Privacy Policy

This Privacy Policy ("Policy") is published by Bungarus Technologies ("Bungarus Technologies," "we," "us," or "our"), a technology company incorporated under the laws of India, and governs the collection, use, processing, storage, sharing, and protection of personal information in connection with Codend, its command-line interface ("Codend CLI"), its web dashboard ("Codend Web"), its backend API infrastructure, and all related services, features, tools, and applications (collectively, the "Service"). By accessing or using any part of the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must not access or use the Service. This Policy applies to: — All registered users of Codend, including free-tier users and paid subscribers under any plan (Starter, Architect, or Builder). — Visitors to our website at codend.tech and any associated subdomains. — Users of the Codend CLI application installed on their local machines. — Any person or entity that interacts with the Codend API or backend infrastructure on behalf of a registered account. This Policy does not apply to third-party websites, services, or applications that may be linked to or integrated with Codend. We encourage you to review the privacy policies of any third-party services you access through Codend. We are committed to processing your personal data in accordance with applicable data protection laws, including the Information Technology Act, 2000 (India) and associated rules, the Digital Personal Data Protection Act, 2023 (India), and, to the extent applicable, the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA).

The data controller responsible for your personal information collected through Codend is: Bungarus Technologies Email: bungarustechnologies@gmail.com Website: https://bungarus.com If you have any questions, concerns, or requests regarding your personal data, you may contact us directly at the email address listed above. We aim to respond to all privacy-related inquiries within 30 calendar days. For users located in the European Economic Area (EEA), we act as the data controller for personal data processed in connection with the Service. For users located in India, we act as a data fiduciary under the Digital Personal Data Protection Act, 2023.

We collect several categories of personal information in the course of providing the Service. The information we collect depends on how you interact with Codend. 3.1 Account and Registration Information When you create a Codend account, we collect the following information: — Full name: used to personalize your experience and identify your account. — Email address: used for authentication, account verification, service communications, and support. — Password: stored exclusively as a cryptographic hash by Firebase Authentication; never stored or transmitted in plaintext by Bungarus Technologies. — Account creation date and last login timestamp. — Plan tier (Free, Starter, Architect, or Builder) and subscription status. — Email verification status. 3.2 Usage and Technical Data When you use Codend CLI or the web dashboard, we automatically collect: — Number of requests made within each rate-limiting window (five-hour rolling window and seven-day rolling window). — Total tokens consumed per request, per session, and per billing period. — Energy Points (EP) consumed and remaining EP balance. — Models selected and used per request (e.g., Claude Sonnet, GPT-4o, Gemini Pro, etc.). — Command types executed via the CLI (e.g., codend init, codend plan, codend review-plan). — Session identifiers for CLI sessions synchronized to the web dashboard. — Web chat session metadata including session title, creation date, last updated date, and folder organization. — Audit log entries recording each API call, including timestamp, model used, token count, and success or failure status. 3.3 Device and Environment Information When you access the web dashboard, we may collect: — Browser type and version. — Operating system type and version. — IP address (used for security purposes and rate limiting; not retained in long-term logs). — Referring URL and pages visited within the Service. — Time zone and locale settings. When you use the Codend CLI, the CLI transmits: — The operating system platform of your development machine. — The CLI version installed. — The working directory path hash (not the full path) used for workspace scoping. 3.4 Payment Information We use Razorpay as our payment processing provider. When you purchase a paid subscription: — We collect your selected subscription plan and the transaction reference ID returned by Razorpay. — We do not collect, store, or process your credit card numbers, bank account details, UPI IDs, or any other full payment credentials. All payment data is handled directly and securely by Razorpay in accordance with PCI DSS compliance standards. — We store only the subscription status, plan tier, and Razorpay subscription/order identifiers necessary to manage your account and billing. 3.5 Communication Data When you contact us via email, submit a support request, or respond to any of our communications: — We collect the content of your message, your email address, and any attachments you voluntarily provide. — We retain communication records for the purpose of resolving your inquiry and improving support quality. 3.6 Chat Session and Prompt Data When you use the Codend web chat or CLI: — Chat messages (user prompts and AI-generated responses) are stored in Firestore under your authenticated user ID to enable session history retrieval and cross-device access. — Chat sessions are organized into projects and folders as defined by you. — We do not independently train AI models on the content of your prompts or responses. Your prompts are transmitted to third-party AI providers solely for the purpose of generating responses. — The metadata of each message (timestamp, model used, role) is stored alongside message content. 3.7 Verification Code Data When you register a new account or request email verification: — A cryptographically random 6-digit code is generated and transmitted to your email address. — The code is stored in Firestore as a SHA-256 hash with a 10-minute expiry. — The plaintext code is never stored on our servers. — After verification, the code record is invalidated and marked consumed.

We use the personal information we collect for the following purposes: 4.1 Providing and Maintaining the Service — To authenticate your identity and manage your account. — To process requests sent through the CLI or web dashboard and route them to the appropriate AI model provider. — To enforce rate limits and Energy Point quotas associated with your subscription plan. — To synchronize CLI sessions with the web dashboard in real time. — To store and retrieve your chat session history and project organization. 4.2 Subscription and Billing Management — To process payments through Razorpay and activate or modify your subscription plan. — To send payment confirmation and receipt emails. — To notify you of upcoming renewals, failed payments, or subscription changes. — To enforce plan-based access controls (e.g., model access, sandbox features, team seats). 4.3 Service Improvement and Development — To analyze aggregated and anonymized usage patterns to improve performance, reliability, and feature development. — To identify and fix bugs, errors, or performance bottlenecks in the CLI or web dashboard. — To develop new features based on aggregate user behavior. 4.4 Security and Fraud Prevention — To detect and prevent unauthorized access to your account or abuse of the Service. — To monitor for unusual request patterns that may indicate automated abuse, credential stuffing, or API exploitation. — To enforce our Acceptable Use Policy and these Terms of Service. 4.5 Communications — To send transactional emails including email verification codes, password-related notifications, and subscription receipts. — To notify you of significant changes to the Service, this Policy, or our Terms of Service. — To respond to your support inquiries. 4.6 Legal Compliance — To comply with applicable laws, regulations, judicial orders, or governmental requests. — To establish, exercise, or defend legal claims involving Bungarus Technologies.

For users located in the European Economic Area (EEA), we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR): 5.1 Contract Performance (Article 6(1)(b)) Processing your account registration information, usage data, and billing information is necessary to perform our contract with you — specifically, to provide the Codend service you have subscribed to. 5.2 Legitimate Interests (Article 6(1)(f)) We process certain data on the basis of our legitimate interests, including: — Security monitoring and fraud prevention. — Aggregate analytics to improve the Service. — Maintaining audit logs for service integrity. We have conducted a legitimate interests assessment and concluded that our interests are not overridden by your rights and freedoms. 5.3 Legal Obligation (Article 6(1)(c)) We may process your data to comply with legal obligations applicable to us as a data controller. 5.4 Consent (Article 6(1)(a)) Where we rely on consent — for example, for optional marketing communications — you may withdraw consent at any time by contacting us at bungarustechnologies@gmail.com.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to provide the Service, and to comply with our legal obligations. 6.1 Account Data Your account information (name, email, plan tier) is retained for the duration of your account. If you delete your account, we will permanently delete your account data within 30 days, except where retention is required for legal or regulatory purposes. 6.2 Usage and Rate Limit Data Rolling rate-limit data stored in the rate_limits Firestore collection (five-hour and seven-day window records) is automatically overwritten at the start of each new usage period and retained only for the duration necessary to enforce your plan limits. Aggregate usage statistics may be retained in anonymized form for up to 12 months. 6.3 Chat Session Data Chat sessions and messages stored in the web dashboard are retained for the duration of your account. Free-tier users have session history retained for 7 days; Starter users for 30 days; Architect users for 90 days; Builder users indefinitely. Sessions can be manually deleted at any time from the web dashboard. 6.4 Audit Logs Audit log entries (command history, token consumption records) are retained for 30 days for Free users, 90 days for Starter users, 180 days for Architect users, and 1 year for Builder users. 6.5 Payment Records Transaction records and subscription status information are retained for 7 years for accounting, tax, and legal compliance purposes, even after account deletion. 6.6 Support Communications Support email records are retained for 2 years from the date of resolution. 6.7 Security Logs IP address and access logs used for security monitoring are retained for a maximum of 90 days.

We do not sell your personal data to third parties. We share your data only in the following circumstances and only to the extent necessary: 7.1 AI Model Providers Your prompts are transmitted to third-party AI model providers to generate responses. These providers include but are not limited to: Anthropic (Claude models), OpenAI (GPT models), Google (Gemini models), Mistral AI, DeepSeek, and others supported by the Codend platform. Each provider processes your prompts subject to their own terms of service and privacy policies. We strongly recommend reviewing the applicable provider policies. We transmit only the content necessary to generate a response and do not append your personal account details to these transmissions. 7.2 Firebase (Google Cloud) We use Google Firebase for authentication (Firebase Auth), database storage (Firestore), and cloud functions (Firebase Functions). Your account data, session data, and usage records are stored on Google Cloud infrastructure in accordance with Google's data processing terms and privacy standards. Google acts as a data processor on our behalf. 7.3 Razorpay Payment processing is handled exclusively by Razorpay Technologies Pvt. Ltd. When you initiate a subscription, you are redirected to Razorpay's secure checkout environment. Razorpay processes your payment data under its own privacy policy and PCI DSS compliance framework. We receive only a transaction reference ID and subscription status confirmation from Razorpay. 7.4 Email Delivery (Nodemailer / Gmail) Verification emails and transactional notifications are sent via Google's Gmail SMTP infrastructure using application-specific credentials. Email content is limited to the minimum necessary (verification code, account notifications) and is not shared with any marketing or analytics platforms. 7.5 Legal and Law Enforcement We may disclose your personal data to law enforcement agencies, courts, regulators, or other governmental authorities if required to do so by applicable law, judicial order, or regulatory requirement, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Bungarus Technologies, its users, or the public. 7.6 Business Transfers In the event of a merger, acquisition, restructuring, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will provide notice of any such transfer and the applicable privacy terms of the successor entity. 7.7 With Your Consent We may share your data with additional parties with your explicit consent, which you may withdraw at any time.

Bungarus Technologies is incorporated in India. The Service is delivered through cloud infrastructure primarily hosted by Google Cloud, which operates data centers globally. Your personal data may be processed in data centers located outside your country of residence, including in the United States and the European Union. For users in the EEA or United Kingdom, we rely on the following mechanisms to ensure that cross-border data transfers comply with applicable law: — Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable to our data processor agreements. — Google Cloud's compliance with EU data protection requirements under its data processing addenda. — Razorpay's cross-border data transfer mechanisms for payment processing. By using Codend from outside India, you acknowledge and consent to the transfer, storage, and processing of your personal data in jurisdictions that may have different data protection standards than your own. We take all reasonable steps to ensure your data is protected regardless of where it is processed.

We implement a comprehensive set of technical and organizational security measures to protect your personal data from unauthorized access, loss, misuse, disclosure, alteration, or destruction. 9.1 Authentication Security — Passwords are never stored in plaintext. All authentication is managed by Firebase Authentication, which uses industry-standard cryptographic hashing. — All accounts are required to verify their email address via a time-limited, single-use 6-digit code hashed with SHA-256 before being granted full service access. — Session tokens are managed by Firebase and are cryptographically signed. 9.2 Data Transmission Security — All data transmitted between your browser or CLI and our servers is encrypted using TLS 1.2 or higher. — API endpoints are only accessible over HTTPS. — CLI-to-backend communication is authenticated using Firebase ID tokens issued on a per-session basis. 9.3 Access Controls — Firestore security rules enforce that users can only read and write data associated with their own user ID. — Backend Cloud Functions validate the authenticated user's identity on every request before processing. — Administrative access to production infrastructure is restricted to authorized Bungarus Technologies personnel only. 9.4 Rate Limiting and Abuse Prevention — All API endpoints enforce rolling-window rate limits to prevent abuse and denial-of-service attacks. — Verification code endpoints enforce maximum attempt limits (5 attempts per code) with automatic invalidation on failure. 9.5 Limitations Despite our efforts, no security system is impenetrable. We cannot guarantee absolute security of your personal data. In the event of a security breach that affects your personal data, we will notify you in accordance with applicable law and this Policy.

10.1 Types of Cookies We Use Codend uses only essential cookies necessary for the operation of the Service: — Authentication cookies: Session tokens set by Firebase Authentication to maintain your logged-in state across page navigations and browser restarts. — Security cookies: Tokens used to prevent cross-site request forgery (CSRF). 10.2 What We Do Not Use — We do not use advertising cookies or participate in cross-site advertising networks. — We do not use third-party analytics trackers (such as Google Analytics, Mixpanel, or Amplitude) that track your behavior across external websites. — We do not use session replay tools or heatmap services. — We do not use fingerprinting technologies for identifying users outside of their authenticated session. 10.3 Managing Cookies You can configure your browser to refuse or delete cookies. However, if you disable essential cookies, you will not be able to log in to Codend or maintain an authenticated session. We do not display cookie consent banners because we only use strictly necessary cookies, which are exempt from consent requirements under applicable law. 10.4 Local Storage The Codend web dashboard may use browser local storage to persist non-sensitive UI preferences (such as selected tab, sidebar state, or theme). This data is stored locally on your device and is not transmitted to our servers.

Depending on your location, you may have certain rights with respect to your personal data. We are committed to honoring these rights in accordance with applicable law. 11.1 Right of Access You have the right to request a copy of the personal data we hold about you, including information on how we use it, who we share it with, and how long we retain it. 11.2 Right to Rectification If any personal data we hold about you is inaccurate or incomplete, you have the right to request correction. You may update your name and certain account information directly from the Codend dashboard. For changes not available through the dashboard, contact us at bungarustechnologies@gmail.com. 11.3 Right to Erasure ("Right to be Forgotten") You have the right to request that we delete your personal data. You may exercise this right by deleting your account from Settings → Account → Delete Account in the web dashboard. Upon deletion, we permanently remove your Firestore profile, usage records, chat sessions, and Firebase Authentication account within 30 days. Certain data (payment records) may be retained for legal compliance as described in Section 6. 11.4 Right to Restriction of Processing You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while we are investigating a dispute about the accuracy of your data. 11.5 Right to Data Portability You have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format. To request a data export, contact us at bungarustechnologies@gmail.com. 11.6 Right to Object You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. 11.7 Right to Withdraw Consent Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal. 11.8 Rights Under the Digital Personal Data Protection Act, 2023 (India) As an Indian data fiduciary, we recognize your rights under the DPDP Act, 2023, including the right to access information, the right to correction and erasure, the right to grievance redressal, and the right to nominate a representative to exercise these rights on your behalf in the event of incapacitation or death. 11.9 How to Exercise Your Rights To exercise any of the above rights, please contact us at bungarustechnologies@gmail.com with the subject line "Privacy Rights Request." We may request verification of your identity before processing your request. We will respond within 30 calendar days.

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). 12.1 Right to Know You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared. 12.2 Right to Delete You have the right to request deletion of personal information we have collected from you, subject to certain exceptions. 12.3 Right to Correct You have the right to request that we correct inaccurate personal information we maintain about you. 12.4 Right to Opt-Out of Sale or Sharing We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Therefore, this right is not applicable to our Service. 12.5 Right to Non-Discrimination We will not discriminate against you for exercising any of your CCPA rights. We will not deny goods or services, charge different prices, or provide a different quality of service based solely on your exercise of privacy rights. 12.6 Categories of Personal Information Collected In the past 12 months, we have collected the following categories of personal information as defined by the CCPA: Identifiers (name, email), Internet or other electronic network activity information (usage data, chat sessions, audit logs), and commercial information (subscription plan, transaction records). To submit a CCPA request, contact us at bungarustechnologies@gmail.com with the subject line "CCPA Request."

The Codend Service is not directed at children under the age of 13 (or under the age of 16 in certain jurisdictions). We do not knowingly collect personal information from children below the applicable minimum age. If you are a parent or guardian and believe that your child has provided personal information to us without your consent, please contact us immediately at bungarustechnologies@gmail.com. We will take prompt steps to delete such information from our systems. If we discover that we have inadvertently collected personal data from a child below the applicable minimum age, we will delete that information as quickly as practicable. Access to Codend requires a valid email address and verification, which provides a reasonable safeguard against underage registration.

14.1 Prompt Transmission When you send a message through Codend CLI or the web dashboard, your prompt text is transmitted to the AI model provider you have selected (or the default model configured for your session). This transmission includes the message content and any conversation history context included in the request. 14.2 Provider Policies Each AI model provider processes your data under its own terms of service and data usage policies. The following providers are currently integrated with Codend: — Anthropic (Claude Haiku, Sonnet, Opus): governed by Anthropic's privacy policy. — OpenAI (GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo): governed by OpenAI's privacy policy. — Google (Gemini Pro, Gemini Flash, Gemini Ultra): governed by Google's privacy policy. — Mistral AI (Mistral 7B, Mixtral): governed by Mistral AI's privacy policy. — DeepSeek: governed by DeepSeek's privacy policy. We strongly recommend reviewing the privacy policy of each provider whose models you use. 14.3 Data Not Transmitted We do not transmit your full name, email address, payment details, or account metadata to AI model providers as part of prompt requests. Prompts are sent with a system-level context that may include workspace metadata (e.g., file structure summaries from codend init) but does not include personally identifiable account information. 14.4 No Training on User Data We do not use your prompt content or AI responses to train Codend-specific models. AI providers may have their own policies regarding use of API traffic for model improvement; please consult their individual privacy policies.

The Codend CLI is a locally installed application that runs on your development machine. The following data practices apply specifically to CLI usage: 15.1 Local Storage The CLI stores session identifiers and minimal configuration data in your local user configuration directory (typically ~/.config/codend/ on Unix-like systems or %APPDATA%/codend/ on Windows). This local data is not transmitted to our servers except as necessary to synchronize your session with the web dashboard. 15.2 Session Files The CLI stores the last 20 session files locally at ~/.config/codend/sessions/. Each session file contains your conversation history for that session. These files remain on your machine and are only uploaded to Firestore when web sync is enabled or when you use the --web flag. 15.3 Workspace Mapping When you run codend init, the CLI scans your project directory and generates a workspace map stored in .codend/workspace.json. This file contains a list of file paths and metadata about your codebase. This file remains local to your machine. A summary of this workspace context may be included in API requests to help the AI model understand your project structure, but the full workspace.json is not uploaded to our servers. 15.4 Environment Variables and Secrets The CLI reads configuration from environment variables (such as authentication tokens). We strongly recommend not including secrets, API keys, or credentials in your prompts. We implement secret scanning detection on prompt content where feasible, and our Acceptable Use Policy prohibits the intentional transmission of secrets through the Service.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: 16.1 Notify Regulatory Authorities Where required by applicable law (including GDPR Article 33 and the DPDP Act, 2023), we will notify the relevant data protection authority within 72 hours of becoming aware of the breach, to the extent feasible. 16.2 Notify Affected Users Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, describing the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address the breach. 16.3 Notification Channel We will notify you via the email address associated with your Codend account and may additionally display a notice in the web dashboard. 16.4 Documentation We will document all data breaches, including those that do not require notification, in an internal breach register in accordance with our legal obligations.

The Codend Service may contain links to third-party websites, documentation, tools, or integrations. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service before providing them with personal information. Codend integrates with GitHub (for future CI/CD and repository features), GitLab, and other developer platforms. When you connect third-party integrations, you authorize Codend to access data from those platforms as described in the integration setup flow. You may revoke these authorizations at any time through the respective platform's settings or through the Codend dashboard.

We do not use automated decision-making processes, including profiling, that produce legal effects or similarly significant effects on you as an individual. Rate limiting decisions (e.g., blocking a request because your Energy Point quota is exceeded) are automated processes based on your usage data and plan tier, but these are contractual enforcement mechanisms rather than decisions that produce legal or similarly significant effects. AI-generated responses produced by third-party model providers are generated by automated systems. Codend does not verify or guarantee the accuracy of AI-generated content. You are solely responsible for reviewing, validating, and deciding whether to use any AI-generated output.

In accordance with the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer for addressing privacy-related complaints: Grievance Officer: Bungarus Technologies Contact Email: bungarustechnologies@gmail.com Subject Line: "Privacy Grievance" If you believe your privacy rights have been violated, please submit a detailed grievance to the above contact. We will acknowledge receipt within 48 hours and endeavor to resolve the grievance within 30 days. If you are not satisfied with our resolution, you may escalate the complaint to the appropriate data protection authority under applicable Indian law.

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the features of the Service. When we make changes, we will: — Update the "Last Updated" date at the top of this page. — Send an email notification to your registered email address for material changes. — Display a prominent notice in the web dashboard for 30 days following any material change. Your continued use of the Service following notification of changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you must discontinue your use of the Service and may request deletion of your account. We encourage you to review this Policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: Bungarus Technologies Email: bungarustechnologies@gmail.com Website: https://bungarus.com Response Time: We aim to respond to all privacy inquiries within 5 business days and to all formal data subject requests within 30 calendar days. For urgent security concerns (e.g., suspected unauthorized access to your account), please email us with the subject line "URGENT: Security Concern" and we will prioritize your inquiry.