Legal
Privacy Policy
Last updated: May 9, 2026
What we collect
When you sign in with Google OAuth, we receive your name and email address from Google. We store this information to identify your account. We also collect session data to keep you authenticated across visits, and we use Vercel Analytics to understand aggregate usage patterns: page views, feature usage, and performance metrics. We do not collect sensitive health information or billing data beyond what is necessary to process your subscription.
How we use it
Your name and email are used solely for authentication and to communicate with you about your account, for example billing receipts or important service announcements. Usage analytics help us understand which features are most valuable so we can improve the product. We do not sell your personal information to third parties and we do not use it for advertising.
Third-party services
Codelle uses a small number of trusted third-party services to deliver the product:
- Google OAuth: handles sign-in. Your Google profile data is only used to create your Codelle account.
- Stripe: processes subscription payments. Stripe stores your payment method details; Codelle never sees raw card numbers.
- Resend: delivers transactional email (receipts, account notifications).
- Google Gemini AI: powers AI-assisted code search. Queries you submit may be processed by Google's Gemini API. We do not store the content of AI queries beyond what is needed for the current session.
- Vercel: hosts the application and provides aggregate analytics. Vercel processes request logs as part of normal infrastructure operation.
- Deepgram: transcribes voice input when you use the dictation microphone. Audio streams directly from your browser to Deepgram's medical speech-to-text service. Codelle never stores the audio. Deepgram does not retain or train on the audio under our business agreement.
- PostHog: powers product analytics, error tracking, and session replay. Codelle uses session replay with all input fields masked by default. Pasted clinical notes, dictation text, and form fields appear as ●●●●● and are never recorded. PostHog stores anonymous interaction data (page views, clicks, custom events) tied to your user account; you can request deletion via account deletion or by emailing hello@codelle.com.
Each of these providers has its own privacy policy governing their handling of data.
Cookies
We use session cookies set by Auth.js to keep you signed in. These cookies are strictly necessary for authentication and expire when your session ends or after a fixed period of inactivity. We do not use tracking or advertising cookies.
Data retention
We retain your account data for as long as your account is active. When you delete your account from your dashboard, we soft-delete it immediately and permanently delete your personal information seven days later. During those seven days you can sign in and cancel the deletion to restore the account fully. After day seven, deletion is permanent: bookmarks, drafted claims, scrub sessions, and AI history are removed and cannot be recovered. Some records may be retained longer where required for legal or financial compliance, for example Stripe payment records and AI request trace IDs (kept for 30 days for support debugging).
Your rights
You have the right to access, correct, or delete the personal information we hold about you. Account deletion is self-serve from your dashboard (Danger zone → Delete account); for access or correction requests, contact us at the email below. We will respond within 30 days.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of this page. Continued use of Codelle after any changes constitutes your acceptance of the updated policy.
Contact
Questions about this policy? Email us at privacy@codelle.com.