Available to Pro subscribers.
This privacy policy allows you to learn about the way CodeSandbox B.V. (“CodeSandbox”) controls and processes data about you or data that may allow anyone with access, to identify you or anyone on your team with a CodeSandbox account as a natural person. Additionally, the types of data we collect and how we use, share and secure this data and how you can exercise your privacy rights are outlined.
The term privacy may typically be associated with privacy settings controlling visibility of user created content such as sandboxes. Although addressed, this meaning of privacy will only be secondary to the main purposes just described.
This policy is further intended to apply to anyone exposed to any CodeSandbox service. To further clarify the terms we are using and how we are thinking, please refer to the glossary at the end of this document.
Please reach out to us via our contact details below as soon as possible if you or anyone in your company using CodeSandbox feels uninformed, finds anything on our websites to be unfair, incompletely explained or surprising.
We want to be as open as possible about how we treat your personal data, how you should be able to access and control your data and how you can use our services. We will not sell, rent or lease your personal data to anyone, except in case we sell our business or part thereof to another company.
A few take-home points are good to keep in mind:
Personal data is collected via various sources on anyone exposed to any CodeSandbox service. Typically, users who create an account (as defined below) could provide more data. For examples, see the data types section below. You can limit or change the amount of personal data we process and store by limiting the data you provide to us in your account settings or by reaching out to us.
Processing of personal data may be deemed necessary or reasonable when we:
Amongst other examples mentioned throughout this document, we collect and use such data to:
Account basics. When you create an account, you are asked permission to authorize GitHub to share personal data with CodeSandbox. If available from GitHub, we collect and store: avatar, name, first name, last name, bio, email and username and -id. Please note that most of this information is already publicly available via GitHub's API.
Access Logs. Our servers keep log files, writing and storing personal data such as IP address and the type of browser you are using.
Cookies. CodeSandbox uses tracking, functional and analytical cookies because it enables many convenient features that may save you some time. We use tracking cookies to gather a unique view count of sandboxes and to match a sandbox to users without an account. We allow some of our service providers such as Google Analytics, Amplitude, and Algolia to store cookies on your device. We assume you know what cookies are and how to prevent third parties from installing cookies on your device. If not, your browser settings allow you to disable cookies and control acceptance levels. Please reach out to us via details below if you are in doubt or seek assistance in understanding and changing browser settings.
Tracking. We track user behavior and register events such as whether a user has created a template or interacted with an embed to measure the effectiveness of our work and to learn about user choices and preferences in order to improve the ways we present CodeSandbox. It can also be used to measure whether and when people return to our website, also known as user retention expressed in time.
Support. When you reach out to us via one of our support channels, we may opt to maintain records related to your request, including any data, information or content provided by you or anyone on your team for training purposes of our product and support team members. We might thus collect personal data such as your browser type and specific setup, disclosed in your emails. We shall not publish your name and email when you reach out to us. This is different when you post on a more public medium.
Marketing. We may use any combination of services in order to enhance what we know about you for the sole purpose of providing tips on how to use CodeSandbox, which can be opted out of at any point in time by reaching out to us or clicking the unsubscribe at the bottom of every email you may receive from us. For instance, we may have learned you have attempted to complete a certain action twice: When we have your email, we may send you an email via one of our service providers with related tips.
Financial. We use Stripe as a payment service provider and do not collect nor store credit card or other financial data in our databases. We do have access to Stripe's database for the purpose of complying with support requests and administration requirements, but no level of access exposes full credit card details. Only the last four digits can be read and are typically used for verification purposes during support interactions.
We use third party service providers to deliver to us what we have chosen not to develop ourselves. As many of them provide vital functions in the CodeSandbox infrastructure such as hosting or analytics, we refer to them as partners or sub-processors.
As a rule of thumb, all personal data we collect and share with our partners is pseudonymized or tokenized, unless we use that partner to communicate with you or your team, for which typically an email address has to be known to that partner. If a partner does not need to know an email address for example, we do not share. An additional exception for which we are likely to use e-mail addresses is when we want to attain more publicly available data on you or your team: We would have to send a partner at least one type of personal data unique enough to generate matching results about you or your teams' online identity.
A complicated aspect of being on the modern web is increasing entanglement: A unified and consistent user interface of a single website may – unbeknownst to its user – contain dozens of services from an equal amount of different companies, each with their own handling of data and privacy policies. As a data controller CodeSandbox is fully responsible for what it can control: The choice of its partners and the orders we send to them and to attain what we need to serve you and are in accordance with this policy.
As part of our checkout flow, our Stripe integration can be considered a clear example of how hard it can be to discern who is delivering what service to you. Intuitive design has to be obfuscating in this regard and can ignite distrust in some, pleasant surprise in others.
We have certain practices in place to ensure our partners adhere to legal standards and we typically interview new partners to get a sense of how they are treating user data. We have Data Processing Agreements in place with our partners and our sub-processors.
Syntax: (Company Name (“a.k.a.”), Location, Purpose, Link)
Your personal data may be transferred, stored and processed in the European Economic Area (“EEA”), United States (“US”) or any other country in which our service providers maintain facilities. By using our domains, you consent to any transfer, storing or processing of personal data outside of your country of residence and outside the EEA. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy.
We will not retain your personal data for a period longer than necessary to fulfill the purposes described in this policy, unless we have to keep it for legitimate tax, business or legal purposes.
You probably know that no company can ever guarantee 100% security in data transmission on the web and that breaches unfortunately can happen. We promise CodeSandbox is developed with the best security practices in mind. Here are some examples of how we are securing your personal data:
Our AI tools utilize the OpenAI API Service to fulfill chat requests and operate the core functionality of the AI assistant. If permissions are explicitly granted by team admins, CodeSandbox transmits the chat input, which may include personal information, to Open AI for processing. Please note that OpenAI retains the data sent via API for a limited period of time, in accordance with their data retention policy.
OpenAI takes appropriate security measures to protect your data and uses your data in accordance with its data usage policy. By using CodeSandbox AI tools, you acknowledge and agree that the app is subject to OpenAI's API Terms of Service and Privacy Policy, and you consent to the processing of your data by OpenAI. We are not responsible for any data handling practices or policies of OpenAI or any third-party services used by OpenAI.
For more information on how OpenAI processes and protects your data, please visit their Privacy Policy and Terms of Service.
Please know your rights by learning about the EU General Data Protection Regulation also more commonly known as GDPR or your local privacy laws and reach out to us for questions or concerns. Summarizing some of your key rights, you may:
Some of these rights may be executed with a click of a button from our website, insofar as they are not please reach out to us by the following means.
CodeSandbox B.V. in its role as data controller is a for profit company with its operational headquarters at Singel 542, 1017 AZ, Amsterdam, The Netherlands, available at +1 (650) 731-3185. To exercise any of the rights described above or in case of concerns, questions or inquiries, please email us at [email protected].
We promise to respond as soon as possible and in any case within fourteen (14) business days of your request. For account deletion or data dumps, please mention "privacy" anywhere in the subject header.
Our services are intended for anyone at any age who would like to experiment with and learn about design and code. However, if you are under the age of 16, please do not provide us with any personal information, have your parents or legal guardian reach out to us immediately with permission or questions. Please also be aware we have no ready access or instant knowledge of anyone’s age.
CodeSandbox operates globally and you may have different rights under your local laws. We shall strive toward complying with laws beyond where we are based. This policy is construed under Dutch law. All privacy related disputes shall be exclusively submitted to a competent court in The Netherlands.
For general concepts such as "personal data", "processor", “controller” and "pseudonymisation" we shall use the definitions given in GDPR Article 4. The following apply to CodeSandbox specifically:
Account. Anyone having signed in using their GitHub account has a CodeSandbox Account.
Embeds. An embed is (a part of) a website in a website. Anyone can choose to render (parts of) their sandbox(es) visible on other websites.
Sandbox. Anything a user creates in an environment using CodeSandbox and that is accessible by a unique URL.
Services. CodeSandbox is a productivity toolkit serving ready-made and customizable environments built by and for software developers, designers and those enthusiastic about software development. It enables people to create, adjust, test, inspect and share web applications or parts thereof in a web browser.
User. Anyone exposed to any CodeSandbox Service. We consider several types: those who view or interact with CodeSandbox embeds via other websites, visitors not signed in and users with a CodeSandbox account who are signed in.
Websites or Domains. codesandbox.io and *.csb.app or any of its user-facing subdomains.