Privacy Policy
Effective: 2026-05-02 · Last updated: 2026-05-02
The short version. OffCoder collects the minimum personal information required to run the Service: your email, your name, and the content you choose to put into your projects. We send your AI prompts to the third-party AI provider you select for processing. OffCoder itself does not use your prompts or code to train AI models, and we select the not-for-training setting on our master keys where the provider exposes one. If you Bring Your Own Key (BYOK), training and retention behaviour is governed by your own account settings with that provider — see §4 for the AI-provider details. You can access, correct, export, or delete your data at any time. Disputes are governed by Indian law.
1. Who we are
"OffCoder", "we", "us", and "our" refer to the operator of the OffCoder mobile application (the "App") and the website at offcoder.com (the "Website"; together with the App, the "Service"). We operate from India. OffCoder is presently operated as a sole proprietorship pending incorporation; once OffCoder is incorporated as a registered legal entity, this Policy will be updated to reflect the entity name, registered office address, and any applicable tax registrations.
For the purposes of the Digital Personal Data Protection Act 2023 ("DPDPA"), OffCoder is the Data Fiduciary in relation to the personal data described below. For users in the European Economic Area, the United Kingdom, and Switzerland (together, "EU/EEA users"), OffCoder is the data controller within the meaning of Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.
2. Scope of this Policy
This Policy describes how OffCoder collects, uses, discloses, retains, and protects personal data when you use the Service. It applies to information collected through the App, the Website, our customer-support channels, and any other interaction you have with us.
This Policy does not govern: (a) the privacy practices of third-party websites we link to; (b) the privacy practices of the AI providers (e.g. Anthropic, OpenAI, Google, OpenRouter) you choose to route AI requests to — those providers act independently as their own data fiduciaries / controllers and you should review their policies; or (c) the privacy practices of Razorpay or any other payment processor we engage, in respect of payment information they collect directly from you.
3. Personal data we collect
We collect only what we need. Specifically:
3.1 Information you provide
- Account information. Your email address and display name. If you sign up via OAuth (Google, GitHub, GitLab, Bitbucket, LinkedIn), we receive the basic profile fields the provider returns (name, email, avatar URL, provider-side user ID).
- Profile handle. A short URL-safe handle you can edit. Your handle becomes part of any hosted-service URL you create (<handle>-<project>.offcoder.dev).
- User-generated content. The source code, project files, project secrets, and any text you put into your projects, including AI prompts and chat messages.
- Bring-Your-Own-Key API credentials. If you use the BYOK feature, you provide a third-party AI provider API key. The key is encrypted at rest using AES-256-GCM with a per-record data-encryption key wrapped under a Key-Encryption-Key (KEK) held in a separate application secret manager (AWS Secrets Manager) — the database row alone is therefore not sufficient to decrypt the key. The key is never returned to the App after submission, never written to logs, and used only to relay your AI requests to the AI provider you have selected. Access to the unwrapped key value is limited to the inference forwarding subsystem; engineering personnel cannot read the plaintext value through ordinary tooling, and any break-glass access is logged. You may rotate or delete the stored key at any time from Settings → BYOK; deletion takes effect immediately in the live system and within 30 days from encrypted backups.
- Feedback & flags. Free-text comments, AI-output flags (with the prompt + output context), and bug reports you submit.
3.2 Information we collect automatically
- Device + session metadata. App version and build number, OS version, device model, time zone (IANA name), the IP address used at sign-in, and timestamps of authentication events.
- Service-usage telemetry. Per-request metadata for paid features: AI provider, model name, input/output token counts, request type (chat / agent / diff). We use this for billing reconciliation and abuse detection. The token counts and metadata are stored at the application level for the retention period in §9. The raw prompt and response text are not stored at the application level — but to enable incident debugging, request and response bodies may transit through volatile operational logs at the load-balancer / application-server tier for up to 72 hours, after which those operational logs are auto-purged. The two layers are distinct: "application-level retention" means written to our database; the 72-hour window applies only to short-lived operational logs.
- Runtime-job metadata. When you trigger a cloud run, we record the runtime type, duration, exit code, and stdout/stderr emitted by your code, retained for the lifetime of the job's parent project.
- Crash & error reports. If we have configured a crash-reporting SDK (Sentry), the App and our backend may send pseudonymized stack traces, breadcrumbs, app version, OS version, minimal device-context fields (e.g. device model, locale, screen size — Sentry's standard "device context" capture, not a tracking fingerprint), and a per-install random identifier to that provider when an unhandled error occurs. No source code, prompt content, or model output is included; PII scrubbing is applied to captured strings via Sentry's beforeSend hook where feasible.
3.3 Information we deliberately do NOT collect
- Precise or approximate geolocation.
- Contacts, photos, microphone audio, SMS, call logs.
- Browser history outside the Service.
- Health, biometric, or financial-account information.
- Children's data — see Section 11 (the Service is restricted to persons aged 18 and over; we do not knowingly collect data from anyone under 18).
4. AI processing — what happens to your prompts
OffCoder is an AI coding tool. When you use an AI feature, the following happens:
- Your prompt (and, in some workflows, related code from your project) is sent from the App to our backend over a TLS-encrypted connection.
- Our backend forwards the prompt to the AI provider you have selected — either via OffCoder's master API key (Pro subscription) or your stored BYOK key (BYOK subscription).
- The AI provider returns a response. Our backend forwards it back to your device.
- Token counts are recorded for billing and abuse-detection purposes. The prompt and response themselves are NOT retained at the application level, save for (i) the short-lived operational-log transit window described in §3.2 (up to 72 hours), and (ii) the two narrow exceptions described immediately below.
The exceptions where prompt/output content is retained:
- Flagged outputs. If you flag an AI output via the in-app report button, we retain the prompt + output associated with that flag for up to 30 days for our review queue, then delete it (or anonymize it for product-improvement analysis).
- Agent sessions. If you use the multi-step Agent feature, the per-step prompt + response history is retained as part of the agent-session record, scoped to the parent project, until you delete the project or the session.
We do not use Your Content to train AI models. Where the AI provider exposes a content-not-for-training setting on their API, we have selected it on our master keys. Note that providers may still retain prompts and outputs for a short trust-and-safety review period (typically up to 30 days) under their published baseline terms; the specific retention posture per provider is set out in the AI provider table of our Sub-processors page. Litigation holds may extend retention beyond the standard window for one or more providers (for example, the court-ordered preservation directive in The New York Times Co. v. Microsoft Corp. and OpenAI currently affects OpenAI API logs); the current particulars are stated in that AI provider table and are updated as the position changes. We do not currently operate a Zero Data Retention ("ZDR") arrangement with any AI provider; if and when we do, this Policy and the Sub-processors page will be updated. For BYOK users, training and retention behaviour is governed by your account's settings with the AI provider you have chosen — review that provider's policy directly.
Cross-border transfer. The AI providers we currently use (Anthropic, OpenAI, Google, OpenRouter) operate servers in jurisdictions outside India and the EEA, including the United States. The transfer mechanisms we apply to AI-prompt relays and to other cross-border flows are described in §8 below.
5. Why we process your data (lawful basis)
Under DPDPA we process your personal data on the basis of your consent, given when you create an account and accept this Policy at sign-up, and — where applicable — on the basis of the legitimate-use grounds in §7 of the DPDPA, in particular §7(a) (the Data Principal voluntarily provides her personal data to the Data Fiduciary for a specified purpose and has not indicated that she does not consent to its use), which is the limb most directly applicable to delivering the Service you have signed up for. Under GDPR we rely on:
- Performance of contract (Article 6(1)(b)) — to deliver the Service you have signed up for.
- Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the Service; to detect and prevent abuse and fraud; to comply with legal obligations. We have weighed these interests against your privacy rights and consider them not to be overridden.
- Legal obligation (Article 6(1)(c)) — to keep tax records, respond to lawful requests, and meet other regulatory obligations.
- Consent (Article 6(1)(a)) — for any optional processing not covered above (e.g. opt-in marketing emails). Withdrawn at any time without affecting prior lawful processing.
6. How we use your data
We use the personal data described in Section 3 to:
- Authenticate you and maintain your session.
- Deliver the features you request (project storage, AI processing, cloud-runtime jobs, hosted services).
- Charge for paid plans, top-up purchases, and refunds via Razorpay; reconcile payment events with your account.
- Send transactional emails (sign-up confirmation, payment receipts, refund confirmations, renewal reminders, security alerts, sub-processor change notices, upgrade-link emails, and similar service-administration messages — note we do not send password-reset emails because the Service is OAuth-only and we do not maintain passwords). These are not marketing.
- Detect, prevent, and respond to abuse, fraud, security incidents, and violations of our Acceptable Use Policy.
- Maintain audit logs as required for tax, accounting, dispute resolution, and security investigations.
- Improve the Service through aggregated usage analytics that are not tied to you individually after the analysis window.
- Comply with applicable law, lawful requests from authorities, and Court orders.
We do not sell your personal data, share it with data brokers, or use it for cross-context behavioral advertising.
We do not currently send marketing emails. The communications you receive from us are transactional in nature (sign-up confirmation, payment receipts, refund confirmations, security alerts, sub-processor change notices, renewal reminders, and similar service-administration emails). The reservation of a "consent" lawful basis under §5 above is anticipatory only — it covers the possibility that we offer an opt-in newsletter or product-update email at a later date, in which case opt-in will be explicit, will not be bundled with sign-up consent, and may be withdrawn from the email itself or from your account settings.
6.1 Automated decision-making and profiling
We employ automated processes in two narrow areas, neither of which produces a "decision based solely on automated processing which produces legal effects concerning [you] or similarly significantly affects [you]" within the meaning of Article 22(1) GDPR:
- AI-content safety classifiers. We run rule-based and model-based classifiers on AI prompts and outputs to detect content prohibited by our Acceptable Use Policy (CSAM, weapons-of-mass-destruction synthesis, malware-development assistance, surveillance tooling, illegal drugs). A positive classifier hit may block the request or response in real time. A material consequence (e.g. account suspension) is never imposed by the classifier alone — it is reviewed by a human on the AI-flag review queue before any account-level action is taken.
- Anti-fraud / abuse signals. Velocity checks and rate-limiting on sign-ups, payments, and runtime jobs may temporarily throttle or block a request. Permanent restrictions (suspension, refund refusal, ban) are imposed only after human review.
You have the right to obtain human intervention, to express your point of view, and to contest any automated outcome that affects you, by contacting privacy@offcoder.com. We aim to route the matter to a human reviewer (separate from the automated system) within 7 business days, and in any event within the response timelines stated in §10. Where the volume of requests or operational circumstances would otherwise prevent us from meeting the 7-business-day target, we will acknowledge receipt and provide a revised timeline within that period.
7. Who we share your data with
We share personal data only with the parties listed below, only to the extent necessary, and only under contractual or statutory protections.
7.1 Service providers (Data Processors / sub-processors)
The current list of sub-processors with whom we share personal data is maintained at offcoder.com/legal/subprocessors. We commit to providing at least 30 days' notice to registered users — by email and on that page — before adding a new sub-processor that materially changes the categories of personal data shared, the destination, or the purpose. We flow contractual data-protection terms (including, where applicable, Standard Contractual Clauses) down to each sub-processor.
The principal sub-processors as of the effective date above are:
- AI providers — Anthropic, OpenAI, Google AI, OpenRouter (per your selection). Receive: your AI prompts and the source code / context you submit alongside them.
- Razorpay Software Private Limited — payment processor. Razorpay is engaged as our payment processor; for the payment data Razorpay collects directly from you (card number, UPI VPA, banking credentials, KYC information), Razorpay acts as an independent data fiduciary / controller under its own privacy policy and we are not a processor of that data. We receive only your name, email, transaction amount, and the IP address you paid from. We do not see or store your card number, UPI VPA, or banking credentials.
- Hosting + infrastructure — Amazon Web Services (AWS) for compute and storage, with AWS region ap-south-1 (Mumbai) by default and backups replicated to an additional region for resilience; AWS SES for transactional email; Neon Inc. (Singapore region as of the date above) for the managed PostgreSQL application database; Cloudflare for CDN and edge TLS termination on a global edge network. The current vendor for each role is always disclosed on the Sub-processors page; if a vendor changes, that page is updated and the §7.1 30-day notice applies.
- Crash + error monitoring — Sentry, when configured. Receives: pseudonymized stack traces with PII scrubbing applied where feasible (we configure Sentry's beforeSend hook to strip known-sensitive fields and to truncate long string captures), app version, OS version, and a per-install random identifier.
- OAuth identity providers — Google, GitHub, GitLab, Bitbucket, LinkedIn — only when you choose to sign in with one. Each operates under its own Privacy Policy.
7.2 Legal and regulatory
We may disclose personal data to law-enforcement, regulators, courts, or other government authorities if we are legally required to (subpoena, search warrant, court order, statutory request) or where we have a good-faith belief that disclosure is necessary to: (a) comply with applicable law, (b) enforce our Terms or this Policy, (c) protect the rights, property, or safety of OffCoder, our users, or the public, or (d) detect or prevent fraud or security incidents.
We will, where lawful, attempt to notify you of any such request that materially affects your account before producing data, so that you have an opportunity to challenge it.
7.3 Business transfers
If OffCoder is involved in a merger, acquisition, sale of assets, or insolvency proceeding, your personal data may be transferred to the successor entity. The successor will be bound by terms no less protective than this Policy. We will publish a notice on the Website at least 14 days before any such transfer takes effect.
8. International data transfers
Personal data we collect may be transferred outside India and the EEA in the course of providing the Service — typically to the AI providers' US-based servers, our cloud-hosting regions, and Razorpay's processors. The principal recipient jurisdictions are the United States (AI providers, Sentry), India (Razorpay, AWS Mumbai region, our managed PostgreSQL provider where so configured) and global edge points-of-presence operated by our CDN.
For data originating in the EEA, the United Kingdom, or Switzerland we rely on the following transfer mechanisms, in order of priority: (a) where the recipient is certified under the EU–US Data Privacy Framework (or its UK / Swiss extensions), on that adequacy decision; (b) for all other recipients in non-adequate jurisdictions, on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, modules 2 (controller-to-processor) and 3 (processor-to-processor)) and, for UK-origin data, on the UK Information Commissioner's International Data Transfer Addendum to those Clauses. We have conducted a Transfer Impact Assessment for the principal recipients identifying the laws of the destination country that may permit access to personal data and the supplementary safeguards we apply (TLS 1.2+ in transit, encryption at rest, application-layer pseudonymization where feasible, contractual obligations to challenge unlawful access requests). The TIA is reviewed at least annually and on any material change.
For data originating in India, transfers proceed in accordance with §16 DPDPA and any restrictions notified by the Central Government from time to time. As of the date above, no destination has been blacklisted by notification under §16(2). We will update this Policy and notify users if a notified restriction subsequently affects an active sub-processor.
A copy of the SCC-based agreement on file with a particular sub-processor can be requested by EEA / UK data subjects at privacy@offcoder.com. To the extent any specific transfer cannot be supported by an adequacy decision or by SCCs (for example, the immediate relay of an AI prompt you submit to a selected AI provider), the transfer is processed in reliance on Article 49(1)(b) GDPR — transfer necessary for the performance of a contract between you and OffCoder, or for the implementation of pre-contractual measures taken at your request. We do not rely on Article 49(1)(a) "explicit consent" as an ordinary basis for cross-border transfer.
9. Retention
We retain personal data only as long as we have a legitimate purpose to do so:
- Account profile + projects: while your account is active. If you delete your account, we delete your account profile and project files within 30 days, save for the limited records described below.
- AI prompts & outputs: not retained at the application level (i.e. not written to our database) except for (i) flagged outputs (≤30 days in the review queue, then deleted or anonymized) and (ii) agent-session history (until you delete the session or project). Separately, ephemeral operational logs at the load-balancer / application-server tier may transit request/response bodies for up to 72 hours for incident debugging, after which they are auto-purged.
- Audit logs (sign-in events, security events, and the operational portion of billing/admin events that is not part of the audit trail for a paid transaction): 18 months from the event, then deleted. The minimum audit-log fields tied to a paid transaction (transaction ID, user-pseudonym, amount, timestamp) are retained for the longer 8-year period under the tax-records bullet below.
- Tax + accounting records (invoices, GSTR-1 line items, the wallet ledger of credit grants and debits to the extent it forms part of the audit trail for paid transactions, the underlying payment ledger, and the payment-event log corresponding to each invoice): retained for 8 years from the end of the relevant financial year. We adopt 8 years as a conservative ceiling that covers the primary record-retention requirements under the Income Tax Act, 1961 (and Rules thereunder) and §36 of the CGST Act, 2017, together with the periods within which proceedings may be reopened or reassessed under those Acts. Where a longer retention is mandated for an open dispute, audit, or proceeding, the records are held until the matter is finally concluded, then deleted.
- Crash + error reports: 90 days at the Sentry provider, then auto-purged.
9.1 How account deletion works
When you trigger account deletion (App: Settings → Danger zone → Delete account; Website: Account → Delete account; or by emailing privacy@offcoder.com), the request flows as follows:
- Day 0 — request received. If a paid subscription is active, the subscription is first cancelled with Razorpay so that no further charges occur. Your account is then placed in a "soft-deleted" state: you are signed out of all sessions, OAuth tokens are revoked, the App and Website refuse all sign-in attempts, and your handle is reserved against re-use. We send a confirmation email to the address on file.
- Days 1–30 — restoration window. If you contact privacy@offcoder.com within 30 days you may restore your account in its prior state. This window exists primarily to mitigate accidental or coerced deletion. No new processing occurs during this window beyond keeping the soft-deleted record indexed.
- Day 30 — hard deletion of live systems. Account profile, project files, BYOK credentials, agent-session history, AI flags, wallet records, and audit-log entries that are not subject to a statutory retention duty are permanently deleted from live production databases.
- Backup tail (worst case approximately Day 60). Our daily encrypted database backups follow a 30-day rotation. The most recent backup that captured your live data was taken between the day before deletion and the day of deletion (Day −1 to Day 0); on the standard 30-day rotation that backup rolls off no later than approximately Day 30 from the date it was taken — so, in the worst case, no later than approximately Day 60 after deletion was initiated. Once the last pre-deletion backup has rolled off, no copy of your deleted live data remains on our infrastructure. Backups are not selectively read for individual records; they are accessed only for whole-system disaster recovery and are themselves encrypted.
- Permanently retained. The following records survive deletion because we are legally required to keep them: (i) tax invoices and the underlying ledger of payments and refunds (Indian Income Tax Act, 1961 and the GST Acts: 8 financial years); (ii) the minimum audit-log fields tied to a paid transaction (transaction ID, user-pseudonym, amount, timestamp) necessary to prove that the transaction occurred, retained against the same period; (iii) the wallet ledger of credit grants and debits to the extent it forms part of the audit trail for paid transactions, retained against the same period; and (iv) any records subject to a then-current preservation order or lawful-request hold. These are kept in a segregated archive accessible only for compliance and legal purposes; they are not used for any operational, marketing, profiling, or product-improvement purpose.
You may request a downloadable copy of your data ("Download my data") at any time before initiating deletion; we recommend doing so first.
10. Your rights
Depending on where you live, you have one or more of the following rights with respect to your personal data:
- Right of access — request a copy of the personal data we hold about you. Use the "Download my data" button in your account or email us.
- Right of correction — update inaccurate or incomplete information. Edit your profile in the App, or email us.
- Right of erasure / "right to be forgotten" — delete your account and associated personal data. Use the in-app delete button (Settings → Danger zone → Delete account) or email us.
- Right to data portability — receive a machine-readable copy of your data ("Download my data" gives you JSON).
- Right to object / restrict processing — object to processing based on legitimate interests, or ask us to restrict processing pending resolution of a dispute.
- Right to withdraw consent — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing already done.
- Right to grievance redress (DPDPA) — see Section 14 below.
- Right to lodge a complaint with a supervisory authority:
  - India (DPDPA): the Data Protection Board of India.
  - EEA / United Kingdom (GDPR / UK GDPR): for UK residents, the Information Commissioner's Office (ico.org.uk); for residents of other EEA Member States, the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
  - United States: the relevant state Attorney General and, in California, the California Privacy Protection Agency, where your jurisdiction confers that right.
Our response timelines depend on the regime under which you exercise the right:
- India (DPDPA), EEA / United Kingdom / Switzerland (GDPR / UK GDPR), and other jurisdictions not separately listed — within 30 days of a verified request, extendable by a further 60 days for complex or numerous requests with notice within the original 30-day window explaining the reasons for the extension.
- United States — California, Virginia, Colorado, Connecticut, Texas — within 45 days of a verified request, extendable by a further 45 days for complex or numerous requests with notice within the original 45-day window. See Section 10A for state-specific particulars.
We may need to verify your identity before acting, typically by sending a confirmation email to the address on file; we will not require disproportionate identification documents. Requests are handled free of charge. The only exceptions are requests that are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR — in particular, where they are repetitive — in which case we may either (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested, or (b) refuse to act on the request. The burden of demonstrating that a request is manifestly unfounded or excessive rests with us. You may appeal any refusal to legal@offcoder.com and, where applicable, complain to the supervisory authority identified above.
10A. United States — state privacy disclosures
This Section supplements the rights described in Section 10 for residents of California, Virginia, Colorado, Connecticut, and Texas. It is provided in good faith based on those states' privacy statutes; nothing in this Section is intended to grant rights to residents of other jurisdictions beyond those already described above.
10A.1 California — CCPA / CPRA
If you are a California resident, you have the rights to (i) know what personal information we collect, use, disclose and (where applicable) sell or share, (ii) request deletion of your personal information, (iii) request correction of inaccurate personal information, (iv) opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising, and (v) limit the use of "sensitive personal information" to the extent we collect it. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"). We do not knowingly collect or process personal information of California residents under 16 years of age. To exercise any CCPA right, use the methods in Section 10 or email privacy@offcoder.com with the subject "CCPA request". We will not discriminate against you for exercising your rights. You may designate an authorized agent to make a request on your behalf, accompanied by signed written permission and identity verification.
10A.2 Virginia, Colorado, Connecticut, Texas
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA) and Texas (TDPSA) have rights of access, correction, deletion, data portability, and opt-out from (a) targeted advertising, (b) sale of personal data, and (c) profiling in furtherance of decisions producing legal or similarly significant effects. As stated above we do not engage in (a), (b), or such (c). Sensitive data — to the extent we collect any — is processed only with your consent. To exercise any of these rights or appeal a denial, email privacy@offcoder.com with the subject "[State] privacy request" or "[State] privacy appeal". We respond within 45 days (extendable by 45 days for complex requests, with notice).
10A.3 Categories of personal information (CCPA-style table)
For the past 12 months we have collected the following CCPA-defined categories from US residents: identifiers (email, name, OAuth provider IDs, IP address); commercial information (purchase history, transaction amounts); internet/network activity (request logs, app version, device/OS version); inferences (usage telemetry tied to entitlements). We do not collect biometric, geolocation (precise), audio, video, sensory, or thermal information; we do not collect health, racial-or-ethnic, religious-or-philosophical, sexual-orientation, citizenship-or-immigration-status, or genetic information.
The business and commercial purposes for which each category above is processed — and the retention period applied — are set out in §6 (How we use your data) and §9 (Retention) of this Policy. The categories of recipients with whom each category may be shared are set out in §7 (Who we share your data with) and on our Sub-processors page. This cross-reference is provided for compliance with Cal. Code Regs. tit. 11, §7011(e).
11. Children
The Service is not directed to, and not available to, persons under 18 years of age, as a uniform product policy. This 18+ floor is consistent with our Terms of Service §1–§2 and our Acceptable Use Policy §5. By creating an account, signing in, or otherwise using the Service, you represent and warrant that you are at least 18 years old (or the age of majority in your jurisdiction, whichever is greater).
For completeness — because some readers will look here for jurisdiction-specific child-protection law — we note that the statutory definitions of "child" or "minor" for data-protection purposes are: India (DPDPA) below 18 years; United States (COPPA) below 13 years; EEA / UK (Article 8 GDPR / UK GDPR) below 16 years (or, where an EEA Member State has set the age between 13 and 16, the Member-State age). OffCoder's 18+ floor is more restrictive than each of these and applies regardless of jurisdiction.
Sign-up requires you to confirm that you are at least 18. We do not currently operate a verifiable-parental-consent flow capable of lawfully on-boarding a person under 18, so a person under 18 cannot lawfully use the Service even with informal parental supervision. If we become aware that an account holder is under 18, we will immediately suspend the account, attempt to contact the registrant (or, where contact information is reasonably available, a parent or guardian) to verify, and if the account-holder's age cannot be lawfully validated within 14 days, delete the account and associated personal data. Deletion under this paragraph is free of charge. To report a suspected under-age account, email privacy@offcoder.com.
The 18+ floor is a hard threshold and OffCoder's current product posture is to keep it so. We are tracking the Rules to be notified by the Central Government under §9(5) DPDPA. We do not commit to opening the Service to persons under 18 once those Rules are notified — any such change would be a deliberate product decision that we would announce in advance, accompanied by a verifiable-parental-consent flow, an updated version of this Policy, and the 14-day material-change notice in §15.
12. Security
We implement reasonable security practices and procedures appropriate to the nature of the personal data we collect, including:
- TLS 1.2+ encryption in transit for all client-server traffic.
- Encryption at rest for sensitive fields (BYOK API keys, project secrets) using AES-256-GCM, with per-record data-encryption keys wrapped under a Key-Encryption-Key held in AWS Secrets Manager so that database compromise alone does not yield plaintext.
- OAuth-only sign-in (passwords are out of scope for new accounts) plus refresh-token rotation and per-device session binding.
- Network isolation of database and runtime-orchestrator services.
- Audit logging of administrative actions.
- Periodic third-party penetration testing prior to public launch and annually thereafter.
- Internal access controls — only personnel with a legitimate operational need can access user data, and such access is logged.
No system is perfectly secure. If we become aware of a personal data breach that materially affects you, we will notify you and the relevant authorities within the timelines required by law:
- DPDPA — notification to the Data Protection Board of India and to each affected Data Principal in such form and manner as the Board may prescribe, as soon as reasonably practicable after becoming aware of the breach.
- CERT-In Directions of 28 April 2022 (under §70B(6) of the IT Act, 2000) — reportable cyber-security incidents (including data breaches, identity-theft incidents, and unauthorized access events) are reported to the Indian Computer Emergency Response Team (CERT-In) within six (6) hours of becoming aware, in the prescribed format.
- GDPR / UK GDPR — notification to the lead supervisory authority within 72 hours of awareness where the breach is likely to result in a risk to data-subject rights and freedoms; affected data subjects are notified without undue delay where the risk is high.
Notification to affected users will include, at minimum, the nature of the incident, the categories of personal data affected, the likely consequences, and the steps taken or planned in response. Notifications will be sent to the email on file; we may also publish a public advisory at offcoder.com/legal/security where the incident is of broader interest.
13. Cookies and tracking
The Website uses a small set of cookies and equivalent first-party storage (localStorage), all set by OffCoder itself rather than by third-party trackers. The categories we use are:
- Strictly necessary — session cookie, CSRF token, sign-in flow state. Required for the Service to function. Set without consent under Article 5(3) of the EU ePrivacy Directive and Regulation 6(4) of the UK PECR.
- Functional / preference — for example, whether you last selected the INR or USD currency view on the pricing page, or whether the sidebar in your account dashboard was open. These are not strictly necessary; under EDPB guidance they require consent. Where the Website sets such a cookie or localStorage value, we present a banner offering Accept and Refuse choices of equal prominence (same visual weight, same placement, same number of clicks to act on, in line with current EDPB guidance on dark-pattern-free consent). Refusing means the preference is simply not remembered between visits; nothing else changes.
We do not set analytics, performance, advertising, or behavioral cookies, and we do not embed third-party tracking pixels, fingerprinting libraries, or cross-context behavioral-advertising tags. The full inventory, purposes, and retention periods are listed in our Cookies Policy. If at a future date we introduce any new non-essential cookie category (for example, opt-in product analytics), the consent surface will be expanded to give granular control over each category.
14. Grievance officer (DPDPA & IT Rules)
If you have a grievance regarding the processing of your personal data, contact our Grievance Officer at legal@offcoder.com. We acknowledge grievances within 24 hours of receipt and resolve them within 30 days, in accordance with the DPDPA and Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Grievance Officer's individual identity will be published on this page once OffCoder is formally registered as a legal entity.
15. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes (those that meaningfully expand the categories of data we collect, the parties we share it with, or how we use it) will be notified to registered users by email at least 14 days before they take effect. Continuing to use the Service after the effective date constitutes your acceptance of the updated Policy. If you do not agree, delete your account.
16. Contact
Privacy questions, rights requests, or grievances:
- General privacy: privacy@offcoder.com
- Grievance officer / lawful requests: legal@offcoder.com
- Security incidents: security@offcoder.com
This Policy is governed by Indian law and will be construed in accordance with the DPDPA, the Information Technology Act 2000 and Rules thereunder, and applicable provisions of the Indian Consumer Protection Act 2019. For EU/EEA users, additional rights conferred by GDPR apply concurrently.