This version 0.90 has been last updated April 16, 2020 (list of revisions).
The term privacy may typically be associated with privacy settings controlling visibility of user created content such as sandboxes. Although addressed, this meaning of privacy will only be secondary to the main purposes just described.
This policy is further intended to apply to anyone exposed to any CodeSandbox service. To further clarify the terms we are using and how we are thinking, please refer to the glossary at the end of this document.
Please reach out to us via our contact details below as soon as possible if you or anyone in your company using CodeSandbox feels uninformed, finds anything on our websites to be unfair, incompletely explained or surprising.
We want to be as open as possible about how we treat your personal data, how you should be able to access and control your data and how you can use our services. We will not sell, rent or lease your personal data to anyone, except in case we sell our business or part thereof to another company.
A few take-home points are good to keep in mind:
- Anything you create using our services is public by default unless you opt to go private;
- We collect the minimum amount of personal data necessary to provide our services, unless you chose to provide more voluntarily;
- We make use of analytical tools on our websites and services to learn whether users are using specific features we release, such as the Template Universe or Netlify deploy option and to improve what we are building by way of placing tracking cookies;
- We may promote our services to inform you via email about new releases, community activities or for events that may ultimately affect your day-to-day use of our services;
- We may enrich your (personal) data with publicly accessible data;
- We are operationally based in The Netherlands and therefore you are dealing with applicable Dutch and/or EU law.
Personal data is collected via various sources on anyone exposed to any CodeSandbox service. Typically, users who create an account (as defined below) could provide more data. For examples, see the data types section below. You can limit or change the amount of personal data we process and store by limiting the data you provide to us in your account settings or by reaching out to us.
Processing of personal data may be deemed necessary or reasonable when we:
- Want to act in our legitimate interest as long as it does not override your fundamental rights and interests. An example of legitimate interest may be us conducting common business operations such as sending you promotional material via email when you have paid for our services.
- Have to perform our agreement in delivering the service described in this privacy document and in more detail in our terms of service;
- Have to comply with legal obligations.
- Have your explicit consent to process personal data.
Amongst other examples mentioned throughout this document, we collect and use such data to:
- Create your account and to provide you with our services;
- Process transactions and sending invoices;
- Contact you with requested support;
- Send you documentation, educational material related to our services;
- Notify you of major upcoming product or legal policy changes;
- Improve, research and develop new features as part of the services you may be using;
- Invite you to participate in surveys, where necessary subject to your consent;
- Prevent misuse of or stop other illegal activities from being conducted through our services.
Account basics. When you create an account, you are asked permission to authorize GitHub to share personal data with CodeSandbox. If available from GitHub, we collect and store: avatar, name, first name, last name, bio, email and username and -id. Please note that most of this information is already publicly available via GitHub's API.
Access Logs. Our servers keep log files, writing and storing personal data such as IP address and the type of browser you are using.
Cookies. CodeSandbox uses tracking, functional and analytical cookies because it enables many convenient features that may save you some time. We use tracking cookies to gather a unique view count of sandboxes and to match a sandbox to users without an account. We allow some of our service providers such as Google Analytics, Amplitude, Algolia and Vero to store cookies on your device. We assume you know what cookies are and how to prevent third parties from installing cookies on your device. If not, your browser settings allow you to disable cookies and control acceptance levels. Please reach out to us via details below if you are in doubt or seek assistance in understanding and changing browser settings.
Tracking. We track user behavior and register events such as whether a user has created a template or interacted with an embed to measure the effectiveness of our work and to learn about user choices and preferences in order to improve the ways we present CodeSandbox. It can also be used to measure whether and when people return to our website, also known as user retention expressed in time.
Support. When you reach out to us via one of our support channels, we may opt to maintain records related to your request, including any data, information or content provided by you or anyone on your team for training purposes of our product and support team members. We might thus collect personal data such as your browser type and specific setup, disclosed in your emails. We shall not publish your name and email when you reach out to us. This is different when you post on a more public medium.
Marketing. We may use any combination of services in order to enhance what we know about you for the sole purpose of providing tips on how to use CodeSandbox, which can be opted out of at any point in time by reaching out to us or clicking the unsubscribe at the bottom of every email you may receive from us. For instance, we may have learned you have attempted to complete a certain action twice: When we have your email, we may send you an email via one of our service providers with related tips.
Financial. We use Stripe as a payment service provider and do not collect nor store credit card or other financial data in our databases. We do have access to Stripe's database for the purpose of complying with support requests and administration requirements, but no level of access exposes full credit card details. Only the last four digits can be read and are typically used for verification purposes during support interactions.
We use third party service providers to deliver to us what we have chosen not to develop ourselves. As many of them provide vital functions in the CodeSandbox infrastructure such as hosting or analytics, we refer to them as partners or sub-processors.
As a rule of thumb, all personal data we collect and share with our partners is pseudonymized or tokenized, unless we use that partner to communicate with you or your team, for which typically an email address has to be known to that partner. If a partner does not need to know an email address for example, we do not share. An additional exception for which we are likely to use e-mail addresses is when we want to attain more publicly available data on you or your team: We would have to send a partner at least one type of personal data unique enough to generate matching results about you or your teams' online identity.
A complicated aspect of being on the modern web is increasing entanglement: A unified and consistent user interface of a single website may – unbeknownst to its user – contain dozens of services from an equal amount of different companies, each with their own handling of data and privacy policies. As a data controller CodeSandbox is fully responsible for what it can control: The choice of its partners and the orders we send to them and to attain what we need to serve you and are in accordance with this policy.
As part of our checkout flow, our Stripe integration can be considered a clear example of how hard it can be to discern who is delivering what service to you. Intuitive design has to be obfuscating in this regard and can ignite distrust in some, pleasant surprise in others.
We have certain practices in place to ensure our partners adhere to legal standards and we typically interview new partners to get a sense of how they are treating user data. We have Data Processing Agreements in place with our partners and our sub-processors.
Syntax: (Company Name (“a.k.a.”), Location, Purpose, Link)
- Amplitude, Inc. United States. Data Analysis. https://amplitude.com/blog/one-year-after-gdpr-amplitude-and-user-privacy;
- Amazon, Inc., AWS EMEA SARL. United States & European Union. Hosting services. https://aws.amazon.com/compliance/gdpr-center/;
- Cloudflare, Inc. United States & European Union. Routing, securing and caching web traffic. https://www.cloudflare.com/privacypolicy/;
- Google Ireland Limited (“Google Cloud Platform”). United States & European Union. Hosting services. https://policies.google.com/privacy;
- Google LLC, Google Ireland Limited or affiliate (“Google Analytics”). Data Analysis. https://support.google.com/analytics/answer/9019185?hl=en;
- Hetzner Online GmbH Gunzenhausen. Germany. Hosting services. https://wiki.hetzner.de/index.php/Datenschutz-FAQ/en;
- Invc.me, Inc. (“Vero”). United States. Behavior based email campaigns. https://www.getvero.com/gdpr/;
- Mailgun, Inc. United States. Email Service Provider. https://www.mailgun.com/gdpr/
- Stripe Payments Europe, Ltd. European Union. Payment Service Provider. https://stripe.com/privacy-center/legal;
- The Rocket Science Group LLC (“Mailchimp”). United States. Email Service Provider. https://mailchimp.com/gdpr/.
Your personal data may be transferred, stored and processed in the European Economic Area (“EEA”), United States (“US”) or any other country in which our service providers maintain facilities. By using our domains, you consent to any transfer, storing or processing of personal data outside of your country of residence and outside the EEA. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy.
We will not retain your personal data for a period longer than necessary to fulfill the purposes described in this policy, unless we have to keep it for legitimate tax, business or legal purposes.
You probably know that no company can ever guarantee 100% security in data transmission on the web and that breaches unfortunately can happen. We promise CodeSandbox is developed with the best security practices in mind. Here are some examples of how we are securing your personal data:
- We use third parties to test the security of our services from time to time;
- CodeSandbox team members have access to user information only to the extent where it is appropriate to their tasks and/or roles and on a need-to-know basis;
- We obtain certifications to test our practices against public or industry standards;
- When we receive reports of abuse, data breaches pertaining to the integrity of our users or our own, investigation immediately follows upon learning about it and reasonable action is taken as swiftly as possible in accordance with applicable privacy laws.
Please know your rights by learning about the EU General Data Protection Regulation also more commonly known as GDPR or your local privacy laws and reach out to us for questions or concerns. Summarizing some of your key rights, you may:
- This policy is part of your right to be informed before you create an account or use our services. You have access to your personal data we process and a right to know for what purposes;
- Where you have given us consent to process personal data, you may withdraw your choice for us to stop doing so at any time. Please be aware that this has an impact on your day-to-day use and functionality of our services;
- Under particular circumstances you may restrict processing, such as direct marketing and/or on the basis of legitimate interests following GDPR Article 6 sub 1 (f);
- Rectify any personal data that may be inaccurate or incomplete and request us to erase your account, including personal data we and any of our partners have collected;
- The personal data collected by us and requested by you should be delivered to you in a common, portable and machine-readable format;
- Objections can be made for example by filing a complaint with your local privacy authority. For the Netherlands this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). For other countries in the EEA, please refer to: https://edpb.europa.eu/about-edpb/board/members_en.
- You have the right not to be subject to a decision based solely on automated processing, including profiling, which adversely affects your legal rights or substantially impairs you in a similar manner.
Some of these rights may be executed with a click of a button from our website, insofar as they are not please reach out to us by the following means.
CodeSandbox B.V. in its role as data controller is a for profit company with its operational headquarters at Singel 542, 1017 AZ, Amsterdam, The Netherlands, available at +1 (650) 731-3185. To exercise any of the rights described above or in case of concerns, questions or inquiries, please email us at [email protected].
We promise to respond as soon as possible and in any case within fourteen (14) business days of your request. For account deletion or data dumps, please mention "privacy" anywhere in the subject header.
Our services are intended for anyone at any age who would like to experiment with and learn about design and code. However, if you are under the age of 16, please do not provide us with any personal information, have your parents or legal guardian reach out to us immediately with permission or questions. Please also be aware we have no ready access or instant knowledge of anyone’s age.
CodeSandbox operates globally and you may have different rights under your local laws. We shall strive toward complying with laws beyond where we are based. This policy is construed under Dutch law. All privacy related disputes shall be exclusively submitted to a competent court in The Netherlands.
For general concepts such as "personal data", "processor", “controller” and "pseudonymisation" we shall use the definitions given in GDPR Article 4. The following apply to CodeSandbox specifically:
Account. Anyone having signed in using their GitHub account has a CodeSandbox Account.
Embeds. An embed is (a part of) a website in a website. Anyone can choose to render (parts of) their sandbox(es) visible on other websites.
Sandbox. Anything a user creates in an environment using CodeSandbox and that is accessible by a unique URL.
Services. CodeSandbox is a productivity toolkit serving ready-made and customizable environments built by and for software developers, designers and those enthusiastic about software development. It enables people to create, adjust, test, inspect and share web applications or parts thereof in a web browser.
User. Anyone exposed to any CodeSandbox Service. We consider several types: those who view or interact with CodeSandbox embeds via other websites, visitors not signed in and users with a CodeSandbox account who are signed in.