(Wundercode · Privacy Policy) Effective · 26 May 2026 · v 2026.05
(02)Data & privacy · GDPR / UK-GDPR

Your data, briefly explained.

We collect very little and we don't sell anything to anyone. This page tells you exactly what we hold, why we hold it, how long we keep it, and what you can ask us to do with it. Written in plain English, then again in the GDPR's own language — so a Data Protection Officer can audit it without raising their eyebrows.

UK-GDPR · EU-GDPR compliant No cross-site tracking No data sales · ever 1-click unsubscribe
01 · Who is the controller

The data controller.

The legal entity responsible for your personal data ("the Controller" under Art. 4 (7) GDPR and Sched. 1 UK-GDPR) is:

Controller
Codaiq LTD trading as Wundercode°
Registered office
71–75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Email
hello@wundercode.studio
Phone
+971 58 560 60 84
DPO
We are not legally required to appoint a DPO under Art. 37 GDPR. Privacy queries are handled directly by the company directors at the email above.
02 · What we collect

Three short categories.

(a) Information you actively give us

Anything you type into a form or send us in an email or call. In practice this is:

  • Name & work email — when you book a discovery call, request the pricing PDF, subscribe to Wundercode Notes, or email us directly.
  • Company & brief — what you tell us about your project: company name, role, what you're building, target timeline and budget range.
  • Phone number — only if you choose to leave one for a call-back.

(b) Information collected automatically

When you visit the site, our servers and our analytics tool (Plausible, see section 04) automatically log:

  • Aggregate page-views — which URL was viewed, when, and from which referring site.
  • Truncated user agent — your browser family and OS family (e.g. "Safari · macOS"). Not your exact version string.
  • Hashed IP — your IP address is hashed with a daily-rotating salt and discarded within 24 hours. We never store raw IP addresses.
  • Coarse country — country only, derived from the IP at request time. Not the city, not the postcode.

This is all the analytics tool sees. No cross-site tracking, no fingerprinting, no third-party cookies, no shared identifiers. The data is anonymous in the sense the GDPR understands it.

(c) Information stored on your device

A small amount of state is kept on your device, not on our servers:

  • Cookie consent — your choice from the consent banner (essential / analytics / preferences).
  • Tweak panel state — only if you've enabled "Preferences" cookies. Remembers palette and motion settings between visits.

Details and exact names are in the Cookie Policy.

What we do not collect

No ad-tech identifiers. No social-media pixels (Meta, LinkedIn, TikTok, X). No cross-site cookies. No location beyond country. No sensitive categories under Art. 9 GDPR (health, biometric, political, etc.). No automated decision-making or profiling under Art. 22.

03 · Why & legal basis

What we do with it — and why we may.

Purpose Data used Legal basis Reference
Reply to your enquiry Name, email, message, optional phone Pre-contract Art. 6 (1)(b)
Book & run a discovery call Name, email, slot, brief context Pre-contract Art. 6 (1)(b)
Send the pricing PDF Email only Consent Art. 6 (1)(a)
Send Wundercode Notes newsletter Email, double opt-in confirmation, open/click events Consent Art. 6 (1)(a)
Run aggregate analytics Hashed IP, country, page URL, referrer Consent Art. 6 (1)(a)
Keep the site secure Request logs (15 min retention) Legitimate interest Art. 6 (1)(f)
Comply with the law Whatever a valid legal request specifies Legal obligation Art. 6 (1)(c)

You can withdraw your consent at any time — without affecting the lawfulness of processing before you withdrew it. See section 07.

04 · Who we share with

The very short supplier list.

We work with a small, carefully chosen set of processors (Art. 28 GDPR). Each is bound by a Data Processing Agreement. We do not sell or rent your data to anyone, ever.

Processor What for Where hosted Type
Plausible Analytics Cookieless, EU-hosted aggregate analytics. No personal identifiers. EU · Germany Analytics
Cal.com Discovery-call scheduling. Stores: name, email, slot, optional notes. EU · Germany Booking
Resend Transactional email (replies, PDF delivery, calendar invites). EU · Ireland Email
Buttondown Wundercode Notes newsletter. Email only, double opt-in. US · with SCCs Newsletter
Hetzner Cloud Web hosting and database. Site delivery, request logs (15 min). EU · Germany & Finland Hosting
Cloudflare DDoS protection and CDN. Sees aggregate request metadata. Global · with SCCs & UK IDTA CDN / security

We may disclose data when required by law — a valid court order, subpoena or regulatory request — but only the minimum necessary, and only after challenging overbroad demands where we reasonably can.

05 · International transfers

When data leaves the EU/UK.

Most of our processing happens inside the European Union or the United Kingdom. Two exceptions:

  • Buttondown (newsletter) is US-hosted. Transfers rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum. A Transfer Impact Assessment is on file.
  • Cloudflare may route traffic via its global edge. Same SCC / IDTA framework applies; Cloudflare is also certified under the EU-US Data Privacy Framework.

Note that the registered office of Codaiq LTD is in the United Kingdom. The UK is recognised by the European Commission as providing an adequate level of data protection (Decision (EU) 2021/1772). Transfers from the EU to the UK therefore do not require additional safeguards.

One of the directors is reachable by phone in the United Arab Emirates. The UAE is not currently the subject of a Commission adequacy decision; however, no personal data of website visitors is transferred to the UAE for processing — the UAE phone is a personal contact channel only.

06 · How long we keep it

Short, by default.

Data Retention After that Source
Enquiry emails & brief notes 24 months from last contact Deleted Mailbox
Discovery-call records 24 months from booking Deleted Cal.com
Newsletter subscriber records Until you unsubscribe + 6 months suppression Deleted Buttondown
Hashed IP & daily salt 24 hours rolling Discarded Plausible
Aggregate page-view stats 5 years (anonymous aggregate, GA-style historical) Deleted Plausible
Web-server & CDN request logs 15 minutes (security only) Rotated Hetzner / CF
Engagement contract data 10 years from last invoice Deleted Accounting

The 10-year retention for engagement contract data is set by UK tax legislation (Companies Act 2006 + HMRC record-keeping rules). Until that obligation lapses, the data is kept in a locked-down accounting archive — not used for any other purpose.

07 · Your rights

You can ask any of this.

Under Articles 15 to 22 GDPR (and the corresponding UK-GDPR provisions) you have the right to:

  1. Access — see a copy of the data we hold about you, in a readable format.
  2. Rectify — correct anything that's wrong.
  3. Erase — ask us to delete your data ("right to be forgotten"), subject to the legal-obligation exception in section 06.
  4. Restrict — pause processing while a query is open.
  5. Portability — receive your data in a machine-readable format and have it transferred elsewhere.
  6. Object — to processing based on legitimate interests, or to direct marketing (which we don't do, but the right stands).
  7. Withdraw consent — at any time, without giving reasons. Unsubscribing from Wundercode Notes is one click in every email we send.
  8. Avoid automated decisions — we don't make any. If we ever start, you'll have the right not to be subject to them.

To exercise any of these rights, email hello@wundercode.studio with the subject "Privacy request". We answer within one calendar month (extendable by two further months for complex requests, per Art. 12 (3) GDPR — we'll tell you if we need the extra time).

We don't charge for these requests unless they are manifestly unfounded or excessive, in which case the fee will be capped at our reasonable administrative cost.

08 · Cookies

The short version.

We use the smallest set of cookies that can reasonably make the site work. Three categories, two of which are opt-in:

  • Essential — your consent choice itself, and basic security. Always on.
  • Analytics — Plausible aggregate stats. Opt-in via the banner.
  • Preferences — remembers your tweak-panel settings. Opt-in via the banner.

Full names, retention and opt-out details: Cookie Policy. You can change your choice any time by clicking the small "Cookies" button at the bottom-left of every page.

09 · Security

What we do to keep it safe.

We apply Art. 32 GDPR "appropriate technical and organisational measures" — sized to a small studio:

  • TLS 1.3 everywhere, HSTS preload, no plain-HTTP fallbacks.
  • At-rest encryption on the database and the mailbox archive.
  • Two-factor authentication on every administrative account, hardware-key where supported.
  • Least-privilege access — only the directors hold production access; engineers ship via review-protected pipelines.
  • Quarterly dependency audits with automated CVE alerts in between.
  • Backup daily to a separate region, encrypted with a different key class.

If we ever experience a personal-data breach of the kind that triggers Art. 33 / 34 GDPR, we will notify the relevant supervisory authority within 72 hours and notify affected data subjects without undue delay.

10 · Children

This site is not for under-16s.

Our services are intended for businesses and the people who buy them, which in practice means adults. We do not knowingly collect personal data from anyone under the age of sixteen (16). If you believe a minor has provided us with personal data, please email us and we will delete it immediately.

11 · Changes to this policy

How we version this page.

We may update this policy from time to time. Significant changes will be notified by:

  • Bumping the version date at the top and bottom of this page.
  • Posting a short note to Wundercode Notes subscribers, if the change materially affects their data.
  • Re-prompting the consent banner if cookie categories change.

Old versions of this policy are kept on file and available on request to hello@wundercode.studio.

12 · Contact & complaints

If you'd like to talk to a regulator.

If you believe we're processing your data unlawfully, please email hello@wundercode.studio first — most things can be sorted in a single reply. You also have the right to lodge a complaint with a supervisory authority at any time, in particular:

UK
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow SK9 5AF · ico.org.uk
EU · Berlin
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin · datenschutz-berlin.de
EU · home authority
The supervisory authority of the EU member state in which you reside is also competent.

Effective: 26 May 2026 · Version: 2026.05 · Controller: Codaiq LTD