Effective Date: 12 March 2026
Version: 1.0
Coder's Cantina e.U., registered in Vienna, Austria ("b10cks", "we", "us", or "our") operates b10cks, a subscription-based headless content management system and digital experience platform ("b10cks Services"), accessible at https://app.b10cks.com and https://www.b10cks.com.
This Privacy Policy explains how we collect, use, process, store, share, and protect your personal data when you use the b10cks Services, in compliance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (Datenschutzgesetz — DSG), and all other applicable data protection legislation.
Please read this policy carefully. By registering for an Account or using the b10cks Services, you acknowledge that you have read and understood this Privacy Policy.
b10cks operates in two distinct capacities with respect to personal data:
If you are an individual whose data has been submitted to b10cks by a business using our Services, please contact that business directly regarding their data practices.
| Data Controller | Coder's Cantina e.U. |
| Address | Wehlistraße 291/1/47, 1020 Vienna, Austria |
| Email | hello@b10cks.com |
| Website | https://www.b10cks.com |
| Privacy Inquiries | hello@b10cks.com |
Account and Registration Data
Billing and Subscription Data
Support and Communications
Account and Usage Data
Product Analytics and Error Monitoring (PostHog)
API Usage Data
AI Feature Usage Data (only when you use AI Features)
The b10cks web application at https://app.b10cks.com and marketing website at https://www.b10cks.com use the following categories of cookies and similar technologies:
| Category | Purpose | Examples | Can be declined? |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security (CSRF protection) | Session cookies, auth tokens | No — required for the service to function |
| Functional | Remembering your preferences (language, theme, last viewed Space) | Preference cookies | No — required for core usability |
| Analytics | Understanding how the b10cks App is used to improve the product | PostHog analytics cookies | Yes — via cookie settings |
| Marketing | Understanding traffic sources to our marketing website | Anonymised analytics | Yes — via cookie settings |
You can manage your cookie preferences at any time via the cookie settings panel accessible in the footer of https://www.b10cks.com. Withdrawing consent for non-essential cookies does not affect your ability to use the b10cks Services.
b10cks uses privacy-friendly analytics and does not sell or share your browsing data with advertising networks.
We use your personal data for the following purposes and on the following legal bases under GDPR Article 6:
We process certain data on the basis of our legitimate interests, which we have assessed to not be overridden by your interests or fundamental rights:
You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
When you initiate an AI Feature (AI Writing Assistant, AI Translation, or AI Image Analysis), the following occurs:
Depending on the AI Feature used, the following data is transmitted to OpenRouter:
OpenRouter processes data in accordance with its own Privacy Policy (https://openrouter.ai/privacy) and Terms of Service. Whether an underlying AI model provider uses submitted data for model training depends on that provider's policies. b10cks uses commercially reasonable efforts to engage providers that offer no-training data processing terms, but cannot guarantee this for all models available through OpenRouter.
You are responsible for reviewing OpenRouter's privacy policy before using AI Features.
We share personal data with the following third-party service providers acting as our data processors, sub-processors, or independent data controllers:
We do not sell your personal data to any third party. We do not share your personal data with advertisers.
The primary b10cks infrastructure is hosted within the European Economic Area (AWS eu-west-1, Ireland). However, certain sub-processors — including Lemon Squeezy, PostHog (when not using EU Cloud), and OpenRouter — are based in the United States.
Where personal data is transferred outside the EEA, we ensure an appropriate transfer mechanism is in place under Chapter V GDPR, including:
You may request details of the specific transfer mechanisms in place for any third-party processor by contacting us at hello@b10cks.com.
We retain personal data for as long as necessary for the purposes described in this Privacy Policy, subject to the following specific retention periods:
| Category | Retention Period | Legal Basis |
|---|---|---|
| Account and profile data | Duration of subscription + 90 days post-termination | Contract performance |
| Billing and subscription records | 7 years from invoice date | Austrian tax law (BAO §132) |
| Support communications | 3 years | Legitimate interests / legal claims |
| API usage and access logs | 90 days | Legitimate interests (security, debugging) |
| AI feature request metadata (token usage) | 12 months, then aggregated/anonymised | Contract performance (billing) |
| PostHog analytics events | 12 months | Legitimate interests |
| Customer Content (post-termination) | 90 days, then deleted | Contract performance |
| Marketing consent records | Until consent withdrawn + 3 years | Legal obligation (GDPR Art. 7(1)) |
After the applicable retention period, personal data is securely deleted or irreversibly anonymised. We may retain data beyond these periods where required by applicable Austrian or EU law, in which case processing is restricted to the minimum necessary.
As a data subject, you have the following rights regarding your personal data processed by b10cks as Data Controller. To exercise any of these rights, contact us at hello@b10cks.com. We will respond within 30 days of receiving your request (extendable by a further two months for complex requests, with notice).
You may request a copy of the personal data we hold about you, along with information about how it is used.
You may request correction of inaccurate or incomplete personal data. Much of your Account data can be updated directly in the b10cks App.
You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. Legal retention obligations (e.g. 7-year tax records) may limit the scope of deletion.
You may request that we restrict processing of your personal data in certain circumstances, such as while the accuracy of data is contested.
You may request your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) for transfer to another service, where processing is based on consent or contract and carried out by automated means.
You may object at any time to processing of your personal data based on legitimate interests, including for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
b10cks does not make solely automated decisions that produce legal or similarly significant effects about individuals.
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
You have the right to lodge a complaint with the competent supervisory authority at any time:
Austrian Data Protection Authority (Datenschutzbehörde — DSB)
We encourage you to contact us first at hello@b10cks.com so we can attempt to resolve your concern directly.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest within AWS Aurora DB, OpenSearch, and Valkey Cache is encrypted using AES-256 via AWS Key Management Service (KMS).
Access Controls: Access to production systems and personal data is restricted to authorised b10cks personnel on a strict need-to-know basis, enforced through role-based access controls (RBAC) and multi-factor authentication (MFA).
Infrastructure Security: The b10cks Services are hosted within an AWS Virtual Private Cloud (VPC) with network segmentation, private subnets for all data stores, and security group policies. CloudFront CDN enforces HTTPS for all content delivery.
Monitoring and Incident Response: System and access logs are monitored for anomalous activity. b10cks maintains documented incident response procedures, including the breach notification workflow described in Section 11.
Personnel: All b10cks personnel with access to personal data are subject to confidentiality obligations and receive data protection awareness training.
No security measure is absolute. While we implement industry-standard protections, we cannot guarantee the absolute security of data transmitted over the internet or stored in any system.
In the event of a confirmed Personal Data Breach affecting your personal data, b10cks will:
Notifications will be sent to the email address associated with your Account.
The b10cks Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has registered for an Account, we will promptly delete their data. Parents or guardians who believe a minor has provided personal data to b10cks should contact us at hello@b10cks.com.
For processing activities involving AI Features and international data transfers, b10cks has conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 GDPR. The DPIA identified the following key risks and mitigations:
| Risk | Mitigation |
|---|---|
| Transmission of Customer Content to OpenRouter (third-country transfer) | SCCs with OpenRouter; user control over AI Feature use; disclosure in this policy and in the AI Terms |
| Potential model training use by AI providers | Commercially reasonable efforts to select no-training providers; disclosure to users |
| Multi-tenant data segregation on shared AWS infrastructure | Logical data isolation per Account; encryption at rest and in transit; RBAC |
| PostHog analytics involving personal data | Pseudonymisation where possible; EU Cloud configuration; PostHog DPA in place |
A summary of the DPIA is available to data subjects upon request.
If you are using the b10cks Services as a business (i.e. you are uploading, managing, and publishing Customer Content that may contain personal data belonging to your own users or customers), the following applies:
The b10cks Services may contain links to third-party websites or integrations with Third Party Services. b10cks is not responsible for the privacy practices of any third-party website or service. We recommend reviewing the privacy policies of any third party before providing personal data.
We reserve the right to modify this Privacy Policy at any time. Where changes are material, we will:
Your continued use of the b10cks Services after the effective date of any updated Privacy Policy constitutes acceptance of the changes. If you do not accept the updated policy, you must stop using the b10cks Services before the change takes effect.
Q: Does b10cks store my Customer Content? A: Yes. Customer Content you upload to the b10cks Services is stored in our AWS infrastructure (eu-west-1, Ireland) for the duration of your subscription and for up to 90 days following termination to allow for data export.
Q: Does b10cks have access to my Customer Content? A: b10cks personnel may access Customer Content only as strictly necessary to provide the Services, investigate support issues, or resolve security incidents. Such access is logged and subject to strict internal access controls.
Q: Is my data used to train AI models? A: b10cks does not use your data to train any AI models. Whether underlying AI model providers (routed through OpenRouter) use submitted data for training depends on their individual policies. b10cks uses commercially reasonable efforts to select providers with no-training terms. See Section 5.3 for details.
Q: Can I export my data before cancelling? A: Yes. You can export your Customer Content and Account data via the b10cks App at any time. Following termination, data is available for export for 90 days.
Q: How do I delete my Account and data? A: You can request Account deletion by contacting hello@b10cks.com. Non-legally-required data will be deleted within 30 days. Billing records are retained for 7 years as required by Austrian tax law.
Q: Who do I contact about data belonging to my customers? A: If you are a b10cks business customer and your end users are asking about their data, you — as Data Controller — are responsible for responding to those requests. See Section 14 and the DPA for details.
For all privacy-related questions, requests, or complaints:
We will acknowledge your request within 5 business days and respond in full within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Austrian Data Protection Authority:
Datenschutzbehörde (DSB)
This Privacy Policy applies to personal data processed by Coder's Cantina e.U. as Data Controller in connection with the b10cks Services. Processing of Customer Content by b10cks as Data Processor is governed by the b10cks Data Processing Agreement at https://www.b10cks.com/legal/dpa.