How Codex collects, uses, and protects your data. Our commitment to transparency, security, and your right to control your information.
Last updated: May 15, 2026
Codex is committed to protecting your privacy and being transparent about how we handle your data.
This privacy policy explains how Codex ("we," "us," or "our") collects, uses, shares, and protects information about you when you use the Codex platform, including our website (codex.gr.com), CLI, IDE plugins, desktop application, and all related services (collectively, the "Codex platform"). We process your data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area, the California Consumer Privacy Act (CCPA) for California residents, and other applicable frameworks.
By using the Codex platform, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, you should not use the Codex platform. We encourage you to read this policy in full — it is written to be understandable, not buried in legal jargon. If anything is unclear, contact us at privacy@codex.gr.com and we will answer your questions directly.
Codex collects only the data necessary to provide, improve, and secure the platform — never more than what the service requires.
| Data Category | What We Collect | Purpose | Retention |
|---|---|---|---|
| Account Data | Name, email address, organization name, plan type, billing information | Account management, billing, communication | Duration of account + 90 days |
| Usage Data | Feature usage, API call counts, session duration, error logs | Service improvement, capacity planning, support | 36 months (anonymized after 12) |
| Code Content | Source code submitted for generation, review, or analysis | Providing the AI service you requested | Duration of processing + 30 days |
| Technical Data | IP address, browser type, OS, device identifiers, timestamps | Security, debugging, abuse prevention | 12 months |
| Cookie Data | Session tokens, preference settings, analytics identifiers | Session management, preferences, analytics | Per cookie policy |
Every data use serves a specific purpose — providing the Codex platform, keeping it secure, and making it better over time.
The Codex platform uses your data for four primary purposes. First, service delivery: we process your code content to generate, review, analyze, and transform it according to your instructions. This is the core function of the Codex platform and the primary reason data is collected. Second, account management: we use your account data to authenticate you, manage your subscription, process billing, and communicate service updates. Third, security and abuse prevention: we analyze usage patterns and technical data to detect unauthorized access, prevent misuse, and protect the Codex platform and its users. Fourth, service improvement: we analyze anonymized usage patterns to understand which features are most valuable, where users encounter friction, and how the Codex platform can be improved.
Codex does not use your code content to train or improve AI models. This is a fundamental policy commitment, not just a contractual term. Your code is your intellectual property — it is processed for the specific generation or review task you requested and then deleted according to our retention schedule. Codex does not mine your code for patterns, extract training examples, or build derivative models from customer content. This policy applies regardless of your plan tier and is enforced through technical controls that isolate customer code from model training infrastructure.
Codex does not sell your data. We share data only with subprocessors necessary to operate the platform — and every subprocessor is bound by data processing agreements.
Codex works with a limited set of subprocessors who provide infrastructure and services essential to operating the Codex platform. These include cloud infrastructure providers for hosting and compute, payment processors for billing, email service providers for notifications, and monitoring services for performance and security. A current list of subprocessors is maintained in the security compliance center accessible from your account dashboard. All subprocessors are subject to data processing agreements that bind them to privacy and security commitments equivalent to those in this policy. Subprocessors are prohibited from using Codex customer data for any purpose other than providing the contracted service to Codex.
Codex may disclose data when required by law — for example, in response to a valid subpoena, court order, or government request. Before disclosing any data in response to a legal demand, Codex will notify the affected customer (unless prohibited by law) and will challenge overly broad or legally insufficient requests. Codex does not voluntarily share data with government agencies and has never provided customer code content to any government entity. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction — you will be notified before any such transfer, and the receiving entity will be bound by privacy commitments no less protective than this policy.
Codex protects your data with encryption, access controls, and continuous monitoring — security is built into the platform, not bolted on.
Codex implements technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 with keys managed through a hardware security module. Access to customer data is restricted to authorized personnel with a specific operational need — access is granted through time-limited, audited credentials and revoked when no longer needed. The Codex platform undergoes quarterly penetration testing by independent security firms, and findings are remediated according to published timelines. Our security practices are informed by frameworks including the National Institute of Standards and Technology guidance published at nist.gov and the Center for Internet Security Critical Security Controls.
Codex maintains SOC 2 Type II certification, supports HIPAA compliance through Business Associate Agreements for Enterprise customers, and is pursuing FedRAMP authorization. Security documentation — including the SOC 2 report, penetration test summaries, and architecture whitepaper — is available to Enterprise customers under NDA through the security compliance center. In the event of a data breach, Codex will notify affected customers within 72 hours of confirmation, provide a detailed description of the incident and its impact, and outline remediation steps taken and planned.
You control your data — access, correction, deletion, portability, and objection rights are available to every Codex user.
Depending on your jurisdiction, you may have the following rights regarding your personal data. Right of access: you can request a copy of the personal data Codex holds about you. Right of rectification: you can request correction of inaccurate or incomplete data. Right of erasure: you can request deletion of your personal data, subject to legal retention requirements. Right of portability: you can request your data in a structured, machine-readable format. Right to object: you can object to certain processing activities, including direct marketing (which Codex does not engage in). Right to restrict processing: you can request that Codex limit how your data is used while a dispute is resolved.
To exercise any of these rights, contact privacy@codex.gr.com with your specific request. Codex will verify your identity before processing any data subject request — this verification is necessary to prevent unauthorized access to your data. We respond to all verified requests within 30 days, as required by GDPR. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. For users in the European Economic Area, a list of supervisory authorities is maintained by the European Data Protection Board.
Codex uses minimal cookies — session management, preferences, and basic analytics. No third-party advertising trackers.
The Codex platform uses cookies for three limited purposes. Session cookies maintain your authenticated state as you navigate between pages and features — these are essential for the Codex platform to function and cannot be disabled. Preference cookies remember your settings — language, theme, editor configuration — so you do not need to reconfigure them on each visit. Analytics cookies help Codex understand how the platform is used — which features are popular, where users encounter difficulties, and how performance varies across regions. All analytics data is aggregated and anonymized before use. Codex does not use cookies for advertising purposes, does not deploy third-party advertising trackers, and does not participate in cross-site tracking networks.
You can control cookie behavior through your browser settings. Most browsers allow you to block third-party cookies, clear cookies on exit, or block all cookies. Note that disabling session cookies will prevent you from using the Codex platform — authentication requires cookies to function. For users in jurisdictions requiring explicit cookie consent, Codex presents a cookie consent banner on first visit that allows you to accept or decline non-essential cookies. Your preferences are stored and respected on subsequent visits.
The Codex platform is not directed at children under 16 — we do not knowingly collect data from minors.
The Codex platform is intended for professional software developers and engineering teams. It is not directed at individuals under the age of 16, and Codex does not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to Codex, contact us immediately at privacy@codex.gr.com. Upon verification, we will delete the data from our systems. Educational institutions using the Codex platform should ensure that student use complies with applicable student data privacy laws and that appropriate consent mechanisms are in place for users under the age of digital consent in their jurisdiction.
Codex will notify you of material changes to this privacy policy — your continued use constitutes acceptance of the updated terms.
Codex may update this privacy policy from time to time to reflect changes in our practices, the Codex platform, or applicable law. When we make material changes, we will notify you through the email address associated with your account and through a notice in the Codex platform dashboard at least 30 days before the changes take effect. Non-material changes — clarifications, typo fixes, reorganization — may be made without notice. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically. Your continued use of the Codex platform after changes take effect constitutes your acceptance of the updated policy. If you disagree with any changes, you may close your account before the changes take effect.
Questions about this privacy policy or your data? Reach the Codex privacy team directly.
For privacy inquiries, data subject requests, or questions about this policy, contact the Codex privacy team at privacy@codex.gr.com. For security-related concerns, including vulnerability reports, contact security@codex.gr.com. For general support, contact support@codex.gr.com or call +1 (415) 555-0187. Our mailing address for formal correspondence is: Codex Privacy Office, 100 Market Street, Suite 400, San Francisco, CA 94105, United States. If you are located in the European Economic Area, you may also contact our EU representative at eu-representative@codex.gr.com.
Codex collects account information, usage data, and code you submit for processing. Codex never uses customer code to train AI models — that is a technical and policy commitment.
Codex collects data in four categories. Account data includes your name, email, organization, and billing details — used to manage your account and process payments. Usage data includes feature interactions, API call volumes, and session information — used to improve the platform and provide support. Code content is the source code you submit for generation, review, or analysis — processed solely to fulfill your specific request and deleted within 30 days of processing. Technical data includes IP addresses, browser versions, and device identifiers — used for security, debugging, and abuse prevention. Codex does not collect more data than necessary to provide each of these functions. Our data collection practices are reviewed quarterly against the principle of data minimization.
TLS 1.3 encryption in transit, AES-256 at rest, hardware security modules for key management, and quarterly independent penetration testing.
Codex security is layered. Transport security uses TLS 1.3 with strong cipher suites — all data between your environment and Codex servers is encrypted in transit. Storage security uses AES-256 encryption at rest with keys managed through hardware security modules — even infrastructure administrators cannot access decrypted customer data without explicit, audited access grants. Access is restricted through role-based controls — only personnel with a specific operational need can access customer data, and all access is logged, audited, and time-limited. The Codex platform undergoes quarterly penetration testing by independent security firms accredited under industry standards. Security incidents are managed through a documented incident response plan with customer notification within 72 hours of confirmed impact.
Codex does not sell data, period. Data is shared with subprocessors only as necessary to operate the platform, and every subprocessor is contractually bound to protect it.
Codex works with a limited number of subprocessors — cloud infrastructure providers, payment processors, email services, and monitoring platforms — each of which receives only the data necessary for their specific function. All subprocessors sign data processing agreements that include privacy and security commitments equivalent to those in this policy. The complete subprocessor list is published in the security compliance center and updated whenever changes occur. Codex does not sell user data, does not share data with advertisers, does not provide data to data brokers, and does not use customer data for purposes beyond providing the Codex platform. Law enforcement requests for data are scrutinized — Codex notifies affected users before disclosure (unless prohibited by law) and challenges overly broad requests.
Email privacy@codex.gr.com with your request — Codex responds to all verified data subject requests within 30 days, as required by GDPR.
You have rights to access, correct, delete, and port your data. To exercise any of these, send a detailed request to privacy@codex.gr.com. Codex will verify your identity before processing the request to prevent unauthorized access to your data. Once verified, access requests are fulfilled within 30 days — you will receive a structured export of your data. Deletion requests remove your personal data from active systems within 30 days, with residual copies cleared from backups within 90 days. Correction requests update inaccurate data within 5 business days of verification. If you are unsatisfied with Codex's response, you can lodge a complaint with your local data protection authority. For EEA users, the European Data Protection Board maintains a directory of national authorities.