Codex is a mobile application developed and operated by Marouane (the "developer"), an individual based in Garches, Île-de-France, France.
I am a solo developer. Under the EU General Data Protection Regulation (GDPR) and the French Loi Informatique et Libertés, I am the data controller for any personal data processed through Codex. I am personally responsible for how your data is handled.
This policy explains what data the Codex mobile application collects, how it is used, where it is stored, and what rights you have over it. It applies to the Codex Android and iOS apps. If Codex ever has a website that itself collects personal data, a separate policy will cover that website.
Using Codex without an account
You can use Codex without creating an account. In that mode:
Everything stays on your device. Your card reading progress, drafts, reflections, and preferences are stored only in local storage on your phone using Hive and platform secure storage.
No personal data is sent to my servers until you choose to create an account or make a purchase.
If you uninstall the app or clear its data, everything is gone. I cannot recover it because I never had it.
The only exception is purchases: if you upgrade to Codex Pro, Google Play or Apple's App Store processes the transaction. I do not see your payment details. I only receive a confirmation that a purchase was made, tied to a Google or Apple subscription identifier.
Using Codex with an account
If you create an account, the following data is collected and stored on my server:
Email address — used to identify your account and let you sign in.
Password — stored as a salted hash. I never see your actual password.
Display name (optional) — whatever you enter when signing up.
Your reflections — the text you write in response to card prompts. Stored so they sync across your devices.
Card progress — which cards you have read and applied.
Assessment results — your answers to the onboarding assessment, used to recommend decks.
Subscription status — whether you have an active Codex Pro subscription.
Account creation date and last sign-in date.
I do not collect: your phone number, your real name (unless you put it in your display name), your physical address, your contacts list, your geographic location, photos, microphone audio, camera access, health data, financial data, biometric data, or your browsing or app-usage data from outside Codex.
Where data is stored
Server-side data is hosted with SmarterASP.NET / Site4Now, on the account licane5-002. The server is located in their Amsterdam, Netherlands data center, which is within the European Union.
Because the server is in the EU, your data does not leave the European Economic Area in the course of normal operation. No third-country transfer disclosure under GDPR Articles 44–49 is required.
Local data on your device stays on your device and is never transferred.
What I use the data for
Your data is used only for the following purposes:
Running the app — authenticating you, syncing your reflections, recommending decks based on your assessment.
Subscriptions — verifying that you have an active Codex Pro subscription by checking receipts from Google Play or Apple's App Store.
Support — if you email me, I read your email to answer your question.
Legal compliance — if a court order or law requires disclosure, I will comply.
I do not sell your data, share it with advertisers, use it to train AI models, profile you for marketing, or send marketing emails. You will only receive transactional emails such as password resets and subscription receipts.
Third parties that touch your data
Codex contains no advertising SDKs, no analytics SDKs, and no crash reporting SDKs. The only third parties that may receive data are:
SmarterASP.NET / Site4Now — hosts the database and API server.
Google Play Billing — processes subscriptions on Android. Their privacy policy applies separately.
Apple App Store — processes subscriptions on iOS. Their privacy policy applies separately.
bookglimps.com — a static image host I operate personally, used to deliver deck cover artwork. Image requests reach this host with your IP address (standard for any HTTP request) but no other personal data is sent. Image access logs are kept for 30 days and then deleted.
No other third-party services or SDKs receive your personal data.
How long data is kept
Reflections and account data — kept as long as your account exists.
After you delete your account — all personal data is permanently deleted from the database within 30 days, except where the law requires retention (transaction records for tax purposes, kept for up to 10 years as required by French tax law, with personal identifiers stripped where possible).
Inactive accounts — if you do not sign in for 24 months, I send a notice email. If you do not respond within 30 days, the account is deleted.
Local data on your device — persists until you uninstall Codex or clear its data through your device settings.
Your rights
Under the GDPR, you have the right to:
Access your data — ask me what I hold about you.
Correct inaccurate data.
Delete your account and all associated data. You can request this from within the app (Settings → Delete account) or by emailing me. Deletion occurs within 30 days.
Export your data — receive a copy of your reflections and account information in a portable format (JSON).
Restrict or object to certain processing.
Withdraw consent at any time. The simplest way is to delete your account.
To exercise any of these rights, email licane.apps@gmail.com. I will respond within 30 days. I may ask you to confirm your identity (typically by emailing from the address registered to your account) before fulfilling sensitive requests.
Children
Codex is not directed at children under 15 (the age of digital consent in France under Article 8 of the GDPR as transposed by French law). I do not knowingly collect data from children under 15. If you believe a child has created an account, please email me and I will delete it.
Security
I take reasonable steps to protect your data:
Passwords are stored as salted hashes, never as plain text.
Connections between the app and the server use HTTPS (TLS encryption).
Database access is restricted to me as the sole developer.
Authentication tokens are stored on your device using platform-provided secure storage (Android Keystore / iOS Keychain).
I am a solo developer without a dedicated security team. I cannot guarantee absolute security. You use Codex at your own risk. If a data breach affecting your personal data occurs, I will notify both the CNIL and affected users within 72 hours of becoming aware of it, as required by GDPR Article 33.
Changes to this policy
If I change this policy, the "Last updated" date at the top will change. Material changes — for example, adding a new third party that receives your data — will be announced inside the app and by email if I have your email address. Continued use of Codex after a change means you accept the new policy.
For postal correspondence, please first email me to request a postal address — I will provide one suitable for receiving formal notices. The CNIL and other regulators can reach me by email; this is the preferred contact method.
Provided in good faith. Reflects the actual data practices of the Codex app as of the date above. I am a solo developer, not a lawyer.