Privacy Policy

Last updated:

This Privacy Policy explains what personal data ctxloom collects when you use our website, CLI, and API, why we collect it, how we use it, who we share it with, and the rights you have over it. We aim to collect the minimum data needed to deliver the service and to be honest about every place it goes.

1. Who we are

ctxloom is operated by Ricardo Ribeiro, trading as Codzign, a sole trader registered in Luxembourg at 28, cité Joseph Brebsom, L4046, Esch-sur-Alzette.

For the purposes of the EU General Data Protection Regulation (GDPR) and any equivalent local law, we are the "data controller" for the personal data described in this policy.

You can contact us about anything privacy-related by emailing our support team.

2. What data we collect and why

We collect only what is necessary to provide ctxloom, prevent abuse, and bill customers. The full inventory:

Account & licence data

  • Email address — to send you your licence key, contact you about your subscription, and enforce our one-trial-per-customer rule.
  • Licence key and activation (instance) ID — issued by our payment processor on purchase; used to verify your subscription is active each time the CLI runs.
  • Device fingerprint — a one-way SHA-256 hash derived from non-identifying machine attributes (hostname, OS, hardware class). We do not store the raw inputs and the hash is not reversible. It exists so a single licence seat can be tied to a single machine, which is what makes multi-seat plans meaningful.

Payment data

Payments are handled by Creem (creem.io), our Merchant of Record. Creem collects and stores your billing details, card information, billing address, and any tax-related data needed to comply with local law. We never see, store, or transmit your full card number — we only receive a token that lets us link a charge to a licence. See Creem's privacy policy for details on how they handle that data.

Operational data

  • Server logs — IP address, request time, and route path, retained for up to 30 days by our hosting provider (Cloudflare). Used for rate limiting, security monitoring, and debugging. Personally identifying parts of log lines (email addresses) are redacted before being written.
  • Error reports — when an unhandled exception occurs in our backend, a stack trace and the HTTP request context (path, method, status, redacted email if present) are sent to Sentry. We use this only to fix bugs.

4. Who we share your data with

We only share personal data with the third-party processors strictly needed to run the service. Each processor is bound by a Data Processing Agreement and processes data only on our instructions.

  • Cloudflare (EU region — data processed within the European Union via Cloudflare's EU data-residency configuration) — hosting, KV storage, rate limiting. Privacy policy.
  • Creem (EU-based Merchant of Record) — payment processing, invoicing, tax compliance. Creem may in turn use card networks and acquirers as sub-processors, some of which operate globally. Privacy policy.
  • Sentry (EU region — error data processed in Sentry's Frankfurt data centre) — error reporting only. Privacy policy.
  • Resend (EU region — email infrastructure operated within the European Union) — transactional email (licence keys, receipts). Privacy policy.

We do not sell your data. We do not share it with advertising networks. We have no advertising network.

5. International data transfers

We have selected the EU region for every processor we directly use (Cloudflare, Creem, Sentry, Resend), so your personal data is processed within the European Economic Area as a matter of routine operation. We do not transfer your personal data to the United States or any other third country in the ordinary course of providing the service.

A narrow exception applies to card payment data: when Creem settles a transaction, it routes payment instructions to global card networks (Visa, Mastercard) and acquirers that may operate outside the EEA. Those transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the additional technical and organisational safeguards published in Creem's DPA and the card networks' own data-protection frameworks. We never see or store card data ourselves.

6. How long we keep your data

  • Trial dedup records — 30 days, then automatically deleted from our KV store.
  • Active licence and account data — for as long as your subscription is active.
  • Billing & tax records — kept by Creem (and by us where required) for the legal retention period in your country (typically 7–10 years for invoices and tax documents).
  • Server logs & error reports — up to 30 days for logs, up to 90 days for error reports, then purged.

7. Your rights

Under GDPR and equivalent laws, you have the right to:

  • Access the personal data we hold about you.
  • Rectify any inaccurate personal data.
  • Erase your personal data ("right to be forgotten"), subject to legal retention requirements for billing data.
  • Restrict or object to certain processing.
  • Port your data to another service in a machine-readable format.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email our support team. We will respond within 30 days.

8. Cookies and tracking

Our website does not set tracking cookies and we do not run third-party analytics scripts. Cloudflare may set a strictly necessary cookie (typically named __cf_bm) for fraud and bot mitigation; this cookie does not track you across other sites and expires after 30 minutes of inactivity.

The ctxloom CLI runs entirely on your machine. Beyond the licence activation/validation calls described above, the CLI sends anonymous, opt-out product telemetry (anonymous UUID and a SHA-256-truncated opaque project ID, never your code or filenames) to PostHog (EU region) and crash reports to Sentry. You can disable telemetry at any time by setting any of these environment variables before running ctxloom:

CTXLOOM_NO_TELEMETRY=1      # disable all ctxloom telemetry
DO_NOT_TRACK=1              # honored — universal opt-out standard
CTXLOOM_TELEMETRY_LEVEL=off # off | error | all (default: all when enabled)

When telemetry is off, no events leave your machine. The opt-out is checked on every CLI invocation — no daemon, no cached consent.

9. Children's privacy

ctxloom is a professional developer tool and is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to active subscribers and on this page at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

11. How to contact us

For any privacy question, request, or complaint, write to our support team.