Privacy notice
This notice explains what personal data Kodiac collects when you use our website and services, why we collect it, how long we keep it, and the rights you have over your information under UK GDPR and the Data Protection Act 2018.
Last updated: 12 May 2026 · Version: 1.0
1. Who we are
Kodiac is the trading name of Kodiac Ltd, a company registered in England and Wales. We provide AI Visibility & Representation Infrastructure to enterprise customers. Our registered office is in London, UK.
For the purposes of UK GDPR, Kodiac is the data controller for personal data collected through this website and our products.
2. What personal data we collect
2.1 Contact form
When you submit the form on our Contact page, we collect:
- Your name
- Your work email address
- Your company name
- The reason for your enquiry (booking a demo, partnership, investor, press, careers)
- Any message text you provide
2.2 Free audit signup
When you request a free three-layer AI visibility audit, we collect:
- The brand domain you want audited
- Your name
- Your work email address
- Your role (e.g. CMO, Head of SEO, IT Director)
We use this information to run the audit, deliver the results to you by email, and follow up with relevant product information.
2.3 Newsletter and content signups
If you subscribe to our AI Audit Friday weekly series or any other newsletter, we collect your email address and, optionally, your name.
2.4 Information you provide if you become a customer
If your organisation becomes a Kodiac customer, we will collect additional information necessary to deliver the service, including billing details, user accounts (name, email, role), and content you connect to the platform. This is covered by our separate Customer Data Processing Agreement, available on request.
2.5 Information collected automatically
When you visit kodiac.ai, our infrastructure provider Cloudflare logs basic request metadata (IP address, request timestamp, page requested, user agent) for security, abuse prevention, and service operation. This is standard practice for any website behind a CDN.
We also use Cloudflare Web Analytics for aggregate traffic statistics. See Section 4 for details.
3. Why we collect it
We collect personal data for the following purposes, each with a lawful basis under Article 6 of UK GDPR:
- To respond to your enquiries (contact form, demo requests): legitimate interest in operating our business and responding to people who reach out to us.
- To deliver the free audit you requested: performance of a pre-contractual step at your request.
- To send marketing communications (newsletter, follow-ups): consent, which you can withdraw at any time using the unsubscribe link in any email.
- To deliver our services to customers: performance of our contract with the customer organisation.
- To secure our website and prevent abuse: legitimate interest in protecting our systems and other users.
- To improve our website via aggregate analytics: legitimate interest, with no individual tracking (see Section 4).
- To comply with legal obligations: legal obligation under UK law.
4. Website analytics
We use Cloudflare Web Analytics to understand how visitors use kodiac.ai in aggregate.
What this means in practice:
- We do not use cookies, localStorage, fingerprinting, or any other client-side identifier to track you.
- We do not build individual visitor profiles.
- We do not share analytics data with advertising networks.
- We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any cross-site tracker.
Cloudflare Web Analytics works by sampling request metadata Cloudflare already sees as our infrastructure provider, and reporting aggregate statistics such as page views, top referrers, and country-level traffic. It does not set tracking cookies. Cloudflare's privacy practices for this product are described at cloudflare.com.
Because no personal data is processed for analytics in a way that identifies individuals, no cookie consent banner is required for this purpose under the Privacy and Electronic Communications Regulations (PECR).
5. Who we share data with
We share personal data only with third-party processors who help us deliver our service. Each is bound by a Data Processing Agreement (DPA) and may only process data on our instructions.
The processors we use include:
- Cloudflare, Inc. — content delivery network, security, and aggregate web analytics
- Email service providers — for transactional emails (audit results, demo confirmations) and marketing emails (newsletter)
- CRM provider — to manage sales conversations and customer relationships
- Cloud hosting providers — to run the Kodiac application
We will publish the full current list of sub-processors and notify customers of changes in line with our customer DPA. We do not sell personal data to anyone, ever.
6. International transfers
Some of our processors are based outside the UK and EEA, including in the United States. Where this is the case, we ensure appropriate safeguards under UK GDPR:
- For transfers to the US, we rely on the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) where the recipient is certified, or on Standard Contractual Clauses with the UK International Data Transfer Addendum.
- For other jurisdictions, we rely on adequacy decisions or Standard Contractual Clauses as appropriate.
Cloudflare is certified under the EU-US Data Privacy Framework and the UK Extension.
7. How long we keep data
We keep personal data only for as long as we need it for the purpose for which we collected it:
- Contact form enquiries: 24 months from the last interaction, then deleted or anonymised.
- Free audit signups: 24 months, then deleted unless you have become a customer.
- Newsletter subscriptions: until you unsubscribe, plus 30 days for unsubscribe processing.
- Customer data: for the duration of the customer agreement plus the retention period specified in the customer DPA.
- Server logs: 30 days for security purposes.
- Analytics data: aggregate statistics may be retained indefinitely; no individual-level data is collected to retain.
Some data may be kept longer where required by law (for example, financial records under HMRC rules) or to defend legal claims.
8. How we protect data
We apply appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls within Kodiac
- Multi-factor authentication for all internal systems
- Audit logging of access to production systems
- Regular security review and dependency patching
- Vendor due diligence for all sub-processors
We are working towards SOC 2 Type II certification (target Q4 2026) and follow ISO 27001 baseline controls today.
9. Your rights
Under UK GDPR you have the following rights over your personal data:
- Right of access — to ask what data we hold about you and receive a copy
- Right to rectification — to ask us to correct inaccurate or incomplete data
- Right to erasure — to ask us to delete your data in certain circumstances
- Right to restrict processing — to ask us to limit how we use your data
- Right to data portability — to receive your data in a portable format
- Right to object — to object to processing based on legitimate interests, or to direct marketing at any time
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time
- Right to complain — to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113
To exercise any of these rights, email privacy@kodiac.ai. We will respond within one month, with a possible extension of two further months for complex requests.
10. How to contact us
For any privacy-related question, request, or complaint:
- Email: privacy@kodiac.ai
- Post: Kodiac Ltd, [Registered office address], London, UK
If you are unhappy with how we have handled your data, you have the right to complain to the ICO without first contacting us, although we would prefer the chance to address the issue ourselves first.
11. Changes to this notice
We may update this notice from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top shows when it was last revised. Material changes will be communicated by email to people we hold a current email address for, where reasonable.
This notice is published in English. Where Kodiac operates in other jurisdictions, we may publish localised versions. The English version is the legally binding text.