Codeti.dev takes the protection of your personal data very seriously. This Privacy Policy explains what data we collect, why we collect it, how long we store it, and what rights you have regarding the processing of your data. We collect only what is strictly necessary — and we never collect your source code.
The controller of your personal data is Codeti.dev (an independent project). Contact: [email protected].
For any matters relating to personal data protection, you may reach us at the same e-mail address.
We collect only the data necessary to provide the coding time tracking service and ensure its security.
Data you provide voluntarily
E-mail address
Required to create an account, log in, send notifications, recover passwords, and for correspondence.
Username
A publicly visible identifier displayed on your profile.
Password
Stored as a bcrypt hash — it is unreadable by the administrator.
Avatar
Optional. Displayed on your public profile if provided.
Custom status
Optional "thought of the day" displayed on your public profile.
Quick links
Optional links displayed on your public profile.
Data collected automatically
IP address
Used for login logs, rate limiting, blocking suspicious addresses, and protection against attacks. Never publicly visible.
User-Agent
Identifies your browser, operating system, and device. Used for statistics and security purposes.
Heartbeats
Programming activity data sent from your editor: language, editor, project, OS, activity type, timestamp. Source code is never included.
API / Secret Keys
Auto-generated. API Keys authorize heartbeat submission (cdt_live_); Secret Keys provide full account access (cdt_secret_).
Likes
Stored by user ID (if logged in) or IP address (if anonymous).
Login logs
Date, time, IP, User-Agent, approximate location (from IP), login status (success/failure).
Sessions
auth_token stored as an HttpOnly cookie to maintain your session after login.
Your code is always yours. Codeti.dev never collects, stores, or processes your source code. Heartbeats contain only activity metadata — nothing more.
Art. 6(1)(b)
Contract performance
Processing is necessary to perform the service (coding time tracking). Applies to: e-mail address, username, password, and heartbeats.
Art. 6(1)(f)
Legitimate interests
Processing is necessary for the controller's legitimate interests: ensuring security, protection against attacks, service analysis and improvement, and statistics. Applies to: IP address, User-Agent, login logs.
Art. 6(1)(a)
User consent
For optional features such as avatar, custom status, quick links, and analytical cookies.
| Data type | Retention period |
| --- | --- |
| Account data (personal data) | Until account deletion +30 days recovery |
| Raw heartbeats | 24 months — then aggregated into statistics (raw data deleted) |
| Login logs | 12 months |
| Sessions (auth_token) | 7 days or until logout |
| API Key / Secret Key | Until regenerated or account deleted |
| Likes | Until account deletion or unlike |
| Analytical cookies | Max 365 days — per cookie policy |
After the retention period, data is permanently deleted or anonymized (in the case of heartbeat aggregation).
Oracle Cloud
Hosting provider
Servers in the European region. Data processing agreement in place.
Brevo
E-mail service (formerly Sendinblue)
Used for notifications and verification codes. GDPR-compliant, EU servers.
Cloudflare
CDN & DDoS protection (planned)
Will be used for content delivery and attack protection in future releases.
Law enforcement
Authorities / courts
Data disclosed only when required by applicable law (e.g. suspected criminal activity).
We never sell your data. Your personal data is never sold to any third party, period.
You have the following rights regarding the processing of your personal data:
Right of access
You may request information about what data we process about you.
Right to rectification
You may correct inaccurate data (e.g. username, email) in the user panel or by contacting us.
Right to erasure
Delete your account in the user panel. After 30 days, all data is permanently removed.
Right to restriction
You may request a suspension of processing (e.g. while contesting data accuracy).
Right to portability
Export all your data as JSON via the "Export data" button in the user panel.
Right to object
You may object to processing for marketing or legitimate-interest purposes.
Right to withdraw consent
Withdraw consent (e.g. for analytics, avatar) at any time without affecting past processing.
Right to lodge a complaint
If you believe we are processing data unlawfully, you may file a complaint with the Polish DPA (UODO).
To exercise any of your rights, contact us at [email protected]. We will respond within 30 days.
We apply the following security measures to protect your data:
HTTPS (TLS 1.3)
All traffic between your browser and our servers is encrypted.
Password hashing
Passwords stored using bcrypt (cost factor 10) — unreadable by anyone.
Secure API keys
64-character random keys, unique per account, resistant to brute-force.
Rate limiting
Per-minute/hour request limits protect against DDoS and brute-force attacks.
IP & UA blocking
Ability to manually block suspicious IP addresses and client user agents.
Login audit logs
All login attempts are logged and monitored for unauthorized access.
Daily backups
Automatic daily database backups to protect against data loss.
HttpOnly cookies
The auth_token cookie is inaccessible to JavaScript — protected against XSS attacks.
Codeti.dev is intended primarily for developers aged 13 and above. Registration is available from the age of 13. Persons under 13 may use the Service only with the consent of a parent or legal guardian.
We do not knowingly collect data from persons under 13. If we become aware that a minor has registered without parental consent, we will delete their data immediately upon discovery.
The Service uses cookies. For detailed information, please refer to our Cookie Policy.
We reserve the right to amend this Privacy Policy at any time. Users will be notified of changes via:
- A notice displayed on the main page of the Service
- An e-mail to the address associated with your account (for material changes)
Changes take effect 14 days after announcement. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
For any data protection matters, please contact us at: [email protected].
We act as our own Data Protection Officer (DPO). A dedicated external DPO has not been appointed, as this is not required for non-profit projects that do not process data at large scale.