Privacy Policy

Last updated: 2026-04-28 · Version: 1.0 · GDPR-aligned

This policy explains what personal data BestCoder SAS ("we") collects, why we collect it, how long we keep it, and what your rights are. It applies to the BestCoder website, control plane, and Agent.

1. Data controller

BestCoder SAS — 8 rue de la Tour des Dames, 75009 Paris, France. Contact: privacy@bestcoder.app · DPO: dpo@bestcoder.app.

2. Data we collect

2.1 Account data

Email, name, password hash (bcrypt), and any optional profile fields you fill in. Lawful basis: contract (Article 6(1)(b) GDPR).

2.2 Project metadata

Project IDs, deployment timestamps, build statuses, AI session lengths. We never ingest your source code, your secrets, or your AI prompts; the Agent processes them locally and only sends metadata. Lawful basis: contract.

2.3 Lead and audit data

When you submit the form on /audit we store your email, a SHA-256 hash of your IP address computed with a rotating salt, and the simulator's preview score in our audit_logs table. Lawful basis: explicit consent (Article 6(1)(a)).

2.4 Payment data

Stripe processes your card details. We see only the last 4 digits, brand, expiration, and Stripe customer ID. Lawful basis: contract + legal obligation (book-keeping).

2.5 Telemetry

Aggregate, anonymous Vercel Analytics page-view counts, collected only after you opt in (see section 3). No cookies, no fingerprinting, no cross-site tracking. Lawful basis: legitimate interest (Article 6(1)(f)).

3. Cookies

We use only strictly necessary cookies by default: the NextAuth session cookie, the CSRF token cookie, and a single bc_consent cookie that stores your consent choice (max-age 6 months, Secure, SameSite=Lax). Optional analytics require your explicit opt-in (see 3.1).

3.1 Analytics and Speed Insights (opt-in)

Vercel Analytics and Speed Insights collect aggregate, anonymous page-view and performance data, with no persistent identifiers and no cross-site tracking. Their scripts are loaded only after you click "Opt in"; until then no script from *.vercel-insights.com is fetched and no third-party cookie is set.

4. International transfers

Some subprocessors operate outside the EU. For each of them we rely on Standard Contractual Clauses (SCCs) signed with the provider, plus encryption in transit (TLS 1.3) and at rest. We maintain a Transfer Impact Assessment (TIA) for every non-EU subprocessor, which is available on request.

5. Retention

| Data | Retention |
|---|---|
| Active account | Until you delete it |
| Cancelled account | 90 days read-only, then permanent deletion |
| Lead / audit logs | 24 months from last activity |
| Billing records | 10 years (French Code de commerce) |
| Aggregate analytics | 25 months max (Vercel Analytics) |

6. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • data portability (export in JSON / CSV);
  • lodge a complaint with the CNIL (https://www.cnil.fr).

To exercise any right, write to privacy@bestcoder.app. We respond within 30 days, sometimes faster.

7. Security

See the Security page for our technical and organisational measures: encryption, MFA on internal systems, quarterly access reviews, vulnerability disclosure process.

8. Children

The Service is not directed at children under 16. We do not knowingly collect data from minors. Contact us if you believe a child has provided us with personal data and we will delete it promptly.

9. Changes to this policy

Material changes are notified by email and via an in-product banner at least 30 days before they take effect. The version history is available on request.