Skip to content
Codezilla

Privacy Policy

Last updated: May 2026

Last updated: 2026-05-26 Effective date: 2026-05-26

This Privacy Policy explains how Codezilla ("Codezilla", "we", "us", "our") collects, uses, stores, and protects personal data when you use Codezilla v2, our AI agent platform that operates on WhatsApp and Instagram for small and medium businesses ("SMBs") in Egypt.

We wrote this policy in plain English. If anything is unclear, email us at [email protected] and we will explain.

1. Who we are

The data controller for tenant operator account data is:

  • Legal entity: Codezilla
  • Country of registration: Arab Republic of Egypt
  • Marketing site: https://codezillaeg.com
  • Privacy contact: [email protected]

We are registered in Egypt and operate under Egyptian Personal Data Protection Law No. 151 of 2020 ("PDPL"). Where relevant, we also align our practices with the EU General Data Protection Regulation ("GDPR") because some end-customers messaging an Egyptian SMB on WhatsApp or Instagram may be located in the European Union.

Two distinct relationships

Codezilla handles personal data in two different roles, and the difference matters for your rights:

  • Tenant operators (the SMB owner who signs up for a Codezilla account): we are the controller of your account data. We decide what to collect and why.
  • Tenant end-customers (the people who message an SMB's WhatsApp or Instagram channel that is connected to Codezilla): the SMB tenant is the controller of those conversations. Codezilla acts as a processor on the SMB's behalf to generate AI replies. If you are an end-customer and want to exercise rights over your messages, your first point of contact is the SMB you were messaging. We will support the SMB in responding to you.

2. What data we collect

2.1 From tenant operators (SMB account holders)

When an SMB owner signs up and uses Codezilla, we collect:

  • Full name, business name, email address, mobile phone number
  • Authentication identifiers managed through Supabase Auth (hashed passwords, session tokens, OAuth identifiers if you sign in with Google)
  • Vertical / business category (restaurant, clinic, hotel, salon, gym, real estate, marketing agency, legal, retail, school, delivery)
  • Billing information: subscription tier, invoices, payment method tokens returned by Paymob, Fawry, or VCash (we never store full card numbers ourselves)
  • Knowledge base content you upload: menus, price lists, frequently asked questions, business policies, photos, documents
  • Operational metadata: WhatsApp Business Account ID, Instagram Business Account ID, phone-number IDs, webhook tokens
  • Usage telemetry: which features you opened, message volume, error logs, performance metrics

2.2 From tenant end-customers (people who message an SMB on WhatsApp or Instagram)

When an end-customer sends a message to an SMB whose channel is connected to Codezilla, the SMB (as controller) instructs Codezilla to process:

  • WhatsApp or Instagram user identifier and phone number
  • The full content of the messages exchanged (text, images, voice notes, location pins, documents)
  • Display name, if shared by the platform or in conversation
  • Delivery address, if the end-customer provides it (for restaurants, delivery, e-commerce)
  • Order or appointment details (items, dates, times, party size, vehicle, room type, etc.)
  • Payment method and transaction reference, if the SMB collects payment through Paymob, Fawry, or VCash via the chat
  • Sentiment and intent tags produced by our AI for the SMB's analytics

We do not ask end-customers for national ID numbers, religion, political opinions, health data, or other sensitive categories. If an end-customer voluntarily shares such information inside a chat with the SMB, the SMB is responsible for handling it lawfully.

2.3 Automatically collected on the marketing site and dashboard

  • IP address, browser type, device type, referring URL
  • Cookies and similar technologies — see Section 9

3. Why we collect it (lawful basis)

Under PDPL Article 2 and GDPR Article 6, we rely on one of the following lawful bases for each processing activity:

Processing activityLawful basis (PDPL / GDPR)
Creating and maintaining a tenant operator accountPerformance of contract (PDPL Art. 2(c); GDPR Art. 6(1)(b))
Processing end-customer messages to generate AI repliesPerformance of contract between the SMB and its customer; Codezilla acts on the SMB's documented instructions as a processor
Sending operational emails (billing, security, service notices) to tenant operatorsPerformance of contract (PDPL Art. 2(c); GDPR Art. 6(1)(b))
Sending marketing emails (newsletters, product tips) to tenant operatorsConsent — you can unsubscribe at any time (PDPL Art. 2(a); GDPR Art. 6(1)(a))
Fraud detection, abuse prevention, security loggingLegitimate interest (GDPR Art. 6(1)(f)); legal obligation under PDPL Art. 4
Complying with tax, accounting, and other Egyptian legal obligationsLegal obligation (PDPL Art. 2(d); GDPR Art. 6(1)(c))
Analytics aggregated across tenants for product improvementLegitimate interest; aggregated and de-identified before use

The SMB tenant is responsible for establishing its own lawful basis with its end-customers (typically: performance of contract, or consent collected through a "by messaging us you agree to..." notice that the SMB displays).

4. How we use AI providers (transfer to processors)

To generate replies on behalf of the SMB, Codezilla sends the relevant portions of a conversation to large language model ("LLM") providers. These providers act as our sub-processors and are bound by data processing agreements:

  • Anthropic (Claude family) — primary provider for paid tiers
  • OpenAI (GPT family) — fallback and embedding generation
  • Moonshot AI (Kimi) / DeepSeek — used for free-tier and cost-sensitive workloads

We send only the minimum necessary context: the latest customer message, recent conversation history (typically the last 20 turns), and the SMB's knowledge base extracts that the AI needs to answer the question. We do not send tenant operator passwords, payment card numbers, or unrelated tenant data to these providers.

By default, our paid agreements with Anthropic and OpenAI ensure that messages sent through the API are not used to train their foundation models. Free-tier and budget providers (Kimi, DeepSeek) may have weaker data-use commitments — we list the live sub-policy and current providers at https://codezillaeg.com/legal/subprocessors.

A current list of all sub-processors (AI providers, cloud, payment, email, SMS) is maintained at the URL above and updated when we add or remove a vendor. Material changes are communicated to tenant operators at least 14 days in advance by email.

5. How long we keep it

Data categoryRetention period
Tenant operator account data (name, email, login)For the life of the account + 90 days after closure
Billing records and invoices5 years after the transaction (Egyptian tax law)
End-customer message content12 months by default; the SMB tenant can configure a shorter or longer window in their dashboard (minimum 30 days, maximum 24 months)
AI-generated tags, intent labels, sentiment scoresSame as the underlying message
Aggregated analytics (no personal identifiers)Indefinitely
Webhook logs and audit trails12 months
Backups in Cloudflare R230 days rolling — backups older than 30 days are permanently deleted
Email marketing listUntil the subscriber unsubscribes, then 30 days for the suppression record

When a retention period ends, data is permanently deleted or irreversibly anonymized. Deletion requests from end-customers (routed through the SMB) are honored within 30 days unless we have a legal obligation to retain the data.

6. Where it's stored (and cross-border transfers)

6.1 Primary storage

  • Application database (PostgreSQL): hosted on our VPS located in the European Union
  • Cache and queues (Redis): same VPS, localhost only
  • Object storage and backups: Cloudflare R2 (Cloudflare's global object storage network)
  • Authentication directory: Supabase Auth (Supabase platform)
  • Email delivery: Resend (transactional) and our marketing provider

6.2 Cross-border transfers

If the European Union is outside Egypt, hosting your data abroad is a cross-border transfer under PDPL Article 14. We rely on the following safeguards:

  • Adequacy or equivalent protection: we choose providers in jurisdictions that the Egyptian Personal Data Protection Center recognizes as adequate, or that have a binding GDPR/PDPL-aligned data-processing agreement with us.
  • Standard contractual clauses (SCCs): for transfers to AI providers and Cloudflare, we sign their standard data processing agreements that include the EU SCCs.
  • Encryption in transit: all data leaves our servers over TLS 1.2 or higher.

The owner of Codezilla has notified the Egyptian Personal Data Protection Center of cross-border transfers as required by PDPL Article 14, if applicable.

7. How we secure it

We take security seriously. Key measures include:

  • Encryption in transit: all traffic between you, your end-customers, and Codezilla uses TLS 1.2 or higher. Internal service-to-service traffic on the VPS uses localhost sockets and is not exposed to the public internet.
  • Encryption at rest: the Postgres database and Cloudflare R2 backups are encrypted at rest using AES-256.
  • Access control: production systems are accessible only by named engineers over SSH key authentication on a non-standard port. Tenant operator accounts use Supabase Auth with optional two-factor authentication.
  • Network isolation: PostgreSQL, Redis, and PgBouncer are not reachable from the public internet. Only ports 80, 443, and our SSH port are open on the VPS firewall.
  • Tenant isolation: every database row is tagged with a tenant ID and access is filtered through row-level security policies. One SMB cannot see another SMB's data.
  • Audit logging: all admin actions, billing changes, and AI tool calls are logged with timestamp, actor, and resource.
  • Vulnerability management: dependencies are scanned weekly. Critical patches are applied within 7 days.
  • Backups: automated nightly backups to Cloudflare R2, retained for 30 days. Restore drills are performed quarterly.
  • Incident response: if a breach affecting personal data occurs, we will notify the Egyptian Personal Data Protection Center within 72 hours (PDPL Art. 7) and notify affected tenant operators and, where appropriate, end-customers, within the same window.

No system is perfectly secure. If you suspect unauthorized access to your account, email [email protected] immediately.

8. Your rights and how to exercise them

Under PDPL Articles 2 and 5, and GDPR Articles 15–22, you have the following rights:

RightWhat it means
AccessGet a copy of the personal data we hold about you
RectificationCorrect inaccurate or incomplete data
ErasureHave your data deleted ("right to be forgotten"), subject to legal retention obligations
PortabilityReceive your data in a structured, machine-readable format (JSON or CSV)
RestrictionPause processing while a dispute is resolved
ObjectionObject to processing based on legitimate interest, including direct marketing
Withdraw consentWithdraw consent for activities based on consent (e.g., marketing emails) at any time
Lodge a complaintComplain to the Egyptian Personal Data Protection Center, or to your local EU supervisory authority if you are an EU resident

How to exercise your rights

  • Tenant operators: log in to your dashboard, go to Settings → Privacy. You can export your data or close your account from there. For anything not exposed in the UI, email [email protected] from the address registered on your account.
  • End-customers: contact the SMB you were messaging. They control your conversation data and can ask Codezilla to act on your request. If you cannot reach the SMB, you may email [email protected] directly and we will route your request.

We respond to verified requests within 30 days, as required by PDPL Article 5. We may extend this by a further 30 days for complex requests and will tell you if we do.

We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.

9. Cookies

The Codezilla marketing site and dashboard use a small number of cookies and similar technologies:

  • Strictly necessary cookies for login sessions and security (no consent required)
  • Preference cookies for language (English / Arabic) and theme
  • Analytics cookies for understanding which pages tenant operators visit, used in aggregate

We do not use third-party advertising cookies or cross-site trackers. Full details are in our separate Cookies Policy at https://codezillaeg.com/legal/cookies.

10. Children's data

Codezilla is a business-to-business service. We do not knowingly accept tenant operator sign-ups from anyone under 18 years of age. The dashboard is not designed for, and may not be used by, minors.

End-customers messaging an SMB are presumed to be adults entering into a transaction with that SMB (ordering food, booking an appointment, asking about a service). If an SMB knows or reasonably suspects that an end-customer is a minor, the SMB — as controller — is responsible for complying with child protection requirements under PDPL Article 3 and applicable local law.

If you believe a minor has provided personal data to us, email [email protected] and we will delete the data promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our service, our sub-processors, or the law. When we make material changes:

  • We update the "Last updated" date at the top of this page
  • We email all active tenant operators at least 14 days before the change takes effect
  • We post a notice in the dashboard

For non-material changes (typo fixes, clearer wording), we just update the date. The current version is always at https://codezillaeg.com/legal/privacy.

If you do not agree with a change, you may close your account before the change takes effect. Closing the account triggers the retention schedule in Section 5.

12. Contact us

For any privacy question, request, or complaint:

  • Email: [email protected]
  • Postal address: Codezilla, Arab Republic of Egypt (full address to be added)
  • Egyptian Personal Data Protection Center: if you are not satisfied with our response, you have the right to lodge a complaint with the Center. Details: https://pdpc.gov.eg
  • EU residents: you may also lodge a complaint with the data protection authority in your country of residence.

We aim to acknowledge every privacy email within 3 business days and provide a substantive response within 30 days.

This policy is published in English and Arabic. If there is any inconsistency between the two language versions, the Arabic version prevails for matters governed by Egyptian law, and the English version prevails for matters concerning international users.