// Legal

Privacy Policy.
Plain and simple.

Last updated: 10 March 2026
// 01

Data Controller

Kozo is operated as an independent product. For any data-related enquiries, reach us at . We'll respond within 30 days.


// 02

What We Process

When you use Kozo, we process:

Account Metadata: Your email address and GitHub username for authentication.

Codebase Metadata: This includes:

File paths and file names
Line counts per file
Language detection results (e.g. TypeScript: 80%, Python: 20%)
Dependency lists from package.json / pyproject.toml
Test file ratios and folder depth metrics
Presence or absence of security-relevant files (e.g. .env.example)

We never process, store, or transmit your source code. Your actual code is read locally in your browser and discarded immediately. Only the extracted metadata above is ever sent to our servers. See our open source code on GitHub.


// 03

Where We Process

All server-side processing takes place exclusively on infrastructure located in Frankfurt, Germany (EU), operated via Vercel and Supabase.

Your metadata does not leave the EU except as described in Section 04 below regarding AI processing.


// 04

AI Processing

Extracted metadata — not source code — is passed to Claude (Anthropic) to generate your debt score, refactor roadmap, and AI constitution.

GDPR Note

Anthropic may process this data on servers located in the United States under standard contractual clauses (SCCs) in accordance with GDPR Article 46. No personally identifiable code, credentials, or source content is included in these requests.


// 05

Retention

Scan metadata and generated constitutions are retained for 90 days from the date of creation, after which they are automatically and permanently deleted.

You may delete any scan or constitution from your account at any time before that date.


// 06

Your Rights (GDPR)

As a data subject under the GDPR, you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your data at any time
Data portability — receive your data in a structured, machine-readable format
Object to processing based on legitimate interests
Lodge a complaint with your national supervisory authority

To exercise any of these rights, contact . We will respond within 30 days.


// 07

Cookies

We use essential cookies only — specifically the session cookie required to keep you logged in.

We do not use tracking cookies, advertising cookies, or any third-party analytics that set cookies without your explicit consent.


// 08

Payment Processing

We use third-party payment processors to handle transactions. These processors are PCI-DSS compliant. By making a purchase, you agree to their respective privacy policies. We collect your billing address and tax identification (where required) to comply with international tax laws.


// 09

Changes to This Policy

This Privacy Policy may change from time to time. The most current version of the Privacy Policy will always appear on the Website. You should periodically review the Privacy Policy to stay informed on how We use information submitted to Us.

Questions? Email