What AI Can Do ("we", "us", or "our") is dedicated to protecting your privacy. This Privacy Policy details how we handle the collection, use, security, and disclosure of information when you use the Codeoba desktop application (the "App"), the Codeoba Premium module (the "Premium Module"), and the Codeoba Backend cloud synchronization services (collectively, the "Service").
Please read this policy carefully. If you do not agree with the terms outlined herein, please do not use the Service.
1. Our Core Principle: Local-First by Default
Codeoba is built to be a local-first application. In its default, free configuration, all transcripts are compiled, cached, and indexed entirely on your machine. We do not transmit or store your coding assistant dialogue records on our servers.
Key aspects of our local-first implementation include:
- Zero Remote Logs: Conversation transcripts aggregated from local assistant directories (Claude Code, Google Antigravity, Cursor, OpenAI Codex, Aider, Copilot, etc.) are processed offline and parsed directly inside the desktop client's JVM runtime.
- Local SQLite Database & Cache: All indexed turns, logs, search keywords, and telemetry speed tables are persisted in a local cache directory (typically ~/.codeoba/cache/).
- Local Vector Indexing: For semantic query matching, the application downloads a quantized transformer model (all-MiniLM-L6-v2) locally. All conceptual calculations and search lookups are run on your machine's CPU with no third-party API transmissions.
2. Information We Collect (Premium Service Users)
If you choose to subscribe to Codeoba Premium and activate cloud sync or multi-device relay services, the Service will transmit and hold specific account, subscription, and command payloads on our secure cloud backend (built on Firebase).
A. Account and Authentication Details
To authorize sync features and billing, users must create a profile. We use Firebase Authentication to secure these endpoints:
- Identity Profile: We register your email address, profile photo (if authenticated via social sign-in), and system-generated unique ID (UID).
- Social Login Tokens: When using Google or GitHub OAuth, we retrieve authorized federated profile ID tags and email scopes.
B. Device and Client Attestation
To safely register devices on the control plane:
- Device Keys: We collect and register your device identifier (Device ID), customized device name, and public cryptographic key (EC P-256) used to authenticate remote requests.
- Rate-Limiting Caps: Accounts are restricted to a maximum of three (3) active registered devices. We log device registration counts to enforce this limit.
- App Hashes: We check application integrity by validating client signature hashes (CODEOBA_APP_SIGNATURE_HASH) to prevent unauthorized client versions from retrieving premium assets.
C. Command Relays and Audit Trails
To synchronize actions between multiple developer machines:
- Relayed Messages: When sending synchronization signals, the backend relays command packets containing the commandId, sender UID, target Device ID, the command instructions, and dates.
- Synchronization Queues: Relayed messages are written to a secure Firestore subcollection and delivered to your listening devices. We log these requests in an append-only audit collection (/users/{uid}/audit/{commandId}) to enable synchronization and security audits.
D. Payments and Billing Portal
All subscription processing and checkouts are handled securely by Polar.sh as our Merchant of Record:
- We do not collect, process, or store payment card details, bank account numbers, or direct financial credentials. All transactions are conducted on Polar.sh secure servers.
- Polar updates our database via webhooks. We register and hold: Polar customer identifiers, active subscription statuses, billing timestamps, and order reference numbers, linked directly to your account UID.
E. Licensing and Premium Downloads
The Premium Module is compiled separately and served on-demand:
- Entitled Module Downloads: Upon verifying an active subscription, the server fetches the signed premium asset (premium.jar) from Cloud Storage.
- Session Watermarking: To enforce license validation and prevent unauthorized redistribution, the backend applies an AES-GCM watermarked signature to the binary file prior to streaming it to your desktop instance.
3. Server Logging & Telemetry
To keep the platform operational, safe, and performant, we track basic diagnostics on our cloud instances:
- Update Checks: If the client application checks for software updates, our backend proxy logs the request to fetch data from the GitHub Release API. Update logs are flagged with a telemetry prefix (checkLatestRelease) to monitor volume spikes and prevent Denial of Service (DDoS) issues.
- Local-Only Error Scans: Codeoba Premium scans your local assistant transcripts for execution keywords like error, exception, or fail. This audit is done locally on your machine to build a history panel. These scanned logs are never uploaded to our servers.
4. Use of Your Information
We process collected server data for the following specific purposes:
- Setting up, maintaining, and verifying your user profile.
- Relaying commands securely between your linked desktop environments.
- Checking subscription status and serving signed, watermarked premium modules.
- Syncing and maintaining subscription settings via Polar.sh Customer Portal redirects.
- Enforcing safety protocols, including rate-limits (3 devices max) and app attestation checks.
- Protecting against security incidents, infrastructure abuse, and bad-faith traffic anomalies.
6. Security of Your Data
We take security seriously and utilize multiple protective structures:
- All communications between desktop clients and the backend are encrypted in transit using SSL/TLS.
- Device pairings are authenticated using ECDSA cryptographic handshakes, rendering replay attacks ineffective.
- Database structures are protected by robust Firebase Security Rules. Users can only read or write documents within their verified UID subcollections.
7. Data Retention & Your Deletion Rights
Under regulations like GDPR (European General Data Protection Regulation) and CCPA (California Consumer Privacy Act), you have control over your data. We support a comprehensive deletion process:
Account Deletion: Initiating an account deletion immediately sets your status to isDeleted = true. All device syncing, command relays, and profile reads are instantly blocked by security rules.
We apply the following lifecycle policies:
- 30-Day Soft Deletion: Your records are held in an inaccessible, soft-deleted state for 30 days. If you re-authenticate with the same account within 30 days, your account and linked devices are fully restored.
- Permanent Purge: After the 30-day grace period, a daily automated database clean-up task executes recursively on our servers. It permanently purges your account documents, registered device lists, command cues, challenges, and audit logs. This action is irreversible.
8. Children's Privacy
The Service is not intended for or marketed to individuals under the age of 13. We do not knowingly collect personal data from children. If we discover a profile has been initialized by a minor under 13, we will delete all associated records immediately.
9. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy. Any modifications will be updated on this page with a revised "Last Updated" date. We recommend checking this page periodically to stay informed of our data practices.
10. Contact Us
If you have any questions or would like to exercise your data rights, please contact our privacy compliance officer:
- Email: privacy@whataicando.com
- Organization: What AI Can Do, LLC
- Web: whataicando.com