Privacy PolicyVersion 0.9.0 (04/16/2020).Click here for previous versions of our Privacy Policy.Privacy Policy
<p>This privacy policy allows you to learn about the way CodeSandbox B.V.
(“CodeSandbox”) controls and processes data about you or data that may allow
anyone with access, to identify you or anyone on your team with a CodeSandbox
account as a natural person.
Additionally, the types of data we collect and how
we use, share and secure this data and how you can exercise your privacy rights
are outlined.</p>
<p>The term privacy may typically be associated with privacy settings controlling
visibility of user created content such as sandboxes.
Although addressed, this
meaning of privacy will only be secondary to the main purposes just described.</p>
<p>This policy is further intended to apply to anyone exposed to any CodeSandbox
service.
To further clarify the terms we are using and how we are thinking,
please refer to the glossary at the end of this document.</p>
<p>Please reach out to us via our contact details below as soon as possible if you
or anyone in your company using CodeSandbox feels uninformed, finds anything on
our websites to be unfair, incompletely explained or surprising.</p> In short
<p>We want to be as open as possible about how we treat your personal data, how you
should be able to access and control your data and how you can use our services.
We will not sell, rent or lease your personal data to anyone, except in case we
sell our business or part thereof to another company.</p>
<p>A few take-home points are good to keep in mind:</p>
<ul>
<li>Anything you create using our services is public by default unless you opt to
go private;</li>
<li>We collect the minimum amount of personal data necessary to provide our
services, unless you chose to provide more voluntarily;</li>
<li>We make use of analytical tools on our websites and services to learn whether
users are using specific features we release, such as the Template Universe or
Netlify deploy option and to improve what we are building by way of placing
tracking cookies;</li>
<li>We may promote our services to inform you via email about new releases,
community activities or for events that may ultimately affect your day-to-day
use of our services;</li>
<li>We may enrich your (personal) data with publicly accessible data;</li>
<li>We are operationally based in The Netherlands and therefore you are dealing
with applicable Dutch and/or EU law.</li>
</ul> What does CodeSandbox collect and why?
<p>Personal data is collected via various sources on anyone exposed to any
CodeSandbox service.
Typically, users who create an account (as defined below)
could provide more data.
For examples, see the data types section below.
You can
limit or change the amount of personal data we process and store by limiting the
data you provide to us in your account settings or by reaching out to us.</p>
Why we are collecting data
<p>Processing of personal data may be deemed necessary or reasonable when we:</p>
<ul>
<li>Want to act in our legitimate interest as long as it does not override your
fundamental rights and interests.
An example of legitimate interest may be us
conducting common business operations such as sending you promotional material
via email when you have paid for our services.</li>
<li>Have to perform our agreement in delivering the service described in this
privacy document and in more detail in our
terms of service;</li>
<li>Have to comply with legal obligations.</li>
<li>Have your explicit consent to process personal data.</li>
</ul>
<p>Amongst other examples mentioned throughout this document, we collect and use
such data to:</p>
<ul>
<li>Create your account and to provide you with our services;</li>
<li>Process transactions and sending invoices;</li>
<li>Contact you with requested support;</li>
<li>Send you documentation, educational material related to our services;</li>
<li>Notify you of major upcoming product or legal policy changes;</li>
<li>Improve, research and develop new features as part of the services you may be
using;</li>
<li>Invite you to participate in surveys, where necessary subject to your consent;</li>
<li>Prevent misuse of or stop other illegal activities from being conducted
through our services.</li>
</ul>
Data types we are collecting and using
<p>Account basics.
When you create an account, you are asked permission to
authorize GitHub to share personal data with CodeSandbox.
If available from
GitHub, we collect and store: avatar, name, first name, last name, bio, email
and username and -id.
Please note that most of this information is already
publicly available via GitHub's API.</p>
<p>Access Logs.
Our servers keep log files, writing and storing personal data such
as IP address and the type of browser you are using.</p>
<p>Cookies.
CodeSandbox uses tracking, functional and analytical cookies because it
enables many convenient features that may save you some time.
We use tracking
cookies to gather a unique view count of sandboxes and to match a sandbox to
users without an account.
We allow some of our service providers such as Google
Analytics, Amplitude, Algolia and Vero to store cookies on your device.
We
assume you know what cookies are and how to prevent third parties from
installing cookies on your device.
If not, your browser settings allow you to
disable cookies and control acceptance levels.
Please reach out to us via
details below if you are in doubt or seek assistance in understanding and
changing browser settings.</p>
<p>Tracking.
We track user behavior and register events such as whether a user has
created a template or interacted with an embed to measure the effectiveness of
our work and to learn about user choices and preferences in order to improve the
ways we present CodeSandbox.
It can also be used to measure whether and when
people return to our website, also known as user retention expressed in time.</p>
<p>Support.
When you reach out to us via one of our support channels, we may opt to
maintain records related to your request, including any data, information or
content provided by you or anyone on your team for training purposes of our
product and support team members.
We might thus collect personal data such as
your browser type and specific setup, disclosed in your emails.
We shall not
publish your name and email when you reach out to us.
This is different when you
post on a more public medium.</p>
<p>Marketing.
We may use any combination of services in order to enhance what we
know about you for the sole purpose of providing tips on how to use CodeSandbox,
which can be opted out of at any point in time by reaching out to us or clicking
the unsubscribe at the bottom of every email you may receive from us.
For
instance, we may have learned you have attempted to complete a certain action
twice: When we have your email, we may send you an email via one of our service
providers with related tips.</p>
<p>Financial.
We use Stripe as a payment service provider and do not collect nor
store credit card or other financial data in our databases.
We do have access to
Stripe's database for the purpose of complying with support requests and
administration requirements, but no level of access exposes full credit card
details.
Only the last four digits can be read and are typically used for
verification purposes during support interactions.</p>
Use of third parties, sharing data and sub-processors
<p>We use third party service providers to deliver to us what we have chosen not to
develop ourselves.
As many of them provide vital functions in the CodeSandbox
infrastructure such as hosting or analytics, we refer to them as partners or
sub-processors.</p>
<p>As a rule of thumb, all personal data we collect and share with our partners is
pseudonymized or tokenized, unless we use that partner to communicate with you
or your team, for which typically an email address has to be known to that
partner.
If a partner does not need to know an email address for example, we do
not share.
An additional exception for which we are likely to use e-mail
addresses is when we want to attain more publicly available data on you or your
team: We would have to send a partner at least one type of personal data unique
enough to generate matching results about you or your teams' online identity.</p>
<p>A complicated aspect of being on the modern web is increasing entanglement: A
unified and consistent user interface of a single website may – unbeknownst to
its user – contain dozens of services from an equal amount of different
companies, each with their own handling of data and privacy policies.
As a data
controller CodeSandbox is fully responsible for what it can control: The choice
of its partners and the orders we send to them and to attain what we need to
serve you and are in accordance with this policy.</p>
<p>As part of our checkout flow, our Stripe integration can be considered a clear
example of how hard it can be to discern who is delivering what service to you.
Intuitive design has to be obfuscating in this regard and can ignite distrust in
some, pleasant surprise in others.</p>
<p>We have certain practices in place to ensure our partners adhere to legal
standards and we typically interview new partners to get a sense of how they are
treating user data.
We have Data Processing Agreements in place with our
partners and our sub-processors.</p>
Sub-processors &.
Data locations
<p>Syntax: (Company Name (“a.k.a.”), Location, Purpose, Link)</p>
<ul>
<li>Amplitude, Inc.
United States.
Data Analysis.
https://amplitude.com/blog/one-year-after-gdpr-amplitude-and-user-privacy;</li>
<li>Amazon, Inc., AWS EMEA SARL.
United States &.
European Union.
Hosting services.
https://aws.amazon.com/compliance/gdpr-center/;</li>
<li>Cloudflare, Inc.
United States &.
European Union.
Routing, securing and caching
web traffic.
https://www.cloudflare.com/privacypolicy/;</li>
<li>Google Ireland Limited (“Google Cloud Platform”).
United States &.
European
Union.
Hosting services.
https://policies.google.com/privacy;</li>
<li>Google LLC, Google Ireland Limited or affiliate (“Google Analytics”).
Data
Analysis.
https://support.google.com/analytics/answer/9019185?hl=en;</li>
<li>Hetzner Online GmbH Gunzenhausen.
Germany.
Hosting services.
https://wiki.hetzner.de/index.php/Datenschutz-FAQ/en;</li>
<li>Invc.me, Inc.
(“Vero”).
United States.
Behavior based email campaigns.
https://www.getvero.com/gdpr/;</li>
<li>Mailgun, Inc.
United States.
Email Service Provider.
https://www.mailgun.com/gdpr/</li>
<li>Stripe Payments Europe, Ltd.
European Union.
Payment Service Provider.
https://stripe.com/privacy-center/legal;</li>
<li>The Rocket Science Group LLC (“Mailchimp”).
United States.
Email Service
Provider.
https://mailchimp.com/gdpr/.</li>
</ul>
<p>Your personal data may be transferred, stored and processed in the European
Economic Area (“EEA”), United States (“US”) or any other country in which our
service providers maintain facilities.
By using our domains, you consent to any
transfer, storing or processing of personal data outside of your country of
residence and outside the EEA.
We will take all steps reasonably necessary to
ensure that your data is treated securely and in accordance with this policy.</p>
Retaining data
<p>We will not retain your personal data for a period longer than necessary to
fulfill the purposes described in this policy, unless we have to keep it for
legitimate tax, business or legal purposes.</p>
Securing data
<p>You probably know that no company can ever guarantee 100% security in data
transmission on the web and that breaches unfortunately can happen.
We promise
CodeSandbox is developed with the best security practices in mind.
Here are some
examples of how we are securing your personal data:</p>
<ul>
<li>We use third parties to test the security of our services from time to time;</li>
<li>CodeSandbox team members have access to user information only to the extent
where it is appropriate to their tasks and/or roles and on a need-to-know
basis;</li>
<li>We obtain certifications to test our practices against public or industry
standards;</li>
<li>When we receive reports of abuse, data breaches pertaining to the integrity of
our users or our own, investigation immediately follows upon learning about it
and reasonable action is taken as swiftly as possible in accordance with
applicable privacy laws.</li>
</ul> Your rights and how to contact us
<p>Please know your rights by learning about the
EU General Data Protection Regulation
also more commonly known as GDPR or your local privacy laws and reach out to us
for questions or concerns.
Summarizing some of your key rights, you may:</p>
<ul>
<li>This policy is part of your right to be informed before you create an account
or use our services.
You have access to your personal data we process and a
right to know for what purposes;</li>
<li>Where you have given us consent to process personal data, you may withdraw
your choice for us to stop doing so at any time.
Please be aware that this has
an impact on your day-to-day use and functionality of our services;</li>
<li>Under particular circumstances you may restrict processing, such as direct
marketing and/or on the basis of legitimate interests following GDPR
Article 6 sub 1 (f);</li>
<li>Rectify any personal data that may be inaccurate or incomplete and request us
to erase your account, including personal data we and any of our partners have
collected;</li>
<li>The personal data collected by us and requested by you should be delivered to
you in a common, portable and machine-readable format;</li>
<li>Objections can be made for example by filing a complaint with your local
privacy authority.
For the Netherlands this is the
Dutch Data Protection Authority
(<em>Autoriteit Persoonsgegevens</em>).
For other countries in the EEA, please refer
to:
https://edpb.europa.eu/about-edpb/board/members_en.</li>
<li>You have the right not to be subject to a decision based solely on automated
processing, including profiling, which adversely affects your legal rights or
substantially impairs you in a similar manner.</li>
</ul>
<p>Some of these rights may be executed with a click of a button from our website,
insofar as they are not please reach out to us by the following means.</p>
Contact us
<p>CodeSandbox B.V.
in its role as data controller is a for profit company with its
operational headquarters at Singel 542, 1017 AZ, Amsterdam, The Netherlands,
available at +1 (650) 731-3185.
To exercise any of the rights described above
or in case of concerns, questions or inquiries, please email us at
hello@codesandbox.io.</p>
<p>We promise to respond as soon as possible and in any case within fourteen (14)
business days of your request.
For account deletion or data dumps, please
mention "privacy" anywhere in the subject header.</p>
Age
<p>Our services are intended for anyone at any age who would like to experiment
with and learn about design and code.
However, if you are under the age of 16,
please do not provide us with any personal information, have your parents or
legal guardian reach out to us immediately with permission or questions.
Please
also be aware we have no ready access or instant knowledge of anyone’s age.</p>
Applicable law
<p>CodeSandbox operates globally and you may have different rights under your local
laws.
We shall strive toward complying with laws beyond where we are based.
This
policy is construed under Dutch law.
All privacy related disputes shall be
exclusively submitted to a competent court in The Netherlands.</p> Glossary
<p>For general concepts such as "personal data", "processor", “controller” and
"pseudonymisation" we shall use the definitions given in GDPR
Article 4.
The following apply to CodeSandbox specifically:</p>
<p>Account.
Anyone having signed in using their GitHub account has a CodeSandbox
Account.</p>
<p>Embeds.
An embed is (a part of) a website in a website.
Anyone can choose to
render (parts of) their sandbox(es) visible on other websites.</p>
<p>Sandbox.
Anything a user creates in an environment using CodeSandbox and that is
accessible by a unique URL.</p>
<p>Services.
CodeSandbox is a productivity toolkit serving ready-made and
customizable environments built by and for software developers, designers and
those enthusiastic about software development.
It enables people to create,
adjust, test, inspect and share web applications or parts thereof in a web
browser.</p>
<p>User.
Anyone exposed to any CodeSandbox Service.
We consider several types:
those who view or interact with CodeSandbox embeds via other websites, visitors
not signed in and users with a CodeSandbox account who are signed in.</p>
<p>Websites or Domains.
codesandbox.io and
*.csb.app or any of its user-facing subdomains.</p>
Previous versions of our Privacy Policy<ul>
<li>Version 0.8.0 (07/19/2017) (Website)</li>
</ul>