Codelura Data Protection Policy - GDPR, CCPA & Data Security Compliance

DATA PROTECTION & SECURITY

Data Protection Policy

At Codelura, your data is sacred. This comprehensive Data Protection Policy outlines our commitment to securing, protecting, and respecting your personal information. We comply with international regulations including GDPR, CCPA, and other global data protection standards. Your privacy is our priority.

Last Updated: March 16, 2026

Version: 2.0


At Codelura, data protection is at the heart of everything we do. We understand that your personal information is sacred and must be handled with utmost care and responsibility. This Data Protection Policy outlines our commitment to safeguarding your data throughout its entire lifecycle—from collection through storage, processing, and eventual deletion.

Our Core Principles

  • Transparency: We clearly communicate what data we collect and how it's used
  • Security: We employ industry-leading security measures to protect your information
  • Control: You have complete control over your data and can access or delete it anytime
  • Compliance: We strictly adhere to GDPR, CCPA, and all applicable international regulations

Codelura is committed to protecting your fundamental right to privacy. We believe that data protection is not just a legal obligation, but an ethical responsibility we owe to every user.

Codelura operates in compliance with major international data protection regulations. We have implemented comprehensive policies and procedures to ensure adherence to all applicable laws across jurisdictions where our users reside.

GDPR (General Data Protection Regulation)

For users in the European Union and EEA countries, we comply with GDPR requirements including:

  • Legal basis for data processing (consent, contract, legitimate interest)
  • Data subject rights (access, rectification, erasure, portability)
  • Data protection impact assessments for high-risk processing
  • Data processing agreements with all service providers
  • Incident reporting within 72 hours to supervisory authorities

CCPA (California Consumer Privacy Act)

For California residents, we provide rights including:

  • Right to know what personal information is collected
  • Right to delete personal information held by businesses
  • Right to opt-out of personal information sales or sharing
  • Right to non-discrimination for exercising CCPA rights
  • Mechanisms for submitting and responding to consumer requests

Other International Standards

  • LGPD (Brazil): Brazilian data protection law for Brazilian residents
  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  • DPDPA (India): Digital Personal Data Protection Act for Indian users
  • ePrivacy Directive (EU): Cookie consent and electronic communications

Codelura uses state-of-the-art encryption and security technologies to protect your personal information from unauthorized access, theft, and misuse. We implement multiple layers of security across our infrastructure and applications.

Encryption in Transit

All data transmitted between your device and our servers is encrypted using industry-standard protocols:

  • TLS 1.3: Latest transport layer security protocol for HTTPS connections
  • 256-bit Encryption: Strong encryption for all data in flight
  • SSL Certificate: Valid SSL certificates from trusted certificate authorities
  • Perfect Forward Secrecy: Ensures past session traffic cannot be decrypted even if the server's long-term private key is later compromised

Encryption at Rest

Data stored on our servers and databases is encrypted at rest using:

  • AES-256: Advanced Encryption Standard with 256-bit keys for database encryption
  • Encryption Keys: Managed separately from encrypted data using hardware security modules
  • Backup Encryption: All backups encrypted with same standards as production data
  • Database-Level Encryption: Transparent encryption at database level for all sensitive information

Password Security

  • Bcrypt Hashing: Industry-standard password hashing with a per-password salt and a high cost factor
  • Never Stored in Plain Text: Passwords never stored or transmitted in plaintext
  • Strength Requirements: Minimum 12 characters with complexity validation
  • Two-Factor Authentication: Optional 2FA adds additional security layer

We collect personal information only when necessary to provide our services, improve user experience, and comply with legal obligations. Every data collection practice is based on legitimate purposes and user consent where required.

Categories of Data Collected

  • Personal Information: Name, email, phone, address (for billing)
  • Account Data: Username, profile information, preferences
  • User Generated Content: Projects, courses, blogs, comments
  • Technical Data: IP address, device type, browser, usage patterns
  • Behavioral Data: Pages visited, features used, time spent

Legal Basis for Processing

We process your data based on one of the following legal grounds:

  • Consent: You have explicitly consented to processing for specific purposes
  • Contract: Processing is necessary to provide services you've requested
  • Legal Obligation: We must process data to comply with applicable law
  • Legitimate Interests: Processing serves our business interests (marketing, fraud prevention)
  • Vital Interests: Processing necessary to protect someone's vital interests

Data Minimization

We practice data minimization by collecting only what's necessary for stated purposes. We don't collect excessive information and regularly review data collection practices to reduce unnecessary data gathering.

You have comprehensive rights regarding your personal data. We are committed to providing you with tools and processes to exercise these rights easily and quickly. All requests are handled with priority and care.

Your Data Rights

  • Right to Access: Request and receive a copy of your personal data in a machine-readable format
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your data under certain conditions
  • Right to Restrict Processing: Limit how your data is used or processed
  • Right to Data Portability: Transfer your data to another service provider
  • Right to Object: Withdraw consent or object to specific processing

Exercising Your Rights

  1. Visit Account Settings → Privacy & Data
  2. Select the right you wish to exercise
  3. Fill in required information and submit
  4. We respond within 30 days (extendable to 90 days)
  5. We provide your data in the requested format (CSV, JSON, PDF)

No Discrimination

We do not discriminate against you for exercising your data rights. You will receive the same service level and pricing regardless of whether you exercise your rights or provide additional data.

We retain personal data only for as long as necessary to provide our services and fulfill the purposes for which it was collected. After this period, data is securely deleted or anonymized.

Data Retention Periods

  • Active User Accounts: Duration of relationship
  • After Account Deletion: 30 days (grace period)
  • Transaction Records: 7 years (legal requirement)
  • Analytics Data: 6 months (anonymized)
  • Cookies: Per cookie policy
  • Backup Data: 60 days after deletion

Secure Data Deletion

When data is deleted, we use secure deletion methods:

  • Cryptographic Erasure: Deletion of encryption keys making data unrecoverable
  • Overwriting: Multiple overwrite passes to prevent recovery
  • Physical Destruction: For hardware reaching end-of-life

Anonymization

Where possible, we anonymize data after the retention period. Anonymized data cannot identify individuals and is not subject to the same data protection requirements. We use anonymization for long-term analytics and service improvement.

While we implement comprehensive security measures, we recognize that no system is 100% secure. In the event of a data breach, we have established procedures to respond quickly and transparently.

Our Response Process

  1. Immediate Detection & Containment: Detect breach and stop further unauthorized access
  2. Investigation: Determine scope, nature, and affected data
  3. Internal Notification: Inform management and legal team
  4. User Notification (if required): Notify affected users without undue delay
  5. Authority Notification: Report to supervisory authorities within 72 hours (GDPR requirement)
  6. Remediation: Fix vulnerabilities and prevent future incidents
  7. Post-Incident Review: Analyze and improve security practices

User Notification

If a breach affects your personal data, we will notify you through:

  • Email to your registered email address
  • In-app notification in your dashboard
  • Detailed breach impact statement
  • Recommended actions you should take
  • Contact information for questions

Reporting Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly to security@codelura.com. Do not publicly disclose the vulnerability. We take all security reports seriously and will investigate promptly.

We do not sell your personal data to third parties. However, we may share data with trusted service providers who help us operate the platform. All data sharing is governed by strict Data Processing Agreements.

Categories of Data Processors

  • Payment Processors: Stripe, Razorpay (secure payment processing)
  • Cloud Infrastructure: AWS, Google Cloud (hosting & storage)
  • Analytics: Google Analytics, Mixpanel (usage analytics)
  • Email Services: SendGrid, Mailgun (transactional emails)
  • Security Services: Cloudflare (DDoS protection & security)

Data Processing Agreements

All processors are bound by comprehensive Data Processing Agreements that ensure:

  • Data processed only on Codelura's instructions
  • Appropriate security measures implemented
  • Limited access to necessary personnel only
  • Sub-processor approval from Codelura
  • Assistance with data subject rights requests
  • Audit rights for Codelura

International Data Transfers

Some processors are located outside your country. For transfers from EU to non-EU countries, we use Standard Contractual Clauses and other lawful mechanisms to ensure your data receives adequate protection.

We implement Privacy by Design and Default principles, meaning data protection is built into our systems from the ground up, not added as an afterthought. This approach ensures protection throughout the entire data lifecycle.

Privacy by Design Principles

  • Proactive Not Reactive: We anticipate data protection challenges and address them before they occur
  • Default Settings: Privacy-friendly settings are defaults; users can opt for less privacy if desired
  • Data Minimization: We collect only necessary data and no more
  • Transparency: Users understand what data is collected and why
  • User Control: Users have the ability to view, modify, and delete their data
  • Security & Integrity: Strong encryption and security measures protect data throughout

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIA) for all high-risk data processing activities to identify and mitigate privacy risks before implementation.

This Data Protection Policy may be updated periodically to reflect changes in our practices, technology, or applicable laws. We encourage you to review it regularly. Your feedback helps us improve data protection practices.

Policy Updates

  • Updates take effect on the date posted
  • "Last Updated" date reflects most recent changes
  • Major changes communicated via email (30 days notice)
  • Continued use of the platform constitutes acceptance of the updated policy

Data Protection Officer

dpo@codelura.com

For data protection & GDPR inquiries

Privacy Team

privacy@codelura.com

For privacy & data requests

Response Timeline

We respond to data protection inquiries within 48 hours. For formal data subject requests, we comply within 30 days (extendable to 90 days for complex requests) as required by GDPR.