Skip to content
4.9/5 on Clutch — 13 verified reviews
Payload Logo

Privacy Policy.

Who we are

Kodexo Labs is the trading name of Kodexo Labs LLC. and its affiliates. "Kodexo Labs", "we", "our", and "us" in this Policy refer to the Kodexo Labs entity that controls the personal data described below.

Our principal place of business is:

Kodexo Labs LLC.
316 W 12th St, 4th Floor, Austin TX 78701, United States
Email: contact@kodexolabs.com
Phone: +1 219 766 5259

For data-protection enquiries from individuals in the European Economic Area or the United Kingdom, you can reach our representative at:

Kodexo Labs UK
30 Churchill Place, London E14 5RE, United Kingdom
Email: contact@kodexolabs.com

Affiliated entities that may act as joint controllers or processors include TheAgentive.ai, New York App Devs, and Kodexia.ai. Where they do, this Policy applies to that processing as well.

Scope of this Policy

This Policy explains how Kodexo Labs handles personal data when you:

  • Visit kodexolabs.com or any subdomain (collectively, the "Site")
  • Submit a brief, application, or other form on the Site
  • Email, call, or message us through any channel we publish
  • Engage with our marketing on third-party platforms (LinkedIn, Twitter, GitHub, Clutch, Upwork, Cal.com)
  • Engage Kodexo Labs as a client under a signed Master Services Agreement or Statement of Work (the "Engagement Terms")

This Policy does not cover:

  • Personal data we process strictly on behalf of a client under a Data Processing Addendum. That data is governed by the relevant client's privacy policy and the Engagement Terms.
  • Third-party sites and tools we link to. Their privacy policies apply to your interactions there.

Information we collect

Information you provide directly

When you submit a form, send an email, or otherwise contact Kodexo Labs, we collect:

  • Your name
  • Work email address (and personal email if you choose to share one)
  • Phone number, where you provide one
  • Company name and role, where you provide them
  • A description of the project, brief, role application, or enquiry
  • Any documents, CVs, or files you attach (up to 10 MB per file, 25 MB total per submission). We scan every upload for malware before storing. Attached files for enquiries that do not become engagements are deleted within 90 days of resolution.
  • Communications you send us, including email threads and call notes

Information collected automatically

When you visit the Site, we and our analytics processors collect:

  • IP address (truncated where required by law)
  • Device, browser, and operating system identifiers
  • Pages viewed, time on page, and click events
  • Referring URL and search terms where available
  • Approximate geographic location (city / country, derived from IP)
  • Cookies and similar identifiers as described in Section 7

Information from third parties

We receive personal data about you from:

  • Calendar tools (Cal.com or equivalent) when you book a call
  • Lead enrichment services that match your work email to publicly available business data
  • Authentication providers if you use a third-party login on a Kodexo Labs property
  • Recruiting platforms (LinkedIn, GitHub, or similar) when you apply through them
  • Clutch, Upwork, and Google Business Profile where you leave reviews about us

How we use information

We use personal data to:

  • Respond to your enquiries, briefs, applications, and other inbound contacts
  • Schedule and conduct scoping calls, interviews, and project meetings
  • Negotiate, sign, and operate Engagement Terms with clients
  • Process and respond to job applications and talent-pool submissions
  • Send marketing and product updates where you have opted in or where Privacy Laws permit
  • Improve the Site, our products, and our marketing through analytics and A/B testing
  • Detect, prevent, and respond to fraud, security incidents, and abuse
  • Comply with our legal, tax, accounting, and regulatory obligations
  • Defend, exercise, or establish legal claims

Legal bases (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

  • Consent: when you opt in to marketing, cookies, or specific processing. You can withdraw consent at any time without affecting prior processing.
  • Contract: to negotiate, sign, and perform under Engagement Terms with you or the entity you represent.
  • Legitimate interests: to respond to inbound business enquiries, operate the Site, conduct analytics, prevent fraud, and grow our business. We have weighed these against your rights and freedoms.
  • Legal obligation: to comply with tax, accounting, employment, immigration, and similar laws.
  • Vital interests: in the rare case of an emergency where processing is necessary to protect life.

You can request the specific legal basis for any given processing activity by emailing contact@kodexolabs.com.

Sharing and disclosure

We do not sell personal data and we do not share it for cross-context behavioural advertising as those terms are defined under the CCPA / CPRA.

We share personal data with:

  • Service providers and processors who help us run the business under written agreements that restrict their use of the data. These include: hosting (Vercel, AWS), CRM (HubSpot), analytics (Google Analytics 4), email and messaging (Google Workspace, Slack), calendar (Cal.com or equivalent), payment processors (where applicable), legal and accounting advisors.
  • Affiliated Kodexo Labs Group entities (TheAgentive.ai, New York App Devs, Kodexia.ai) where the engagement crosses brands, under the same protections as this Policy.
  • Successors in interest in the event of a merger, acquisition, financing, reorganisation, or sale of assets. We will notify you and offer you choices where Privacy Laws require.
  • Authorities, regulators, courts, and law-enforcement bodies where we are legally required to do so or where it is necessary to defend our legal rights.
  • With your consent, in any other case you specifically agree to.

Cookies and similar technologies

The Site uses cookies and similar technologies to function, to remember preferences, and to measure performance.

Categories used:

  • Strictly necessary: required to deliver the Site (session, security, load-balancing). These cannot be disabled.
  • Performance and analytics: Google Analytics 4 and similar. Used to count visits, traffic sources, and engagement patterns. We anonymise IP addresses where the tool supports it.
  • Functional: remember your cookie choices and any UI preferences.
  • Marketing: limited and used only with your consent. Where used, we may set cookies from LinkedIn Insight Tag, Twitter Pixel, or equivalent to measure ad performance.

You can manage your cookie preferences through the cookie banner at first visit and re-open it any time via the "Cookie preferences" link in the footer. You can also block cookies through your browser settings, although strictly necessary cookies cannot be disabled without breaking the Site.

A separate Cookie Notice (kodexolabs.com/cookie-policy) lists each cookie, its purpose, and its retention period.

Anti-spam: we use a simple math captcha and an invisible honeypot field on our contact form. Both are anti-abuse measures that run entirely on Kodexo Labs systems. We deliberately do not use Google reCAPTCHA or similar third-party services that share browsing data with the captcha provider.

Data retention

We retain personal data only as long as needed for the purpose for which it was collected, plus any period required by law.

Typical retention windows:

  • Inbound form submissions that do not become clients: 24 months from last contact, then deleted or anonymised.
  • Job applications that do not result in hire: 12 months from rejection unless you ask us to retain them longer for future roles.
  • Client communications and Engagement Terms records: the duration of the engagement plus 7 years for accounting, audit, and statute-of-limitations purposes, then deleted or anonymised.
  • Marketing subscribers: until you unsubscribe, plus 12 months for suppression-list maintenance.
  • Analytics data: 14 months in Google Analytics 4, then aggregated.
  • Security logs: 90 days at hot tier, up to 12 months at cold tier.

Where Privacy Laws require shorter retention, the shorter rule applies.

International transfers

Kodexo Labs operates from offices in the United States, the United Kingdom, and Pakistan. Personal data we collect may be transferred to and processed in any of these countries and in countries where our service providers operate.

When we transfer personal data out of the EEA or the UK, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses approved by the European Commission, with the UK International Data Transfer Addendum where applicable
  • An adequacy decision by the European Commission or the UK government, where one exists for the receiving country
  • Your explicit consent for a specific transfer, where applicable

A copy of the safeguards we apply to any specific transfer is available by emailing contact@kodexolabs.com.

Security

We protect personal data with a defence-in-depth security programme that includes:

  • Encryption in transit (TLS 1.2 or higher) on the Site and on all production systems
  • Encryption at rest on managed databases and object storage
  • Role-based access control with least-privilege defaults
  • Multi-factor authentication on all internal accounts and production access
  • Continuous logging, monitoring, and alerting for suspicious activity
  • Regular vulnerability scanning, dependency updates, and external penetration testing
  • Written agreements with all processors that include security and breach-notification obligations
  • Annual review of the security programme

No system is impervious. If a personal-data breach affects you and is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities within the timelines Privacy Laws require.

Your rights

Depending on where you live, Privacy Laws give you the following rights over your personal data:

  • Right of access: receive a copy of the personal data we hold about you
  • Right of rectification: correct inaccurate or incomplete data
  • Right of erasure: request deletion ("right to be forgotten")
  • Right of restriction: limit how we process your data while we resolve a question
  • Right of data portability: receive your data in a portable format
  • Right to object: object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: at any time, where consent is the legal basis
  • Right to opt out of "sale" or "sharing" as defined by CCPA / CPRA (we do neither, but the option remains available)
  • Right to non-discrimination for exercising any of these rights
  • Right to lodge a complaint with a supervisory authority

To exercise any of these rights, email contact@kodexolabs.com with the subject line "Privacy request: [type of request]". We respond within 30 days for GDPR / UK GDPR requests and within 45 days for CCPA / CPRA requests. We may need to verify your identity before we act on the request.

If you authorise an agent to make a request on your behalf, we will verify both your identity and the agent's authority before we act.

California-specific disclosures

This section applies to California residents and provides the disclosures required by the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA").

Categories of personal information collected, by CCPA category:

  • Identifiers (name, email, IP address, online identifiers, phone number, postal address)
  • Customer records (company, role, billing information for clients)
  • Internet and network activity (browsing, search, click history on the Site)
  • Geolocation data (approximate city / country)
  • Professional information (employment information from CVs and applications)
  • Inferences drawn from the above (engagement scoring for marketing)

Sources, purposes, and recipients are described in Sections 3–6 of this Policy.

Sale and sharing: we do not sell personal information and we do not share personal information for cross-context behavioural advertising.

Sensitive personal information: we do not collect sensitive personal information except where you voluntarily provide it (for example, in a CV). We do not use sensitive personal information to infer characteristics about you.

Your CCPA rights are listed in Section 11. Submit requests by emailing contact@kodexolabs.com.

We do not discriminate against you for exercising any CCPA right.

EU and UK-specific disclosures

This section applies to individuals in the European Economic Area, the United Kingdom, and Switzerland.

Controller: Kodexo Labs LLC. is the controller for personal data described in this Policy, except where we act as a processor under a Data Processing Addendum with a client.

Data Protection Officer: we have not appointed a DPO because Kodexo Labs is not legally required to do so under Article 37 of the GDPR. You can reach our privacy contact at contact@kodexolabs.com.

Representatives:

  • EU Representative under Article 27 GDPR: [to be appointed before EU-targeted marketing campaigns. Currently flagged for legal review.]
  • UK Representative under Article 27 UK GDPR: Kodexo Labs UK, 30 Churchill Place, London E14 5RE, United Kingdom.

Lead supervisory authority: where the One-Stop-Shop mechanism applies, our lead supervisory authority is determined by the location of our main EU establishment. Until an EU establishment is appointed, EEA individuals can complain to the supervisory authority where they live or work.

UK individuals can complain to the UK Information Commissioner's Office (ico.org.uk).

Automated decision-making: we do not make solely automated decisions about you that produce legal or similarly significant effects on you.

Children's privacy

The Site and our services are not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected such data, email contact@kodexolabs.com and we will delete it promptly.

Changes to this Policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top and the version number in the footer.

If the changes are material, we will post a notice on the Site for at least 30 days and, where Privacy Laws require, contact you directly.

Continued use of the Site after the effective date of an updated Policy means you accept the updated Policy.

Contact us

For any privacy question, request, or complaint:

Email: contact@kodexolabs.com
Subject line: "Privacy request: [your request]"

Mail (United States):
Kodexo Labs LLC. · Attn: Privacy
316 W 12th St, 4th Floor
Austin TX 78701
United States

Mail (United Kingdom):
Kodexo Labs UK · Attn: Privacy
30 Churchill Place
London E14 5RE
United Kingdom

We aim to respond within 5 business days and to resolve all requests within the timelines set by Privacy Laws.