Privacy policy
Last updated on April 19, 2026
This Privacy Policy describes how CodeWisp, Inc. ("CodeWisp", "we", "us", or "our") collects, uses, and shares information when you use codewisp.ai, codewisp.net, and related services (collectively, the "Services"). We are based at 1395 22nd St. Ave, San Francisco, CA 94107, USA.
We've written this policy to be direct. If anything here is unclear, email legal@codewisp.ai and we'll help.
1. Information we collect
Information you give us
- Account information: email address, username, password (hashed), and date of birth (used to enforce the minimum-age requirement and for child-safety compliance).
- Profile information: display name, biography, profile picture, and any content you choose to add to your public profile.
- Content you create: projects, game code, textures, sounds, thumbnails, comments, forum posts, and any other material you upload or generate using the Services, including the full text of prompts and conversations you have with our AI features.
- Payment information: if you purchase a subscription, our payment processor (Stripe) collects payment details directly. We never see or store your full card number. We retain your Stripe customer ID, subscription status, and billing period end date.
- Communications: feedback, support requests, and emails you send us.
- Terms and Privacy Policy acceptance: the specific version of each document you accepted and the timestamp of that acceptance.
Information we collect automatically
- Device and log data: IP address, browser type, operating system, referring URL, pages viewed, time spent on pages, and timestamps. We store IP addresses briefly in an in-memory rate limiter to prevent abuse.
- Usage events: which features you use, AI prompts you submit (prompt identifier, model, token counts, credit cost), projects you create or fork, and playtime.
- Cookies and similar technologies: we use strictly-necessary cookies for authentication (Supabase session) and CSRF protection, and analytics cookies set by PostHog when you haven't opted out. See Your Privacy Choices to disable analytics.
Information from third parties
If you sign in using Google, we receive your email address, name, and profile photo (where available) per the scopes you approve. We do not receive your Google password.
2. How we use information
- Provide, operate, and maintain the Services.
- Run our AI features — your prompts and the relevant project context are sent to our AI service providers (see Subprocessors below) to generate responses.
- Process payments, manage subscriptions, and send billing communications.
- Communicate with you about account activity, product changes, security notices, and, where you have opted in, marketing.
- Detect, prevent, and investigate fraud, abuse, and violations of our Terms of Service.
- Comply with legal obligations and enforce our rights.
- Analyze product performance and improve the Services (aggregated or de-identified where possible).
- Train, evaluate, and improve our AI features and models using the content you create on the Services, including projects, prompts, and AI conversations.
Third-party AI providers we use (OpenAI, Anthropic, and Google) do not train their foundation models on content submitted through their APIs under the terms we have with them. We do not sell your personal information for money. Some of our analytics involve sharing personal information with service providers in ways that may be treated as "sharing" for cross-context behavioral advertising under California law — you can opt out at any time via Your Privacy Choices.
3. Legal bases (EEA / UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following bases for processing: (i) performance of our contract with you, (ii) our legitimate interests (e.g., securing the Services, preventing fraud, improving the product), (iii) compliance with legal obligations, and (iv) your consent (e.g., for optional analytics cookies and marketing emails), which you can withdraw at any time.
4. Subprocessors and service providers
We share information with the following service providers so we can run the Services. Each is contractually bound to protect your information.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, storage | All account, profile, and project data |
| Stripe | Payment processing | Name, email, billing address, payment method (handled by Stripe directly), subscription status |
| OpenAI | AI model provider | AI prompts and relevant project context |
| Anthropic | AI model provider | AI prompts and relevant project context |
| Google (Generative AI) | AI model provider | AI prompts and relevant project context |
| Resend | Transactional email (verification, password reset) | Email address, verification / reset token |
| PostHog | Product analytics | User ID, session ID, pseudonymous event data (if you haven't opted out) |
| Google (OAuth) | Social sign-in | Email, name, profile photo (optional) |
We will update this list when we add or remove a material provider.
5. Data retention
We keep different types of information for different lengths of time, based on why we need it.
| Category | Retention |
|---|---|
| Account and profile information | Until you delete your account, then up to 30 days for backup purge. |
| Projects, code, chat messages | Until you delete the project or your account. |
| AI chat messages | Stored with the project they belong to. Deleted when you delete the project or your account, subject to the 30-day backup window. |
| Product analytics events (PostHog + internal) | Up to 12 months, then auto-deleted. |
| Rate-limit records (IP address) | In-memory only, purged within 24 hours. |
| Password reset tokens | 15 minutes. |
| Email verification tokens | 24 hours. |
| Billing records | 7 years (US tax law). |
| Legal / compliance records | As long as required by applicable law. |
6. Your rights
Depending on where you live, you have some or all of the following rights:
- Know / access: request a copy of the personal information we hold about you.
- Correct: ask us to fix inaccurate information.
- Delete: ask us to delete your information, subject to exceptions (e.g., fraud prevention, legal retention).
- Port: receive your information in a structured, commonly used, machine-readable format.
- Object / restrict: object to certain processing, including direct marketing.
- Withdraw consent where we relied on it.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email legal@codewisp.ai from the address associated with your account, or write to the address at the top of this policy. We respond within 30 days and do not discriminate against you for exercising these rights.
7. California residents (CCPA / CPRA)
If you live in California, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you specific rights, all of which are included above: the right to know, delete, correct, and port your information; the right to opt out of the "sale" or "sharing" of personal information; the right to limit use of sensitive personal information; and the right not to be discriminated against for exercising your rights.
We do not sell personal information for money. We may "share" personal information for cross-context behavioral advertising through product analytics cookies. You can opt out at any time at Your Privacy Choices ("Do Not Sell or Share My Personal Information"). We also honor the Global Privacy Control browser signal automatically.
Categories of personal information handled (past 12 months)
- Identifiers: collected, disclosed to service providers, shared for analytics.
- Customer records (name, email): collected, disclosed to service providers.
- Commercial information (purchases): collected, disclosed to Stripe.
- Internet/network activity: collected, disclosed to service providers, shared for analytics.
- Inferences: used internally, not shared.
- Age / date of birth (sensitive): collected, used only for age verification and compliance, not sold or shared.
Authorized agents
You may designate an authorized agent to submit requests on your behalf. We will require written proof of the authorization and may ask you to verify your identity directly.
California minors ("Eraser Law")
If you are a California resident under 18 who has posted content to the Services, you can request removal by emailing legal@codewisp.ai. We will remove the content as required by California Business and Professions Code §§ 22580–22582.
8. Children
CodeWisp is not directed to children under 13. We require a date of birth at signup and block accounts for users under that age. If you believe a child under 13 has created an account, please email legal@codewisp.ai and we will delete it and associated data promptly.
For users in the EEA / UK aged 13–15 where local law sets a higher digital-consent age (up to 16), processing is based on parental consent that you represent you have obtained by agreeing to these terms. If you cannot provide that consent, do not use the Services.
9. International data transfers
Our servers and service providers are located in the United States. If you access CodeWisp from outside the United States, your information will be transferred to, stored, and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum) as the transfer mechanism.
10. Security
We use industry-standard administrative, technical, and physical safeguards: TLS in transit, encryption at rest through our database provider, scoped access for employees, and server-side rate limiting. No system is perfectly secure — if we learn of a breach affecting your personal information, we will notify you as required by applicable law.
11. Cookies and tracking
We use the following categories:
- Strictly necessary: authentication, session, CSRF protection. Required for the Services to function.
- Analytics (PostHog): helps us understand how people use the product. You can disable via Your Privacy Choices or by sending a Global Privacy Control signal from your browser.
We do not currently run third-party advertising cookies or pixel trackers.
12. Deleting your account
You can request deletion of your account at any time by emailing legal@codewisp.ai from the address on the account. We will delete your profile, projects, and chat history within 30 days, except where retention is required by law (e.g., billing records).
13. Changes to this policy
We will update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and require signed-in users to re-accept on next visit. Continued use after re-acceptance constitutes agreement to the updated policy.
14. Contact
CodeWisp, Inc.
1395 22nd St. Ave, San Francisco, CA 94107, USA
Email: legal@codewisp.ai