Code Ahead Lda (operating VULK at vulk.dev) is the data controller for personal information collected through the Service. This page summarizes how we comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Who is the controller?
Code Ahead Lda, a private limited company registered in Portugal under NIF 519071948, with registered office in Vila do Conde. For all privacy-related correspondence:
- Use the contact form with topic "Privacy / DPO"
- Postal: Code Ahead Lda, Vila do Conde, Portugal
2. Lawful bases for processing
We rely on the following lawful bases under Article 6:
- Contract (Art. 6(1)(b)) — to provide the Service you sign up for (account, generation, billing, deployment).
- Consent (Art. 6(1)(a)) — for marketing emails, non-essential cookies, and analytics tracking.
- Legal obligation (Art. 6(1)(c)) — for tax invoicing (7-year retention under Portuguese law) and responses to lawful requests.
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, service security, and product analytics that don't identify individuals.
3. What we collect
- Account data — email, name, password hash (Argon2id), OAuth identifiers.
- Billing data — name, country, payment method (tokenized by Stripe — we never see card numbers).
- Project data — prompts, generated source files, deployments, usage credits.
- Technical data — IP, user agent, device fingerprint (limited), session timestamps.
4. Your rights under GDPR
You have the following rights, exercisable free of charge:
- Article 15 — Right of access: download a copy of all personal data we hold.
- Article 16 — Right to rectification: correct inaccurate data.
- Article 17 — Right to erasure ("right to be forgotten"): delete your account and associated data, subject to retention obligations.
- Article 18 — Right to restriction: pause processing while a dispute is pending.
- Article 20 — Right to portability: export your data in a machine-readable format (JSON).
- Article 21 — Right to object: opt out of marketing or profiling-style processing.
- Article 22 — Automated decision-making: we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects.
- Article 77 — Lodge a complaint: with your supervisory authority. In Portugal: CNPD.
We respond to verified rights requests within 30 days. Most data is also self-serve in your account settings.
5. Sub-processors
We engage these sub-processors. Each has signed a Data Processing Agreement (DPA) with us:
| Provider | Purpose | Region |
|---|---|---|
| AWS RDS | Primary database (Postgres 16) | EU (Frankfurt) |
| Cloudflare | CDN, DDoS, Workers | Global edge |
| Stripe | Subscription billing + 3DS | US / EU |
| OpenRouter | AI model gateway | US |
| Vertex AI (Google) | Gemini family inference | EU regions where available |
| Anthropic | Claude inference | US |
| OpenAI | GPT-5 family inference | US |
| Hetzner | App + preview servers | EU (Falkenstein, Helsinki) |
| Resend | Transactional email | US |
| Sentry | Error tracking (PII scrubbed) | US |
For non-EU transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Sub-processor list updated at least annually; material additions announced by email.
6. International transfers
Primary infrastructure is EU-hosted. Where transfers to non-EU countries occur (e.g., AI inference at OpenAI/Anthropic US endpoints), they are protected by SCCs and, where available, EU-US Data Privacy Framework certifications.
7. Data Processing Agreement (DPA)
Business and Enterprise customers can sign a DPA mirroring Article 28(3) GDPR. Request via the contact form with topic "Sales / Enterprise".
8. Breach notification
In the event of a personal data breach likely to result in a risk to your rights, we notify the supervisory authority within 72 hours and affected users without undue delay (Articles 33, 34 GDPR).
9. Children
VULK is not directed to individuals under 16. We do not knowingly process data from children. If you believe a child has registered, contact us immediately and we will delete the account.
10. Changes
Material changes to this GDPR statement are announced by email at least 14 days before they take effect. The latest version always lives at /gdpr.