Privacy Policy
Last updated: 13 April 2026
This Privacy Policy explains how Instance Labs Ltd ("we", "us", "our"), a company registered in England and Wales, collects, uses, shares, and protects your personal data when you use the CDK Insights platform ("Service"), accessible at cdkinsights.dev and associated subdomains.
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: Instance Labs Ltd
Address: 66 Paul Street, London, EC2A 4NA, United Kingdom
Company No.: 17053174 (registered in England & Wales)
Contact: privacy@cdkinsights.dev
If you have questions about this policy or your data, contact us at privacy@cdkinsights.dev.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored securely by our authentication provider; we never have access to your plaintext password)
- Company or organisation name (if provided)
- A unique user identifier assigned by our authentication provider
1.2 CDK Code Data
If you use our AI-powered code analysis features, you may submit AWS CDK code snippets for automated analysis. These code snippets are processed transiently by our AI service and are not stored. The code exists only in temporary server memory during processing (typically under 60 seconds) and is immediately discarded. Only the structured analysis results (insights, recommendations, and scores) are retained in association with your account.
We do not use your submitted code to train AI models. Your proprietary code remains confidential and is never shared with other users or third parties.
1.3 Payment Information
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not receive or store your full card number, expiry date, or CVV. We receive only a subscription identifier, plan type, and billing status from Stripe to manage your account tier.
1.4 Usage & Analytics Data
We use Google Analytics to understand how the Service is used. This may collect:
- Pages visited and features used
- Browser type and device category
- Approximate geographic location (country/region level, derived from IP address)
- Referring website
- Session duration and interaction patterns
Google Analytics uses cookies to collect this data. See our Cookie Policy for details on how to opt out.
1.5 Server Logs
Our cloud infrastructure (AWS) automatically logs technical information such as request timestamps, HTTP status codes, and error messages. These logs are retained for up to 30 days and are used solely for debugging and service reliability. We do not systematically collect or store IP addresses, user agent strings, or device identifiers in our application logs.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: create and manage your account, process subscriptions, analyse your CDK code, and deliver insights and recommendations
- Process payments: manage subscriptions and apply the correct feature tier to your account
- Analyse CDK code: use AI to evaluate your infrastructure-as-code submissions, returning structured insights, best-practice recommendations, and security findings
- Improve the Service: analyse usage patterns to fix bugs, improve performance, and develop new features
- Communicate with you: respond to support requests and send essential service notifications (e.g., billing confirmations, security alerts)
- Ensure security: detect and prevent abuse, enforce our Terms of Service, and rate-limit API usage
We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal effects.
3. Legal Basis for Processing (UK GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & management | Contract performance |
| CDK code analysis | Contract performance |
| Payment processing | Contract performance |
| Analytics & service improvement | Legitimate interest |
| Security & abuse prevention | Legitimate interest |
| Tax & accounting record keeping | Legal obligation |
| Analytics cookies | Consent |
| Marketing communications | Consent (you can withdraw at any time) |
4. Data Sharing & Third Parties
We share your personal data only in the following circumstances:
4.1 Service Providers
We use the following third-party services to operate the platform:
- Amazon Web Services (AWS): cloud hosting, authentication, database, and AI processing (Bedrock). Data is primarily processed in the EU West (London) region. See AWS Privacy Policy.
- Stripe: payment processing. Stripe acts as an independent data controller for payment data. See Stripe Privacy Policy.
- Google Analytics: website analytics. See Google Privacy Policy.
- AI Model Providers: we use third-party large language models to power code analysis features. Code snippets are sent to these providers for processing only and are not retained by them beyond the duration of the request, in accordance with their data processing agreements.
We do not sell your data.
4.2 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request, or where necessary to protect our rights, property, or safety, or that of our users or the public.
4.3 Business Transfers
If Instance Labs Ltd is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
5. International Data Transfers
Your data is primarily stored and processed in the AWS EU West (London) region. However, some of our third-party providers (Stripe, Google Analytics, AI model providers) may transfer data to the United States or other countries. Where such transfers occur, they are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- The provider's participation in recognised data protection frameworks
- UK adequacy decisions where applicable
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your account, plus 30 days after deletion |
| CDK code snippets | Not stored; processed transiently in memory and immediately discarded |
| Analysis results | Duration of your account (you may delete individual results at any time) |
| Payment records | As required by tax and accounting regulations (typically 6 years) |
| Server logs | Up to 30 days |
| Analytics data | As per Google Analytics retention settings (14 months) |
When you delete your account, we will remove or anonymise your personal data within a reasonable timeframe, except where we are required to retain it for legal or regulatory purposes.
7. Your Rights
7.1 UK GDPR / EU GDPR Rights
If you are in the UK or EU, you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your personal data ("right to be forgotten")
- Right to restriction: request that we limit how we process your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: where processing is based on consent (e.g., analytics cookies, marketing), you can withdraw at any time
To exercise any of these rights, contact us at privacy@cdkinsights.dev. We will respond within one month, as required by law.
7.2 Rights for California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete it, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at privacy@cdkinsights.dev.
8. Children's Privacy
The Service is designed for professional and business use and is not intended for anyone under the age of 18. We do not knowingly collect personal data from children under 18.
If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe someone under 18 has provided us with personal data, please contact us at privacy@cdkinsights.dev.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) for all data communications
- Encryption at rest for all stored data (AWS-managed encryption)
- Secure authentication with industry-standard password hashing
- Transient processing of submitted code, never written to persistent storage
- Rate limiting on sensitive API endpoints
- Input validation and sanitisation to prevent injection attacks
- Regular security reviews of our codebase and infrastructure
- Principle of least privilege applied to all internal access controls
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Cookies
We use essential cookies for authentication and session management, and analytics cookies via Google Analytics. For full details on the cookies we use and how to manage them, please see our Cookie Policy.
11. Supervisory Authority
If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk/make-a-complaint. If you are in the EU, you may contact your local data protection authority.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also provide notice via the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Instance Labs Ltd
66 Paul Street, London, EC2A 4NA, United Kingdom
Company No. 17053174 (registered in England & Wales)
Privacy enquiries: privacy@cdkinsights.dev
General support: support@cdkinsights.dev
Supervisory authority: Information Commissioner's Office (ICO)