Ask AI
Skip to main content

Privacy policy

NoCode‑X Privacy Policy

Last updated: 22/02/2026

Confidentiality and security are core to Co‑Dex.eu BV. With NoCode‑X, we want you to build and run powerful no‑code solutions in a way that is secure, transparent and GDPR‑compliant.

This Privacy Policy combines and modernizes our existing Co‑Dex.eu visitor privacy policy with the specific processing that happens when you use the NoCode‑X SaaS platform.

We explain in plain language:

  • what data we collect,
  • why we use it,
  • on which legal basis,
  • how long we keep it,
  • who we share it with (including external LLM providers),
  • and what your rights are.

1. Who we are

Controller
Co‑Dex.eu BV
Albert I‑laan 23
8920 Langemark‑Poelkapelle
Belgium

Email (privacy contact & DPO): [email protected]

Co‑Dex.eu BV is the controller for:

  • visitors of our websites and events, and
  • users, admins and billing contacts of the NoCode‑X platform.

When we process data on behalf of our business customers inside NoCode‑X (for example, data about end users of apps or websites that our customers build on NoCode‑X), our customer is usually the data controller and we act as their data processor under a separate Data Processing Agreement (DPA). This Privacy Policy explains how we, as controller, handle your data when we decide the purposes and means.

Supervisory authority – One‑Stop Shop

Our lead data protection authority under GDPR is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

You can always contact them if you’re unhappy with how we handle your data.

2. Scope of this policy

This Privacy Policy applies when you:

  • visit a Co‑Dex.eu or NoCode‑X website,
  • register for or attend our events (online or on‑site),
  • contact us (email, phone, forms, social media),
  • use the NoCode‑X SaaS platform (as user, admin, or billing contact),
  • interact with apps, workflows or websites that our business customers build and operate using NoCode‑X, to the extent we process data as controller (e.g. service telemetry and security logs),
  • receive our B2B marketing or newsletter communications.

Some parts (e.g. camera surveillance, whistleblower channels) apply when you visit our physical offices or other Co‑Dex.eu locations.

For cookies and similar technologies on our websites, please also see our Cookie Policy.

Important: When you use an application or website built by our customer on NoCode‑X, they are typically your main data controller for the business logic and content processed there. This policy explains how Co‑Dex.eu, as the platform provider, may process technical and usage data about your interactions to keep the service secure, reliable and supported.

3. What personal data we process

Depending on how you interact with us or with apps built on NoCode‑X, we may process:

  • Identification data: name, first name, email address, company, role, phone number, (where needed) date/place of birth, ID numbers when legally required (e.g. VAT, national ID in AML contexts).
  • Account & platform usage data: username, roles and permissions, workspace/tenant membership, activity timestamps, feature usage, configuration changes.
  • Application usage & user‑flow telemetry (for apps and websites built on NoCode‑X):
    • pages/screens visited, clicks/actions, navigation paths,
    • technical events and performance metrics,
    • error messages and correlation IDs,
    • identifiers that link events to a user, browser or device.
  • Contact & communication data: emails, support tickets, chat messages, phone calls (and, if applicable, call recordings).
  • Transaction & billing data: bank account number, payment references, invoice data, subscription details.
  • Technical data: IP address, device and browser info, OS, timestamps, security events, cookies/IDs.
  • Event data: event registrations, attendance lists, evacuation lists, streaming participation.
  • Audiovisual data: CCTV images in or around our offices or event venues, livestream recordings where you appear.
  • Supplier data: contact details of suppliers and their staff when we work together.
  • Marketing & preference data: newsletter opt‑ins, unsubscribe/objection flags, topics or interests you share with us, basic email statistics (open/click).

We do not want to receive special categories of personal data (e.g. health data, political opinions, religion) through NoCode‑X unless strictly necessary and agreed with our customer. If our customer chooses to process such data in their app, they remain responsible as controller.

We do not intentionally offer information society services directly to children under 13 without parental consent and we do not direct marketing to children under 13.

4. Why we process your data (purposes & legal bases)

Below is a structured overview of key purposes, examples of data and the legal basis under the GDPR.

4.1 Authentication & Authorization (NoCode‑X)

What we do
Create and manage your NoCode‑X account, log you in, assign roles and permissions, and keep tenants separated in our multi‑tenant architecture.

Examples of data

  • Name, email, hashed password or SSO identifier
  • Workspace/tenant membership, roles, access rights

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

We cannot provide a secure, personalized SaaS service or protect your and your company’s IP without this.

4.2 Operational Logging, Security & Multi‑Tenancy Protection

What we do
Log system and security events to ensure correct delivery and functioning of the platform and to safeguard your IP and data isolation.

This includes logging when and how you use NoCode‑X and, to a limited extent, how end users interact with apps and websites built on NoCode‑X, to detect abuse and protect the shared infrastructure.

Examples of data

  • Login attempts, IP address, device/browser, timestamps
  • Security events (suspicious access, rate‑limiting, failed logins)
  • Audit logs (who accessed which workspace or resource, when)

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

These logs are essential to protect your and other customers’ data in a shared (multi‑tenant) environment and to investigate incidents.

4.3 Technical Support & Troubleshooting (incl. user‑flows and apps built on NoCode‑X)

What we do
When you or your company contact support, we may look at user‑flows and logs to reproduce and fix issues in:

  • the NoCode‑X platform itself, and
  • apps, workflows and websites that run on NoCode‑X.

We focus on technical and usage telemetry (what button was clicked, which page errored, which API call failed), not on reading all the business content processed by those apps, unless this is strictly necessary to solve a specific issue.

Examples of data

  • Event logs: pages/screens visited, clicks/actions, feature usage
  • Error logs, stack traces, correlation IDs
  • Workspace/user identifiers linked to a support ticket
  • Occasional content snippets if you or your company share them in a ticket or if viewing them is strictly necessary to diagnose the problem

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

Support and debugging are part of the service you (or your company) pay for. Without diagnostic data, we often cannot solve complex no‑code issues or customer app problems.

We do not use this data for marketing.

4.4 LLM‑Assisted Support & DevOps (with external providers)

What we do
For certain support and DevOps workflows, we may use large language model (LLM) tools to:

  • generate or improve troubleshooting steps,
  • suggest configuration or query fixes,
  • summarize complex logs or tickets.

We may use an external LLM provider, but under strict constraints.

Examples of data

  • Snippets of logs, configuration or error messages relevant to a ticket
  • Very limited and minimized excerpts of application behavior or payloads, only if necessary to understand the issue
  • Never more than what is needed for the specific support/devops task

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR (support and incident resolution)
  • Legitimate interest – Art. 6(1)(f) GDPR (efficient, high‑quality support using modern tools)

Safeguards

  • External LLM providers are bound by Data Processing Agreements and treated as sub‑processors.
  • They are contractually prohibited from re‑using your data (including prompts and outputs) for their own purposes, such as training or improving their foundation models.
  • We minimize the data we send to LLMs and, where feasible, redact secrets, credentials or sensitive content.
  • We maintain controls so that using LLM‑assisted support does not lower the overall security, confidentiality or availability of the Services.

You can always ask us for more information about these tools at [email protected].

4.5 Incident Management & Service Restoration

What we do
Detect, analyse and resolve platform incidents, restore availability and integrity, and document what happened.

Examples of data

  • System performance logs and monitoring metrics
  • Event sequences around the incident (including how apps built on NoCode‑X were used at that time)
  • Affected workspaces/tenants and features

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

We must be able to restore and maintain the service as described in our agreement.

4.6 Service Reliability & Capacity Planning

What we do
Monitor performance and load so we can scale the platform and keep it responsive.

Examples of data

  • Aggregated error rates & response times
  • Feature usage volumes and concurrency
  • Infrastructure load by region or environment

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

Without this, we cannot proactively manage capacity or ensure acceptable performance.

4.7 Payments, Invoicing & AML

What we do

  • Process your subscription and other payments
  • Issue and store invoices and accounting records
  • Perform Anti‑Money Laundering (AML) checks where applicable

Examples of data

  • Billing name, company, VAT number, address
  • Bank account number, payment references, payment status
  • Where applicable: AML/KYC data required by law or payment intermediaries

Legal basis

  • Legal obligation – Art. 6(1)(c) GDPR
  • Contractual necessity – Art. 6(1)(b) GDPR (for billing itself)

We must comply with tax, accounting and AML laws.

4.8 Contractual & License Notifications, Payment Reminders

What we do

  • Inform you of upcoming license or subscription expiry
  • Send payment reminders for overdue invoices
  • Notify you about material contractual changes

Examples of data

  • Admin/billing contact details
  • Subscription details and expiry dates
  • Invoice and payment status

Legal basis

  • Contractual necessity – Art. 6(1)(b) GDPR

These messages are needed to ensure continuity of your service. You cannot opt out of these essential service communications while keeping an active account.

4.9 Events, Streaming & Access Control (Visitor context)

We use your data when you attend events, participate in streaming, or visit our sites.

Some examples (from our existing visitor policy):

  • Event registration lists

    • Legal basis: performance of a contract (Art. 6(1)(b))
    • Retention: typically up to 6 months after the event

  • Event streaming (public or authenticated)

    • Legal basis: performance of a contract (Art. 6(1)(b))
    • Retention: typically 2 weeks (online streaming) / 30 days (public streaming)

  • Evacuation lists for events (safety)

    • Legal basis: legitimate interest (Art. 6(1)(f)) & safety obligations
    • Retention: typically 3 months after the event

  • Access control to facilities (e.g. badges, visitor logs)

    • Legal basis: legitimate interest (Art. 6(1)(f)) – physical security
    • Retention: typically 1 day

  • Whistleblower procedure (if you use it)

    • Legal basis: legal obligation (Art. 6(1)(c)) and/or public interest
    • Retention: typically 7 years

4.10 CCTV / Camera Surveillance (Offices & Premises)

What we do
Monitor certain areas in and around our offices to prevent and investigate incidents.

Examples of data

  • Video images where you may appear
  • Date, time and location of footage

Legal basis

  • Legitimate interest – Art. 6(1)(f) GDPR
  • Legal requirements under local CCTV legislation

Retention

  • Usually up to 30 days, unless an incident requires longer retention (e.g. police request).

Cameras are placed and signposted in accordance with applicable Belgian law.

4.11 Product & UX Improvements (Non‑Marketing, Aggregated)

What we do
Use aggregated and/or pseudonymized telemetry to understand how features are used, identify friction points and improve NoCode‑X and the apps built on it.

Examples of data

  • Feature adoption statistics and funnels
  • Anonymous or pseudonymized clickstream metrics
  • Aggregated app/session performance and error trends

Legal basis

  • Legitimate interest – Art. 6(1)(f) GDPR

We want to make the product better for everyone and keep innovating.

Safeguards

  • Wherever possible, we work with aggregated or anonymised data that no longer identifies you.
  • If we use pseudonymized data, only a very limited group within Co‑Dex.eu can re‑identify, and only when needed and logged.
  • We do not use this data for advertising or sell it to third parties.

Your choice

  • You may object (Art. 21 GDPR) via your account or at [email protected].
  • We then stop using your identifiable data for this purpose unless we demonstrate compelling legitimate grounds (in practice, we aim to honor objections).

4.12 Internal Support Quality Assurance

What we do
Review a limited number of support cases to verify solution quality and train our support team.

Examples of data

  • Support tickets and communication history
  • Relevant logs and diagnostic data for that case
  • Resolution notes and timing

Legal basis

  • Legitimate interest – Art. 6(1)(f) GDPR

You benefit from fast and accurate support; we need some QA to guarantee this.

Safeguards

  • Access limited to supervisors/QA roles
  • Reviewed only in the context of a specific case
  • Retention aligned with complaint handling and legal needs

You may object, but we may still keep minimal records to prove how we handled your request.

4.13 Direct / Indirect B2B Marketing

What we do

  • Contact you or your company to present NoCode‑X and related services, when:
    • you or your company requested information, or
    • we receive your professional contact data from partners or publicly available B2B sources, in a context where our services are relevant.

Examples of data

  • Name, professional email, job title
  • Company, industry, potential interest
  • Interaction history (e.g. demo, download, event)

Legal basis

  • Legitimate interest – Art. 6(1)(f) GDPR

B2B contacts generally expect some commercial communication about relevant tools.

Your choice

  • Each message includes an unsubscribe link.
  • You can also object at any time via [email protected].

In that case, we stop using your data for this purpose and may keep a minimal “do‑not‑contact” flag.

4.14 General Product Updates (Feature Announcements)

What we do
Inform existing users/admins about new features or significant updates to NoCode‑X that may be relevant to your current use.

Examples of data

  • Name, professional email
  • Workspace / subscription linkage

Legal basis

  • Legitimate interest – Art. 6(1)(f) GDPR

It’s in both your interest and ours that you know what the product you’re already using can do.

Your choice

  • You can opt out via the unsubscribe link or by contacting us.
  • Critical safety or contractual changes may still be sent as essential service messages under Art. 6(1)(b).

4.15 Newsletter & Editorial Content (Opt‑in)

What we do
Send a newsletter with broader content (articles, events, thought leadership, general NoCode‑X updates).

Examples of data

  • Name, email
  • Newsletter preferences
  • Basic engagement data (opens, clicks)

Legal basis

  • Consent – Art. 6(1)(a) GDPR

You only receive this if you actively subscribe.

Your choice

  • You can withdraw consent at any time via unsubscribe or [email protected].
  • Withdrawal does not affect past lawful processing.

5. Email statistics

For certain communications (e.g. newsletters, product updates) we may collect basic email statistics such as:

  • email opened or not,
  • links clicked,
  • bounces.

We use this to understand whether our communication is effective and relevant. Where this involves the newsletter, it is covered by your consent; for necessary or LI‑based communications it is covered by the same legal basis as that communication. You can always unsubscribe or object as explained above.

6. Do you have to provide your data?

In some cases, we need your data to:

  • perform the contract (e.g. create an account, provide support, invoice you), or
  • comply with the law (e.g. AML, tax).

If you refuse to provide the information that is clearly necessary, we may not be able to:

  • create or maintain your NoCode‑X account,
  • provide certain services or access,
  • complete payments or comply with legal obligations.

For optional processing (e.g. newsletter, certain marketing, UX improvements), you can say no, object, or withdraw consent at any time.

7. Who we share your data with

We may share your personal data with:

Within Co‑Dex.eu

  • Different Co‑Dex.eu entities and internal departments where needed for operations, compliance, security, support and accounting.

Financial institutions

  • Banks and payment service providers to process your payments and transfers.

Government & regulated bodies

When required by law, for example:

  • Tax authorities
  • Supervisory authorities (e.g. central bank, data protection authorities)
  • Police, prosecutors, courts, arbitration or mediation bodies
  • Bankruptcy trustees and similar roles

Service providers (processors)

We use service providers to help us:

  • host and maintain our infrastructure and websites
  • send emails and manage ticketing/support
  • provide LLM‑assisted support and other analytics/logging tools
  • process payments and invoicing
  • organize marketing campaigns and events
  • perform research and innovation (often using aggregated or anonymized data)

We only share the minimum necessary data with these partners and always under a Data Processing Agreement. They may not use your data for their own purposes, including LLM providers who are contractually prohibited from re‑using your data for model training.

Research & innovation partners

Sometimes we share aggregated/anonymized data with universities or innovation partners for research. They must respect strict data protection requirements; results do not identify you.

We will never sell your personal data.

8. International transfers

If your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, such as:

  • an adequacy decision of the European Commission, or
  • Standard Contractual Clauses (SCCs) with additional technical and contractual protections.

You can ask for more information via [email protected].

Our servers that store and process core customer data are, as a rule, located within the EU. If this changes, we will implement the safeguards described above.

9. How long we keep your data

We keep your data only as long as necessary for the purposes described, and in line with legal retention obligations. After that, we delete or anonymize it.

Examples:

  • Operational & security logs: typically 90–180 days, unless needed for an active incident or legal case.
  • Event data: see indicative periods above (e.g. evacuation lists ±3 months, camera footage max 30 days).
  • Support tickets: for the duration of the customer relationship and a limited period thereafter (e.g. typical limitation periods).
  • Billing & invoicing data: up to 7–10 years in line with accounting/tax law.
  • Whistleblower records: usually up to 7 years, depending on legal requirements.
  • Marketing / lead data: until you object, unsubscribe, or we determine the data is no longer up to date or relevant.
  • Newsletter data: until you withdraw consent or we stop the newsletter.

Because different laws impose different retention periods, there is no single universal period; it depends on context and purpose.

10. How we protect your data

We apply strong organizational and technical measures including:

  • internal security policies and staff confidentiality obligations
  • role‑based access control and least‑privilege principle
  • encryption in transit and at rest where appropriate
  • industry‑standard security for networks and applications
  • logging, monitoring and incident response processes
  • regular updates and security improvements

No security is perfect, but if a breach occurs that could have major consequences for you, we will:

  • inform you without undue delay where required, and
  • take all reasonable steps to mitigate the impact.

11. What you can do to protect yourself

Simple good practices help:

  • Use up‑to‑date antivirus/anti‑malware and a firewall.
  • Keep your devices and authentication means (tokens, cards) safe.
  • Log out from applications when not in use.
  • Choose strong, unique passwords and change them regularly (password managers can help).
  • Be cautious with unusual emails or links asking for credentials or payment details.

12. Your GDPR rights

You have the following rights, which you can exercise by emailing [email protected]. We may have to verify your identity before acting.

  • Right of access – you can ask which personal data we hold about you and obtain a copy.
  • Right to rectification – you can ask us to correct incomplete or inaccurate data.
  • Right to erasure – in certain cases (e.g. data no longer needed, consent withdrawn), you can ask us to delete your data.
  • Right to restriction – you can request that we temporarily restrict processing in specific situations.
  • Right to data portability – for data you provided to us, processed by automated means based on consent or contract, you can request it in a structured, commonly‑used, machine‑readable format.
  • Right to object – you can object to processing based on legitimate interest (e.g. product improvement, B2B marketing, LLM‑assisted support where based on LI, product updates). We will stop unless we demonstrate compelling legitimate grounds. You can always object to direct marketing, and we will stop immediately.
  • Right to withdraw consent – for processing based on consent (e.g. newsletter), you can withdraw at any time.

If you are not satisfied with our response, you can always lodge a complaint with the Belgian Data Protection Authority:

13. How to contact us

For questions, requests, or complaints about privacy:

  • Email: [email protected]
  • Postal mail:
    Co‑Dex.eu BV – Privacy
    Albert I‑laan 23
    8920 Langemark‑Poelkapelle
    Belgium

When you contact us, we may ask for additional information to verify your identity (for example, a partially redacted copy of an ID with your national register number obscured). If we cannot reasonably identify you, we may have to respond in a more generic way to avoid disclosing data to the wrong person.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect legal changes or new features in NoCode‑X.

  • We will announce important changes at least 7 calendar days before they take effect, via the service, our website, or email (where feasible).
  • The latest version will always be available on our website and will indicate the effective date at the top.

If you keep using our services after the updated policy takes effect, the new version will apply to your use.