletion of your personal information.
- Right to opt out of sale: We do not sell your personal information. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Additional rights for Indian residents (DPDPA)
- Right to access: You may request a summary of your personal data and processing activities.
- Right to correction and erasure: You may request correction of inaccurate data or erasure of data no longer necessary for the purpose it was collected.
- Right to grievance redressal: You may raise a grievance with us, and we will respond within 30 days.
- Right to nominate: You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, contact us at support@codebricks.io. We will respond to all requests within 30 days (or within the time period required by applicable law).
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest in our database
- Secure authentication through Clerk (including support for multi-factor authentication)
- Payment data handled exclusively by Stripe, a PCI DSS Level 1 certified provider
- Regular security reviews of our infrastructure and dependencies
While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
12. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal data from children under these ages. If we become aware that we have inadvertently collected data from a child under the applicable minimum age, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at support@codebricks.io.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated policy on this page, updating the effective date, and, where practicable, sending a notice to the email address associated with your account.
We encourage you to review this page periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions about this Privacy Policy or your personal data, or wish to exercise any of your rights, contact us at:
Email: support@codebricks.io
We aim to respond to all inquiries within 30 days.