Privacy Policy

Last updated: April 2026

1. Introduction

1.1. This Privacy Policy ("Policy") describes how Coodesh Serviços Tecnológicos Ltda., registered under Brazilian Federal Tax ID (CNPJ/MF) No. 30.078.586/0001-78, headquartered at Av. Afonso Pena, 3,351 – 11th floor, suite 1103, Funcionários, Belo Horizonte/MG, Brazil, ZIP 30130-008 ("Coodesh", "we", or "our"), collects, uses, stores, shares, and protects personal data of users of its products and services.

1.2. This Policy applies to all people who interact with the Coodesh Platform, including: Candidates, Collaborators, Management Users (representatives of Client Companies), and visitors to the website www.coodesh.com and related domains, including workdex.ai.

1.3. By accessing or using our Services, You acknowledge that You have read and understood this Policy. In cases where data processing depends on consent, this will be requested in a clear and specific manner.

1.4. This Policy is an integral part of our Terms and Conditions of Use.

2. Controller and Data Protection Officer (DPO)

2.1. Data controller: Coodesh is the controller of personal data collected directly from Users for purposes of operation, improvement, and commercialization of the Services.

2.2. Data processor: When a Client Company uses the Services to evaluate Candidates or Collaborators, the Client Company acts as the controller of the personal data of such individuals, and Coodesh acts as the processor, processing the data on behalf of and under the instructions of the Client Company.

2.3. Data Protection Officer (DPO): Coodesh has a duly appointed Data Protection Officer in compliance with Article 41 of the LGPD and Article 37 of the GDPR. To exercise your rights or clarify questions about the processing of your personal data, contact us via email: dpo@coodesh.com.

3. Personal Data We Collect

Coodesh collects different categories of personal data according to the type of user and the product used:

3.1. Coodesh Assessments

Candidates and Collaborators evaluated:

  • Name — collected upon registration or login (mandatory)
  • Email — collected upon registration or login (mandatory)
  • Geolocation and IP address — collected automatically during Assessments
  • Photos and webcam recordings — collected during Assessments with proctoring (optional, according to configuration)
  • Audio recordings — collected during Assessments with audio response or AI Interviewer (optional, according to configuration)
  • Responses to test questions — collected during Assessments (mandatory for test completion)

Management Users (Company):

  • Name — collected upon registration or login (mandatory)
  • Email — collected upon registration or login (mandatory)
  • Job title / Position — collected upon profile update (optional)
  • Gender — collected upon profile update (optional)
  • Date of birth — collected upon profile update (optional)
  • Mini bio — collected upon profile update (optional)

3.2. Coodesh Hiring

Candidates (talent feed and job applications):

  • Name — collected upon registration or login (mandatory)
  • Email — collected upon registration or login (mandatory)
  • Phone — collected during profile onboarding or job application (mandatory)
  • City — collected during profile onboarding or job application (mandatory)
  • LinkedIn (public profile) — collected during profile onboarding or job application (mandatory)
  • GitHub (public profile) — collected during profile onboarding or job application (optional)
  • Salary expectation — collected during job application (mandatory)
  • Resume (.pdf) — attached during job application (mandatory)
  • Career information (education, professional history) — collected during profile onboarding (optional)
  • Gender, race/color, sexual orientation, disability — collected during profile onboarding (optional — sensitive data, see Section 3.5)

3.3. Coodesh Skills (Workdex.ai)

Company Collaborators:

  • Name — collected upon registration or login (mandatory)
  • Email — collected upon registration or login (mandatory)
  • Geolocation and IP address — collected automatically during Assessments
  • Photos and webcam recordings — collected during Assessments with proctoring (optional, according to configuration)
  • Audio recordings — collected during Assessments (optional, according to configuration)
  • Responses to test questions — collected during Assessments (mandatory for test completion)

3.4. Data collected automatically (all products)

Regardless of the product used, we automatically collect:

  • Navigation data: IP address, browser type, operating system, pages accessed, time spent, and reference data.
  • Device data: device type, screen resolution, and unique identifiers.
  • Cookies and similar technologies: as described in our Cookie Policy.
  • Usage data: records of interactions with the Platform, including features accessed, actions performed, and timestamps.

3.5. Sensitive personal data

3.5.1. Certain data collected by Coodesh Hiring (gender, race/color, sexual orientation, and disability) are classified as sensitive personal data under Article 5, II, of the LGPD and Article 9 of the GDPR.

3.5.2. The collection of such data is always optional and occurs exclusively when the Candidate chooses to provide it during profile onboarding. Processing of such data is based on the specific and highlighted consent of the data subject (Article 11, I, of the LGPD) and is intended exclusively for diversity and inclusion purposes.

3.5.3. Coodesh provides specific consent forms in compliance with the LGPD for the processing of sensitive data, which may be customized by the Client Company.

4. Legal Bases for Processing

Coodesh processes personal data based on the following legal bases, as per the LGPD (Article 7) and the GDPR (Article 6):

  • Provision and operation of Services — LGPD: performance of contract (Art. 7, V) | GDPR: performance of contract (Art. 6, 1, b)
  • Account creation and maintenance — LGPD: performance of contract (Art. 7, V) | GDPR: performance of contract (Art. 6, 1, b)
  • Carrying out Assessments — LGPD: performance of contract (Art. 7, V) | GDPR: legitimate interest (Art. 6, 1, f)
  • Collection of sensitive data (diversity) — LGPD: specific consent (Art. 11, I) | GDPR: explicit consent (Art. 9, 2, a)
  • Video/audio recordings in Assessments — LGPD: consent (Art. 7, I) | GDPR: consent (Art. 6, 1, a)
  • Marketing communications — LGPD: consent (Art. 7, I) | GDPR: consent (Art. 6, 1, a)
  • Improvement and personalization of Services — LGPD: legitimate interest (Art. 7, IX) | GDPR: legitimate interest (Art. 6, 1, f)
  • Anonymized data for benchmarking — LGPD: legitimate interest (Art. 7, IX) | GDPR: legitimate interest (Art. 6, 1, f)
  • Security and fraud prevention — LGPD: legitimate interest (Art. 7, IX) | GDPR: legitimate interest (Art. 6, 1, f)
  • Compliance with legal obligations — LGPD: compliance with legal obligation (Art. 7, II) | GDPR: legal obligation (Art. 6, 1, c)

5. Purposes of Processing

We use the personal data collected for the following purposes:

5.1. Provision of Services: provide, operate, and administer the contracted Services, including carrying out Assessments, processing results, and generating skills reports.

5.2. Communication: send transactional communications (account confirmations, test results, security alerts), as well as newsletters and updates about the Services. You may opt out of marketing communications at any time through notification settings or the unsubscribe link in emails.

5.3. Service improvement: analyze usage patterns to enhance features, fix technical issues, develop new features, and optimize the User experience.

5.4. Sharing with Client Companies: when You complete an Assessment at the request of a Client Company, we share your results and evaluation information directly with the respective Client Company.

5.5. Anonymized data and benchmarking: use aggregated and anonymized data for statistical, research, market benchmarking purposes, and improvement of evaluation algorithms. Anonymized data does not allow individual identification.

5.6. Security and integrity: prevent fraud, abusive use, unauthorized activities, and ensure the security of the Platform.

5.7. Legal compliance: comply with legal, regulatory, tax obligations, or those arising from judicial or administrative orders.

6. Use of Artificial Intelligence

6.1. Some features of the Services use artificial intelligence and machine learning technologies, including language models provided by third-party providers, for functionalities such as answer analysis, question generation, and automated interview conduct.

6.2. When personal data is processed through artificial intelligence features, such processing occurs in compliance with applicable legal bases and with the security and privacy commitments established with third-party providers.

6.3. Personal data processed through AI features is not used for training third-party language models.

7. Data Sharing with Third Parties

7.1. Coodesh may share personal data with the following categories of third parties, always in compliance with applicable legislation and subject to contractual security and privacy commitments:

Payment processors:

  • Vindi (for payments in Brazil)
  • Stripe (for payments in Brazil and internationally)

CRM and marketing automation:

  • RD Station (CRM and marketing automation)

Digital contract signature:

  • Clicksign

Artificial intelligence providers:

  • OpenAI (processing of AI features, including AI Interviewer)

Infrastructure and hosting:

  • Amazon Web Services (AWS) and/or Google Cloud Platform (GCP)

7.2. Coodesh may also share personal data: (a) to comply with legal, regulatory obligations, or court orders; (b) to protect rights, property, or safety of Coodesh, its Users, or the public; (c) in the event of corporate reorganization, merger, acquisition, or sale of assets, subject to confidentiality commitment and continuity of data protection.

7.3. Data access via API. Coodesh provides an API for Client Companies to integrate the Services with their internal systems (ATS, LMS, corporate platforms). Personal data accessed or transmitted via API remains subject to this Policy and the Terms of Use. When consuming data via API, the Client Company assumes the condition of independent controller of the data received and is responsible for ensuring compliance with applicable data protection legislation in its environment.

7.4. MCP integrations with Client LLMs. Coodesh offers connectors based on the MCP (Model Context Protocol) that allow the Client Company to integrate the Services with its own or third-party language models (LLMs). When personal data is accessed by Client's LLMs through these integrations, Coodesh acts exclusively as a provider of the requested data, and the Client Company is fully responsible for the subsequent processing carried out by the LLM, including any retentions, inferences, or automated decisions.

7.5. Coodesh does not sell, rent, or commercialize personal data of its Users to third parties.

8. International Data Transfer

8.1. Given that Coodesh's infrastructure uses servers located in the United States (AWS and/or GCP) and that some of our service providers are headquartered or operate in other countries, personal data may be transferred, stored, and processed outside Brazil.

8.2. For data subjects in Brazil (LGPD): International data transfers are carried out in compliance with Article 33 of the LGPD and its regulations, based on: (a) standard contractual clauses ensuring compliance with the principles and rights provided in the LGPD; (b) adequacy commitments from recipients; or (c) when the destination country provides an adequate level of data protection.

8.3. For data subjects in the European Union/EEA (GDPR): International data transfers are carried out in compliance with Chapter V of the GDPR, based on: (a) Standard Contractual Clauses (SCCs) adopted by the European Commission; (b) adequacy decisions by the European Commission; or (c) the EU-US Data Privacy Framework, when applicable.

8.4. For additional information on the safeguards applied to international data transfers, contact our DPO via email at dpo@coodesh.com.

9. Data Retention

9.1. Coodesh retains personal data for as long as necessary to fulfill the purposes described in this Policy, subject to the following retention periods:

  • Account data (name, email) — while the account is active + 12 months after termination
  • Assessment results (Client Company) — while the contract is in force + 12 months after termination
  • Independent Candidate data — while the account is active + applicable legal period
  • Video and audio recordings — for the period necessary for service delivery + 6 months
  • Navigation and log data — up to 12 months
  • Financial and tax data — according to applicable tax legislation (minimum 5 years in Brazil)

9.2. Upon expiration of retention periods, data will be anonymized or securely deleted, except when retention is required by legal, regulatory obligation or for the regular exercise of rights in judicial or administrative proceedings.

10. Data Security

10.1. Coodesh adopts appropriate technical and organizational measures to protect personal data against unauthorized access, destruction, loss, alteration, communication, or any form of inadequate or unlawful processing, including:

  • Encryption of data in transit (TLS/SSL) and at rest;
  • Password encryption with secure algorithms;
  • Role-based access control (RBAC);
  • Access monitoring and logging (audit logs);
  • Regular backups in secure infrastructure;
  • Internal information security policies and team training.

10.2. Although Coodesh employs reasonable efforts to protect your data, no security system is completely foolproof. In the event of a security incident that may entail relevant risk or harm to data subjects, Coodesh will communicate the fact to the Brazilian National Data Protection Authority (ANPD), the competent supervisory authority (when applicable under the GDPR), and affected data subjects, within the time limits established by applicable legislation.

11. Rights of Data Subjects

11.1. In compliance with the LGPD and GDPR, You have the following rights regarding your personal data:

  • Confirmation and access — confirm the existence of processing and access your personal data
  • Correction — request the correction of incomplete, inaccurate, or outdated personal data
  • Anonymization, blocking, or deletion — request the anonymization, blocking, or deletion of unnecessary, excessive, or data processed in non-compliance with legislation
  • Portability — request the portability of your personal data to another service provider
  • Deletion — request the deletion of personal data processed based on consent
  • Information on sharing — obtain information about public and private entities with which Coodesh has shared your data
  • Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of processing carried out previously
  • Objection — object to processing carried out based on legitimate interest, if you believe there is a violation of applicable legislation
  • Complaint — file a complaint with the ANPD (in Brazil) or the competent supervisory authority (in the EU/EEA)

11.2. Additional rights for data subjects in the EU/EEA (GDPR): In addition to the rights above, data subjects in the EU/EEA have the right to: (a) request the restriction of processing in certain circumstances (Art. 18); (b) not be subject to decisions based solely on automated processing, including profiling, which produce significant legal effects (Art. 22); (c) file a complaint with the data protection authority of their country.

11.3. How to exercise your rights:

  • Via Platform: access User Menu > Settings to manage your data directly.
  • Via email: send your request to dpo@coodesh.com, stating your name, registered email, and the right you wish to exercise.

11.4. Coodesh will respond to data subject requests within 15 (fifteen) business days (LGPD) or 30 (thirty) days (GDPR), which may be extended according to the complexity of the request.

12. Data of Minors

12.1. Coodesh's Services are not directed to minors under 18 (eighteen) years of age. We do not intentionally collect personal data from minors. Should we become aware that we have collected data from a minor, we will take the necessary steps to delete it.

12.2. If You believe a minor has provided personal data to Coodesh, contact us via email at dpo@coodesh.com.

13. Links to Third-Party Sites

13.1. The Platform and Coodesh emails may contain links to third-party sites or services. This Privacy Policy does not apply to such sites or services. We recommend that You review the privacy policies of any third-party sites You visit.

14. Changes to this Policy

14.1. Coodesh may modify this Privacy Policy periodically to reflect changes in our Services, data processing practices, or applicable legislation.

14.2. Significant changes will be communicated through: (a) notice on the Platform; (b) email to the registered address; or (c) notification banner on the website.

14.3. We recommend that You review this Policy periodically. The date of the last update will always be indicated at the top of this document.

15. Contact

For questions, requests, or complaints related to this Privacy Policy or the processing of your personal data:

  • Data Protection Officer (DPO): dpo@coodesh.com
  • General support: help@coodesh.com
  • Address: Av. Afonso Pena, 3,351 – 11th floor, suite 1103 – Funcionários, Belo Horizonte/MG – ZIP 30130-008

Logo
Coodesh
About UsTerms and ConditionsCookies PolicyPrivacy PolicyContact
For Companies
AssessmentsHire DevelopersUpskillHelp Center
For Candidates
My Tech ProfileJobsRequest ReviewHelp CenterChallenges