Privacy Policy

Effective Date: February 5, 2026
Version: 1.0
Last Updated: February 17, 2026

This Privacy Policy explains how Codaran Ltd (“Codaran”, “we”, “us”, “our”), a company registered in England and Wales (Company Number: 17014338), with its registered office at 128, City Road, London, EC1V 2NX, United Kingdom, collects, uses, shares, and protects your personal data when you use the VoxDev platform and related services (the “Service”).

This Privacy Policy should be read together with our Terms of Service, Cookie Policy, and, where applicable, our Data Processing Agreement.

For privacy-related enquiries, contact us at privacy@voxdev.tech. Postal correspondence may also be sent to our registered office address above.

1. Data Controller

Codaran Ltd is the data controller for the personal data we collect and process in connection with your use of the Service (such as your account information, usage data, and payment data).

When you use VoxDev to record and process meetings, you (or your organisation) act as the data controller for the personal data of meeting participants. In that context, Codaran acts as a data processor on your behalf. If you are a business customer, our Data Processing Agreement governs this relationship.

2. Information We Collect

2.1. Information You Provide Directly

Account information — name, email address, organisation name, role
Payment information — processed by our payment provider (Stripe); we do not store full card numbers, CVVs, or full bank account details
Meeting audio — audio that you choose to record through the Service
Text inputs — messages and instructions you type into meeting sessions
Project data — requirements, specifications, and project information you create, edit, or import
Configuration and preferences — project settings, organisational settings, and feature preferences
Support communications — messages you send to our support team

2.2. Information Generated by the Service

Meeting transcriptions — AI-generated text from meeting audio
Speaker identification data — mathematical representations of voice characteristics used to identify who said what during meetings
AI Outputs — extracted requirements, specifications, assessments, architecture documentation, code suggestions, and agent communications
AI processing metadata — usage metrics, token counts, and model identifiers used for billing purposes

2.3. Information from Your Codebase

When the optional Client Software is installed and connected:

File contents — portions of files that AI agents access during analysis; transmitted to third-party AI providers for processing, not permanently stored beyond session retention
Code structure metadata — file names, directory listings, code signatures
Version control metadata — git status, recent changes (not full history)
File modification records — records of changes made by AI agents

2.4. Information Collected Automatically

Usage data — features used, pages visited, actions taken, session duration
Device and browser information — browser type, operating system, screen resolution
IP address and approximate geographic location
Cookies and similar technologies — see our Cookie Policy
Log data — access times, error logs, referral URLs
Client Software connection metadata — connection status, timestamps, software version

2.5. Information from Third Parties

Payment processor data — transaction status and identifiers from our payment provider (we do not receive or store full card numbers)
Authentication provider data — user identity, email address, and profile information from our authentication provider

3. How We Use Your Information

We use your information to:

Provide, maintain, and improve the Service;
Process meeting audio and generate AI Outputs;
Enable AI agents to analyse and modify your codebase;
Process payments and manage subscriptions;
Track usage for billing purposes;
Send service-related communications (account notifications, billing alerts, security notices);
Detect, prevent, and address technical issues, fraud, and security threats;
Comply with legal obligations;
Enforce our Terms of Service and Acceptable Use Policy;
Aggregate and anonymise data for analytics and service improvement.

3.1. What We Do NOT Do

We do NOT:

Sell your personal data to third parties;
Use your content to train our own AI models unless you explicitly opt in (separate, specific consent required);
Allow third-party AI providers to retain or train on your data beyond what is necessary to process your request (per our contractual agreements);
Share your content with other users, organisations, or customers;
Retain voice recordings after transcription — audio is processed in real-time and not stored;
Store full codebase copies — only portions accessed during active sessions are temporarily held in processing context.

To provide the Service, we transmit your data (including meeting transcriptions, codebase files, and project context) to third-party AI providers for processing. These transmissions are essential to the Service's core functionality. By using the Service, you consent to this data processing.

Our agreements with AI providers contractually restrict them from training on customer data, but we cannot independently audit or guarantee provider compliance. The specific providers used may change over time — see our Sub-Processor List for current providers.

Data transmitted to AI providers includes:

Meeting transcriptions and text inputs;
Codebase file contents accessed by AI agents;
Project context (requirements, specifications, documentation) relevant to the current task;
AI agent conversation history within the current session.

Data is transmitted via encrypted connections (TLS 1.2+). We do not transmit your account credentials, payment information, or personally identifying account details to AI providers.

5. Meeting Recording and Consent

YOU are solely responsible for obtaining consent from all meeting participants before recording. We provide tools to assist but compliance is YOUR obligation.

5.1. What Participants Must Be Told

When using VoxDev in a meeting, you MUST inform all participants that:

The meeting is being recorded and transcribed in real-time;
Their voice is being processed for speaker identification;
Their statements will be analysed by AI to extract requirements, generate questions, and produce technical documentation;
Their voice data and transcribed statements will be transmitted to third-party AI providers for processing;
AI-generated outputs based on their statements will be stored in your project;
They have the right to object and leave the meeting before recording begins.

5.2. Consent Requirements

In jurisdictions requiring all-party consent, you must obtain affirmative consent from EVERY participant before activating recording;
Some jurisdictions impose criminal liability and/or statutory damages for recording without consent;
For employment contexts, consent may not be a valid legal basis due to power imbalances — consider legitimate interests with a Data Protection Impact Assessment (DPIA) and balancing test;
Special category data (health, political opinions, etc.) discussed in meetings may trigger additional legal requirements.

5.3. Voice Biometric Data

The Service's speaker identification feature processes voice characteristics to determine which participant said what. Depending on your jurisdiction, this may constitute biometric data processing. YOU are responsible for determining whether your use of speaker identification requires additional consent or a specific legal basis in your jurisdiction.

5.4. What We Do NOT Do Regarding Consent

We do not determine the lawful basis for your recording in any jurisdiction;
We do not verify that you have obtained required consents from all participants;
We do not provide legal advice on consent requirements for your jurisdiction;
We do not accept any liability for recordings made without proper consent;
We do not guarantee that speaker identification is accurate (statements may be attributed to the wrong speaker).

6. Lawful Basis for Processing

Under UK GDPR and EU GDPR, we process your personal data on the following legal bases:

Processing Activity	Lawful Basis
Account creation and service operation	Contract performance (Art. 6(1)(b))
Payment processing	Contract performance (Art. 6(1)(b))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Meeting recording and transcription	As instructed by the data controller (you) — Codaran acts as data processor
Analytics and service improvement	Legitimate interests (Art. 6(1)(f)) with anonymised/aggregated data
Legal compliance	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a)) — opt-in only

We share your personal data with the following categories of recipients:

Third-party AI providers — to process meeting content and generate AI Outputs (see Section 4);
Payment processor — to process subscription payments and manage billing;
Authentication provider — to manage user identity and login;
Cloud infrastructure providers — to host and operate the Service;
Your organisation — other members of your workspace can see shared project data, session data, and organisational settings (not your personal account credentials);
Law enforcement or regulatory bodies — where required by law or to protect our rights;
Professional advisers — legal, accounting, and insurance advisers as necessary.

The specific sub-processors we use, their roles, and their locations are described in our Sub-Processor List, which is maintained separately and updated as providers change.

For business customers with a Data Processing Agreement: we will notify you of material changes to the Sub-Processor List at least 30 days in advance, giving you the opportunity to object per the terms of your DPA.

8. International Data Transfers

Codaran Ltd is based in the United Kingdom. Your data may be transferred to and processed in countries outside your country of residence, including the United States and countries where our AI providers operate.

8.1. Transfers from the UK/EEA

We rely on UK International Data Transfer Agreements (IDTAs) and EU Standard Contractual Clauses (SCCs) as appropriate;
We conduct Transfer Impact Assessments where required;
We implement supplementary technical measures (encryption in transit and at rest) as recommended by the EDPB.

8.2. Transfers Involving AI Providers

Our AI providers are currently based in the United States. Your data is transferred to the US for AI processing. This may change as we add or change providers.
Processing is subject to data processing agreements with appropriate safeguards;
We use providers who maintain SOC 2, ISO 27001, or equivalent certifications where available;
See our Sub-Processor List for current provider details and locations.

9. Data Retention

We retain your data only for as long as necessary for the purposes described in this Policy, or as required by law. The table below summarises our retention periods:

Data Type	Retention Period	Reason
Account data	Duration of account + 2 years	Service provision, legal claims
Meeting audio	NOT STORED	Processed in real-time, discarded after transcription (privacy by design)
Voice identification data	Duration of session only	Real-time speaker identification
Transcriptions	Duration of session/project, user-deletable	Service provision
AI-generated requirements and documentation	Duration of project, user-deletable	Service provision
AI conversation logs	Duration of session	Service provision
AI usage metadata	Duration of session	Billing
Codebase file contents	NOT permanently stored	Held in processing context only during active session
Session data	Duration of project	Service provision, audit
Change history (audit trails)	Duration of project	Audit trail
Payment records	7 years	Tax and legal requirements
Usage tracking data	2 years	Analytics, billing
System logs	1 year	Debugging, reliability
Security and enforcement logs	7 years	Legal and audit requirements
Support communications	3 years	Service quality
Client Software connection metadata	90 days	Security

When data reaches the end of its retention period, it is securely deleted or anonymised. You may request earlier deletion of your data by contacting privacy@voxdev.tech, subject to any legal obligations that require us to retain it.

10. Your Rights

10.1. UK GDPR / EU GDPR Rights

Under UK GDPR and EU GDPR, you have the right to:

Access your personal data;
Rectify inaccurate personal data;
Erase your personal data (right to be forgotten), subject to legal retention requirements;
Restrict processing of your personal data;
Data portability — receive your data in a structured, machine-readable format;
Object to processing based on legitimate interests;
Withdraw consent at any time (where processing is based on consent);
Lodge a complaint with a supervisory authority (UK: the Information Commissioner's Office (ICO); EU: your national Data Protection Authority).

10.2. CCPA/CPRA Rights (California)

Under CCPA/CPRA, California residents additionally have the right to:

Know what personal information is collected, used, and shared;
Delete personal information (with exceptions);
Opt out of the sale or sharing of personal information;
Non-discrimination for exercising your rights.

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.

10.3. How to Exercise Your Rights

To exercise any of these rights, contact privacy@voxdev.tech. We will respond within:

30 days for UK GDPR / EU GDPR requests;
45 days for CCPA requests.

We may ask you to verify your identity before processing your request. In some cases, we may be unable to comply with your request due to legal obligations or legitimate interests (we will explain the reason if this occurs).

11. Children's Privacy

The Service is not directed at children under 18 years of age (or the age of majority in their jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact privacy@voxdev.tech and we will take steps to delete such information.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption in transit (TLS 1.2+) and at rest;
Access controls with role-based permissions;
Regular security assessments;
Incident response procedures;
Secure infrastructure provided by professional cloud hosting providers.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service interface, email, or other reasonable means at least 30 days before the changes take effect.

For users in the EU/UK: material adverse changes that affect your rights will require your affirmative consent. We will present the updated Policy for your review and acceptance.

We encourage you to review this Policy periodically. The “Last Updated” date at the top indicates when the most recent changes were made.

14. Contact Information and Complaints

Codaran Ltd (Data Controller)

Company Number: 17014338

Registered Office: 128, City Road, London, EC1V 2NX, United Kingdom

Privacy enquiries: privacy@voxdev.tech

Legal enquiries: legal@voxdev.tech

General support: support@voxdev.tech

Postal correspondence may also be sent to our registered office address above.

14.1. Complaints

If you are unhappy with how we handle your personal data, please contact us first at privacy@voxdev.tech and we will do our best to resolve your concern.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
European Union: Your national Data Protection Authority — see edpb.europa.eu for a list