Privacy Policy
How CodeB Identity Solutions — a product line of Aloaha Limited — handles your personal data when you visit www.codeb.io, send us an enquiry, or speak to us by phone or email.
At a glance. codeb.io is a brochure-style company website operated by Aloaha Limited (Malta, EU). We do not run trackers, behavioural advertising, or third-party analytics. The only personal data we routinely receive is what you choose to send us through the contact form, email or telephone — and that data is stored and processed exclusively within the EU/EEA. Our software products themselves — the CodeB Credential Provider V2, Web SSO and Desktop Switcher — run entirely on your own infrastructure and never transmit personal data back to us.
1. Data controller
The data controller responsible for personal data processed on this website is:
Aloaha Limited
"Helgoland"
45, Triq Gio Felice Inglott
Pembroke PBK1131
Malta
Email: info@codeb.io
Phone: +49 541 3859 4554 / +49 151 5761 0183
Aloaha Limited operates the CodeB Identity Solutions product line and the www.codeb.io website. For all data-protection matters, please address your request to info@codeb.io with "GDPR request" in the subject line. We will respond within one month, as required by Article 12(3) GDPR.
2. Categories of personal data we process
2.1 Information you actively provide
- Contact form & email enquiries — name, role, company or institution, work email address, approximate seat count, the topic of your enquiry and the free-text message you write.
- Telephone enquiries — the phone number you call from (visible to the receiving handset) and any details you choose to share during the call.
- Customer account data — for licensed customers: invoicing address, named technical and procurement contacts, contract reference.
2.2 Information collected automatically
- Server access logs — IP address, request path, timestamp, HTTP status, user-agent string, referrer header. These are standard web-server logs required to operate and secure the website.
- Contact-form metadata — when you submit the form, the handler also records the IP address and user-agent for spam-prevention and auditing purposes, alongside the fields above.
2.3 Information we do not collect
- We do not run third-party analytics (no Google Analytics, no Plausible, no Matomo, no Mixpanel, no behavioural advertising pixels).
- We do not set tracking cookies. The site uses no cookies of any kind by default.
- We do not build profiles of visitors or use automated decision-making within the meaning of Article 22 GDPR.
3. Purposes of processing & legal bases
- Responding to your enquiry — to read your message, prepare a tailored answer, and follow up by email or phone. Legal basis: pre-contractual measures at your request (Art. 6(1)(b) GDPR) and our legitimate interest in conducting normal business correspondence (Art. 6(1)(f) GDPR).
- Operating and securing the website — server logs, anti-spam honeypot, basic abuse mitigation. Legal basis: our legitimate interest in keeping the site available and free of abuse (Art. 6(1)(f) GDPR).
- Performing a contract — for licensed customers: managing the contract, invoicing, support tickets. Legal basis: Art. 6(1)(b) GDPR and, for accounting records, our legal obligations under tax and commercial law (Art. 6(1)(c) GDPR).
- Compliance with legal obligations — retention of tax-relevant records, response to lawful requests. Legal basis: Art. 6(1)(c) GDPR.
4. Recipients & processors
We share personal data only with a small set of recipients, each bound by a written data-processing agreement under Article 28 GDPR where required:
- Our hosting provider for the website and contact-form handler — an EU/EEA-based IIS hosting partner. Server logs are stored at the host.
- Our outgoing email provider for delivering contact-form notifications and replies to info@codeb.io.
- Our accounting and invoicing provider for customer records, where applicable.
- Public authorities and courts when we are legally required to disclose data (e.g. tax authorities, valid law-enforcement requests).
We do not sell personal data. We do not share enquiry data with marketing partners.
5. Retention periods
- Contact-form submissions and email correspondence — kept for as long as needed to handle the enquiry and any reasonable follow-up, typically up to 24 months. After that, the records are deleted or anonymised unless we still have a contractual or legal reason to keep them.
- Server logs — kept for a maximum of 90 days, then deleted automatically.
- Customer contract data and invoicing records — retained for the duration of the contract plus the statutory retention periods required under Maltese tax and commercial law (typically up to 10 years for invoicing records).
6. International transfers
No customer data is stored or processed outside the EU/EEA. Our hosting, mail relay and accounting providers are all located inside the EEA. Aloaha Limited is a Malta-registered company and is therefore outside the jurisdictional reach of the US CLOUD Act and equivalent extraterritorial-disclosure regimes that apply to US-headquartered service providers. When we use any tool whose provider is outside the EEA — for example the Google Fonts CDN described below, which only receives anonymous request metadata, never customer-account data — the transfer is governed either by an EU adequacy decision (Art. 45 GDPR) or by Standard Contractual Clauses (Art. 46(2)(c) GDPR), together with supplementary technical measures where appropriate.
7. Cookies & similar technologies
www.codeb.io does not set any cookies of its own. We do not use local storage, session storage, fingerprinting, or any similar tracking technology for marketing, analytics, or profiling purposes. There is therefore no cookie banner — there is nothing to consent to.
Should we ever introduce a cookie that is not strictly necessary (e.g. for a future opt-in analytics function), we will ask for your prior, informed consent in line with the ePrivacy Directive and Section 25 TTDSG.
8. Web fonts (Google Fonts)
The visual design uses two typefaces — Raleway and IBM Plex Mono — delivered via the Google Fonts CDN (fonts.googleapis.com and fonts.gstatic.com). When your browser renders a page, it requests these font files from Google. This means Google necessarily receives your IP address and basic request metadata.
We use Google Fonts only to render type; no font-related cookies are set. Our legal basis is our legitimate interest in a coherent, accessible visual identity (Art. 6(1)(f) GDPR). Google's processing is governed by its own privacy notice (policies.google.com/privacy). If you would prefer to avoid this transfer, you can use a content-blocker extension or a privacy-respecting browser configuration — the site remains fully readable in its system-font fallback.
9. Hosting & server logs
www.codeb.io is hosted on Microsoft IIS infrastructure operated by Aloaha Limited or its EU-based hosting partner. Every HTTP request generates a log entry containing the items listed in section 2.2. Logs are processed on the basis of our legitimate interest in operating and securing the site (Art. 6(1)(f) GDPR) and are retained for a maximum of 90 days.
10. CodeB software products
The CodeB Credential Provider V2 with the Web SSO and Desktop Switcher add-ons are delivered to you as software and run on your own infrastructure. They do not transmit personal data — neither end users' nor administrators' — back to Aloaha Limited. There is no SaaS control plane and no analytics built into the products. No cloud or internet connection is required — the products deploy and run on fully air-gapped networks. Each installation is a self-contained processing environment under your control as controller.
When you act as controller for the personal data your CodeB installation processes, we (Aloaha Limited) are not a processor on your behalf for that data — it never reaches us. We can act as processor under a separate data-processing agreement only when we are engaged for explicit professional-services or support work that requires access to your environment.
11. Your rights as a data subject
Under Articles 15 to 22 GDPR you have the right to:
- Confirmation and access — to know what personal data we hold about you and to receive a copy (Art. 15).
- Rectification — to have inaccurate or incomplete data corrected (Art. 16).
- Erasure — to have your data deleted where one of the grounds in Art. 17 applies (the "right to be forgotten").
- Restriction — to have processing restricted in the situations listed in Art. 18.
- Data portability — to receive the personal data you provided in a structured, machine-readable format and to transmit it to another controller (Art. 20).
- Objection — to object at any time, on grounds relating to your particular situation, to processing carried out on the basis of legitimate interest (Art. 21).
- Withdrawal of consent — where processing is based on consent, to withdraw that consent at any time without affecting prior lawfulness (Art. 7(3)).
To exercise any of these rights, write to info@codeb.io with "GDPR request" in the subject line. We may need to verify your identity before we can act.
12. Right to lodge a complaint with a supervisory authority
You have the right under Article 77 GDPR to lodge a complaint with a data-protection supervisory authority — either in the EU member state of your habitual residence, your place of work, or where the alleged infringement took place. As the controller is established in Malta, the lead supervisory authority is the Office of the Information and Data Protection Commissioner (IDPC), Malta.
13. Data security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. Measures include TLS encryption in transit for every page and form submission on www.codeb.io, access controls on the server, principle-of-least-privilege for staff access to mail and accounting systems, and short retention periods for the data classes listed in section 5.
For security disclosures regarding our website or products, please email info@codeb.io with "Security disclosure" in the subject line. We follow a coordinated 90-day disclosure timeline.
14. Changes to this policy
We may revise this privacy policy when our practices change or when the law requires it. The current version, with effective date, is always available at this URL. Any material change will be reflected in a higher version number and (where appropriate) notified to customers we are in active correspondence with.
Document ID: codeb-privacy-policy-1.0 · Last reviewed: 21 May 2026.