This Privacy Policy is the single, umbrella privacy policy for CodeRed and all of our products and services. It is in two parts: Part A sets out the shared terms that apply to everything we do, and Part B contains a short, self-contained schedule for each individual product describing the data flows that are unique to it. To understand how we handle your information for a particular product, read Part A together with that product's schedule in Part B.
Contents
A1Who we are
This policy is issued by CodeRed (ABN 99 163 851 573), based in Western Australia, Australia ("CodeRed", "we", "us", "our"). For the purposes of applicable privacy laws, CodeRed is the entity responsible for (and the data controller of) the personal information described in this policy.
CodeRed is committed to handling personal information in accordance with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs), and, where applicable, with the GDPR (EU/UK) and the CCPA/CPRA (California).
Privacy questions, requests, and complaints: cody@codered.lol.
A2Scope
This policy applies to all CodeRed products and services, including Lares (our home-inventory app) and CodeRed Shop (our online hardware store), and to any future products listed in the schedules below, except where a particular product publishes its own separate policy that expressly does not incorporate this one.
Part A applies across every product. Each product also has a schedule in Part B that lists the additional data, third parties, processing locations, and retention specific to that product. Where a schedule conflicts with Part A, the schedule prevails for that product.
A3What we collect across products
The exact information we collect depends on which CodeRed product you use. Across our products the categories of personal information we may collect are:
| Category | What it can include | Used in |
|---|---|---|
| Identity & contact | Name, email address, and (for purchases) phone number where you provide it. | Lares (email), CodeRed Shop (name, email, phone) |
| Account & profile | User ID, plan tier, settings, preferences, and usage counters. | Lares |
| Address information | Shipping and billing addresses (street, city, state/province, postcode, country). | CodeRed Shop |
| Content you create or upload | Inventory entries, room names, photos and videos of your belongings, and customisation details such as custom-logo text and image files. | Lares, CodeRed Shop |
| Order & transaction data | Items purchased, quantities, prices, order references, totals, currency, payment status and method label, fulfilment status, and carrier/tracking details. Subscription references and status. | Lares (subscription), CodeRed Shop (orders) |
| Payment data | Card and payment details are collected and processed by our third-party payment providers. CodeRed does not store full card numbers, PAN, or CVV — only a payment status and a payment-method label. | Lares, CodeRed Shop |
| Device, network & usage data | IP address, browser/device identifiers, and cookies, primarily collected by the platforms that host checkout. CodeRed-built surfaces run no analytics or tracking pixels of their own (see the relevant schedule). | CodeRed Shop |
| Correspondence | Messages you send us for support, returns, or enquiries. | All products |
We collect information directly from you (for example when you create an account, place an order, or contact us) and, for some categories, automatically (for example device and cookie data collected by a hosted checkout) or from our service providers (for example identity data returned by our authentication provider). Product-specific detail is in Part B.
A4How we use your information
Consistent with APP 6, we use personal information only for the purposes for which it was collected and related, reasonably expected purposes, including to:
- create, operate, authenticate, and secure your account;
- provide the product's core features (cataloguing belongings, AI recognition and valuation, processing and fulfilling orders);
- process payments and manage subscriptions through our payment providers;
- arrange delivery of physical goods and provide tracking;
- respond to your requests, provide support, and handle returns and complaints;
- maintain security, prevent fraud and abuse, debug, and keep our services running (we keep structured operational logs); and
- comply with our legal and tax record-keeping obligations.
We do not sell your personal information, and we do not use it for cross-context behavioural advertising. Where a product relies on your consent for a particular processing activity (such as cloud AI processing of images in Lares), that is identified in the relevant schedule.
A5Sharing & international transfers
We share personal information only with the categories of recipients below, each acting to deliver the part of the product that depends on them, or where required by law. We do not sell your data or share it for advertising.
- E-commerce platform & hosted checkout (Shopify) — for CodeRed Shop orders and payment.
- Payment providers (Shopify Payments and its payment processor; Stripe; and our self-hosted crypto-payment server, BTCPay) — to process payments. Card data is handled by these providers, not by CodeRed.
- AI / recognition & valuation providers (OpenRouter routing to Google Gemini; plus marketplace and barcode lookups) — for Lares item recognition and valuation.
- Authentication provider (Clerk) — for Lares sign-in and identity.
- Hosting, storage & address tools (Cloudflare R2 / S3-compatible object storage; Vercel and Vercel Blob; Google Maps/Places autocomplete) — to host our services and store files.
- Shipping carriers (e.g. Australia Post or couriers) — to deliver physical goods and provide tracking.
- Our own self-hosted systems (InvenTree inventory, Paperless-ngx document archive, and ntfy notifications) — these run on infrastructure we operate ourselves. They are not external third parties, but they do hold customer personal information and are disclosed for transparency.
- Legal & safety — courts, regulators, or other parties where required by law or to protect rights, safety, or property.
APP 8 Overseas / cross-border disclosure
Several of our providers are located outside Australia, so your personal information is likely to be transferred to, processed, and stored overseas. The likely recipient countries are the United States, Canada, Ireland/EU, and Singapore:
- Shopify (CodeRed Shop's e-commerce platform and hosted checkout) is based in Canada/US and uses subprocessors in the US, Canada, the EU/Ireland, and Singapore. Shopify acts as a data processor under its Data Processing Addendum and uses standard contractual clauses with its subprocessors.
- Stripe, Clerk, OpenRouter, UPCitemdb, Expo, Vercel, and Google are principally US-based or operate on global cloud infrastructure.
CodeRed remains the data controller and takes reasonable steps (as required by APP 8) to ensure overseas recipients handle your personal information consistently with the APPs, including by relying on those providers' data-processing terms. Privacy laws in those countries may differ from Australian law. Where a product feature depends on overseas processing, using that feature involves this overseas disclosure.
A6Security
All data sent between you, our servers, and our providers is transmitted over encrypted connections (HTTPS/TLS). Personal information is held in access-controlled systems; uploaded files are stored in account- or order-scoped storage; and session tokens are kept only in your device's OS secure store. No method of transmission or storage is completely secure, but we take reasonable steps to protect your information. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the OAIC as required by the Notifiable Data Breaches scheme.
A7Retention
- We keep personal information only for as long as needed for the purposes described in this policy, or as required by law (for example, order and tax records).
- Account and content data is generally kept until you delete it or your account is deleted (see the Lares schedule).
- Order records, receipts, and related documents are retained for the period required for tax and accounting purposes (see the CodeRed Shop schedule).
- Product-specific retention details are set out in the relevant schedule in Part B.
A8Your rights (access, correction, deletion)
Subject to applicable law, you have the right to access the personal information we hold about you, to request correction of inaccurate information, and to request deletion of your information. You can also opt out of any marketing communications at any time.
- Access & correction (APP 12/13): you can view and edit much of your data directly in-product (for example, your inventory and settings in Lares), or email cody@codered.lol and we will provide or correct it.
- Deletion: you can delete content in-product where available, or email cody@codered.lol from your account/order email and we will delete your information without undue delay, except where we must retain it by law (such as completed-order tax records). Product-specific deletion mechanics are in Part B.
- EU/UK (GDPR): you additionally have rights to rectification, erasure, restriction, data portability, and objection, and may lodge a complaint with your local supervisory authority. We process data to provide the service you requested (contract), for our legitimate interests in operating and securing our products, to meet legal obligations, and — for cloud AI processing of images — on the basis of your consent.
- California (CCPA/CPRA): you have the right to know, to delete, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information and do not use it for cross-context behavioural advertising.
- Complaints (Australia): please contact us first at cody@codered.lol. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
A9Children
CodeRed products are not directed to children and are not intended for anyone under 16 years of age. Lares in particular captures camera images and processes them with AI, so we ask that minors not use it. If you believe a child has provided us with personal information, contact us and we will delete it.
A10Changes to this policy
We may update this Privacy Policy from time to time, including by adding a new product schedule. When we make a change we will revise the "Last updated" date at the top, and material changes will be communicated in-product or by other reasonable means. Continued use of a CodeRed product after an update means you accept the revised policy.
A11Contact
CodeRed
ABN 99 163 851 573
Western Australia, Australia
Email: cody@codered.lol
Schedule A — Lares (app)
This schedule adds to Part A the data flows specific to Lares, our home-inventory and valuation mobile app. Read it together with Part A.
What Lares collects (in addition to Part A)
For Lares we collect only what we need to run the app. We do not collect your name, phone number, postal address, precise location/GPS, health data, biometric data, or government identifiers.
| Category | What it includes | How it is collected |
|---|---|---|
| Account identifiers | Your unique user ID and email address. (We do not store your name or password — those are held by our authentication provider, Clerk.) | Provided to us by Clerk when you sign up or sign in, and synced via a signed webhook when your Clerk account is created, updated, or deleted. |
| Account settings & usage counters | Your plan tier (free / pro / household), default currency (e.g. AUD), a counter of cloud-AI scans you have used, and created/updated timestamps. | Set on sign-up and when you change settings; the cloud-AI counter increments each time a cloud scan succeeds. |
| Inventory item data | Item name, category, description, brand, model number, barcode/UPC, quantity, condition, purchase date, estimated value and currency, and AI detection/valuation source and confidence. | Manual entry, single-photo AI scan, or video room-scan review. |
| Room / location names | The room or area names you define (e.g. "Living Room", "Garage"), which can be nested. | Entered by you in the app. |
| Photos of your belongings | JPEG/PNG/WebP/HEIC photos (up to 25 MB each) you capture with the in-app camera. These can incidentally show the inside of your home and your possessions. | Captured with the in-app camera and uploaded to our cloud storage. The app uses only the live camera — it does not read your device photo library. |
| Walkthrough scan videos | MP4/MOV room-walkthrough videos (up to 200 MB) recorded with your camera. Audio is captured as part of the recording. | Recorded with the in-app camera and microphone and uploaded to our cloud storage; we extract still frames from them on our server. |
| AI detection & valuation results | Detected item names, brands, models and confidence scores, and valuation history (estimated value, source, confidence, and the raw response from the AI / marketplace lookup). | Generated on our server when you scan or value an item. |
| Billing / subscription references | Payment provider name, Stripe customer ID, Stripe subscription ID, subscription status, and current period end. We never store your card number, PAN, or CVV. | Created via Stripe Checkout and Stripe webhooks when you subscribe. Card details are entered on Stripe's own pages and never reach our servers. |
| Session tokens | Clerk session / login tokens. | Issued by Clerk and stored only on your device in the OS secure store (iOS Keychain / Android Keystore). Our backend verifies them but does not store them. |
Camera and microphone access
Lares requests access to your device camera to photograph and catalog your belongings, scan barcodes, and record room-walkthrough videos. Because room-scan videos are recorded with sound, Lares also requests microphone access — the microphone is used only as part of video recording. Lares does not request access to your photo/media library and does not request location/GPS access. Media used by Lares comes only from the live camera while you are using a capture feature.
Important AI processing of your images
Some Lares features send your images off your device and to a third-party AI provider for automated item recognition and valuation. Please read this carefully:
- Single-photo scans: when you tap "High accuracy (cloud)" — or when cloud is the configured default, which is currently the case in our production service — the photo is uploaded to us and then sent (base64-encoded) to our cloud AI provider.
- Video room-scans: these always use the cloud AI provider. We extract still keyframes from your video on our server and send each keyframe to the cloud provider.
- Valuation: in addition to images, we send a text query built from the item's name, brand, model, barcode, and attributes (plus any web-search snippets) to help estimate value.
- The cloud provider receives only the image(s) and the text needed for recognition/valuation. We do not send your email address, account ID, or any device identifier in these AI requests.
- Our production cloud AI path is OpenRouter, which routes the request to Google Gemini (model google/gemini-2.5-flash-preview-04-17).
- A non-cloud single-photo option uses a self-hosted AI model running on our own infrastructure; in that path your image is not transmitted to any third party.
By using the cloud scan features you consent to this processing. If you do not want an image processed by the third-party AI, do not use the cloud single-photo option or the video room-scan feature.
Lares third parties & processing locations
In addition to the categories in Part A, Lares relies on:
| Provider | Role | What it receives |
|---|---|---|
| Clerk (US) | Authentication and identity. Holds your login credentials, email, and any profile information you give it. | Clerk collects your credentials and email directly at sign-up/sign-in. We receive your user ID and email back from Clerk. |
| OpenRouter → Google Gemini (US / Google cloud) | Cloud AI vision for item recognition and valuation. Our primary production vision provider. | Your item photos and extracted video keyframes (as base64 images), plus item text for valuation. No account email, ID, or device identifier. |
| Stripe (US / global) | Payment processing for paid subscriptions (Checkout, Billing Portal, webhooks). | Card details are entered directly on Stripe's pages and never touch our servers. We pass Stripe your user ID and plan tier as metadata; Stripe returns customer/subscription IDs and status. |
| eBay (Browse API) (global) | Marketplace price estimation (median of active listings). | A search query built from the item's brand/name/model only. No account info and no photos. |
| UPCitemdb (US) | Barcode → product identity lookup, to improve valuation accuracy. | The scanned barcode/UPC number only. No personal information and no photos. |
| Cloud object storage (operator-hosted; e.g. Cloudflare R2 / S3-compatible) | Stores your uploaded photos and videos. | Your photos, videos, and the keyframe thumbnails we extract, stored under a path scoped to your account. |
| Self-hosted services (operator infrastructure — not third parties) | A self-hosted AI model (non-cloud photo path) and a self-hosted web-search service used to ground valuations. The web-search service may query upstream search engines using an item text query (no personal information). | Item images (local AI path only) and item text queries. |
| Expo / EAS (US) | Build and distribution tooling for the mobile app. Not a runtime data processor. | No user runtime data. Lares includes no Expo analytics, push notifications, or update-tracking in the reviewed code. |
Each provider operates under its own privacy policy. Lares contains no analytics, telemetry, crash-reporting, advertising, or attribution SDKs (no Sentry, Crashlytics/Firebase, Amplitude, Mixpanel, PostHog, Segment, the Facebook SDK, AdMob, or App Tracking Transparency), sends no push notifications, and does not collect location or advertising identifiers. Our server keeps structured operational logs only.
Lares retention & deletion
- Inventory items, locations, photos, videos, scans, and valuations are kept until you delete them in the app, or until your account is deleted.
- When your account is deleted, your account record and all related database rows (items, locations, photo/video references, scans, detections, valuations, and subscription references) are permanently deleted. We do not run a fixed retention timer; data persists while your account is active.
- You can access and correct your inventory data directly in the app, delete individual items, locations, and scan sessions at any time, and export your data (CSV/ZIP and PDF) from settings.
- To delete your whole account, use the in-app account-deletion option where available, or email cody@codered.lol from your account email. When your Clerk account is deleted, a signed webhook triggers permanent deletion of your Lares records.
Honest disclosure Stored media after deletion
When data is deleted, our deletion process currently removes the database records only. The underlying photo, video, and thumbnail files in object storage may not be automatically deleted at the same time, and could remain in storage until purged separately by us. We are working to make blob deletion automatic. If you want assurance that your stored images and videos have been purged, contact cody@codered.lol and we will action it.
Schedule B — CodeRed Shop (online store)
This schedule adds to Part A the data flows specific to CodeRed Shop, our online store selling keyboards and related hardware. Read it together with Part A.
How the store works
The CodeRed Shop storefront is a headless website, but checkout and payment are hosted by Shopify. When you check out on the standard card path, you are taken to Shopify's own hosted checkout, where Shopify (as the merchant of record for the order) collects your name, email, optional phone number, shipping and billing addresses, and your card/payment details. CodeRed's storefront never sees your raw card data. After payment, the order details flow back to CodeRed through authenticated webhooks so we can fulfil and record the order.
An optional "Pay with crypto" path is operated directly by CodeRed: you enter your name, email, and shipping address into a CodeRed form, and we send the payment to our self-hosted BTCPay Server for Bitcoin, Lightning, or Monero. This path is not Shopify-hosted and does not involve card data.
What CodeRed Shop collects, and who it goes to
When you buy hardware we collect your name, email address, shipping and billing address, optional phone number, and order/transaction history. Card payment is handled on Shopify's hosted checkout (card details are not stored by CodeRed). The table below sets out each data flow.
| Data | Collected via | Stored where | Shared with |
|---|---|---|---|
| Full name | Shopify-hosted checkout (standard card path); CodeRed crypto form (crypto path). | Shopify (merchant of record). Also pushed to our self-hosted InvenTree (customer record) and rendered into a PDF stored in our self-hosted Paperless-ngx on every paid order. | Shopify (US/global); InvenTree; Paperless-ngx; ntfy order alert. Crypto path: also in the BTCPay invoice metadata. |
| Email address | Shopify-hosted checkout (standard); CodeRed crypto form (crypto). | Shopify; InvenTree (used as the customer-lookup key); Paperless PDF receipt; BTCPay invoice metadata (crypto path). | Shopify (US/global); InvenTree; Paperless-ngx; ntfy (email appears in the "New Order" and "Order Fulfilled" notifications); BTCPay (crypto path). |
| Shipping address | Shopify-hosted checkout (standard); CodeRed crypto form, with Google Places autocomplete assisting entry (crypto). | Shopify; InvenTree (address record + sales-order shipping address); Paperless PDF receipt. | Shopify (US/global); InvenTree; Paperless-ngx; ntfy (city/postcode/country summarised); shipping carrier (via Shopify). Crypto path: full address to BTCPay metadata, and the address you type is sent to Google (US) for autocomplete suggestions. |
| Billing address | Shopify-hosted checkout only (standard card path). The crypto form collects a single shipping address and no separate billing address. | Shopify; rendered into the Paperless PDF receipt. InvenTree uses billing address only as a fallback if no shipping address is present. | Shopify (US/global); Paperless-ngx; InvenTree (fallback only). |
| Phone number | Optional at Shopify-hosted checkout. The CodeRed/crypto form does not collect a phone number. | Shopify only. | Shopify (US/global). Not forwarded to InvenTree, Paperless, or ntfy by CodeRed. |
| Payment / card data | Shopify-hosted checkout exclusively — the storefront redirects to Shopify's hosted checkout. On the crypto path BTCPay collects the on-chain payment; no card data at all. | Shopify and its payment processor. CodeRed/InvenTree/Paperless store only the payment status and a method label ("Shopify Payments" or "BTCPay (BTC / XMR / LN)") — never card numbers. | Shopify Payments / Shopify's payment processor (US/global). Crypto path: self-hosted BTCPay Server; no card data. |
| Order / transaction history | Generated by purchasing (Shopify order; InvenTree sales order; Paperless archived receipt). | Shopify; InvenTree (orders, line items, and any uploaded custom-logo attachments); Paperless-ngx (PDF receipts, kept for tax records); Vercel Blob (temporary custom-logo image storage, deleted after upload to InvenTree). | Shopify (US/global); InvenTree; Paperless-ngx; ntfy (order/fulfilment summaries); Vercel Blob (transient, US/global). |
| Device / network / cookies | Shopify checkout and Shopify-managed cookies during the hosted checkout. The CodeRed storefront sets only a first-party functional cartId cookie (the Shopify cart token). | Shopify (per its privacy policy). The cartId cookie is functional/first-party. | Shopify (US/global) and any of Shopify's analytics/advertising partners per Shopify's policy. CodeRed adds no analytics (no Google Analytics, Meta Pixel, PostHog, Plausible, or Sentry). |
| Carrier tracking info | Shopify fulfilment webhook when the order is marked shipped (carrier, tracking number, tracking URL). | Shopify; written back to the InvenTree sales order; sent in the ntfy "Order Fulfilled & Shipped" notification. | The shipping carrier (Australia Post / courier); InvenTree; ntfy. |
CodeRed Shop third parties
- Shopify (Canada/US; global infrastructure) — e-commerce platform and merchant-of-record hosted checkout. Collects and processes name, email, phone, shipping and billing addresses, payment/card data, order history, and device/IP/cookies. International transfer to US/global Shopify infrastructure. See Part A, Section A5 (APP 8).
- Shopify Payments — Shopify's integrated payment processor; processes card payments inside the hosted checkout. Card data never touches CodeRed servers.
- Shipping carrier(s) (e.g. Australia Post / courier) — receive your name and shipping address to deliver your order and return tracking details.
- Google (Maps / Places API) — address autocomplete only on the crypto checkout form; as you type a shipping address, keystrokes are sent to Google (US) for Australia-scoped suggestions. Not used on the standard Shopify checkout path.
- Vercel (hosting + Vercel Blob) — hosts the storefront (US/global) and temporarily stores customer-uploaded custom-logo image files until they are copied into InvenTree, after which the blob is deleted; may incidentally process request IP/logs.
- Self-hosted InvenTree (operator infrastructure, not an external third party) — receives customer name, email, and address and stores them as a customer record plus a sales order with line-item customisations.
- Self-hosted Paperless-ngx (operator infrastructure, not an external third party) — every paid order is rendered to a PDF receipt containing name, email, full shipping and billing address, line items, and total, then archived for tax records.
- Self-hosted ntfy (operator infrastructure, not an external third party) — receives push notifications on new and fulfilled orders containing your email, an item summary, and the destination city/postcode/country (and destination name on fulfilment).
- Self-hosted BTCPay Server (operator infrastructure; crypto checkout path only) — on the "Pay with crypto" path your name, email, and full shipping address are included in the invoice metadata, and BTCPay hosts the BTC / Lightning / Monero payment page. Not used on the standard card path.
Payment data & processors
Card and payment details for standard orders are collected and processed by Shopify Payments inside Shopify's PCI-compliant hosted checkout; CodeRed does not store full card numbers. Crypto payments are processed by our self-hosted BTCPay Server. Please review Shopify's privacy policy for how it handles checkout, payment, and cookie data, including any Shopify-side fraud-analysis, network-intelligence, or Shop Pay features that may be enabled.
CodeRed Shop retention
Order records, receipts, and related correspondence are retained for as long as needed to fulfil and support your order and to meet our tax and accounting obligations (typically several years, as required by Australian law). Data held by Shopify is retained under Shopify's policy. You can request access to or correction of your order details, or deletion of personal information that we are not required to keep, by emailing cody@codered.lol.
Schedule C — Future products
As CodeRed launches new products and services, each will be added here as its own self-contained schedule describing the additional data, third parties, processing locations, and retention specific to it. The shared terms in Part A apply to every future product unless that product publishes its own separate policy that expressly does not incorporate this one.
For questions about this policy or to exercise your rights, contact cody@codered.lol.