Privacy Policy

Last updated: April 17, 2026

This policy explains how CopyCodeAI processes personal data when you use copycodeai.online. This website provides technical engineering services. It does not provide legal advice. It now includes a consultation/contact form and guide request forms powered by Cloudflare Pages Functions.

1. Data Controller

Controller: Aldo Gustavo Malasomma
Operating as: CopyCodeAI (independent engineering practice)
Location: Tallinn, Estonia
Contact: [email protected]

2. Data We Process

  • Contact data you provide by email, scheduling request, or consultation form (for example: first name, last name, email, phone, company, website, project notes).
  • Guide request data you provide through the guide request form (for example: email, selected guide, required privacy consent, and optional marketing opt-in choice).
  • Operational metadata generated by service providers needed to run the site securely (for example request logs).
  • Offer status data for promotional slots (non-customer counter data in Cloudflare KV).
  • Analytics usage data, only if you accept analytics cookies.

The site does not maintain a dedicated submissions database on its own servers.

3. Purposes and Legal Bases (GDPR Art. 6)

  • Responding to consultation / contact requests and pre-contract steps: Art. 6(1)(b).
  • Delivering the requested guide access link and handling the request flow: Art. 6(1)(b) or Art. 6(1)(f), depending on context.
  • Optional marketing follow-up if you explicitly opt in on the guide request form: Art. 6(1)(a).
  • Operating and securing the website infrastructure (security, abuse prevention, reliability): Art. 6(1)(f).
  • Keeping records where required by law: Art. 6(1)(c).
  • Optional analytics measurement, only with your consent: Art. 6(1)(a).

4. Data Sources

  • Directly from you (email, scheduling flow, project brief).
  • Technical data from hosting and infrastructure providers.

5. Recipients / Processors

  • Cloudflare (hosting and serverless infrastructure for Pages/Functions/KV).
  • Brevo or the configured lead provider used by the form endpoints for lead storage and transactional emails.
  • Google Analytics / Google Ireland Limited (website analytics, only after consent).
  • Calendly (external scheduling provider; when you access their booking page, their privacy and cookie policies apply).
  • Email provider used to receive and manage inquiries.

Data is shared only when required to deliver the requested service or operate the site. Form submissions are forwarded through Cloudflare Pages Functions and the configured provider adapter.

6. International Transfers

Some providers may process data outside the EEA. Where this happens, transfers are based on applicable GDPR mechanisms (for example, adequacy decisions or Standard Contractual Clauses).

7. Cookies and Tracking

This website uses essential cookies and local storage for site operation and consent preferences. If you accept analytics, Google Analytics 4 may set first-party cookies such as _ga and _ga_<container-id> to help us understand traffic and improve the site. Analytics scripts are not loaded unless you opt in. You can change your choice at any time from the Cookie Preferences control in the footer.

Infrastructure providers (such as Cloudflare) may process technical request data (e.g., IP address and request metadata) and may set strictly necessary security cookies to protect the site and prevent abuse. When you follow our scheduling link to Calendly, Calendly may set its own cookies according to its privacy policy.

8. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Measures include access controls, least-privilege handling of inquiry data, and data minimization.

9. Retention

  • Consultation / contact requests: retained as long as needed to handle your request and follow-up, and deleted or anonymized within 12 months if no commercial relationship begins (unless longer retention is required by law).
  • Guide request submissions: retained as long as needed to deliver the signed access link and handle follow-up, plus any consent record if you opted in to marketing.
  • Operational and security logs: retained for the minimum period needed for reliability and security.
  • If a commercial relationship starts, retention may follow contract and legal obligations.

10. Your GDPR Rights

You may request access, rectification, erasure, restriction, portability, or object to processing where applicable. You may also withdraw consent where processing is based on consent.

To exercise your rights, contact [email protected].

11. Complaints

You have the right to lodge a complaint with a supervisory authority. If your main place of interaction is Estonia, this is the Estonian Data Protection Inspectorate (AKI).

12. Automated Decision-Making

This website does not perform automated decision-making that produces legal or similarly significant effects under GDPR Art. 22.

13. Policy Updates

This policy may be updated to reflect legal, technical, or operational changes. The latest version is published on this page with the update date.