Privacy Policy

Last updated: December 2024

1. Introduction

Codalyx ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our proxy infrastructure services.

Privacy is fundamental to our service architecture. We operate on a zero-knowledge model where your data never touches our servers in an unencrypted state. This policy outlines our comprehensive privacy practices, your rights regarding your personal information, and how we maintain the highest standards of data protection in compliance with GDPR, CCPA, and other applicable privacy regulations.

By using Codalyx services, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this Privacy Policy. We reserve the right to modify this policy at any time, and such modifications will be effective immediately upon posting.

2. Information We Collect

We collect only the minimum information necessary to provide and maintain our services. Our data collection practices are designed to respect your privacy while ensuring service quality and security.

2.1 Information You Provide

When you are invited and approved for Codalyx services, we collect:

  • Account Information: Full name, business email address, company name, job title, and organizational details required for account verification and management
  • Billing Information: Payment method details, billing address, tax identification numbers, and financial information necessary for processing payments and maintaining financial records
  • Verification Documents: Business registration documents, proof of identity, and other verification materials required for account approval
  • Communication Records: All correspondence including support requests, emails, secure messaging, and communication logs with your dedicated account manager

2.2 Automatically Collected Information

We automatically collect certain technical information to ensure service quality:

  • Usage Metrics: Aggregate bandwidth usage, request volumes, connection counts, and performance metrics for billing and optimization purposes
  • Technical Data: IP addresses used for authentication (not destination IPs), connection timestamps, device information, and browser types
  • Service Analytics: Error logs, performance diagnostics, and system health metrics that do not contain personal or traffic content
  • Security Information: Login attempts, authentication events, and security-related logs for fraud prevention and account protection

2.3 Information We Do NOT Collect

Due to our zero-knowledge architecture, we explicitly do not collect:

  • Destination URLs or IP addresses you access through our proxies
  • Content of your requests or responses
  • Browsing history or session data
  • Data transmitted through our proxy infrastructure
  • Any information that could identify your specific online activities

3. Zero-Knowledge Architecture

Our proxy infrastructure operates on a zero-knowledge architecture, meaning we have no access to your actual traffic data. This is not a policy choice—it's a fundamental technical design of our infrastructure.

How Zero-Knowledge Works: All traffic passing through Codalyx proxies is encrypted end-to-end using AES-256 encryption with perfect forward secrecy. Our infrastructure routes encrypted packets without decrypting or inspecting the contents. We cannot see, log, or access:

  • Destination URLs or IP addresses you access through our proxies
  • Data transmitted through our proxy infrastructure
  • Content of your HTTP/HTTPS requests or responses
  • Browsing history, search queries, or session data
  • Any application-layer data or payloads
  • Cookies, authentication tokens, or session identifiers

Technical Implementation: Our zero-knowledge architecture is enforced at the network level. Even if we wanted to access your traffic (which we don't), our infrastructure design makes it technically impossible. Encryption keys are generated client-side and never transmitted to our servers. This ensures that even in the event of a security breach, your traffic data remains protected.

What We Can See: We can only see aggregate, anonymized metrics such as total bandwidth usage, connection counts, and performance statistics. These metrics are used solely for billing, capacity planning, and service optimization. They contain no personally identifiable information or traffic content.

4. How We Use Your Information

We use the information we collect solely for legitimate business purposes related to providing and improving our services. We never sell your personal information or use it for marketing purposes without your explicit consent.

4.1 Service Provision

  • Create and manage your Codalyx account and service access
  • Authenticate your identity and authorize access to our infrastructure
  • Configure and maintain your dedicated proxy network
  • Provide technical support and account management services
  • Deliver service updates, security patches, and infrastructure improvements

4.2 Financial Operations

  • Process payments for hardware purchases and annual membership fees
  • Generate invoices and maintain financial records
  • Handle buyback transactions and refunds
  • Comply with tax reporting and financial regulations
  • Prevent fraud and verify payment authenticity

4.3 Communication

  • Respond to your support requests and technical inquiries
  • Provide service notifications, security alerts, and important updates
  • Facilitate communication with your dedicated account manager
  • Send service-related communications (not marketing materials)

4.4 Service Improvement

  • Analyze aggregate usage patterns to optimize infrastructure performance
  • Identify and resolve technical issues and service disruptions
  • Develop new features and capabilities based on aggregate needs
  • Conduct security audits and penetration testing

4.5 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to valid legal requests from law enforcement or regulatory authorities
  • Enforce our Terms of Service and protect our rights
  • Prevent illegal activities and security threats

5. Data Security

We implement comprehensive, multi-layered security measures to protect your information. Our security practices exceed industry standards and are continuously updated to address emerging threats.

5.1 Encryption

  • End-to-End Encryption: All data in transit is encrypted using AES-256 encryption, the same standard used by military and financial institutions
  • Perfect Forward Secrecy: Each session uses unique encryption keys that are never reused, ensuring that past sessions cannot be decrypted even if future keys are compromised
  • Data at Rest: All stored account and billing information is encrypted using AES-256 encryption with keys managed through a hardware security module (HSM)
  • Key Management: Encryption keys are generated client-side and never transmitted to our servers in plaintext

5.2 Infrastructure Security

  • Secure Data Centers: All infrastructure is hosted in tier-1 data centers with physical security controls including biometric access, 24/7 security personnel, and video surveillance
  • Network Security: Multi-layer firewall protection, intrusion detection systems, and DDoS mitigation up to 10 Tbps
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for all administrative access, and the principle of least privilege
  • Network Segmentation: Isolated network segments prevent lateral movement in the event of a security incident

5.3 Security Practices

  • Regular Audits: Annual third-party security audits and penetration testing by certified security firms
  • Vulnerability Management: Continuous vulnerability scanning, patch management, and security updates
  • Security Monitoring: 24/7 security operations center (SOC) monitoring for threats and anomalies
  • Incident Response: Comprehensive incident response plan with defined procedures for security breaches
  • Employee Training: Regular security awareness training for all personnel with access to customer data

5.4 Compliance Certifications

  • ISO 27001: Certified information security management system
  • SOC 2 Type II: Annual audits confirming security, availability, and confidentiality controls
  • PCI DSS Level 1: Certified for secure payment processing
  • Regular Compliance Audits: Ongoing compliance verification with GDPR, CCPA, and other applicable regulations

5.5 Data Breach Procedures

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach, as required by GDPR
  • Provide detailed information about what data was affected and what steps we're taking
  • Work with law enforcement and security experts to investigate and remediate
  • Implement additional security measures to prevent future incidents
  • Offer credit monitoring or other protective services if appropriate

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

6.1 Retention Periods

  • Active Accounts: We retain account information, billing records, and communication logs for the duration of your active service membership
  • Terminated Accounts: After account termination, we retain account and billing information for 7 years to comply with tax, accounting, and legal requirements
  • Traffic Data: Due to our zero-knowledge architecture, we do not retain any proxy traffic data. No traffic logs are created or stored
  • Usage Metrics: Aggregate, anonymized usage statistics are retained indefinitely for capacity planning and service optimization, but contain no personally identifiable information
  • Security Logs: Authentication and security event logs are retained for 90 days for fraud prevention and security analysis

6.2 Deletion Procedures

Upon your request or after the retention period expires, we will securely delete your personal information using industry-standard secure deletion methods. However, we may retain certain information if:

  • Required by law, regulation, or legal process
  • Necessary for resolving disputes or enforcing agreements
  • Needed for legitimate business purposes (e.g., preventing fraud)
  • Information has been anonymized and cannot be linked back to you

7. Your Rights

You have comprehensive rights regarding your personal information under GDPR, CCPA, and other applicable privacy laws. We are committed to facilitating the exercise of these rights.

7.1 Right to Access

You have the right to request access to your personal information. We will provide you with a copy of your personal data, including account information, billing records, and communication logs. Requests will be fulfilled within 30 days.

7.2 Right to Rectification

You can request correction of inaccurate or incomplete personal information. We will update your information promptly and notify you of the changes. You can also update certain information directly through your account dashboard.

7.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal information, subject to legal and contractual obligations. We will delete your data unless we have a legitimate reason to retain it (e.g., legal requirements, dispute resolution, fraud prevention).

7.4 Right to Restrict Processing

You can request that we limit how we use your personal information in certain circumstances, such as when you contest the accuracy of the data or object to processing.

7.5 Right to Data Portability

You can request a copy of your personal data in a structured, machine-readable format. We will provide your account data, usage statistics, and communication records in a standard format (e.g., JSON or CSV).

7.6 Right to Object

You can object to processing of your personal information for certain purposes, such as direct marketing or legitimate interests. We will respect your objection unless we have compelling legitimate grounds for processing.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Note that withdrawing consent may affect our ability to provide certain services.

7.8 How to Exercise Your Rights

To exercise any of these rights, please contact us through your dedicated account manager or through the secure communication channels provided after account approval. We will respond to your request within 30 days and may request verification of your identity to protect your privacy.

Note: Due to our invitation-only access model, all privacy-related requests must be made through established secure channels. We do not accept privacy requests through public contact methods.

8. Third-Party Services

We work with trusted third-party service providers to deliver our infrastructure and services. All third-party relationships are governed by strict data protection agreements that require them to protect your information to the same standards we maintain.

8.1 Payment Processors

We use PCI DSS Level 1 certified payment processors for handling transactions. These processors receive only the minimum payment information necessary to process transactions. We never store full credit card numbers on our servers.

8.2 Infrastructure Providers

Our infrastructure is hosted on tier-1 cloud providers and data centers. These providers have no access to your traffic data due to our zero-knowledge architecture. They only see encrypted data packets with no ability to decrypt or inspect contents.

8.3 Analytics and Monitoring

We use third-party analytics tools for aggregate service metrics and performance monitoring. These tools only receive anonymized, aggregate data that cannot identify individual users or their activities.

8.4 Data Protection Agreements

All third-party service providers are contractually required to:

  • Maintain confidentiality and security of your information
  • Use your information only for specified purposes
  • Comply with applicable privacy laws and regulations
  • Notify us immediately of any security incidents
  • Return or delete your information upon termination of services

8.5 Third-Party Privacy Policies

Third-party services have their own privacy policies governing their use of information. We encourage you to review these policies. However, our data protection agreements ensure that third parties cannot use your information in ways that violate this Privacy Policy.

9. International Data Transfers

Codalyx operates a global infrastructure network spanning multiple countries. Your personal information may be transferred to and processed in countries other than your country of residence, including countries that may have different data protection laws.

9.1 Transfer Safeguards

We ensure that international data transfers comply with applicable laws through:

  • Standard Contractual Clauses: We use EU-approved standard contractual clauses for transfers outside the EEA
  • Adequacy Decisions: We prioritize transfers to countries with adequacy decisions from the European Commission
  • Binding Corporate Rules: Internal policies ensure consistent data protection standards across all jurisdictions
  • Encryption: All transferred data is encrypted in transit using industry-standard encryption

9.2 Data Processing Locations

Your account and billing information may be processed in:

  • United States (primary processing location)
  • European Union (for EU-based clients, ensuring GDPR compliance)
  • Other jurisdictions where our infrastructure providers operate (with appropriate safeguards)

Important: Your proxy traffic data is never transferred internationally in a form that could be accessed, because our zero-knowledge architecture ensures it cannot be decrypted or inspected by any party, including ourselves.

10. Children's Privacy

Codalyx services are designed exclusively for enterprise and business use. Our services are not intended for, and we do not knowingly collect personal information from, individuals under 18 years of age.

Age Verification: During the account approval process, we verify that account holders are authorized representatives of legitimate businesses. This verification process includes confirming that the organization is a registered business entity and that the account holder has authority to bind the organization.

No Personal Use: Our invitation-only, enterprise-focused model means we do not provide services to individuals for personal use, including minors. All accounts must be associated with verified business entities.

If we become aware that we have collected personal information from a minor, we will immediately delete such information and terminate the associated account. If you believe we have collected information from a minor, please contact us immediately through your account manager.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes that affect your rights or how we use your information.

11.1 Notification of Changes

When we make material changes to this Privacy Policy, we will:

  • Notify you via email sent to your registered business email address at least 30 days before changes take effect
  • Post a prominent notice on our website and service dashboard
  • Update the "Last updated" date at the top of this policy
  • Provide a summary of material changes in the notification

11.2 Your Rights Regarding Changes

If you do not agree with changes to this Privacy Policy, you may:

  • Terminate your account and request deletion of your personal information
  • Contact your account manager to discuss concerns about specific changes
  • Exercise your right to object to processing if changes affect how we use your information

Continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your personal information, please contact us through your dedicated account manager or through the secure communication channels established after account approval.

Important: Due to our invitation-only access model and security requirements, we do not accept privacy-related inquiries through public contact methods. All privacy requests must be made through established secure channels to protect your information and verify your identity.

For Verified Clients: Contact your dedicated account manager or use the secure messaging platform provided after approval. Your account manager can facilitate all privacy-related requests, including data access, correction, deletion, and portability requests.

Response Times: We will respond to privacy requests within 30 days as required by GDPR and other applicable laws. Complex requests may require additional time, and we will notify you if an extension is needed.

Data Protection Officer: For EU-based clients, our Data Protection Officer can be reached through your account manager. All communications are handled through secure, encrypted channels.

Regulatory Complaints: If you believe we have not adequately addressed your privacy concerns, you have the right to file a complaint with your local data protection authority. However, we encourage you to contact us first so we can resolve the matter directly.