Effective date: 1 March 2026 · Last updated: 2 April 2026
Summary: We collect minimal data. Non-AI tools run entirely in your browser — nothing is sent to our servers. AI tools transmit your input to an AI provider to generate a response; we do not log it. We store only essential UI preferences locally by default. Optional advertising or analytics technologies are not activated by default and, where legally required, are only loaded after consent.
The data controller for CodeKitLab is:
Syscobyte AB
Sweden
Email: [email protected]
Website: syscobyte.com
CodeKitLab (codekitlab.com) is a product of Syscobyte AB. "We", "us", and "our" refer to Syscobyte AB throughout this policy.
| Data | Purpose | Stored? |
|---|---|---|
| IP address | Rate-limit AI endpoint abuse (security). Not linked to any identity. | In Redis, auto-expires within 24 h |
| HTTP access logs | Server health monitoring, debugging. | Up to 30 days, then deleted |
| AI tool input | Forwarded to AI provider to generate a response. Not logged. | Never stored by us |
| UI preferences (theme, language) | Remember your visual settings between sessions. | localStorage on your device only — never sent to our servers |
| Consent record | Remember whether you accepted or declined optional advertising / analytics technologies. | localStorage on your device only |
Data we never collect: name, email address, account credentials, payment card details (payments handled by third-party processors), device fingerprint, browsing history, or any personal profile.
| Processing activity | Legal basis | GDPR Article |
|---|---|---|
| Rate limiting via IP | Legitimate interests — protecting the service from abuse | Art. 6(1)(f) |
| Server access logs | Legitimate interests — operational security and debugging | Art. 6(1)(f) |
| AI tool input processing | Performance of a contract / provision of the requested service | Art. 6(1)(b) |
| Optional advertising / analytics technologies (if enabled) | Consent — you may accept or decline via the cookie banner | Art. 6(1)(a) |
| Responding to data subject requests | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that our interests do not override your fundamental rights, given the minimal nature of the data processed.
We do not activate advertising or analytics cookies by default. If optional advertising or analytics technologies are enabled in the future, we will request consent before loading them where legally required.
| Storage key | Type | Purpose | Consent required? |
|---|---|---|---|
ckl_theme |
localStorage | Dark / light mode preference | No — strictly necessary for functionality |
ckl_lang |
localStorage | UI language preference | No — strictly necessary for functionality |
ckl_consent |
localStorage | Stores your consent choice for optional advertising / analytics technologies | No — records your own decision |
ckl_consent_v |
localStorage | Version of the policy you consented to | No |
All localStorage entries are stored only on your device and are never transmitted to our servers. You can clear them at any time via your browser settings or by clicking Cookie Settings in the site footer.
If optional analytics or advertising technologies are activated in the future, they will be subject to the consent choices recorded through the site banner where legally required.
When you use an AI-powered tool, your input text is sent to our API server and forwarded to one of the following AI providers (waterfall order):
| Provider | Model | Data processing location | Privacy policy |
|---|---|---|---|
| Google (Gemini) | Gemini 2.0 Flash Lite | EU / USA (varies) | policies.google.com/privacy |
| Groq | Llama 3.3 70B | USA | groq.com/privacy-policy |
| Ollama (self-hosted) | Mistral | Our VPS (EU/Sweden) | No third party involved |
Where data is transferred to providers outside the EU/EEA (e.g. Groq in the USA), the transfer is covered by Standard Contractual Clauses (SCCs) or the provider's EU data processing addendum.
Do not enter passwords, private keys, personal health data, payment details, or any sensitive personal information into AI tools.
These providers are engaged as data processors under GDPR Art. 28. They process your input only to fulfill the API request and are contractually prohibited from using it for training without explicit consent under their respective terms.
| Data | Retention period | Deletion method |
|---|---|---|
| IP-based rate-limit counters | 24 hours | Automatic Redis TTL expiry |
| HTTP access logs | 30 days | Automatic log rotation |
| AI tool inputs | Not retained | Never written to storage |
| localStorage (your device) | Until you clear browser data | Browser settings or Cookie Settings link |
Our servers are located in the European Union. When we forward AI requests to Google or Groq (USA-based), the transfer is subject to appropriate safeguards:
You can request a copy of the applicable safeguards by contacting us at [email protected].
As a person in the EEA/EU/UK, you have the following rights regarding your personal data:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Receive a copy of your personal data we hold | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate data | Email us |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") | Email us — access logs are deleted within 30 days by default |
| Restriction (Art. 18) | Restrict processing while a dispute is resolved | Email us |
| Portability (Art. 20) | Receive your data in a machine-readable format | Email us — applicable only to data processed by consent or contract |
| Objection (Art. 21) | Object to processing based on legitimate interests | Email us with your specific objection |
| Withdraw consent (Art. 7(3)) | Withdraw consent for optional advertising or analytics technologies at any time | Click Cookie Settings in the footer → choose essentials only |
We respond to all data rights requests within 30 days (extendable by 2 months for complex requests). Since we hold minimal data, most requests will be resolved quickly by confirming we hold no personal profile for you.
If you believe we have processed your data in breach of GDPR, you have the right to lodge a complaint with the Swedish supervisory authority:
Integritetsskyddsmyndigheten (IMY)
Swedish Authority for Privacy Protection
Website: imy.se
Phone: +46 8 657 61 00
Email: [email protected]
You may also contact the supervisory authority in your country of residence within the EU/EEA.
In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and affected individuals where required by Art. 34.
CodeKitLab is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data, please contact us and we will delete it promptly.
We may update this policy to reflect changes in our practices or applicable law. We will update the "Last updated" date at the top. If changes are material, we will note this clearly. Continued use of the Service after the updated policy takes effect constitutes acceptance.
Where we process data based on consent (for example, optional advertising or analytics technologies), a material policy change will prompt a new consent request via the cookie banner. We do this by incrementing the policy version stored alongside your consent.
For any privacy-related questions, data rights requests, or complaints, contact:
Syscobyte AB
Data controller for CodeKitLab
Sweden
[email protected]
We aim to respond to all inquiries within 5 business days.