Privacy Policy.

1. Overview

GlobalCodio is a platform operated by Medicodio Inc. ("Company," "GlobalCodio," "we," "our," or "us"), a Delaware corporation. We operate a managed immigration technology platform for immigration law firms and corporate immigration departments. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website at www.globalcodio.ai, our platform (CodioCMS, CodioForms, Codio AI Agents, CodioNetwork), or engage with our services.

By accessing or using our services, you agree to this Privacy Policy. If you do not agree, please discontinue use of our services.

2. Information We Collect

Information You Provide Directly

• Account information - name, work email address, organization name, job title, and password when you register.
• Contact form submissions - full name, work email, organization name, company website, and any message you send via our contact form.
• Client and case data - immigration case information, foreign national details, document data, and workflow data entered into CodioCMS or CodioForms by our firm clients.
• Communications - emails, support tickets, and other messages you send to us.

Information Collected Automatically

• Log data - IP address, browser type, pages visited, time spent, and referring URLs.
• Device information - hardware model, operating system, and browser version.
• Usage data - features used, actions taken, and performance metrics within our platform.
• Cookies and tracking technologies - see Section 10 for details.

Information from Third Parties

• Linked Google account - if you choose to sign in with Google or connect your Google account, we receive data from Google APIs as described in Section 3 (Google User Data). You may link or unlink your Google account at any time, consistent with our Terms of Service.
• Information from other third-party integrations you authorize (e.g., e-signature providers, calendar tools, accounting software).
• Business contact information from publicly available sources for outreach purposes.

3. Google User Data

GlobalCodio integrates with Google APIs so you can sign in with Google and send case-related and notification emails from your own mailbox. This section describes exactly what Google user data we access, why, how it is stored, and the strict limits we place on its use. It applies in addition to, and prevails over, the rest of this policy for any data obtained through Google APIs.

Scopes We Request & What Each Powers

• Sign-in (profile & email) - your name, email address, and Google profile identifier. Used solely to create and authenticate your GlobalCodio account and to display your identity within the product.
• Send email (.../auth/gmail.send) - permission to send email on your behalf from your own Gmail mailbox. Used solely to send case-status and notification emails (for example, to clients, foreign nationals, or your team) that you compose or trigger inside GlobalCodio. We do not use this scope to read, search, modify, or delete any message in your mailbox; gmail.send only sends.

Storage & Retention

Google access and refresh tokens are encrypted at rest (AES-256) and in transit (TLS 1.2+), and are stored only to maintain your authenticated session and to send emails you initiate. Profile and email data are retained for the life of your account. Tokens are deleted when you unlink your Google account or close your account, and in any event within 30 days of that event. We do not retain copies of the emails we send beyond the operational logs needed to confirm delivery.

How Google User Data Is — and Is Not — Used

• Never used to train AI/ML. Google user data (including Gmail-scope data and Google profile data) is never used to train, retrain, evaluate, or improve any artificial-intelligence or machine-learning models, whether ours or a third party’s.
• Never used for advertising. Google user data is never used for advertising, remarketing, interest-based advertising, or audience building, and is never associated with advertising identifiers.
• Never sold. We do not sell, rent, or trade Google user data.
• Not shared. Google user data is not transferred to others except as needed to provide or improve the user-facing feature you requested, to comply with applicable law, or as part of a merger or acquisition (with notice), and never for the purposes listed above.

Human Access

Humans at GlobalCodio do not read, and do not have routine access to, data obtained through Gmail scopes. We access such data only: (a) at your explicit request (for example, to troubleshoot a problem you report); (b) where necessary for security purposes or to investigate abuse; (c) to comply with applicable law; or (d) in aggregated, de-identified form for internal operations and analytics.

Limited Use

GlobalCodio’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. How We Use Your Information

We use personal information to:

• Provide, operate, and improve our platform and services.
• Process and manage immigration cases on behalf of our firm clients.
• Respond to inquiries, support requests, and contact form submissions.
• Send service-related communications including onboarding, updates, and security alerts.
• Send marketing communications where you have opted in or where permitted by law.
• Analyse usage patterns to improve functionality and user experience.
• Comply with legal obligations, including data protection laws and immigration regulations.
• Detect, prevent, and investigate fraud, abuse, and security incidents.

Legal bases (GDPR): We process personal data on the basis of contract performance, legitimate interests, legal obligations, and consent where applicable.

5. How We Share Information

We do not sell personal information. We may share information with:

Service Providers

Third-party vendors who assist us in operating our platform, including cloud hosting providers, analytics tools, e-signature platforms, and customer support software. These vendors are contractually bound to process data only on our behalf and under our instructions.

CodioNetwork Partners

When coordinating immigration services (translations, medical exams, apostille, courier), we share necessary case information with CodioNetwork service providers under confidentiality agreements.

Legal Requirements

We may disclose information when required by law, court order, or governmental authority, or to protect the rights, property, or safety of GlobalCodio, our clients, or others.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected parties prior to any such transfer.

6. Data Retention

We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Immigration case data is retained in accordance with applicable immigration laws and our clients' instructions. When data is no longer required, we securely delete or anonymise it.

• Account data - retained for the duration of the client relationship plus 3 years.
• Case data - retained per client instruction and applicable legal requirements.
• Log and usage data - retained for up to 12 months.
• Marketing data - retained until you opt out or withdraw consent.

7. Security

GlobalCodio implements industry-standard technical and organisational measures to protect personal information, including:

• SOC 2 Type II audited security controls.
• ISO/IEC 27001 certified information security management.
• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and multi-factor authentication.
• Regular penetration testing and vulnerability assessments.
• 24/7 security monitoring and incident response.

Despite our safeguards, no system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law.

8. Your Rights & Choices

Depending on your location, you may have the following rights:

All Users

• Access - request a copy of the personal data we hold about you.
• Correction - request correction of inaccurate or incomplete data.
• Deletion - request deletion of your personal data where no longer necessary.
• Opt-out of marketing - unsubscribe from marketing emails at any time via the link in any email.

EEA, UK & Switzerland (GDPR / UK GDPR)

• Portability - receive your data in a structured, machine-readable format.
• Restriction - request that we limit how we process your data.
• Objection - object to processing based on legitimate interests.
• Withdraw consent - where processing is based on consent, withdraw at any time.
• Lodge a complaint - with your local supervisory authority.

California Residents (CCPA / CPRA)

• Right to know what personal information is collected, disclosed, or sold.
• Right to delete personal information.
• Right to opt-out of the sale or sharing of personal information (we do not sell personal information).
• Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at info@globalcodio.ai. We will respond within 30 days (or as required by applicable law).

9. International Data Transfers

GlobalCodio operates from the United States and India. If you are located outside these countries, your information may be transferred to and processed in countries that may not have equivalent data protection laws to your home country.

Where required by law (e.g., GDPR), we use appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to protect data transferred outside the EEA.

10. Cookies, Analytics & Advertising

We use the following types of cookies and similar technologies:

• Essential cookies - required for the platform to function (authentication, session management). Cannot be disabled.
• Analytics cookies - help us understand how visitors interact with our website (e.g., page views, traffic sources).
• Preference cookies - remember your settings and preferences.

You can control cookies through your browser settings. Disabling non-essential cookies will not affect your ability to use our core services. Where required by law, we obtain consent before placing non-essential cookies.

Google Analytics & Advertising

We may use Google Analytics and Google advertising products to measure and promote our public website. These tools apply only to website visitors — for example, to analyze website traffic and to display relevant advertising about GlobalCodio on third-party websites. They are never applied to, and never combined with, data obtained through Google OAuth sign-in or Gmail scopes (see Section 3). Data obtained through Google APIs is never used for interest-based advertising, remarketing, or audience building. You can opt out of Google Analytics using Google’s browser add-on.

11. Children's Privacy

Our services are intended for business users and are not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16 without appropriate consent, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective date" at the top of this page and, where appropriate, by sending an email notification to registered users.

Your continued use of our services after the updated policy takes effect constitutes acceptance of the revised policy.

13. Contact Us

GlobalCodio is operated by Medicodio Inc. If you have questions about this Privacy Policy, wish to exercise your rights, or have a privacy concern, please email info@globalcodio.ai or write to us at any of the addresses below: