Privacy Policy
Last updated: February 19, 2026 (Version 2026-02-19)
1. Introduction
Qodiak ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered app and form builder platform.
By using Qodiak, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (used for login and communication)
- Full name (for account personalization)
- Password (hashed and never stored in plain text)
- Tenant organization name (for multi-tenancy)
2.2 OAuth Authentication Data
If you sign in with Google OAuth, we collect:
- Google account email address
- Profile name and picture (optional)
- OAuth tokens (encrypted and used only for authentication)
2.3 App and Form Data
When you create apps or forms, we store:
- App/form names, descriptions, and configurations
- Page layouts and component configurations
- Custom JavaScript scripts (stored in a sandboxed environment)
- Form submissions and user-generated content
- Uploaded files and assets
2.4 API Connection Credentials
When you connect external APIs or databases, we securely store:
- API endpoints and authentication credentials (encrypted at rest)
- Google Sheets access tokens (encrypted)
- Database connection strings for supported databases including PostgreSQL, SQL Server, and MySQL (encrypted)
- Third-party service credentials for Airtable, Notion, Firestore, and other integrations (encrypted)
- Custom authentication headers (encrypted)
2.5 Usage Data
We automatically collect:
- IP address and browser information
- Pages visited and features used
- Error logs and performance metrics
- Login timestamps and session durations
3. How We Use Your Information
We use collected information for:
- Service Delivery: To provide, maintain, and improve Qodiak's platform functionality
- Authentication: To verify your identity and secure your account
- API Integrations: To execute API calls on your behalf using encrypted credentials
- Script Execution: To run user-provided JavaScript in isolated sandboxes
- Communication: To send service-related emails (password resets, billing, updates)
- Analytics: To understand usage patterns and improve our service
- Security: To detect and prevent abuse, fraud, and unauthorized access
4. Data Security & Multi-Tenancy
4.1 Row-Level Security (RLS)
Qodiak uses Row-Level Security to isolate tenant data at the database level. Every database table includes a TenantId column with RLS policies that ensure:
- Users can only access data belonging to their own tenant
- Database-level isolation prevents cross-tenant data leaks
- Application-level filtering provides defense-in-depth security
4.2 Encryption
We protect your data with industry-standard encryption:
- At Rest: All API credentials and sensitive data are encrypted using the ASP.NET Core Data Protection API
- In Transit: All connections use TLS 1.2+ encryption (HTTPS)
- Passwords: Hashed using industry-standard algorithms with per-user salts (never stored in plain text)
- Authentication Tokens: Short-lived tokens with secure storage
4.3 Script Sandbox Security
User-provided JavaScript code runs in isolated sandboxes with strict limitations:
- Executed in separate processes using the Jint JavaScript engine
- Configurable timeout and memory limits
- No access to the .NET Base Class Library (BCL)
- Cannot access other tenants' data or file systems
5. Cookies & Tracking Technologies
We use cookies and similar technologies for:
- Authentication Cookies: Tokens used to maintain your logged-in session
- Preference Cookies: Remember your dark mode preference and language settings
- Analytics Cookies: Understand usage patterns (you can disable these in your browser settings)
You can disable cookies in your browser settings, but this may limit platform functionality.
6. Data Sharing & Third-Party Services
6.1 Third-Party Integrations
Qodiak integrates with third-party services you explicitly authorize:
- Google OAuth: For authentication (requires your consent)
- Google Sheets API: For data storage (only when you connect it)
- External REST APIs: For data retrieval (only APIs you configure)
When you connect these services, you grant Qodiak permission to access them on your behalf using encrypted credentials.
6.2 We Do NOT Share Your Data With:
- Advertisers or marketing companies
- Data brokers or analytics aggregators
- Social media platforms (except when you use OAuth)
- Other Qodiak tenants or users
6.3 Legal Disclosure
We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety.
7. GDPR Compliance & Your Rights
If you are in the European Economic Area (EEA), you have the following rights under GDPR:
7.1 Right to Access
You can request a copy of all personal data we hold about you. Contact us at privacy@qodiak.com.
7.2 Right to Rectification
You can update incorrect or incomplete information in your account settings.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and associated data. We will permanently delete all personal data within 30 days, except where retention is required by law.
7.4 Right to Data Portability
You can request a copy of your data in a portable format by contacting us at privacy@qodiak.com.
7.5 Right to Object & Withdraw Consent
You can opt out of marketing emails at any time via the unsubscribe link in each email, or by updating your preferences in account settings. You may also disable analytics cookies in your browser settings.
8. Data Retention
We retain your data as follows:
- Active Accounts: Data retained as long as your account is active
- Deleted Accounts: Personal data deleted within 30 days of account deletion
- Backups: May persist in encrypted backups for up to 90 days
- Legal Requirements: Some data may be retained longer to comply with legal obligations (e.g., tax records)
9. User Content Ownership
You retain full ownership of:
- Apps and forms you create
- Form submissions and data collected via your apps
- Custom JavaScript scripts and configurations
- Uploaded files and assets
Qodiak does not claim ownership of your content. You grant us a license to host, store, and execute your content solely to provide the Qodiak service.
10. Children's Privacy
Qodiak is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us immediately at privacy@qodiak.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our platform. Continued use of Qodiak after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Email: privacy@qodiak.com
- Support: support@qodiak.com
- Website: https://qodiak.com