Privacy Policy
Last updated: May 25, 2026
This Privacy Policy explains how Codeally d.o.o. (“FixFirstly”, “we” or “us”), a company registered in Croatia, collects, uses, and protects personal data. For account and waitlist information we act as the data controller. For the feedback, messages, and other content you submit to the service (“Customer Content”), we act as a processor on your behalf, and you are the controller. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Information we collect
Information you provide: your email address when you join the waitlist or create an account, account details, and the Customer Content you submit (manually, via CSV upload, or through Gmail sync). To run an investigation, you may also provide credentials for a Test Target and connect a source-code repository.
Information collected automatically: basic usage and device data, and error diagnostics, collected to operate and secure the service.
Information from third parties: data from services you connect (for example, Google/Gmail or GitHub) within the scope of the permissions you grant, and billing status from our payment processor. We do not receive your full payment-card details.
2. How we use your information
We use your email to communicate product updates and account notices. Customer Content is analyzed by AI to classify category, sentiment, and severity, then grouped into issue clusters and scored by priority. We use data to provide, secure, and improve the service, to operate the AI QA agent when you direct it to, and to comply with legal obligations. Our legal bases under the GDPR are performance of our contract with you, our legitimate interests in operating and improving the service, your consent (where required), and compliance with law.
3. How we share your information
We share data with sub-processors that help us run the service, each under appropriate data-processing terms: Supabase (database hosting and authentication), OpenRouter (AI analysis, classification, vision, and text embeddings), Browserbase (browser sessions used by the agent), Lemon Squeezy (payments as merchant of record), Plunk (transactional and product email), and Sentry (error monitoring). We also share data where required by law, and in connection with a merger, acquisition, or sale of the business. A current list of sub-processors is available on request.
4. Data security
We use encryption in transit (TLS) and at rest. Access tokens for connected services like Gmail, and Test Target credentials you provide, are encrypted with AES-256 before storage. We follow industry-standard security practices and apply row-level isolation between tenants.
5. Data retention
We retain personal data for as long as your account is active or as needed to provide the service, then delete or anonymize it within a reasonable period unless a longer period is required by law. Evidence captured during a reproduction (see below) is retained for 7 days.
6. Your rights and choices
Subject to applicable law, you may request access to, correction of, deletion of, or a portable copy of your personal data, and you may object to or restrict certain processing. You can request deletion of your account and all associated data at any time by contacting us, and we will process deletion requests within 30 days. You may also lodge a complaint with your local data-protection authority (in Croatia, the AZOP).
7. The AI QA agent
When you trigger a reproduction, our agent opens a browser session against the Test Target you configured and captures screenshots and error logs as evidence. Screenshots are hosted by our browser provider (Browserbase) and retained for 7 days; we do not copy them to our own storage. Test account credentials you provide are encrypted at rest, and you are responsible for ensuring you have the right to grant the agent access to the systems you connect.
8. International data transfers
Some of our sub-processors are located outside the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
9. Cookies and children
We use only the cookies necessary to operate the site and keep you signed in. The service is intended for business use and is not directed at children under 16, and we do not knowingly collect their personal data.
10. Changes to this policy
We may update this policy from time to time. We will post the updated version here and, for material changes, notify you by email.
11. Contact
Questions about this policy? Email us at hello@fixfirstly.com.