1. Introduction
Codecanis ("we", "us", "our") is a software engineering company. This Privacy Policy describes how we handle personal data collected through codecanis.com, our contact and careers forms, our newsletter, and any prospect or client communication that flows through the site.
It applies to three groups of people: visitors who browse the site, leads who submit a project brief or apply for a role, and clients with an active engagement. If you have a signed Master Services Agreement with us, that contract governs in any conflict.
2. Information we collect
a) Information you give us directly
When you fill out a form, email us, or apply for a role, you may provide:
- Name, work email address, company name, and role.
- Country and timezone (for scheduling calls).
- Project description, budget range, and timeline.
- For careers: CV, portfolio links, work authorisation, and any optional cover letter.
- Any other content you choose to include in your message.
b) Information collected automatically
When you visit the site, our servers and tools record:
- IP address (truncated for analytics).
- User agent string (browser and OS), screen size, and language preference.
- Pages visited, referrer URL, and timestamps.
- Essential cookies for CSRF protection and session management — see our Cookie Policy for the full list.
c) Information from third parties
We use privacy-respecting analytics (Plausible / Fathom), which provide aggregated traffic data without personal identifiers. We may also receive publicly available information from LinkedIn or GitHub if you choose to share a profile link with us.
3. How we use your information
We only use personal data for a specific, declared purpose:
- To respond to enquiries — replying to your project brief, scheduling an intro call, or sending a proposal.
- To deliver services — managing a signed engagement, including invoicing, status reports, and project communication.
- To send updates — only if you've explicitly opted in to our engineering newsletter. Every email contains a one-click unsubscribe.
- To improve the site — anonymised traffic patterns help us find broken pages, slow routes, and content gaps.
- To comply with law — including responding to lawful requests from authorities and meeting tax, accounting, and employment obligations.
We do not use personal data for automated decision-making or profiling, and we do not train any machine-learning model on the contents of your project brief.
4. Legal basis for processing (GDPR)
If you're in the European Economic Area or the UK, our lawful basis for processing is one of:
- Consent — newsletter subscription, optional cookies, marketing cookies (none currently in use).
- Contract — managing an active engagement under an MSA or Statement of Work.
- Legitimate interest — responding to your enquiry, securing the site, preventing fraud, and analysing aggregate traffic.
- Legal obligation — record-keeping for accounting, tax, and any statutory disclosure.
You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. Sharing & disclosure
We share personal data only with the parties that help us run the company:
- Infrastructure providers — Cloudflare (CDN, edge security), our hosting provider (DigitalOcean / AWS), and managed database services.
- Productivity tools — Google Workspace (email), Linear, GitHub.
- Analytics — Plausible / Fathom, which do not use cross-site tracking.
- Transactional email — Postmark or Amazon SES for receipts, replies, and contact-form delivery.
- Error tracking — Sentry, which scrubs PII from stack traces.
- Legal requests — when we are legally required to disclose, we will push back on overreach and notify you where the law permits.
We do not sell personal data, and we do not share it with advertising networks. Every sub-processor is bound by a data-processing agreement.
6. Data retention
We keep data only as long as it serves a purpose:
- Lead enquiries — up to 24 months from last contact, unless we begin a paid engagement.
- Active client records — for the lifetime of the engagement plus 7 years for tax and accounting compliance.
- Job applications — 12 months from the date of application; we'll ask permission before keeping you in a talent pool longer.
- Newsletter subscriptions — until you unsubscribe.
- Analytics — aggregated only, retained 26 months.
- Server access logs — 30 days, then deleted.
7. Your rights
Wherever you live, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything inaccurate.
- Erasure — ask us to delete your data, subject to legal retention limits.
- Portability — receive your data in a machine-readable format.
- Restriction — temporarily limit how we process your data.
- Objection — object to processing based on legitimate interest, including direct marketing.
- Lodge a complaint — with your local data protection authority.
To exercise any of these rights, email contact@codecanis.com with the subject line "Privacy request". We aim to respond within 30 days and will verify your identity before actioning a deletion.
8. International transfers
Codecanis is headquartered in Pakistan with team members and clients across the EU, UK, and the United States. Personal data may therefore be processed in Pakistan, the EU, and the US.
For transfers out of the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the equivalent UK addendum, supplemented by technical safeguards: TLS in transit, encryption at rest where the provider supports it, and access controls scoped to need-to-know.
9. Children's privacy
The site is built for businesses. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted information to us, email contact@codecanis.com and we will delete it promptly.
10. Security
We take pragmatic, layered security measures:
- TLS 1.3 for all traffic; HSTS preloaded.
- Encryption at rest on managed databases and object storage.
- Role-based access control with least-privilege defaults; SSO + MFA on every admin tool.
- Quarterly access reviews and offboarding within 24 hours of a team member leaving.
- Dependency scanning, secret scanning, and automated security updates on the production stack.
- Encrypted, off-site backups with documented restore drills.
No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant regulator within 72 hours, as GDPR requires.
11. Changes to this policy
We will update this policy when our practices change or when the law requires. The "Last updated" date at the top always reflects the current version. If a change materially affects your rights, we'll flag it on the site and, where we have your address, email you directly. Previous versions are kept on file and available on request.
12. Contact us
For anything privacy-related, reach us at:
Codecanis
Email: contact@codecanis.com
Address: Siddique Trade Center, Block H Gulberg 2,
Lahore, Punjab, Pakistan