Privacy manifesto

Nothing about you ever leaves this room.

CodeB Conference is a meeting tool, not a data product. We don't run analytics on you, we don't log who you spoke to, we don't keep your face or voice anywhere, and we don't sell anything to anyone about you. This page is an exhaustive enumeration — not a marketing tagline.

01 / Things we do not do

The list of "no".

None of the following exist anywhere in CodeB Conference. No exceptions, no "but only if you opt in", no asterisks.

No third-party analytics — no Matomo, no Plausible, no Mixpanel, no Amplitude, no Segment, no first-party analytics either.
No advertising trackers — no ad-network pixels of any kind. No retargeting tags, no audience pixels.
No cookies — we don't set any cookies, first-party or otherwise. The app uses localStorage for your preferences only, and even that stays on your device.
No session recording, heatmaps or scroll tracking — no FullStory, Hotjar, LogRocket, Mouseflow or similar.
No A/B testing platforms — no Optimizely, no LaunchDarkly, no feature-flag service of any kind.
No error reporting to third parties — no Sentry, no Bugsnag, no Datadog RUM. Errors stay in your browser console.
No CDN dependencies in the call path — the QR code generator, the WebRTC client and the signaling endpoint are all served from phone.codeb.io.
No mandatory third-party logins — no social-account sign-in, no Microsoft account, no SSO required to join a room. You enter a room code; you're in.
No identity providers in the middle — your name is whatever you type; we don't verify it against an external directory.
No meeting persistence on any server — recordings exist only on the recorder's machine; chat lives only in browser memory and disappears when the tab closes.
No telemetry from the app itself — the running browser code does not send "the user clicked X" events to any endpoint, period.
No ad-supported tier — there are no ads on any page, ever.

02 / Things we do

The list of "yes — briefly".

The list of things that actually happen is short enough to fit on this page.

The IIS server keeps a short in-memory list of "who is in which room right now" so it can route signaling between you. When the last person leaves the room, the entry is gone. Nothing is written to disk.
Standard IIS access logs record HTTP requests (URL, status code, IP, user agent) the same way every web server does. Most operators rotate these out after 14 days. We do not parse them.
Your browser stores a handful of personal-preference keys in localStorage: display name, selected camera/microphone, mirror toggle, push-to-talk, auto-spotlight, background-blur, join-muted and join-camera-off. Clear your browser data and they're gone.
For meetings that require it, an HMAC-SHA1 TURN credential is generated for your browser at room-join time. The credential expires after one hour. It does not contain your name, email or any persistent identifier.

03 / Third-party network calls

Where bytes leave our network.

Three external hosts may be contacted by the browser, depending on which features you use. None of them ever see your video, audio, chat or files.

Host	Why	What it sees	Avoidable?
Public web-fonts CDN	Loads the Raleway + IBM Plex Mono typefaces for the page chrome.	Your IP and the fact that you opened the page. No content.	Yes — replace with self-hosted woff2 files in the `css/` folder for a fully offline build.
Public STUN servers	STUN — tells your browser its own public IP so WebRTC can negotiate a direct connection.	One small UDP packet per call. No media, no name, no room code.	Yes — point `StunHosts` in `web.config` at the CodeB TURN server, which also speaks STUN.
Public asset CDNs	Loads the MediaPipe Selfie Segmentation model — only if you enable Background Blur.	Two HTTP requests at first activation. Model is then cached.	Yes — mirror the WASM + .tflite files locally and edit two URLs in `conference.js`.

For an air-gap install, the WebRTC signaling, TURN relay, JS, CSS, fonts and ML model can all live on the customer's own LAN. The build supports it; the recipe is documented in the deployment README.

04 / A note on the amber screen

Why the colour scheme looks like a 1980s terminal.

The accent colour you see throughout CodeB Conference — that warm #f5a524 against the deep #0a0d12 background — is a deliberate tribute to amber-phosphor CRT monitors.

For roughly fifteen years, from the late 1970s into the early 1990s, the people who ran the world's most consequential computers stared at amber screens. The IBM 5151, the Wyse 50, terminals on hospital nursing stations, manufacturing line PLCs, air-traffic-control consoles, defence command terminals — they all glowed in this same warm yellow at around 580 nm wavelength.

The reason wasn't aesthetic. Amber phosphor (P3, later P134) was chosen because it sits in the sweet spot of the human eye's photopic sensitivity curve. Operators staring at a screen for ten or twelve hours — radiologists, air-traffic controllers, machine-tool programmers — experienced measurably less eye fatigue with amber than with the otherwise-common green P1 phosphor, and significantly less than with the white CRTs that became fashionable later. Amber was the colour of tools for people whose work mattered.

C:\> LOGON CONSOLE.42
ACCESS GRANTED · OPERATOR SE-002 · 2026-05-22 09:14:33
> DIAL ROOM TEAM-STANDUP
ROOM OK · 3 PEERS · TURN OK
>

That's the lineage we wanted CodeB to invoke. A serious tool for people doing serious work — clinicians, engineers, factory operators, public servants, defence supply chains — the same people CodeB Identity Solutions has served for two decades. The codeb.io design language uses amber the way those terminals did: high signal, no decoration. There is one accent colour because the work is what matters; the chrome shouldn't compete with it.

(And there's a small practical bonus: against a dark background, amber has the highest perceptual contrast of any single accent colour, and it remains distinguishable to people with the most common forms of red-green colour vision deficiency. The 1980s engineers picked it for ergonomic reasons; we picked it for the same ones plus a bit of historical respect.)

05 / Commitments

The promise written down.

If any of the items in section 01 ("things we do not do") ever stops being true, this page changes before the change ships. We won't roll trackers in quietly. We won't bury new analytics three menus deep.

The source code for CodeB Conference lives on your own IIS server. Every JavaScript file, every C# handler and the entire TURN service is open to inspection by anyone in your organisation. There is no obfuscation, no minification step that hides logic, and no compiled binary that contains anything not visible in the source.

If you spot something in the running app that contradicts this manifesto, please write to info@codeb.io. A real person reads that inbox — or answers that phone.

See also: data flow · features · Aloaha privacy manifesto

A note on cookies and OIDC sign-on

CodeB ships with a built-in OpenID Connect identity provider. We make a deliberate trade-off: no cookies, anywhere on the site, including for SSO. Instead, when you sign in at the IdP, the server stores a short-lived signed assertion in localStorage at the IdP origin only (phone.codeb.io) so that a second relying party can re-use your authentication for 30 minutes without re-prompting. That assertion is:

Origin-bound: it lives at the IdP origin’s storage bucket. Other sites can’t read it.
Never transmitted automatically: cookies are sent by the browser on every request; this assertion is only POSTed when the IdP’s own login page explicitly chooses to use it.
Short-lived: 30 minutes idle, 4 hours absolute. After that you re-authenticate.
Cleared on logout: hitting end-session removes it.
Not used for tracking: it carries only your identity (sub) + role + expiry. No analytics, no cross-site correlation, no advertising IDs.

In short: the privacy promise is “no cookies”, and we keep it. Where session continuity was needed, we used a different storage primitive on purpose and scoped it as narrowly as we know how.