Privacy Policy

Last updated: June 2, 2026

This Privacy Policy explains how Codeally d.o.o.(“FixFirstly”, “we” or “us”), a company registered in Croatia, collects, uses, and protects personal data. For account and waitlist information we act as the data controller. For the feedback, messages, and other content you submit to the service (“Customer Content”), we act as a processor on your behalf, and you are the controller. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).

1. Information we collect

Information you provide: your email address when you join the waitlist or create an account, account details, and the Customer Content you submit (manually, via CSV upload, or through Gmail sync). To run an investigation, you may also provide credentials for a Test Target and connect a source-code repository.

Information collected automatically: basic usage and device data, and error diagnostics, collected to operate and secure the service. If you consent to analytics cookies on our website, we also collect aggregate usage statistics through Google Analytics (see Section 9).

Information from third parties: data from services you connect (for example, Google/Gmail or GitHub) within the scope of the permissions you grant, and billing status from our payment processor. We do not receive your full payment-card details.

2. How we use your information

We use your email to communicate product updates and account notices. Customer Content is analyzed by AI to classify category, sentiment, and severity, then grouped into issue clusters and scored by priority. We use data to provide, secure, and improve the service, to operate the AI QA agent when you direct it to, and to comply with legal obligations. Our legal bases under the GDPR are performance of our contract with you, our legitimate interests in operating and improving the service, your consent (where required), and compliance with law.

3. How we share your information

We share data with sub-processors that help us run the service, each under appropriate data-processing terms: Supabase (database hosting and authentication), OpenRouter (AI analysis, classification, vision, and text embeddings), Lemon Squeezy (payments as merchant of record), Plunk (transactional and product email), Sentry (error monitoring), and Google (Google Analytics for website usage statistics, only where you consent to analytics cookies). We also share data where required by law, and in connection with a merger, acquisition, or sale of the business. A current list of sub-processors is available on request.

4. Data security

We use encryption in transit (TLS) and at rest. Access tokens for connected services like Gmail, and Test Target credentials you provide, are encrypted with AES-256 before storage. We follow industry-standard security practices and apply row-level isolation between tenants.

5. Data retention

We retain personal data for as long as your account is active or as needed to provide the service, then delete or anonymize it within a reasonable period unless a longer period is required by law. Evidence captured during a reproduction (see below) is stored with the investigation record and kept for the life of your account, subject to the deletion rights below.

6. Your rights and choices

Subject to applicable law, you may request access to, correction of, deletion of, or a portable copy of your personal data, and you may object to or restrict certain processing. You can request deletion of your account and all associated data at any time by contacting us, and we will process deletion requests within 30 days. You may also lodge a complaint with your local data-protection authority (in Croatia, the AZOP).

7. The AI QA agent

When you trigger a reproduction, our agent runs a web browser on our own infrastructure against the Test Target you configured and captures screenshots and error logs as evidence. That evidence is stored on our infrastructure as part of the investigation record and is retained as described above. Test account credentials you provide are encrypted at rest, and you are responsible for ensuring you have the right to grant the agent access to the systems you connect.

8. International data transfers

Some of our sub-processors are located outside the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

9. Cookies and analytics

We use cookies that are strictly necessary to operate the site and keep you signed in. These do not require consent.

On our public website we also use Google Analytics (provided by Google) to understand how the site is used. Google Analytics sets non-essential analytics cookies (such as _ga and _gid) and is loaded only after you give consent through our cookie banner. By default it is disabled (using Google Consent Mode), so no analytics cookies are set and no data is sent to Google unless you opt in. You can decline, and you can change your choice at any time by clearing your browser's site data. Google may process this data in the United States; where that involves an international transfer, the safeguards described in Section 8 apply.

10. Children

The service is intended for business use and is not directed at children under 16, and we do not knowingly collect their personal data.

11. Changes to this policy

We may update this policy from time to time. We will post the updated version here and, for material changes, notify you by email.

12. Contact

Questions about this policy? Email us at hello@fixfirstly.com.