Effective date: 1 June 2026 | Last updated: 1 June 2026
1. Who We Are (Data Controller)
- Email:
2. What Personal Data We Collect
| Category | Examples | Source |
| Identity Data | full name, date of birth, national ID/passport | user-supplied (account or KYC) |
| Contact Data | email, telephone, billing & payout address | user-supplied |
| Account Credentials | hashed password, two-factor tokens | user-supplied |
| Financial & Transaction Data | card BIN, IBAN, on-chain wallet, invoices, VAT ID | payment service provider / user |
| Creator Content Data | assets uploaded, EXIF metadata, model releases | user-supplied |
| Usage & Technical Data | IP, device type, browser, pages viewed, clicks | automated via logs & cookies |
| Marketing Preferences | newsletter opt-in/opt-out, communication history | user-supplied |
| Compliance Data | PEP/sanctions screening results, risk scores | third-party KYC / AML vendors |
We do not intentionally collect data from children under 16. If we learn that a minor has provided personal data, we will delete it promptly.
3. Why We Process Your Data & Legal Bases
| Purpose | Legal Basis (GDPR) | Key Data |
| Account creation & contract performance | Art 6 (1)(b) Contract | Identity, Contact, Credentials |
| Processing Pay In / Pay Out | Art 6 (1)(b) Contract | Financial & Transaction |
| KYC / AML & sanctions screening | Art 6 (1)(c) Legal obligation | Identity, Compliance |
| Customer support & dispute resolution | Art 6 (1)(b)/(f) Contract / Legitimate interest | Identity, Contact, Transaction |
| Marketing communications | Art 6 (1)(a) Consent | Contact, Marketing Prefs |
| Site security & fraud prevention | Art 6 (1)(f) Legitimate interest | Usage, Technical, Compliance |
| Analytics & product improvement | Art 6 (1)(f) Legitimate interest | Usage & Technical |
Where legitimate interest is relied upon, we balance our interests with your fundamental rights and expect minimal privacy impact.
4. Cookies & Tracking Technologies
We use:
- Essential cookies – session management, secure login.
- Analytics cookies – page-view metrics (Matomo self-hosted).
- Marketing cookies – only with prior consent (e.g., Meta Pixel).
Detailed cookie lifetimes, purposes, and opt-out mechanisms are set out in our Cookie Policy shown in the consent banner.
5. Marketing & Opt-Out
- Newsletters are sent only if you tick “Subscribe”.
- You may withdraw consent at any time via the “Unsubscribe” link or your dashboard settings.
- We commit to no more than two promotional emails per month.
6. Disclosures & International Transfers
We share data only as necessary with:
- Payment processors (PCI-DSS–certified) for card and SEPA transactions.
- KYC/AML service providers for identity verification and sanctions checks.
- Cloud hosting & CDN providers (EU data centres by default).
- Analytics platform (EU-hosted instance).
- Law-enforcement or regulators when legally required.
Whenever processors are outside the EEA, we rely on:
- Adequacy decisions (e.g., UK), or
- Standard Contractual Clauses (SCCs) with supplementary security measures.
7. Data Retention
| Data Type | Retention Period | Rationale |
| Account & Transaction | 7 years after account closure | Estonian Accounting Act §12 |
| KYC & AML records | 5 years after last transaction | Estonian MLTFP Act §47 |
| Marketing consent records | Until withdrawal + 1 year | Proof of consent |
| Analytics logs | 26 months (aggregated thereafter) | Trend analysis |
| Archived backups | 35 days rolling | Disaster recovery |
8. Security Measures
- TLS 1.3 encryption in transit; AES-256 at rest.
- ISO 27001-aligned policies; quarterly penetration tests.
- Role-based access control (RBAC) and hardware MFA for admin panels.
- Continuous monitoring & automated anomaly detection.
9. Your Rights
Under GDPR you may, at no cost:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”) where Art 17 applies.
- Restrict processing in certain circumstances.
- Port data to another controller.
- Object to processing based on legitimate interest or direct marketing.
- Withdraw consent at any time (does not affect legality of prior processing).
How to exercise: email info@codexnova.com or use the web-form in your dashboard. We respond within 30 days (extendable by 60 days for complex requests).
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee, +372 627 4135.
10. Automated Decision-Making
We do not make solely automated decisions with legal or similarly significant effects.
Note: AML risk scoring is automated but reviewed by staff before any adverse action.
11. Changes to This Policy
We may update this Privacy Policy to reflect legal or operational changes.
- Notice period: 14 days via dashboard banner and email.
- The “Last updated” date at the top indicates the current version.
12. Contact
Email:
Business hours: Mon–Fri 09:00–18:00 EET/EEST