At a glance
This Privacy Policy explains what Personal Data AI Code that Works, LLC ("AI Code that Works," "we," "us," or "our") collects through https://aicodethatworks.com (the "Site"), how we use it, who we share it with, and the rights you have over it. We aim for plain English; defined terms are introduced where they matter.
- We collect Personal Data you give us when you fill out a form (name, email, optional product-interest selections, optional free-text), and limited technical data set by analytics and error-monitoring cookies (subject to your consent).
- We use it to respond to you, send product updates you opt into, improve the Site, and run security and fraud-prevention controls.
- We share it with the named third-party Processors listed below — Supabase (database + auth), Vercel (hosting), GoHighLevel (CRM + email delivery), PostHog (product analytics), Sentry (error monitoring), and Google (Google Tag Manager + GA4 + future Meta Pixel and Google Ads when enabled).
- We do not sell Personal Data. We do not engage in cross-context behavioral advertising.
- You have rights under the GDPR, UK GDPR, and CCPA/CPRA. Exercise them by emailing alex@aicodethatworks.com.
Defined terms
The following capitalized terms have the meanings set out here:
- "Site" — the website at https://aicodethatworks.com.
- "Service" — the Site and any associated forms, content, and communications described in this Policy.
- "User" / "you" — any natural person who visits the Site, submits a form, or otherwise interacts with the Service.
- "Personal Data" — any information that identifies you, relates to you, or could reasonably be linked to you, as that term is defined under the EU/UK GDPR and the California Consumer Privacy Act (as amended by the CPRA) ("CCPA").
- "Processing" — any operation performed on Personal Data (collection, storage, use, disclosure, deletion), as defined under GDPR Article 4(2).
- "Controller" — the entity that determines the purposes and means of Processing. For Personal Data collected through the Service, AI Code that Works is the Controller.
- "Processor" — a third-party service provider that Processes Personal Data on the Controller's behalf under a Data Processing Agreement.
Who we are (Controller identity)
The Controller of your Personal Data collected through the Service is AI Code that Works, LLC, a limited liability company organized under the laws of Texas, United States.
Contact for any privacy-related question, rights request, or complaint: alex@aicodethatworks.com. We do not currently maintain a separate EU representative or UK representative; if you reside in the EEA or the UK and prefer to contact a representative in your jurisdiction, please email us at the address above and we will route your request.
What Personal Data we collect
We collect the following categories of Personal Data through the Service:
- Information you give us through a form. Every form on the Site is wired to a single canonical Server Action (`submitLead`) that stores the submission in our `leads` database table. The fields collected vary by form (newsletter signup, Starter Harness download request, free course enrollment, lab/cohort interest) but draw from a single typed schema: required — email address; optional — first name, last name, phone number, company, role, and free-text describing your build goal or use case.
- Provenance metadata captured with each form submission. We attach to each `leads` row the page slug you submitted from and the call-to-action tag of the specific form. We also record three consent-related fields derived from the form itself, not from the cookie banner: `consent_marketing` (a boolean reflecting the opt-in promise of the specific form's copy — e.g. a newsletter form sets it to true because submitting the form is the disclosed opt-in action, a data-request form sets it to false because the form isn't a marketing opt-in), `consent_analytics` (defaults to false; not propagated from your cookie-banner choice today), and `consent_at` (the timestamp of the form submission). The database schema also reserves columns for URL UTM parameters (`utm_source`, `utm_medium`, `utm_campaign`, `utm_term`, `utm_content`), the HTTP `Referer` header, and a `consent_ip` IP address — but the marketing-site forms in use today do not populate any of those, so those columns are null on every row written today. The IP address that submitted the form is read transiently for per-IP rate limiting only (capped at approximately 10 requests per minute per IP) and is not written to the lead record. If we begin populating those fields (for example, to forward attribution data to our CRM or to support cookie-banner audit trails under future GDPR enforcement guidance), this Policy will be updated.
- Technical / device data set by analytics and error-monitoring tools, gated by your cookie-banner choice. When you grant analytics consent, PostHog (product analytics) opts in and begins capturing aggregate usage events (pages viewed, referrer, browser and OS metadata, viewport dimensions, and a pseudonymous device identifier) with cookies named `ph_*`. The PostHog SDK initializes in opt-out mode (`opt_out_capturing_by_default: true`) and only opts in after consent; withdrawing consent re-asserts opt-out and resets the SDK's local identity. When you grant analytics consent, Sentry (error monitoring) also begins session-mode session replay (no session-mode replays are captured before consent — the SDK initializes with `replaysSessionSampleRate: 0` and the `<SentryReplayConsentGate>` only calls `start()` after consent is granted). Regardless of analytics consent, Sentry captures error breadcrumbs (the list of UI actions that preceded a crash), browser metadata, and a short rolling buffer (~15-30 seconds) that is flushed to Sentry only when an error occurs — the Sentry SDK's default PII masking (`maskAllText`, `maskAllInputs`, `blockAllMedia`) keeps the error buffer free of identifiers, which is the basis for our legitimate-interest reliance for debugging. We opt every Sentry scope — client-side, server-side, and edge-runtime — out of automatic IP capture by setting `ip_address: null`: the client-side scope is opted out on every page mount via our observability seam, and the server-side and edge-runtime scopes apply a `beforeSend` hook that strips `event.user.ip_address` along with the common IP-bearing request headers (`X-Forwarded-For`, `X-Real-IP`, `True-Client-IP`, `CF-Connecting-IP`) from every event before it leaves the runtime.
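The server-side and edge-runtime `beforeSend` scrubbing described above, written out as an added example that is not the site's own code. It takes the event object shape Sentry hands to `beforeSend` (`event.user.ip_address`, `event.request.headers`) and returns the event with the IP address nulled and the four named headers removed, matching on header name case-insensitively; the sample event is constructed here, and the function name `scrubIpFromEvent` is an assumption. The `eventLeaksIp` helper is the check a practitioner would run against a scrubbed event to confirm the address no longer appears anywhere in the serialized payload.

```javascript
// Added example: a beforeSend-style scrubber that strips IP-bearing fields
// from a Sentry event before it leaves the runtime. Not the site's own code.

// Header names the page lists as IP-bearing; compared case-insensitively.
const IP_HEADERS = new Set([
  "x-forwarded-for",
  "x-real-ip",
  "true-client-ip",
  "cf-connecting-ip",
]);

// Returns the event with IP data removed. Intended to be passed as the
// `beforeSend` option of Sentry.init({ beforeSend: scrubIpFromEvent }).
function scrubIpFromEvent(event) {
  if (!event || typeof event !== "object") return event;

  // Set ip_address to null rather than deleting the key, so the SDK does not
  // fall back to inferring the address from the connection.
  event.user = { ...(event.user || {}), ip_address: null };

  if (event.request && event.request.headers) {
    const cleaned = {};
    for (const [name, value] of Object.entries(event.request.headers)) {
      if (!IP_HEADERS.has(name.toLowerCase())) cleaned[name] = value;
    }
    event.request.headers = cleaned;
  }
  return event;
}

// Verification helper: does the serialized event still contain a given IP?
function eventLeaksIp(event, ip) {
  return JSON.stringify(event).includes(ip);
}

// Constructed sample event, shaped like what the SDK passes to beforeSend.
const sampleEvent = {
  message: "TypeError: Cannot read properties of undefined",
  user: { id: "u-123", ip_address: "203.0.113.7" },
  request: {
    url: "https://example.invalid/lead",
    headers: {
      "X-Forwarded-For": "203.0.113.7, 198.51.100.2",
      "User-Agent": "Mozilla/5.0",
      "cf-connecting-ip": "203.0.113.7",
    },
  },
};

// Stand-alone run: scrub a deep copy and report whether the address survived.
const scrubbed = scrubIpFromEvent(JSON.parse(JSON.stringify(sampleEvent)));
console.log("leaks IP after scrub:", eventLeaksIp(scrubbed, "203.0.113.7"));
```

The scrubber keeps non-IP headers such as `User-Agent` and the user's own `id`, so the event stays useful for debugging while the address and forwarding chain are gone. Because `beforeSend` runs on every event, the same function covers both the server-side and edge-runtime scopes.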
- GTM-relayed tag data (subject to your consent). When you grant analytics consent, our Google Tag Manager container (GTM-WR9T9R8J) loads Google Analytics 4 cookies (`_ga`, `_gid`, and other `_ga_*` measurement-ID cookies). When you grant marketing consent in the future, we may additionally load Meta Pixel cookies (`_fbp`, `fr`) and Google Ads conversion cookies (`_gcl_*`) — neither is currently active.
- Network metadata captured by our hosting provider, Vercel, including your IP address, request URL, HTTP method, response status, and timestamp, retained for security, abuse prevention, and operational logging.
- Information you send us by email. If you email us at the address above, we collect your email address, your name (if you provide it), the subject line, and the body of the email.
Categories of Personal Information collected (CCPA/CPRA notice)
For California residents, the following categories of Personal Information from CCPA Section 1798.140 are collected through the Service:
- Identifiers — name, email address, phone number (where provided), IP address.
- Customer record information (Cal. Civ. Code § 1798.80(e)) — name, email, phone, company name.
- Commercial information — programs or content (free course, Starter Harness, lab/cohort) you express interest in.
- Internet or other electronic network activity — pages visited, referrer URL, browser/OS metadata, viewport dimensions, and a pseudonymous device identifier (all captured by PostHog when analytics consent is granted, mirroring the analytics-capture list in § What Personal Data we collect above). The marketing-site forms today do not forward URL UTM parameters or the HTTP `Referer` header to your `leads` row, so those database columns remain null on every row written.
- Geolocation data — country/region inferred from IP. We do NOT collect precise (city-block-level) geolocation.
- Inferences drawn from the above — none currently used to build a consumer profile reflecting preferences or characteristics.
- Sensitive Personal Information (CPRA) — none collected.
We do not knowingly collect Personal Information about minors under 16. See the Children's Privacy section below.
How we use Personal Data (purposes + legal bases)
We Process Personal Data only for the specific purposes set out below, and only on the GDPR legal basis named for each. We rely on the equivalent basis under the UK GDPR for UK residents.
- To respond to your form submission, deliver the lead magnet (Starter Harness, course access, etc.) you requested, send the newsletter or program update you opted into, and route the lead to our CRM (GoHighLevel) for follow-up. Legal basis: performance of pre-contractual steps at your request (GDPR Article 6(1)(b)) and, for opt-in marketing communications, your consent (GDPR Article 6(1)(a)).
- To send you newsletter, educational content, and program announcements about AI Code that Works (the free course, the Starter Harness, the paid lab/cohort program, and related education offerings). We send marketing email only when you have opted in via a form or via reply-to-our-emails confirmation. Legal basis: your consent (GDPR Article 6(1)(a)); you can withdraw consent at any time by clicking the unsubscribe link in any email or emailing us.
- To operate and improve the Site through aggregated analytics. Legal basis: your consent (analytics category, GDPR Article 6(1)(a)) where required, or our legitimate interests in understanding which pages and content perform (GDPR Article 6(1)(f)) where consent is not required.
- To monitor for errors, debug, and maintain the security and integrity of the Site. Legal basis: our legitimate interests in keeping the Site secure and functional (GDPR Article 6(1)(f)).
- To prevent abuse and enforce our Terms of Service. We use rate-limiting (capped at approximately 10 form submissions per IP address per minute) and may temporarily block IP addresses that exceed the threshold. Legal basis: our legitimate interests in fraud and abuse prevention (GDPR Article 6(1)(f)).
- To comply with our legal, regulatory, and tax obligations, and to establish, exercise, or defend legal claims. Legal basis: compliance with a legal obligation (GDPR Article 6(1)(c)) and our legitimate interests in defending claims (GDPR Article 6(1)(f)).
Where our basis is legitimate interests, we have carried out a balancing test and concluded that our interests are not overridden by your interests, fundamental rights, or freedoms. You may object to legitimate-interests Processing on grounds relating to your particular situation by emailing us at the address above.
We do not engage in automated decision-making that produces legal or similarly significant effects on you, including profiling under GDPR Article 22.
Who we share Personal Data with (Processors and recipients)
We share Personal Data only with the third-party Processors listed below, and only to the extent each one needs to perform a function on our behalf. We have entered into Data Processing Agreements with each Processor, or rely on the Processor's published standard data-processing terms incorporating the EU Standard Contractual Clauses (which take effect when we accept the provider's terms of service); operator-side execution of each provider's DPA is tracked in GitHub Issue #473. Each Processor is itself the Controller of the limited operational metadata it must retain to run its service:
- Supabase, Inc. (United States) — database and authentication. Stores `leads` records, consent state, and audit/usage event ledgers. Privacy notice: https://supabase.com/privacy.
- Vercel Inc. (United States) — hosting and edge runtime. Receives every HTTP request to the Site, including IP address and request metadata. Privacy notice: https://vercel.com/legal/privacy-policy.
- GoHighLevel (LeadConnector LLC, United States) — CRM, email delivery, and lead workflow automation. Receives `leads` records after submission for follow-up email communications. Privacy notice: https://www.gohighlevel.com/privacy-policy.
- PostHog Inc. (United States, with EU cloud option) — product analytics. Receives pseudonymous page-view and page-leave events. Session replay is NOT enabled in our PostHog configuration today; if we enable it in the future, this Policy will be updated. Privacy notice: https://posthog.com/privacy.
- Functional Software, Inc. dba Sentry (United States) — error monitoring and session replay. Receives error stack traces, breadcrumbs, and session replays. Session-mode replay fires only after you grant analytics consent (via `<SentryReplayConsentGate>`). A short rolling buffer is maintained regardless of consent and flushed to Sentry only when an error occurs; it relies on the Sentry SDK's default PII masking to remain free of identifiers. Privacy notice: https://sentry.io/privacy.
- Google LLC (United States) — Google Tag Manager (the tag-relay container we run at `GTM-WR9T9R8J`), Google Analytics 4 (when analytics consent is granted), and, in the future, Google Ads (when marketing consent is granted). Privacy notice: https://policies.google.com/privacy.
Affiliated brand — RevAStack. AI Code that Works and RevAStack are sibling brands of the same legal entity, AI Code that Works, LLC. If you opt into our newsletter or download a lead magnet, your contact details are processed by our shared GoHighLevel CRM and may be visible to operators of both brands for coordinated marketing. We do NOT sell your data to any third party; the cross-brand visibility is internal to one legal entity and one CRM workspace.
We do not sell Personal Data within the meaning of the CCPA, the CPRA, or any other US state privacy law that recognizes a right to opt out of sale. We do not share Personal Data for cross-context behavioral advertising. We will update this Policy and provide a conspicuous opt-out mechanism before that changes.
Beyond Processors, we may disclose Personal Data: (i) in response to a subpoena, court order, or other valid legal process, (ii) to law enforcement or governmental authorities to comply with applicable law, (iii) to protect our rights, property, or safety, or those of our users or the public, and (iv) in connection with the sale or merger of our business, in which case we will give you notice and an opportunity to object where required by law.
International data transfers
All of our Processors named above operate primarily from the United States. When we transfer Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that the European Commission has not deemed to provide adequate protection, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (Module 1: Controller-to-Controller; Module 2: Controller-to-Processor) (Commission Implementing Decision (EU) 2021/914), incorporated into our agreements with each Processor.
- The UK Addendum to the EU SCCs (issued by the ICO) for transfers from the UK.
- Where applicable, the EU-US Data Privacy Framework (DPF) or its UK Extension, for Processors that have self-certified under the DPF.
- Supplementary technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization) where the transfer risk assessment recommends them.
You may request a copy of the relevant safeguards by emailing us at the address above. Please note that copies of executed agreements with third parties may be redacted to protect commercially sensitive terms.
How long we keep Personal Data
We keep Personal Data only as long as we need it for the purpose it was collected, or as long as required by law. Our default retention periods are:
- Lead-capture records (the `leads` table) — 24 months from the date of your last interaction with us (form submission, email reply, or other inbound engagement), after which we delete or anonymize the record. We may retain a suppression-list entry (your email address tagged 'do not contact') indefinitely to honor opt-out requests.
- Analytics events (PostHog, GA4) — 14 months from event capture. After 14 months, individual events are deleted; aggregated, non-identifying summaries may be retained indefinitely for trend analysis.
- Sentry error events and breadcrumbs — 30 days from capture, after which they are deleted by Sentry's retention policy.
- Session replays — 30 days from capture; we apply field-level masking by default so most replays do not contain identifying input.
- Audit and usage-event ledgers (Supabase `audit_events` and `usage_events`) — 7 years, to support security investigations, billing reconciliation, and statutory record-keeping obligations.
- Email correspondence with us — for the duration of our ongoing relationship plus up to 7 years thereafter, for tax, accounting, and dispute-resolution purposes.
- Backups and disaster-recovery snapshots — up to 35 days after the source record is deleted, after which the backup retention window closes.
Where we are required by law to retain certain records (for example, tax records or records related to an active legal claim), we will keep them for the statutory period and apply the shortest retention period above only after the statutory period expires.
Your rights
Depending on where you live and the law that applies to you, you have one or more of the following rights over your Personal Data.
GDPR / UK GDPR rights (EEA, UK, and Swiss residents):
- Right of access (Article 15) — a copy of the Personal Data we hold about you, together with information about the Processing.
- Right to rectification (Article 16) — correction of inaccurate or incomplete Personal Data.
- Right to erasure / 'right to be forgotten' (Article 17) — deletion of Personal Data where one of the listed grounds applies, subject to limited exceptions.
- Right to restriction of Processing (Article 18) — pause our Processing while you contest accuracy, object to Processing, or need the data for a legal claim.
- Right to data portability (Article 20) — receive your Personal Data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
- Right to object (Article 21) — object to Processing based on our legitimate interests (Article 6(1)(f)) or for direct-marketing purposes. We will stop Processing for direct marketing on receipt of any such objection.
- Right to withdraw consent (Article 7(3)) — withdraw consent at any time for any consent-based Processing. Withdrawal does not affect the lawfulness of Processing before the withdrawal.
- Right to lodge a complaint with a supervisory authority (Article 77) — you may lodge a complaint with your local data-protection authority. For EU residents, the list of authorities is at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, the supervisory authority is the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.
CCPA/CPRA rights (California residents):
- Right to know (Cal. Civ. Code § 1798.110) — what categories of Personal Information we have collected, the sources, the purposes, and the categories of third parties with whom we have shared it. The disclosures above answer this for all California consumers in advance.
- Right to access specific pieces of Personal Information (§ 1798.110) — a copy of the specific Personal Information we hold about you, covering the 12 months preceding your request.
- Right to delete (§ 1798.105) — deletion of your Personal Information, subject to the statutory exceptions (transactional records, security and fraud-prevention, legal compliance).
- Right to correct (§ 1798.106) — correction of inaccurate Personal Information.
- Right to opt out of the sale or sharing of Personal Information (§ 1798.120) — we do not sell or share Personal Information for cross-context behavioral advertising, so there is currently nothing to opt out of. We honor the browser Global Privacy Control (GPC) signal: when `navigator.globalPrivacyControl === true`, we treat that as an automatic denial of analytics and marketing consent for the session. The cookie banner remains available so you can override the signal by explicit consent, and email to alex@aicodethatworks.com is also a valid universal opt-out request.
- Right to limit the use of Sensitive Personal Information (§ 1798.121) — we do not collect Sensitive Personal Information.
- Right to non-discrimination (§ 1798.125) — we will not discriminate against you for exercising any of these rights (e.g., we will not deny service, charge different prices, or provide a different level of service).
Other US state privacy laws (including the Colorado, Connecticut, Virginia, and Utah consumer privacy acts) provide similar rights. We honor those rights on the same procedural basis as CCPA rights.
How to exercise your rights
To exercise any of the rights above, email us at alex@aicodethatworks.com with the subject line "Privacy Rights Request" and tell us (a) which right you want to exercise, (b) which jurisdiction's law applies to you (e.g., GDPR, CCPA), and (c) enough information for us to identify your records (typically the email address you used to submit a form).
We will acknowledge receipt of your request within 10 business days and complete our response within the statutory window applicable to you — typically within 1 month under the GDPR (extendable by 2 further months for complex requests), and within 45 days under the CCPA/CPRA (extendable by 45 further days on notice).
We may need to verify your identity before acting. For GDPR and CCPA requests, we typically verify by confirming you control the email address on file. We do not require additional documentation unless your request involves a high-risk action (e.g., deletion of an account with substantial history) or we have reason to believe your account has been compromised.
You may designate an authorized agent to make a request on your behalf. For California residents, the agent must provide proof of authorization (a written designation signed by you, or a power of attorney). We will then verify both the agent's authority and your identity, and may contact you directly to confirm.
There is no fee for exercising your rights. We reserve the right to charge a reasonable fee for, or refuse to act on, requests that are manifestly unfounded or excessive — in particular because of their repetitive character.
Cookies and similar technologies
Our use of cookies and similar technologies (localStorage, sessionStorage, pixel tags) is described in detail in our Cookie Policy, including the specific cookies set, their purposes, durations, and how to manage your preferences. The Cookie Policy is incorporated into this Privacy Policy by reference.
Our consent model is Google Consent Mode v2 in default-deny / Basic mode. Tags loaded through our Google Tag Manager container (currently GA4; in the future Meta Pixel and Google Ads when activated) do NOT fire until you have granted analytics or marketing consent through the cookie banner. PostHog opts in only after you grant analytics consent (the SDK is initialized with `opt_out_capturing_by_default: true`); Sentry session-mode session replay only starts after you grant analytics consent (via `<SentryReplayConsentGate>`). The functional cookie that stores your consent decision is named `revastack_consent`. These cookie names come from our shared observability package, which is namespaced under our parent organization; the provider of the cookie when set on this site is AI Code that Works. The cookie is set the first time you interact with the banner.
How we protect Personal Data
We apply technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption in transit via TLS 1.2+ for every connection between you and the Site and between our services and Processors.
- Encryption at rest for the Supabase database and Vercel build artifacts.
- Row-Level Security (RLS) policies on the `leads` table and every other tenant-scoped table, enforcing isolation at the database layer rather than relying on application-level filtering.
- Least-privilege access controls — service-role credentials are never exposed to client bundles or browser code, and operator access to production data is gated and logged.
- Per-IP rate limiting on the form-submission endpoint to mitigate abuse and credential-stuffing.
- Automated error monitoring (Sentry) and audit-event ledgers in the database, so unusual activity surfaces quickly.
No security measure is perfect. We do not guarantee the absolute security of any Personal Data and you transmit it to us at your own risk. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Articles 33-34).
Children's privacy
The Service is not directed to, and we do not knowingly collect Personal Data from, individuals under the age of 16. If you are under 16, do not submit Personal Data through the Service or send us email. If we learn that we have collected Personal Data from a child under 16 without verified parental consent, we will delete that Personal Data as soon as reasonably possible.
If you are a parent or guardian who believes that we may have collected Personal Data from your child without your consent, please contact us at alex@aicodethatworks.com and we will investigate and respond promptly.
Third-party links and services
The Site links to third-party platforms that we do not operate or control — most notably (a) our Skool community at https://www.skool.com/aicodethatworks (where the free course and any paid lab/cohort programming are hosted), (b) our YouTube channel and individual video pages on https://www.youtube.com, and (c) the marketing website of our affiliated brand RevAStack at https://revastack.ai. This Privacy Policy applies only to data we collect through the Service. When you click through to any of these third-party platforms, the platform's own privacy notice governs the data they collect about you on their surfaces, and we encourage you to read each one before submitting Personal Data there.
AI Code that Works does not operate a software-as-a-service application at aicodethatworks.com — there are no user accounts, no API, and no billing surface on this Site. Enrollment in the free course and any paid programs happens on Skool (linked above); video content is hosted on YouTube; the Starter Harness is delivered as a free downloadable ZIP through our newsletter or download form.
Do Not Track and Global Privacy Control
Browsers vary in their handling of the Do Not Track (DNT) signal and there is no consensus among industry participants as to what DNT means. We do not currently respond to DNT signals as a standalone signal.
AI Code that Works honors the browser Global Privacy Control (GPC) signal. When your browser exposes `navigator.globalPrivacyControl === true`, we treat the signal as an automatic denial of analytics and marketing consent. You can still affirmatively grant consent via the cookie banner — the GPC spec recognizes the signal as a universal opt-out, not a binding floor, so an explicit Accept on the banner overrides GPC. We remember the explicit Accept on this device (in browser local storage and a first-party cookie) until you withdraw it via the banner; that means the override persists across subsequent page loads, not only the current session. You can also email us at the address above to make a formal opt-out request. (Implementation note: GPC honor is currently client-side via `navigator.globalPrivacyControl`; server-side honor of the `Sec-GPC: 1` request header is a separate enhancement we have not yet shipped.)
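The precedence rules this section and the CCPA opt-out bullet above describe (explicit banner decision wins; otherwise a GPC signal means automatic denial; otherwise default-deny until the banner is answered), written out as an added example that is not the site's own code. The stored-decision shape `{ analytics, marketing }` is an assumption, since the page does not document the format of its `revastack_consent` cookie. Beyond the client-side check the page ships, the example also reads the `Sec-GPC: 1` request header so the same resolver can be used server-side, which the page notes is an enhancement it has not shipped yet.

```javascript
// Added example: resolving effective analytics/marketing consent from an
// explicit banner decision and the Global Privacy Control signal.
// Not the site's own code; the stored-decision shape is an assumption.

const DENY_ALL = Object.freeze({ analytics: false, marketing: false });

// Client side: the check the page describes, navigator.globalPrivacyControl === true.
// A strict comparison, so a string "1" or truthy object is not a signal.
function readGpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Server side: the same signal carried as the "Sec-GPC: 1" request header.
// Any other value, or a missing header, is treated as "no signal".
function readGpcFromHeaders(headers) {
  if (!headers) return false;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// storedDecision: null when the banner has not been answered on this device,
// otherwise { analytics: boolean, marketing: boolean } (assumed shape).
function resolveConsent(storedDecision, gpcSignal) {
  // 1. An explicit banner decision wins either way: GPC is a universal
  //    opt-out the user may override with an affirmative Accept.
  if (storedDecision && typeof storedDecision === "object") {
    return {
      analytics: storedDecision.analytics === true,
      marketing: storedDecision.marketing === true,
      source: "banner",
    };
  }
  // 2. No decision yet and GPC asserted: automatic denial of both categories.
  if (gpcSignal) return { ...DENY_ALL, source: "gpc" };
  // 3. No decision, no signal: default-deny until the banner is answered.
  return { ...DENY_ALL, source: "default" };
}

// Stand-alone run over three constructed situations.
const situations = [
  { stored: null, nav: { globalPrivacyControl: true } },
  { stored: { analytics: true, marketing: false }, nav: { globalPrivacyControl: true } },
  { stored: null, nav: {} },
];
for (const s of situations) {
  console.log(resolveConsent(s.stored, readGpcFromNavigator(s.nav)));
}
```

The `source` field is worth keeping in whatever record the consent decision is logged to: it lets an audit distinguish "user declined" from "GPC declined for them" from "never asked", which matters when reviewing why a tag did or did not fire.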
Changes to this Policy
We may update this Privacy Policy from time to time. The 'Last updated' date at the top of the page reflects the most recent change. When a change is material, we will notify you by email (if we have your email on file and the change is relevant to your relationship with us) or by a prominent banner on the Site for at least 30 days before the change takes effect.
Your continued use of the Service after a material change becomes effective constitutes your acceptance of the updated Policy, except where we have asked for fresh consent under applicable law.
Contact us
For any privacy-related question, rights request, or complaint, email us at alex@aicodethatworks.com.
Postal address — AI Code that Works, LLC. We do not yet publish a postal mailing address; for correspondence that requires a physical address, please email alex@aicodethatworks.com and we will provide one.
Effective date: 2026-05-23.
