CS
COD Studio

Privacy Policy

Last updated: May 17, 2026

COD Studio ("we", "us", "our") operates the software-as-a-service product at https://codstudio.shop(the "Service"). This Privacy Policy explains what data we collect from merchants who use the Service and the end-customers who buy through it, how we use that data, and the choices you have. By using the Service you agree to the practices described here.

1. Who is responsible

Data controller: COD Studio. Contact: contact@codstudio.shop. For data-subject requests (access, correction, deletion) see Data Deletion.

2. Data we collect

2.1 From merchants (account holders)

  • Account info: name, email, hashed password, language preference.
  • Store config: store name, brand color, currency, WhatsApp number, courier integration credentials, ad-platform tokens (encrypted at rest).
  • Billing info: only if you are on a paid plan — we do not store full card numbers; payment is handled by Stripe.
  • Usage data: pages visited within the dashboard, feature usage, error logs (for debugging).

2.2 From end-customers (people who buy through merchants' landing pages)

  • Order data: name, phone number, shipping address, product purchased, quantity, total price.
  • Analytics data: page views, scroll depth, button clicks, abandoned cart state, IP address (truncated), user-agent, UTM parameters from ad clicks.
  • Cookies / local storage: a visitor ID for funnel attribution and abandoned-cart recovery. See Cookie Policy.

2.3 From third-party advertising platforms

With the merchant's explicit consent (granted via OAuth), we read campaign / ad-set / ad performance data from Meta Marketing API, TikTok Marketing API, and Snap Marketing API. We never read or store messages, personal posts, or anything beyond what is required to compute return on ad spend.

3. How we use data

  • To provide the dashboard features merchants subscribed to (order management, analytics, page builder, follow-up automation).
  • To attribute customer orders back to the ad campaigns that drove them (ROAS).
  • To send transactional emails (account, password reset, team invitations).
  • To send WhatsApp messages on the merchant's behalf (order confirmations, abandoned-cart recovery) using templates the merchant configured.
  • To detect fraud, debug errors, and improve product reliability.

We do not sell merchant or customer personal data to any third party.

4. Who we share data with

  • Infrastructure providers we use to operate the Service — Cloudflare (CDN, DNS), Contabo (hosting). These act as data processors under contract.
  • Payment processors — Stripe — when a paid plan is involved.
  • Email delivery — Resend — for transactional emails only.
  • WhatsApp Business Solution Provider — 360messenger — for sending merchant-configured WhatsApp messages.
  • Ad platforms — Meta, TikTok, Snap — strictly to read the merchant's own ad performance via OAuth.
  • Courier APIs — when the merchant ships an order through an integrated courier (e.g. EzzyDelivery in Qatar) we send the customer's shipping address to that courier.
  • Law enforcement — only when legally required by a valid order from a competent authority.

5. Where data is stored

We operate our own PostgreSQL database on infrastructure we directly control (a dedicated VPS in Europe). Daily encrypted backups are stored in Cloudflare R2. Sensitive credentials (ad tokens, courier keys) are encrypted at rest using AES-256-GCM with keys held only on our application servers.

6. How long we keep data

  • Order data: retained for the lifetime of the merchant's account, then deleted on account closure plus a 30-day grace period.
  • Analytics events: retained for 18 months, then aggregated and the raw events are deleted.
  • Backups: retained for 14 days, then automatically deleted.
  • Logs: server logs retained for 30 days.

7. Your rights

If you are in a jurisdiction with applicable privacy law (GDPR, CCPA, GCC personal-data laws), you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Delete your account and associated personal data — see Data Deletion.
  • Object to specific processing activities.
  • Withdraw consent (e.g. disconnect an ad platform) at any time from your dashboard settings.
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email contact@codstudio.shop. We respond within 30 days.

8. Children

The Service is intended for use by businesses. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.

9. Changes to this policy

We may update this policy as the Service evolves. We will post the new version here with a revised "Last updated" date. For material changes we will notify account holders by email.

10. Contact

Questions about this policy or any data we hold about you: contact@codstudio.shop.