Effective date: 2026-06-02
Privacy Policy
Table of Contents
- Introduction
- Information We Collect
- How We Collect Information
- How We Use Information
- Information Sharing and Disclosure
- Data Retention
- Your Privacy Rights
- Cookies and Tracking Technologies
- Global Privacy Control and Do Not Track
- International Data Transfers
- Children's Privacy
- Data Sale and Sharing
- Security Measures
- Changes to This Policy
- Contact Information
1. Introduction
This Privacy Policy describes how RB ZILLA LLC ("we," "us," or "our") collects, uses, and discloses information in connection with Codex Titan, an API-first, multi-tenant support platform accessible at https://www.codextitan.com (the "Platform").
Codex Titan provides embedded support infrastructure for client applications ("Client Apps"), including ticket management, AI-assisted triage, knowledge base management, bug reporting, feature request tracking, and website contact handling, all delivered through a REST API. Our administrative dashboard gives support teams real-time visibility and response capability. Client Apps interact with the Platform exclusively through our authenticated API; no direct database access is granted to Client Apps or their end users.
This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, how long we retain it, your rights, and how to contact us.
Who This Policy Covers
- Business clients ("Clients") who subscribe to and administer the Platform;
- Support team members ("Authorized Users") who access the admin dashboard on behalf of a Client; and
- End users ("End Users") of Client Apps whose support interactions are processed through the Platform.
B2B Context
Codex Titan is designed for business-to-business use. We do not market the Platform directly to individual consumers. However, because End Users of Client Apps may be natural persons whose personal data flows through the Platform, this policy addresses the rights and protections applicable to all individuals whose data we process.
Controller and Processor Distinction
RB ZILLA LLC acts as:
- A data controller for information collected directly from Clients and Authorized Users (e.g., account registration, billing, dashboard usage); and
- A data processor on behalf of Clients for End User data submitted through Client Apps, governed by the applicable Data Processing Agreement ("DPA") with each Client. Our DPA is published at www.codextitan.com/dpa and is incorporated by reference into our Terms of Service.
This Privacy Policy primarily addresses our role as a controller. If you are an End User of a Client App that uses Codex Titan, please contact that Client directly regarding how your personal data is handled.
2. Information We Collect
2.1 Account and Registration Data
When a business registers for Codex Titan, we collect:
- Full name of the account holder or primary contact
- Business name and legal entity name
- Business email address
- Account credentials (hashed password)
- Tenant identifier and API key(s)
2.2 Authorized User Information
For support team members who access the admin dashboard:
- Full name and work email address
- Role and permission level within the Platform
- Login credentials (hashed password)
- Profile information provided during account setup
2.3 Social Login Data
You may register or log in to Codex Titan using your Google account via OAuth 2.0. When you authenticate through Google, we receive the following profile data:
- Full name as it appears on your Google account
- Email address associated with your Google account
- Profile photo URL linked to your Google account
- Google User ID (UID) — a unique identifier assigned by Google
We do not receive your Google password, contacts, calendar data, or any other Google account data beyond the fields listed above. This information is used solely for account creation and authentication.
2.4 Support Interaction Data
Data submitted through Client Apps via the API, which may include:
- Support tickets: Name, email address, subject, message content, ticket status, priority, attachments, and metadata
- Bug reports: Issue description, device or browser information, application version, and diagnostic data
- Feature requests: Description and supporting information
- Website contact forms: Name, email address, subject, and message content
- Knowledge base interactions: Search queries, article views, and helpfulness ratings
2.5 AI Triage Data
When AI triage is enabled, the content of support tickets is processed by our AI system (powered by Anthropic Claude) for classification, routing, and suggested responses. AI triage can be disabled per-ticket or tenant-wide. See Section 4.1 for details.
2.6 Billing and Payment Data
When you subscribe to a paid plan, we collect billing contact information (name, email, billing address) and payment method details. Full payment card numbers are not stored on our servers; they are tokenized and processed directly by Stripe. We retain transaction identifiers, subscription status, plan tier, and invoice history.
2.7 Technical and Usage Data
We automatically collect:
- IP address, browser type and version, operating system, device type
- API request logs (endpoint, timestamp, HTTP method, response code)
- Session identifiers and authentication tokens
- Referring URLs
- Pages or features accessed within the admin dashboard
- Error logs and diagnostic data
- IP addresses associated with security-sensitive operations (recorded in audit logs for compliance and incident investigation)
2.8 Analytics and Performance Data
- Feature usage patterns, dashboard navigation behavior, and session recordings (via PostHog, consent-gated; session recordings are masked — all text and media are redacted before transmission)
- API call volumes and performance metrics
- Website usage data collected via Google Analytics operated through Cloudflare Zaraz (consent-gated)
- Server-side AI operation telemetry (model, token counts, operation type — pseudonymized by tenant ID, processed under legitimate interest)
2.9 Communications Data
When you contact us directly (e.g., via email or support channels):
- Your name and contact details
- The content and records of your communications with us
2.10 Email Engagement Data
We embed a 1x1 tracking pixel in transactional emails related to support tickets. When the pixel loads, we record which specific message was opened and the timestamp. This data is linked to the associated support ticket. You can prevent this tracking by disabling image loading in your email client.
2.11 Portal and Widget Data
- Self-service portal: When End Users access a Client's support portal, we collect page views, search queries, article interactions, ticket form usage, and referrer data.
- Embeddable widget: When End Users interact with the support widget embedded in a Client App, we collect the information the Client configures for user identification, which may include email, name, phone, company name, user ID, and custom fields.
- Contact deduplication: We merge and link widget user identities to maintain accurate contact records on behalf of the Client.
This data is processed on behalf of the Client (processor role) and is subject to the Client's own privacy policy.
2.12 Compliance and Consent Records
As part of the privacy compliance features of the Platform, we maintain records of consent events, data subject request logs, and audit trail entries generated through your use of the Platform. These records serve as compliance evidence for consent granted or denied.
3. How We Collect Information
We collect information through the following methods:
- Direct submission: You provide information when you register for an account, complete your profile, subscribe to a plan, interact with the dashboard, or contact support.
- Through the API: Client App integrations submit data on behalf of End Users. API authentication metadata is logged with each request.
- Automated collection: Our servers, application code, and analytics tools automatically collect technical and usage data when you use the Platform.
- OAuth authentication: When you choose to log in with Google, Google transmits profile data to us as described in Section 2.3.
- Payment processing: Stripe transmits billing confirmation and subscription status data to us upon completion of a transaction.
- Error monitoring and session replay: Sentry automatically captures diagnostic data when application errors occur. The dashboard and portal also use Sentry Session Replay to record masked user sessions for error diagnosis; all text is redacted (maskAllText: true) and all media is blocked (blockAllMedia: true) before transmission. Sentry operates without cookies (sendDefaultPii: false) and does not collect PII by design.
- Cookies and similar technologies: We use cookies, local storage, and similar tracking technologies as described in Section 8.
- Third-party analytics: PostHog (dashboard, consent-gated) and Google Analytics via Cloudflare Zaraz (marketing website, consent-gated) collect behavioral and usage data.
- From third parties: Infrastructure providers (Google Cloud, Cloudflare) provide operational and security data.
4. How We Use Information
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Operating the Platform — account management, API processing, ticket routing, knowledge base, admin dashboard | Art. 6(1)(b) — Contract performance; Art. 6(1)(f) — Legitimate interests |
| Billing — subscription payments, invoices, account changes | Art. 6(1)(b) — Contract performance; Art. 6(1)(c) — Legal obligation |
| AI Triage — classify, prioritize, route tickets; generate suggested responses | Art. 6(1)(b) — Contract performance; Art. 6(1)(f) — Legitimate interests |
| Security — monitor for unauthorized access, enforce rate limits, investigate incidents | Art. 6(1)(f) — Legitimate interests; Art. 6(1)(c) — Legal obligation |
| Analytics and improvement — usage patterns, feature adoption, performance optimization | Art. 6(1)(f) — Legitimate interests |
| Communications — respond to inquiries, transactional emails, onboarding | Art. 6(1)(b) — Contract performance |
| Marketing — product updates and feature announcements (opt-out available) | Art. 6(1)(f) — Legitimate interests for existing customers; Art. 6(1)(a) — Consent where required |
| Legal compliance — respond to lawful requests, enforce Terms of Service | Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests |
| Generating aggregated, anonymized analytics and benchmarks | Art. 6(1)(f) — Legitimate interests |
4.1 AI Processing Details
Codex Titan uses Anthropic's Claude API to provide AI-powered features:
- Ticket triage: Classifies, prioritizes, and routes incoming support tickets. May generate suggested responses for Authorized Users.
- Content generation: Generates knowledge base articles, FAQs, and canned responses from tenant-provided context.
- Compliance document generation: Generates privacy policies, terms of service, cookie policies, and data processing agreements from tenant-provided business context.
- URL content extraction: For content generation, tenants may provide URLs for our system to fetch and extract text content. We access these URLs server-side and do not store the raw HTML.
What data is sent to AI: Ticket subject and message content, relevant KB articles and FAQs for context, tenant AI configuration settings, URLs and extracted text content, and compliance document drafts. We do not send API keys, admin credentials, billing data, or data from other tenants.
No AI training on your data: Anthropic's API terms prohibit using API inputs to train models. Your data is used solely to generate responses within the Platform.
Opt-out: AI triage can be disabled per-ticket (via the disableAiTriage flag) or tenant-wide via the AI settings toggle in the dashboard.
Automated decision-making: Where AI processing constitutes solely automated decision-making with significant effects under GDPR Article 22, you have the right to request human review, express your point of view, and contest the decision.
5. Information Sharing and Disclosure
We do not sell your personal information. We share personal information only with the service providers listed below and in the circumstances described in this section. Every third party that receives personal data in connection with the Platform is identified in this table.
5.1 Third-Party Service Providers
| Service | Role | Data Shared | Why |
|---|---|---|---|
| Google Cloud / Firebase | Infrastructure, database, authentication | All Platform data (hosted on Google Cloud) | To operate the Platform |
| Anthropic | AI processing | Ticket content, KB articles, FAQs, tenant AI configuration, URLs and extracted text content, compliance document drafts (for triage, content generation, compliance document generation, and URL content extraction) | To provide AI-powered features |
| Stripe | Payment processing | Billing email, plan tier, payment method tokens | To process subscriptions. We never store card numbers. |
| Resend | Transactional email | Recipient email, notification subject and body, email open timestamps, approximate geolocation derived from IP at time of open | To deliver ticket and system notifications |
| PostHog | Product analytics | Dashboard usage events (consent-gated via cookie banner); server-side AI operation telemetry (pseudonymized by tenant ID, processed under legitimate interest — not consent-gated) | To improve the Platform |
| Sentry | Error monitoring and session replay | Error stack traces, request metadata, and masked session recordings (no PII by design: sendDefaultPii: false; session replay uses maskAllText: true and blockAllMedia: true) | To detect, diagnose, and fix errors |
| Cloudflare | CDN, DNS, DDoS protection, edge computing, tag management (Zaraz) | HTTP request metadata (IP, headers, URLs) | To protect and deliver the Platform |
| Slack | Notification delivery (optional, customer-activated) | For each enabled support event, the fields placed in the notification message: ticket subject (first 100 characters); an excerpt of the first end-user message (first 300 characters); requester name and email (only when the ticket is not anonymous); escalation reason (first 300 characters); assigned Authorized User name; resolution status; feedback type, score, and comment (first 300 characters); ticket/feedback identifiers; and a deep link to the Codex Titan dashboard | To relay support events (new tickets, escalations, resolutions, feedback) to a customer-selected Slack channel when a client activates the integration |
Google Analytics note: Google Analytics (GA4) operates as a tool within Cloudflare Zaraz. Usage data and anonymized IP addresses are processed server-side through Zaraz, not via direct client-side scripts. Analytics data is only collected after consent is granted.
Google Ads note: Google Ads conversion tracking operates on the marketing website only through Cloudflare Zaraz and is only active when advertising campaigns are running. It sets cookies in the Marketing category (_gcl_*) and is only activated after consent is granted. Google Ads does not receive data from the Platform API or admin dashboard.
Each provider processes data under a data processing agreement (DPA) or equivalent contractual safeguards. Our Data Processing Agreement is published at www.codextitan.com/dpa and is also available by contacting [email protected].
Slack notifications (optional, customer-activated). Codex Titan offers an optional Slack notification integration that a client can activate from the dashboard. When activated, Codex Titan relays support event data — new tickets, escalations, resolutions, and customer feedback — to a client-selected Slack channel using Slack's Web API. The data placed in each Slack message is limited to: the ticket subject (first 100 characters); an excerpt of the first end-user message (first 300 characters); the requester's name and email address, included only when the ticket is not submitted anonymously; the escalation reason (first 300 characters); the assigned Authorized User's name; the resolution status; the feedback type, score, and comment (first 300 characters); ticket and feedback identifiers; and a deep link back to the Codex Titan dashboard. Codex Titan does not send card numbers, API keys, admin credentials, or another tenant's data to Slack. The bot token used to post to the client's Slack workspace is encrypted at rest using Google Cloud KMS envelope encryption and is never exposed to the dashboard. A client can disconnect the integration at any time from the dashboard, which revokes the bot token and clears the integration configuration. Messages already delivered to a client's Slack workspace remain in that workspace's message history under the client's Slack retention settings; Codex Titan cannot retroactively delete messages from a client's Slack workspace. Data deletion performed by Codex Titan covers source data held within Codex Titan systems only — Slack-delivered messages must be managed by the client's Slack workspace administrator. Slack is engaged as a sub-processor only for clients who activate the integration; clients who do not activate it have no Slack sub-processing.
5.2 Clients (as Data Controllers)
Where we act as a data processor on behalf of a Client, the Client is the data controller for End User data. We process that data per the Client's instructions and our DPA.
Clients may configure webhook subscriptions that deliver event data (including support ticket events) to Client-specified endpoints. These transmissions are Client-directed and governed by the DPA. Clients can export contact data in machine-readable format via the API or dashboard.
5.3 Business Transfers
If RB ZILLA LLC is involved in a merger, acquisition, or asset sale, personal information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a different privacy policy.
5.4 Legal Requirements
We disclose personal information when we believe in good faith that disclosure is necessary to comply with a legal obligation, enforce our Terms of Service, protect rights or safety, or detect fraud or security issues.
5.5 With Your Consent
We share personal information for any other purpose with your explicit consent.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer period is required by law.
6.1 Retention by Plan Tier
Retention periods for data processed on behalf of Clients are tiered by subscription plan. After account closure, Clients have 30 days to export their data; following that window, all associated data is permanently deleted.
| Data Category | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Resolved support tickets, bug reports, feature requests | 90 days | 365 days | 730 days | Custom |
| Feedback records | 90 days | 365 days | 730 days | Custom |
| Usage records and credit ledger | 365 days | 730 days | 1,095 days | Custom |
| Audit logs | 90 days | 90 days | 365 days | Custom |
| Consent event logs | 90 days | 365 days | 730 days | Custom |
| Webhook delivery logs | 7 days | 14 days | 30 days | 90 days |
6.2 Retention for Account and Business Data
| Data Category | Retention Period |
|---|---|
| Account and registration information | Duration of active subscription + 3 years after closure (unless earlier deletion requested) |
| Authorized User information | Duration of active account + 1 year after deactivation |
| AI triage data | Same as associated support interaction data |
| API usage and technical logs | Per plan tier (see above) |
| Billing and financial records | 7 years (tax/accounting obligations, handled by Stripe) |
| Social login tokens (Google OAuth) | Duration of account; revocable at any time via Google account settings |
| Communications data | 3 years from last communication |
| Analytics data | Aggregated/anonymized: indefinitely. Pseudonymized: 24 months. |
| Cookie and tracking data | Per cookie lifespans in Section 8 |
| Security and fraud logs | 1 year from event date |
| Marketing communication preferences | Until opt-out or account deletion |
Deletion requests. Contact [email protected]. We process requests per Section 7 and applicable law. We may retain certain data where required by law or to resolve disputes.
End User data. Clients manage End User data retention. Clients may request deletion on behalf of End Users through the API or by contacting us directly.
Slack-relayed messages. When a client has the Slack integration active, support event data is transmitted to the client-selected Slack channel. Once delivered, a message is stored in the client's Slack workspace and retained under that workspace's own Slack plan settings, which Codex Titan does not control. Codex Titan retains no separate copy of the relayed message content; the message is a reformatted projection of source support data (tickets and feedback) that Codex Titan already holds and retains per the schedule above.
7. Your Privacy Rights
Depending on your location, you have the following rights. To exercise any right, contact us at [email protected]. We respond within the timeframes required by applicable law and do not charge a fee unless requests are manifestly excessive.
7.1 Response Timeframes
GDPR (EU/UK Residents). We will respond to your request within one month of receipt. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay (GDPR Art. 12(3)).
CCPA/CPRA (California Residents). We will respond within 45 calendar days of receiving your verifiable request. We may extend this period by an additional 45 days where reasonably necessary, provided we notify you of the extension.
7.2 Rights Summary
| Right | All Users | GDPR (EU/UK) | CCPA/CPRA (CA) | Other US States |
|---|---|---|---|---|
| Access your data | Yes | Art. 15 | Cal. Civ. Code § 1798.100 | Yes |
| Correct your data | Yes | Art. 16 | Cal. Civ. Code § 1798.106 | Yes |
| Delete your data | Yes | Art. 17 | Cal. Civ. Code § 1798.105 | Yes |
| Data portability | Yes | Art. 20 | Cal. Civ. Code § 1798.100(d) | Yes |
| Restrict processing | -- | Art. 18 | -- | -- |
| Object to processing | -- | Art. 21 | -- | -- |
| Opt out of sale/sharing | -- | -- | Cal. Civ. Code § 1798.120 | Yes |
| Limit use of sensitive data | -- | -- | Cal. Civ. Code § 1798.121 | -- |
| Withdraw consent | Yes | Art. 7(3) | -- | -- |
| Non-discrimination | Yes | -- | Cal. Civ. Code § 1798.125 | Yes |
| Appeal a denial | -- | -- | -- | Yes |
We do not sell or share personal information as defined by the CCPA/CPRA or similar US state privacy laws. We do not disclose personal information to third parties for their direct marketing purposes. Where our AI triage system makes decisions that significantly affect you, you have the right to request human review.
7.3 How to Submit a Request
To exercise any of the rights listed above, you may:
- Email us at [email protected]
- Submit a request through our privacy request portal at support.codextitan.com/codex-titan/data-request
We verify your identity before processing any rights request. Verification may require you to confirm your email address or provide additional identifying information. You may designate an authorized agent with written authorization.
7.4 Jurisdiction Supplements
California (CCPA/CPRA). California residents have the rights described in the table above. If we deny your request, you may appeal by contacting us at [email protected] with the subject line "Privacy Rights Appeal." We respond to appeals within 45 calendar days. If your appeal is denied, you may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
Virginia (VCDPA). Virginia residents have rights under the Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.). If we deny your request, you may appeal within a reasonable time by contacting us at [email protected]. If your appeal is denied, you may contact the Virginia Attorney General.
EU/UK (GDPR). EU and UK residents may lodge a complaint with a supervisory authority in the EU Member State of their habitual residence, place of work, or place of the alleged infringement. UK residents may lodge a complaint with the Information Commissioner's Office (ICO).
Other States. Residents of other states with comprehensive privacy laws (including Colorado, Connecticut, Texas, and Oregon) may have similar rights under their respective state laws. We extend the same request and response process described above to residents of all states with applicable comprehensive privacy legislation.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and dashboard:
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Platform function. Cannot be disabled. | Consent preferences (cc_cookie), Cloudflare security (__cf_bm, cf_clearance) |
| Analytics | Understand usage and improve the Platform. Consent required. | Google Analytics via Zaraz (_ga, _gid, _gat) |
| Marketing | Campaign effectiveness measurement (when active). Consent required. | Google Ads (_gcl_*). If we are not running advertising campaigns, no marketing cookies will be set even if you accept this category. |
| Functional | Enhanced features and personalization (when active). Consent required. | None currently set |
We use Cloudflare Zaraz to manage and proxy third-party scripts, which routes analytics data server-side through Cloudflare's infrastructure. Zaraz itself sets no cookies and does not directly track users.
Note on PostHog: PostHog product analytics is used in the admin dashboard (consent-gated) but does not run on the marketing website. Dashboard-specific cookies are covered by the dashboard's own consent banner.
Note on Sentry: Sentry error monitoring is used for error detection on both the website and dashboard. It operates without cookies (sendDefaultPii: false) and transmits data via HTTP headers only.
Managing cookies: We present a cookie consent banner that adapts to your region — opt-in for EEA/UK visitors, opt-out for others. You can update preferences at any time via the "Cookie Preferences" link in the website footer or through the "Manage Preferences" option on the consent banner. You can also configure your browser to refuse cookies, though this may affect functionality.
Third-party cookies: Third-party services may set their own cookies subject to their own privacy policies. We do not control third-party cookies.
For full details, see our Cookie Policy.
9. Global Privacy Control and Do Not Track
Global Privacy Control (GPC)
We honor the Global Privacy Control signal. When we detect Sec-GPC: 1 (server-side) or navigator.globalPrivacyControl (client-side), we automatically deny non-essential cookies and suppress data sharing in jurisdictions that mandate GPC recognition, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas. When GPC is detected, the consent banner is not shown — non-essential cookies are silently declined. Our GPC support is confirmed at /.well-known/gpc.json.
Do Not Track (DNT)
We do not respond to the legacy Do Not Track browser signal because there is no universally accepted standard for DNT compliance. We recommend using GPC instead, which has statutory backing in multiple jurisdictions.
10. International Data Transfers
RB ZILLA LLC is based in the United States. Personal information may be transferred to and processed in the United States.
EU/EEA/UK transfers: We rely on Standard Contractual Clauses (SCCs) as the primary transfer mechanism. For UK transfers, we use the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs. Our agreements with Google Cloud, Cloudflare, and other sub-processors incorporate SCCs or equivalent mechanisms.
Canadian transfers: Made in accordance with PIPEDA's cross-border transfer requirements with contractual safeguards.
Australian transfers: Made in accordance with Australian Privacy Principle 8 with reasonable steps to ensure comparable protection.
Our infrastructure and service providers — including Google Cloud, Cloudflare, Stripe, Resend, Anthropic, PostHog, and Sentry — may process data in data centers located in the United States and, in some cases, in other countries. Each of these providers maintains their own data transfer mechanisms and safeguards.
If your organization requires specific data transfer documentation (such as executed SCCs or a countersigned DPA), contact us at [email protected].
11. Children's Privacy
Codex Titan is designed exclusively for businesses and their employees. We do not knowingly collect personal information from children under 16 (GDPR) or 13 (COPPA). If we learn we have collected such information, we will delete it promptly. Contact [email protected] if you believe a child has provided personal information to us.
Clients are responsible for ensuring their Client Apps comply with applicable children's privacy laws before submitting data through the Codex Titan API.
12. Data Sale and Sharing
- We do not sell personal information to third parties for monetary or other valuable consideration, as defined under the CCPA/CPRA or any other applicable privacy law.
- We do not share personal information for cross-context behavioral advertising.
- We share personal information only with service providers under written contracts that prohibit them from using the data for their own purposes, as described in Section 5.
To exercise your opt-out rights or manage your privacy preferences, use the "Do Not Sell or Share My Personal Information" and cookie preference links in the footer, or contact [email protected].
13. Security Measures
We implement technical, administrative, and organizational security measures including:
- Encryption in transit using TLS 1.2 or higher for all data transmission
- Encryption at rest using AES-256 on Google Cloud infrastructure
- API key security — keys are cryptographically hashed (SHA-256) and never stored in plaintext
- Multi-tenant data isolation — each Client's data is logically separated at the database level; tenant ID is always derived from authenticated context, never from user input
- DDoS protection via Cloudflare
- Rate limiting on all API endpoints
- Audit logging for security-sensitive operations
- Role-based access controls that limit employee access to personal data on a need-to-know basis
- Application-level error monitoring through Sentry to detect and respond to anomalies
No system is 100% secure. If you discover a security vulnerability, please report it to [email protected]. In the event of a data breach that affects your rights and interests, we will notify you in accordance with applicable law.
14. Changes to This Policy
We update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make changes, we update the Effective Date at the top of this document.
For material changes — meaning changes that significantly affect how we collect, use, or share your personal information — we will provide advance notice by:
- Sending an email notification to the address associated with your account, and/or
- Displaying a prominent notice within the Platform dashboard.
We will provide at least 30 days' advance notice before material changes take effect, giving you the opportunity to review the updated Policy and, if you disagree with the changes, to close your account before they apply.
For non-material changes (such as clarifications, formatting updates, or corrections), the updated Policy will take effect upon posting. We encourage you to review this Policy periodically. Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.
All prior versions of this Privacy Policy are available upon request by contacting [email protected].
15. Contact Information
RB ZILLA LLC
116 E Main St, Suite 201
Rock Hill, SC 29730
United States
- Privacy inquiries: [email protected]
- General support: [email protected]
- Security reports: [email protected]
- Website: https://www.codextitan.com
We aim to respond to all privacy-related inquiries within 5 business days. For formal privacy rights requests (such as access, deletion, or correction requests), response timelines are governed by Section 7 of this Policy.
Data Protection Officer. RB ZILLA LLC has determined that the appointment of a Data Protection Officer is not required under GDPR Art. 37, as we do not engage in large-scale systematic monitoring of individuals, nor do we process special categories of personal data or data relating to criminal convictions as a core business activity. All privacy inquiries, including those from EU/UK residents, should be directed to [email protected].
EU/UK Representative. RB ZILLA LLC has assessed its obligations under GDPR Art. 27. Based on the nature, scope, and scale of its processing of personal data of individuals in the EEA/UK — which is occasional, does not involve large-scale processing of sensitive data, and does not involve systematic monitoring — RB ZILLA LLC has determined that the appointment of an EU/UK representative is not required at this time. If you are located in the EEA or UK and have a privacy concern, please contact us at [email protected].