Privacy Policy

DontCode Privacy Policy, a product by StormLabs (스톰랩스)

Transparent data practices
GDPR Compliant
PIPA Compliant

Effective: June 16, 2026 · Version 2.0

Our Privacy Principles

Minimal Collection

We only collect what is needed to power your app-building experience. No hidden data harvesting.

Your Projects, Your Data

The applications and databases you build on DontCode belong to you. We do not claim ownership of your content.

User Control

You can access, export, or delete your account and project data at any time through your dashboard.

Secure by Default

All data is encrypted in transit and at rest. Authentication is handled through industry-standard protocols.

1. Information We Collect

What We Collect

  • Account information (email, name, profile) when you sign up via email, Google, or Kakao OAuth
  • Project data: the apps, databases, workflows, and assets you create on our platform
  • AI chat interactions: prompts and conversations with our AI agents used to build and refine your apps
  • Team and collaboration data: roles, invitations, and permissions you configure
  • Usage analytics: feature usage, page views, and performance metrics to improve the platform
  • Payment information: billing details processed through PortOne (KakaoPay, card, bank transfer) or Stripe

What We Don't Collect

  • We do not store full payment card numbers. All payment processing is handled by our third-party providers
  • We do not use tracking cookies for third-party advertising
  • We do not collect precise geolocation data from your device
  • Your end-users' data in your deployed apps belongs to you. We only access it if you explicitly invite us to help with troubleshooting.

2. How We Use Information

AI-Powered App Building

Your prompts and project context are sent to our AI agents to generate code, database schemas, workflows, and suggestions for your applications.

Platform Improvement

Aggregated, anonymized usage data helps us improve our AI models, refine the editor experience, and prioritize new features.

Security & Authentication

Account data is used to authenticate sessions, enforce team permissions, and protect your projects from unauthorized access.

Use Beyond the Original Purpose

Occasionally we use data for a purpose related to, but going beyond, what we first collected it for; the main example is improving our AI models with anonymized data. Before any such use, we assess whether it is reasonable against these criteria:

  • Relevance: whether the new use is reasonably related to the original purpose of collection
  • Foreseeability: whether you could reasonably expect the additional use given the context in which the data was collected
  • Impact: whether the use could unfairly disadvantage or harm your interests
  • Safeguards: whether protections such as anonymization, encryption, and access controls are applied

You can opt out of anonymized data being used for AI model improvement at any time in Account Settings.

3. Data Retention & Deletion (개인정보 파기)

Retention Policy

Your project data (apps, databases, assets) is retained as long as your account is active. If you delete a project, its data is permanently removed within 30 days. If you delete your account, we delete all associated data within 30 days, except where a legal obligation requires us to keep it longer.

Data Lifecycle:

Account creation → App building & deployment → Account or project deletion → Data deleted within 30 days
AI chat logs retained for up to 12 months to improve model quality, then anonymized or deleted.
Security and access logs retained up to 24 months for fraud prevention and compliance.

Destruction Procedure & Method (파기 절차 및 방법)

  • Trigger: account deletion, project deletion, consent withdrawal, or end of retention period
  • Authorization: the Privacy Officer reviews and approves destruction before execution
  • Timeline: completed within 5 business days of the trigger event
  • Electronic data: securely overwritten using a method that prevents recovery (DoD 5220.22-M equivalent or secure erase)
  • Physical records: shredded or incinerated if applicable

Legal Retention Exceptions (법적 보존 의무)

Data Category | Legal Basis | Retention Period
Contract & payment records | Electronic Commerce Act (전자상거래법) | 5 years
Consumer complaint & dispute records | Electronic Commerce Act (전자상거래법) | 3 years
Tax and financial records | Framework Act on National Taxes (국세기본법) | 5 years
Security and access logs | Internal fraud prevention policy | 24 months

4. Third-Party Services

Service Providers

DontCode relies on trusted third-party services to deliver the platform. These include:

  • Supabase: database hosting, authentication, and realtime services for your projects
  • Vercel: application hosting, deployment, and edge network
  • Anthropic (Claude AI): AI code generation and assistant capabilities
  • PortOne (KakaoPay, card, bank transfer), Stripe: payment processing
  • Google, Kakao: OAuth authentication providers

Note: We do not sell or share your personal data for advertising or marketing purposes. Third-party providers only receive the minimum data necessary to perform their service.

Entrusted Processing (처리위탁)

Some providers process personal data on our behalf and under our instructions; they are processors (수탁자), not recipients we share your data with for their own purposes. We supervise these processors and update this list whenever it changes.

Processor | Delegated Task
Supabase | Database hosting, authentication, and realtime services
Vercel | Application hosting and deployment
Anthropic (Claude AI) | AI-powered code generation and assistant
PortOne | Payment processing (KakaoPay, card, bank transfer)
Stripe | International payment processing

International Data Transfers (국외 이전)

Some personal data is transferred to recipients outside the Republic of Korea as listed below (PIPA Art. 28-8). You have the right to opt out; however, opting out of essential transfers may prevent use of the service.

Recipient | Country | Purpose | Retention | Opt-out
Supabase | United States | Database, authentication, and realtime services | Account lifetime + 30 days after deletion | Delete your account
Vercel | United States | Application hosting and edge delivery | Access logs: 30 days | Delete your account
Anthropic (Claude AI) | United States | AI-powered code generation and assistant | Not stored beyond the request | Opt out of AI improvement in Account Settings
Stripe | United States | International payment processing | 7 years (financial regulations) | Contact privacy@dontcode.co
Google | United States | OAuth sign-in | OAuth session duration only | Use email/password sign-in instead

PortOne and Kakao are Korean companies; their processing occurs within Korea. This transfer list will be updated when our infrastructure changes.

5. Your Rights

Data Rights

  • Access: Request a copy of all personal data we hold about you, including project metadata and account details.
  • Deletion: Delete your account and all associated projects, databases, and assets permanently.
  • Portability & Transfer: Export your personal and project data in a structured, machine-readable format, or have it transmitted to another service where technically feasible.
  • Objection: Opt out of anonymized data being used for AI model improvement.
  • Suspension: Request that we pause processing of your personal data while a concern or dispute is reviewed.

How to Exercise Rights

Contact Information

DontCode Privacy Team

Email: privacy@dontcode.co

Business Hours: Mon–Fri, 9:00–18:00 (KST)

You can also manage most data settings directly from your DontCode dashboard under Account Settings. For requests we cannot fulfill automatically, email us and we will respond within 10 business days.

Privacy Officer (개인정보 보호책임자)

Elijah Storm

CEO

StormLabs

Email: privacy@dontcode.co

Phone: +82-10-9766-7338

The Privacy Officer is responsible for overseeing compliance with the Personal Information Protection Act (PIPA) and all applicable data protection laws. You may contact them directly to exercise data rights or raise a concern.

Right to Data Transfer (전송요구권)

Where required by law and technically feasible, you can ask us to transmit your personal data, in a structured, commonly used, machine-readable format, to yourself or directly to another service provider. Submit a request in Account Settings or to our Privacy Officer; we respond within the statutory timeframe.

Reporting & Remedies (권익침해 구제)

If you believe your privacy rights have been infringed, please contact us first. You may also seek reporting, consultation, or dispute mediation from the following Korean authorities:

Body | Contact
Personal Information Dispute Mediation Committee | 1833-6972 (kopico.go.kr)
Privacy Infringement Report Center (KISA) | 118 (privacy.kisa.or.kr)
Personal Information Protection Commission | pipc.go.kr
Supreme Prosecutors' Office Cybercrime | 1301 (spo.go.kr)
National Police Agency Cyber Bureau | 182 (police.go.kr)

6. Security Measures

Encryption

All data in transit is encrypted via HTTPS/TLS. Project databases are encrypted at rest through Supabase.

Authentication & Access

Role-based access control, MFA support, and session management protect your account and team projects.

Infrastructure

Hosted on Vercel and Supabase with SOC 2 compliant infrastructure, automated backups, and real-time monitoring.

7. Children's Privacy (Under 14)

Minimum Age Requirement

DontCode is intended for users aged 14 and older. We do not knowingly collect personal information from children under the age of 14.

Account Prohibition

Users under 14 years of age are not permitted to create an account or use DontCode. By registering, you confirm that you are at least 14 years old.

If We Discover a Minor's Account

  • The account will be immediately suspended and all associated data permanently deleted.
  • If a guardian contacts us to report an account belonging to a child under 14, we will delete the account within 5 business days.
  • Guardians may contact us at privacy@dontcode.co to report concerns or request deletion.

8. Cookies & Automatic Collection (자동수집장치 및 쿠키)

Our platform uses cookies and browser storage to manage your session and improve your experience. We do not use cookies for advertising or third-party tracking.

Cookies We Set

Cookie names containing [ref] vary per deployment environment. All session cookies are deleted when you sign out.

Name / Key | Purpose | Duration | Type
sb-[ref]-auth-token | Maintains your authenticated session | Session (deleted on sign-out) | First-party, HttpOnly
sb-[ref]-auth-token-code-verifier | OAuth PKCE security code, used temporarily during sign-in only | Minutes (deleted after sign-in completes) | First-party, HttpOnly
anonId | Anonymous visitor identifier for analytics before sign-in | 1 year | First-party

Browser Storage (localStorage)

Name / Key | Purpose | Duration | Type
dontcode.auth.last_used_provider | Remembers your last sign-in method (Google, Kakao, email) to pre-select it on your next visit | Persistent (until cleared) | localStorage

How to Opt Out (쿠키 거부 방법)

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Safari: Settings → Privacy → Manage Website Data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Note: Disabling session cookies (sb-*) will prevent sign-in. Disabling anonId does not affect core functionality.

9. Automated Decisions & AI (자동화된 결정)

Our Position

DontCode is an AI product: our AI turns your prompts into apps, code, and suggestions. It builds things for you; it does not make solely-automated decisions that produce legal effects or otherwise significantly affect your rights or obligations as a user.

Where Automated Processing Does Apply

A few protective systems run automatically, for example fraud and abuse detection. Where such a system meaningfully affects you, its criteria are disclosed and a human reviews the outcome on request.

Your Rights Over Automated Decisions

  • Refuse: object to a significant decision made solely by automated means
  • Explanation: ask for a concise, meaningful explanation of the criteria and how the decision was reached
  • Human review: request that a person re-examine the decision

We act on these requests within 30 days, extendable by up to 60 days where there is good cause, and notify you of the outcome.

To exercise these rights, contact our Privacy Officer (see the section above).

10. Copyright Takedown Requests & Your Data (저작권 게시중단 요청과 개인정보)

If you believe content hosted on DontCode or on an app deployed through DontCode infringes your copyright, you can request a takedown under Articles 102 and 103 of the Copyright Act of the Republic of Korea (저작권법) or the US Digital Millennium Copyright Act (DMCA, 17 U.S.C. § 512). The full procedure, including what a notice must contain and how counter-notices work, is described in our Terms of Service.

When you submit a takedown notice, the name and contact details in the notice are shared with the user who uploaded the content so they can respond. Dispute records are retained for 3 years under the Electronic Commerce Act, as listed in the retention table above.

View the full takedown procedure in our Terms of Service

Email: storm@dontcode.co (subject line: Copyright Takedown)

11. Changes to This Policy (변경 고지)

We review this policy regularly. When we make material changes, we announce them on this page, and through in-app notice, at least 7 days before they take effect, or at least 30 days in advance when a change significantly affects your rights. The effective date and version shown at the top always reflect the current policy.

CEO: Houk Elijah Storm
Registration: 802-87-03840
Address: 30, Nonhyeon-ro 10-gil, Gangnam-gu, Seoul, Republic of Korea (505-J39)
Tel: 010-9766-7338
Email: storm@dontcode.co