Legal · Privacy · Effective June 15, 2026

Privacy Policy

What we collect, why, how long we keep it, and the things we will never do with it. Structured to the Australian Privacy Principles and written to remain meaningful to engineers reading it.

1. About this policy

This Privacy Policy explains how Codritium (ABN 68 872 276 630), based in Sydney, New South Wales, Australia, handles personal information. It applies to the Codritium website, the Codritium platform, and any related products and services we operate (collectively, the Service).

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where users in other jurisdictions interact with the Service, we additionally observe the relevant local protections — including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) — to the extent they apply.

2. What we collect

We collect only the personal information we need to operate the Service, score work, issue credentials, communicate with you, and meet our legal obligations. Specifically:

2.1 Account information

  • Email address (required to create an account).
  • Username / display handle.
  • Optional profile fields (region, experience band, stack).
  • Authentication metadata (hashed password or third-party identity provider token).

2.2 Engineering and replay data

  • Code you submit during a challenge, including diffs, test runs, and terminal commands captured by the platform.
  • Replay artefacts — the AI conversation thread, your annotations, your decision-point tags, and the time-aligned timeline.
  • Reviewer scores and rubric breakdowns for your submissions.

2.3 Usage and device data

  • Pages visited, features used, approximate session duration, and aggregate event counts.
  • Device information: user-agent, operating system, browser, viewport size, and IP-derived country (we do not store full IP addresses beyond what is needed for security and fraud prevention, and only for short windows).

2.4 Billing information

  • Name, billing address, and tax identifier where applicable. We do not store full card numbers or bank details. Payment instruments are processed by our payment provider (see §5).

2.5 Support and community communications

  • Emails you send to our inboxes, and our replies.
  • Messages you post in moderated community spaces (e.g., Discord) where the Codritium brand operates.

3. How we collect it

  • Directly from you, when you create an account, submit work, contact us, or post in community channels.
  • Automatically, through cookies and similar technologies described in §7, and through standard server logs.
  • From third parties, only where you authorise it — for example, if you sign in via a third-party identity provider, we receive the minimum profile fields you have permitted that provider to share.

4. Why we use it

We use personal information for the following purposes, each tied to a lawful basis under Australian privacy law and, where relevant, GDPR:

  • Operating the Service — providing accounts, running challenges, generating replays, issuing credentials. Lawful basis: performance of our contract with you.
  • Scoring and credentialing — applying the public scoring rubric to your submissions and replays. Lawful basis: performance of our contract with you.
  • Billing — processing payments and meeting tax and accounting obligations. Lawful basis: performance of our contract with you; legal obligation.
  • Communications — service messages, security alerts, and (with separate consent) the newsletter. Lawful basis: consent for marketing; legitimate interests for transactional messages.
  • Security and integrity — preventing fraud, abuse, scraping, and bulk extraction of challenge solutions. Lawful basis: legitimate interests; legal obligation.
  • Product improvement — analysing aggregate usage to improve the Service and inform research. We use aggregated and de-identified data wherever possible. Lawful basis: legitimate interests.
  • Legal and regulatory compliance — responding to lawful requests and protecting our rights. Lawful basis: legal obligation.

5. Third-party processors

We use a small, deliberately chosen set of vendors to operate the Service. Each is bound by contract to handle personal information only on our instructions. The categories we use are:

  • Hosting and infrastructure — to serve the website and platform.
  • Payments — to process subscription and one-time purchases. Payment details are submitted directly to the provider over an encrypted channel; we receive only a token and the transaction metadata we need for billing.
  • Transactional and newsletter email — to deliver service emails and (with consent) marketing email.
  • Privacy-respecting product analytics — for aggregate usage measurement. We do not use ad-tech trackers or cross-site behavioural advertising.
  • Error and performance monitoring — to detect regressions and security incidents.
  • Community platforms — including Discord, governed by their own privacy policies for content you post there.

We will publish a current list of named processors on request. We do not sell personal information, and we do not share it with data brokers or advertising networks.

6. Replay content and AI model training

Your replay data is sensitive: it contains how you reason, where you pushed back on an AI suggestion, and the path you took to your submission. We treat it as such.

  • We use replay content to operate the Service — scoring, leaderboards, panel review, and credential issuance.
  • We use aggregated, de-identified replay statistics in our published research (e.g., percentages, distributions). Individual replays are never published in research without your separate, written consent and credit.
  • We do not use your replay content to train external AI models, nor do we permit our processors to do so. If we ever change this position, it will be opt-in only, with granular controls and a written summary of the intended use, before any data is included.
  • You can request deletion of specific replays from the dashboard, or by emailing privacy@codritium.com.

7. Cookies and similar technologies

We use only the minimum cookies necessary, in two categories:

  • Strictly necessary cookies — keep you signed in, preserve session state, secure form submissions, and remember theme preference.
  • Aggregated analytics — cookieless or first-party, IP-truncated, configured to retain only the minimum needed to measure aggregate traffic. We do not use third-party advertising cookies, and we do not enable cross-site tracking.

Where required by law, we will display a cookie notice and honour your choices. You can also block or clear cookies at any time through your browser settings; some features may then degrade.

8. International transfers

Codritium is operated from Australia, but our processors may store or process data in the United States, the European Union, or other jurisdictions. Where we transfer personal information outside your country, we rely on appropriate safeguards — including Standard Contractual Clauses for transfers out of the EEA, and equivalent contractual protections under APP 8 for transfers out of Australia.

9. How long we keep your data

  • Account data — for as long as your account is active. On deletion, account identifiers are removed within 30 days, subject to legal retention obligations.
  • Replay and submission data — for the life of your account, unless you delete specific replays sooner.
  • Billing records — for the period required by Australian tax law (currently seven years), then deleted.
  • Support and community messages — for a rolling 24-month window, then archived in aggregated form or deleted.
  • Aggregated analytics — indefinitely, in a form that does not identify any individual.

10. Security

We use industry-standard controls to protect personal information: encrypted transport (TLS) for all traffic, encryption at rest for sensitive stores, least-privilege access for engineers, multi-factor authentication on administrative accounts, audit logging, and a documented incident response process. If we ever become aware of a breach involving personal information that poses a real risk of serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

Report a suspected vulnerability privately to security@codritium.com.

11. Your rights

Subject to applicable law and reasonable verification, you can:

  • Access the personal information we hold about you.
  • Correct it if it is inaccurate.
  • Export it in a portable format.
  • Delete it (where retention is not legally required).
  • Withdraw consent for marketing emails at any time.
  • Object to or restrict certain processing (GDPR).
  • Opt out of the sale or sharing of personal information (CCPA — we do neither).

Most of these can be exercised directly from your account settings. For anything that cannot, email privacy@codritium.com. We respond within 30 days and will tell you if we need longer.

12. Children

The Service is not designed for, or directed at, people under 16. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, contact privacy@codritium.com and we will delete it.

13. Changes to this policy

We may update this policy as the Service evolves. We will publish the revised version with an updated effective date and, where the change materially affects your rights, notify registered users by email at least 30 days before it takes effect. Continued use of the Service after the effective date constitutes acceptance.

14. Complaints

If you believe we have handled your personal information in a way that contravenes the Australian Privacy Principles, contact us first at privacy@codritium.com. We will investigate and respond. If you are not satisfied, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Users in the EEA may contact their local supervisory authority.

15. Contact

For any privacy-related question or request, email privacy@codritium.com. Postal correspondence can be addressed to Codritium, Sydney, New South Wales, Australia.

Questions about this document? Reach us at privacy@codritium.com. For all other enquiries see our contact page.