polka.codes

Legal

Privacy Policy

Last updated: 3 June 2026

Effective date: 3 June 2026

This Privacy Notice explains how XEN SOFTWARE CONSULTING LIMITED, trading as Polka Codes, collects, uses, discloses, stores, and protects personal information when you use Polka Codes, our pre-release AI coding workspace.

In this notice:

  • "Polka Codes", "we", "us", and "our" mean XEN SOFTWARE CONSULTING LIMITED.
  • "Personal information" means information about an identifiable individual.
  • "Customer content" means content you submit, connect, upload, generate, or authorise Polka Codes to process, including prompts, chat messages, code, repository content, files, logs, screenshots, uploaded images, generated outputs, workflow state, and memory files.
  • "Approved repository" means a repository that you authorise Polka Codes to access through GitHub or within the Polka Codes workspace.

1. Who we are

Polka Codes is owned and operated by XEN SOFTWARE CONSULTING LIMITED in New Zealand.

Registered office: 21e Cradock Street, Avondale, Auckland, 1026, New Zealand Privacy Officer contact: privacy@polka.codes

You can contact us at privacy@polka.codes with privacy questions, access or correction requests, deletion requests, or complaints.

2. Scope

This Privacy Notice applies to Polka Codes and related account, workspace, support, billing, and pre-release product activities.

Polka Codes is a pre-release service. During the pre-release period, we may collect more diagnostic and usage information than a mature production service so that we can debug failures, improve reliability, investigate abuse, and understand service performance.

3. Information we collect

We collect personal information directly from you, automatically when you use Polka Codes, and from third parties such as GitHub and Stripe.

Information you provide or create in Polka Codes

We collect information you provide, upload, connect, or generate while using Polka Codes, including:

  • chat messages, prompts, instructions, code snippets, files, screenshots, uploaded images, logs, generated outputs, and memory files;
  • approved repositories, repository settings, workspace settings, workflow progress, preferences, and support messages;
  • account settings, usage records, quota state, feature access records, and billing-related metadata.

Information we collect from GitHub

When you sign in with GitHub or authorise Polka Codes for a repository or organisation, we collect information GitHub provides to us, depending on the permissions you grant. This may include your GitHub user ID, login, name, avatar, email address, email verification status, OAuth tokens or GitHub App tokens, repository installation information, repository identifiers, repository metadata, permissions, and related webhook or installation events needed to provide the service.

Polka Codes only accesses repositories that you approve for use with Polka Codes and only within the GitHub permission scope you grant. We do not intentionally access unrelated repositories.

Billing information

If you use paid features, Stripe may collect and process your payment details. We receive and store billing metadata needed to manage your account, such as Stripe customer IDs, subscription status, invoice records, plan information, payment status, and tax or accounting metadata.

We do not intentionally store full payment card numbers.

Technical, diagnostic, and usage information

We collect technical and diagnostic information such as IP address, device and browser information, request metadata, timestamps, authentication and session records, error logs, workflow durations, tool invocations, token usage, model and provider metadata, analytics events, security events, abuse-prevention records, and rate-limit or quota records.

Error reports and diagnostics may include stack traces, file paths, request context, runtime metadata, and limited snippets needed to diagnose failures. We use filtering and access controls to reduce unnecessary exposure, but you should avoid submitting secrets or highly sensitive information.

Cookies and local storage

We may use cookies, local storage, session storage, and similar technologies for authentication, security, preferences, analytics, and product operation. Some of these are necessary for Polka Codes to work.

Where required by law, we will ask for consent before using optional cookies or similar technologies.

4. How we use information

We use personal information to:

  • create, authenticate, and manage user accounts;
  • connect to GitHub and provide repository-aware AI coding workflows;
  • process prompts, repository context, files, logs, images, and generated outputs;
  • maintain chat, workspace, memory, and workflow continuity;
  • run tools, sandboxes, and supporting infrastructure;
  • manage quotas, plans, billing, invoices, and feature access;
  • provide support and respond to user requests;
  • troubleshoot bugs, monitor performance, and improve reliability;
  • understand product health, usage patterns, billing costs, and failure patterns;
  • secure Polka Codes, detect misuse, prevent abuse, and enforce our terms;
  • comply with legal, tax, accounting, security, and dispute-resolution obligations.

Some information is required to provide the service. If you do not provide required information, revoke required GitHub permissions, uninstall the GitHub App, or disconnect a repository, some or all Polka Codes features may not work.

Where practical, we use aggregated, de-identified, or limited diagnostic information for analytics, reliability, and product improvement.

5. Repository content and AI processing

Polka Codes is designed to provide repository-aware AI coding workflows. If you approve a repository or provide code, prompts, files, logs, screenshots, or images, that content may be processed by Polka Codes, AI model providers, gateway services, sandboxes, and supporting infrastructure so the app can answer questions, generate plans, inspect errors, propose code, run workflows, and produce outputs.

Depending on the GitHub permissions you grant and the workflow you run, Polka Codes may access repository metadata and repository content from approved repositories. We aim to access and send only the information reasonably needed for the relevant feature or workflow.

Uploaded images are stored under your account and are served only to your authenticated account while they remain in Polka Codes. If you use an uploaded image in an AI workflow, the image may be sent to AI model providers and supporting infrastructure for that workflow.

You should not submit secrets, credentials, private keys, access tokens, regulated personal information, or confidential material unless you are authorised to do so and are comfortable with it being processed by Polka Codes and the service providers needed to operate the app.

You are responsible for ensuring that you have the right to submit repository content, personal information, and other material to Polka Codes.

6. AI model training

For free usage, we may use customer content, prompts, code, repository context, files, logs, screenshots, images, outputs, usage data, and diagnostic data to analyse, evaluate, develop, improve, and train Polka Codes, including our models, systems, prompts, evaluation processes, workflows, safety systems, and product features.

For paid usage, we do not use paid workspace content to train AI models.

For paid usage, we may still use account data, billing data, usage data, diagnostic data, security records, aggregated data, and de-identified data to operate, secure, support, troubleshoot, measure, and improve Polka Codes.

We require our AI processing providers and routes not to use customer content submitted through Polka Codes for model training. We do not opt in to provider training, evaluation, or data-sharing programs for customer content.

AI model providers, routing services, and infrastructure providers may still process or temporarily retain information as needed to provide the service, operate infrastructure, maintain security, prevent abuse, debug failures, comply with law, or enforce their terms.

7. Service providers and subprocessors

We use service providers to operate, secure, support, and improve Polka Codes. These include:

  • GitHub, for authentication, repository access, repository permissions, installation management, and repository workflows;
  • Stripe, for billing, payments, subscriptions, invoices, tax, and payment support;
  • Cloudflare, for hosting, storage, Workers, Durable Objects, R2, D1, AI Gateway, analytics, security, and related infrastructure;
  • Sentry, for error monitoring, diagnostics, performance monitoring, and reliability work;
  • OpenRouter, for AI model routing and gateway functionality;
  • OpenAI, Anthropic, and Z.AI, for AI model processing and output generation;
  • email, support, sandbox, logging, monitoring, and security infrastructure used to operate Polka Codes.

We may update our service providers as Polka Codes develops. If we publish a separate subprocessor page, we will keep it reasonably current.

We do not sell personal information. We do not use customer content for third-party advertising. We do not share personal information for cross-context behavioural advertising.

Our team may access personal information and customer content only where reasonably necessary, such as to provide support, debug a problem, investigate abuse or security issues, comply with law, or maintain and improve Polka Codes.

8. Overseas processing

Polka Codes is operated from New Zealand, but our service providers may process, store, or access personal information outside New Zealand, including in the United States, Singapore, the European Union, and other locations where our providers operate.

Where we disclose personal information to an overseas recipient and New Zealand Privacy Act requirements apply, we take reasonable steps to satisfy ourselves that the recipient is required to protect the information in a way that, overall, provides safeguards comparable to the New Zealand Privacy Act. These steps may include provider terms, data processing agreements, contractual commitments, security reviews, access controls, and data minimisation.

Where an overseas disclosure requires your authorisation because comparable safeguards are not available, we will seek that authorisation after informing you that the overseas recipient may not be required to protect the information in a way that provides comparable safeguards to the New Zealand Privacy Act.

Where EU, UK, or other international transfer rules apply, we rely on appropriate transfer mechanisms where required, such as adequacy decisions, standard contractual clauses, international data transfer addenda, data processing terms, or other lawful safeguards.

9. Retention and deletion

We keep personal information for as long as reasonably needed to provide Polka Codes, maintain accounts and workspaces, meet legal, tax, accounting, and billing obligations, resolve disputes, enforce terms, prevent abuse, maintain security, and preserve backups or audit records.

Unless a longer period is required or justified:

  • active account and workspace information is kept while your account remains active;
  • after account deletion, customer content and workspace records are deleted or de-identified from active systems within 90 days where reasonably practicable;
  • diagnostic, analytics, security, and abuse-prevention logs are generally kept for up to 90 days;
  • backup copies are deleted or overwritten on our normal backup cycle, generally within 90 days;
  • GitHub tokens and installation records are kept while needed to provide connected repository features, unless you disconnect GitHub, uninstall the GitHub App, revoke access, or delete your account;
  • billing, tax, invoice, fraud-prevention, accounting, and dispute records may be kept for longer where required or permitted by law.

You may request access, correction, or deletion by contacting privacy@polka.codes or by using account deletion in settings where available.

If you delete your account, we will delete or de-identify personal information from active systems where reasonably practicable, subject to information we need to retain for legal, billing, security, abuse-prevention, dispute-handling, or backup integrity purposes.

Deletion from Polka Codes may not immediately delete information already processed by service providers, backups, logs, or AI model providers. Those records are handled under the relevant provider terms, retention settings, and legal obligations.

10. Security

We use technical and organisational safeguards designed to protect personal information, including authentication, access controls, least-privilege practices, hosted infrastructure security, logging, monitoring, separation of application data across relevant storage systems, and encryption where supported by our infrastructure.

No online service can guarantee absolute security. If you believe your account, repository content, or personal information has been exposed, contact privacy@polka.codes promptly.

If we become aware of a privacy breach that has caused or is likely to cause serious harm, we will notify affected individuals and the New Zealand Office of the Privacy Commissioner where required by law.

11. Your rights

Under New Zealand privacy law, you can ask us to confirm whether we hold personal information about you, request access to that information, and ask us to correct it if you think it is wrong, incomplete, or misleading.

Depending on where you live, you may also have rights to request deletion, portability, restriction of processing, objection to processing, withdrawal of consent, or review of certain automated decisions.

We may need to verify your identity before responding. We will respond within the timeframe required by applicable law, unless an extension or lawful refusal applies.

If we do not agree to make a requested correction, you may ask us to attach a statement of correction to the information.

If you are not satisfied with our response to a privacy concern, you can contact the New Zealand Office of the Privacy Commissioner or another privacy regulator that applies where you live.

12. Additional notice for EU and UK users

This section applies where EU or UK data protection law applies to our processing of your personal information.

Controller: XEN SOFTWARE CONSULTING LIMITED, trading as Polka Codes. Registered office: 21e Cradock Street, Avondale, Auckland, 1026, New Zealand Contact: privacy@polka.codes

Our legal bases may include:

  • contract necessity, where processing is needed to provide Polka Codes, manage your account, connect repositories, run workflows, provide support, and process billing;
  • legitimate interests, where processing is needed to secure, maintain, debug, improve, and protect Polka Codes, prevent abuse, understand product health, and enforce our terms;
  • legal obligations, where processing is needed for tax, accounting, legal, regulatory, security, or dispute-handling obligations;
  • consent, where we ask for consent for optional cookies, optional communications, or other optional processing.

You may have rights to access, correct, delete, restrict, object to, or port your personal data. You may also withdraw consent where processing is based on consent.

You may complain to your local data protection authority.

We do not make decisions based solely on automated processing that produce legal or similarly significant effects for you. AI outputs are generated as part of coding assistance workflows, but you remain responsible for reviewing and deciding whether to use those outputs.

13. Additional notice for California residents

This section applies where the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to our processing of personal information.

We collect the categories of personal information described in this Privacy Notice, including identifiers, account information, commercial and billing metadata, internet or network activity information, professional or employment-related information you submit through repositories or workspaces, inferences from usage needed for product operation, and any sensitive personal information you choose to submit.

We use that information for the purposes described in this Privacy Notice, including providing Polka Codes, authentication, repository-aware workflows, billing, support, diagnostics, security, abuse prevention, legal compliance, and product reliability.

We disclose personal information to service providers and processors for business purposes described in this Privacy Notice.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use sensitive personal information to infer characteristics about you.

California residents may have rights to know, access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.

You or your authorised agent can make a request by contacting privacy@polka.codes. We may need to verify your identity and, for authorised agents, proof of authority.

14. Children

Polka Codes is not directed to children. You must not use Polka Codes if you are below the minimum age required by the laws that apply to you or by our terms of service.

If we learn that we have collected personal information from a child without required consent, we will take reasonable steps to delete it.

15. Changes to this notice

We may update this Privacy Notice from time to time. If we make material changes, we will take reasonable steps to notify you, such as by posting the updated notice in Polka Codes, updating the effective date, or sending an account email.

Questions

Contact privacy@polka.codes for privacy questions. You can also review the Terms of Service.

© 2026 Polka Codes. All rights reserved.

Owned and operated by XEN SOFTWARE CONSULTING LIMITED, New Zealand.