Who controls your data
The data controller for personal data described in this notice is CodeOn, the company behind https://codeon.ge and based in Tbilisi, Georgia. For any privacy question, write to [email protected].
We are a small studio (<5 people). The same person who writes the plugins replies to your privacy email; there is no outsourced data-protection bureau in between.
What this notice covers
This notice covers personal data we process when you (a) browse codeon.ge, (b) create an account or order a license, (c) install one of our Plugins on your WordPress site and the Plugin contacts our license server, and (d) email us for support.
It does not cover data you process inside your own WooCommerce store. When a CodeOn Plugin processes an order on your store, you remain the controller of your customers' data; we are at most a service provider for the technical integration.
What we collect
- Account: Email address (verified), display name, hashed password (Argon2id), email-verification + password-reset tokens, role (customer / admin), preferred language.
- Billing: Company name, tax id, billing address, country — only when you provide them to issue an invoice. Card data is never stored on our servers (see §8).
- Orders & licenses: Plugin SKU, license key, term length, order timestamps, bound Domain (the URL of your WordPress site), referral code if any, refund history.
- Plugin telemetry: On every license check the Plugin sends: site URL, Plugin version, build id, WordPress version, PHP version, and a tamper-state flag. No order data, no customer data, no product or revenue figures from your store.
- Support: The contents of emails you send to [email protected] and any attachments (e.g. log snippets) you choose to share.
- AI assistant: The text of questions you type into the on-page assistant on plugin pages, plus a hashed IP for rate-limiting (see §7).
- Site analytics: Aggregate, server-side counts of page views and download requests. We do not run third-party analytics scripts (no Google Analytics, no Meta pixel) and we don't set cookies for marketing.
- Server logs: Standard HTTP access logs (URL, status code, IP, user agent), retained for short periods to investigate incidents and abuse.
Why we collect it
We use the data above to:
- create and authenticate your account;
- issue, validate, and renew Plugin licenses bound to your Domain;
- generate per-customer watermarked Plugin builds and serve update manifests to your WordPress installs;
- process payments via TBC, Bank of Georgia, and Flitt and meet our Georgian tax-reporting obligations;
- detect tampered installs and unauthorised redistribution of watermarked builds;
- reply to support emails and improve the Plugins from the bug reports we receive;
- run the on-page AI assistant that answers product questions before you buy;
- keep the website online and defend it against abuse.
Legal basis
Where Georgia's Law on Personal Data Protection or the EU GDPR applies, we rely on the following legal bases:
- Contract — for everything needed to deliver your license, watermarked downloads, updates, and support (account, orders, licenses, telemetry from your installed Plugin).
- Legitimate interests — for security logs, anti-fraud signals, anti-piracy watermarking, and aggregate site analytics. We've weighed these against your interests and concluded they are necessary and proportionate.
- Legal obligation — for invoice retention and other records required by Georgian tax law.
- Consent — for the AI assistant (you opt in by typing a question) and for any future marketing email (we currently send none).
License & plugin telemetry
Each CodeOn Plugin checks its license against codeon.ge on activation, daily, and on update. The request body contains site URL, Plugin version, build id, WordPress + PHP versions, and a tamper-state flag. The response is a signed JSON payload telling the Plugin whether the license is active, when it expires, and whether it's in grace.
We use this data only to (a) authorise the install, (b) flag unauthorised redistribution of a watermarked ZIP, and (c) decide which build to ship in updates. We do not read, store, or relay any data about your customers or about transactions you process — that data never leaves your WordPress site through the CodeOn Plugin.
You can see the exact payload your Plugin sends in its admin settings under License → Diagnostics.
AI assistant chat
On individual plugin pages we offer an AI assistant (powered by Google Gemini) that answers pre-sales product questions. When you submit a question, the question text is sent to Google's API along with a system prompt that pins the assistant to the current plugin's public catalogue entry. We rate-limit by hashed IP.
We do not feed your account email, license keys, or any other identifying information into the AI prompt. We log the question + answer for a short period (default 30 days) to spot-check quality and rate-limit abuse, then delete it. You can ask [email protected] to delete a specific conversation sooner.
Google's handling of API requests is governed by their own terms; our setting requests that Google not use the data to train their models, but Google's policies are authoritative for that part of the flow.
Payments & card data
We accept payment via TBC Bank, Bank of Georgia, and Flitt. Card data (PAN, CVV, 3-D Secure codes) is entered directly on the bank's hosted page or PCI-compliant iFrame and is never seen by codeon.ge.
The bank returns to us a transaction id, status code, authorised amount, masked PAN (last 4 digits), and card brand. We store these on the order record so you can see your purchase history and so we can issue refunds.
How long we keep data
- Account: Until you ask us to delete it, or after 24 months of inactivity (no login + no active license + no open support thread).
- Orders & invoices: Retained for the period required by Georgian tax law (at least 6 years from the end of the relevant tax year).
- License + telemetry: For the lifetime of the License plus 24 months for renewal-fraud and warranty purposes.
- Support emails: Retained as part of the inbox archive; you can ask us to redact a specific thread.
- AI assistant logs: 30 days, then deleted.
- Server logs: Up to 30 days for HTTP access logs, longer only when tied to an active security incident.
International transfers
Our primary infrastructure is hosted in the European Union (Contabo, Germany). Some sub-processors (Cloudflare, Resend, Google's Gemini API, GitHub) are US-headquartered and may process limited data outside the EU and Georgia.
Where personal data is transferred outside Georgia or the EEA, we rely on the applicable provider's Standard Contractual Clauses or equivalent transfer safeguards.
Security
The website is served over TLS 1.3, with HSTS enabled. Account passwords are hashed with Argon2id; license keys are random, opaque, and stored hashed where practical. Database backups are encrypted at rest. Admin access to the production environment requires SSH key authentication from a short allowlist; password authentication is disabled.
No system is perfectly secure. If we discover a breach that is likely to affect your personal data, we'll notify you by email without undue delay and tell you what we're doing about it.
Your rights
You have the right to:
- request a copy of the personal data we hold about you (right of access);
- ask us to correct inaccurate data (right of rectification);
- ask us to delete your data, subject to records we must keep for tax and contract reasons (right of erasure);
- object to processing based on legitimate interests, in which case we'll review and stop unless we have an overriding ground;
- ask for your data in a portable machine-readable format (right to data portability);
- withdraw any consent you previously gave, without affecting the lawfulness of prior processing;
- lodge a complaint with the Personal Data Protection Service of Georgia at personaldata.ge, or with your local data-protection authority if you are in the EEA / UK.
To exercise any of these rights, email [email protected] from the address on your account. We'll reply within 30 days.
Children
CodeOn is a tool for people who run e-commerce stores. It isn't designed for, and we don't knowingly collect data from, anyone under 16. If you believe a child has created an account, write to [email protected] and we'll delete it.
Changes to this notice
We may update this notice from time to time — for example to reflect a new sub-processor, a new Plugin category, or a regulatory change. Material changes will be announced by email at least 14 days before they take effect. Past versions live in the website's Git history; ask [email protected] if you need a specific revision.
Contact
CodeOn, Tbilisi, Georgia.
Email: [email protected].
For account-specific privacy requests, please write from the address on your account so we can verify the request.