Privacy Policy
This Privacy Policy explains how Quiet Forge collects, uses, and protects personal data when you use our Service or visit our website.
1. Data we collect
Account data
Email, name, hashed password, organization name. Required to create and operate your account.
Usage data
Pages viewed, actions performed, IP address, browser/OS metadata, timestamps. Used for analytics, abuse prevention, and product improvement.
Billing data
Stripe processes all card details; we never see them. We store the customer ID, last 4 digits, billing email, and invoice history.
Customer Data
Project, task, and team data you upload. Stored encrypted at rest in EU (Frankfurt).
2. How we use data
To operate the Service, process payments, send transactional and (with your consent) marketing emails, prevent abuse, comply with legal obligations, and improve the product.
3. Sub-processors
We share limited data with the following processors, each bound by a DPA:
- Supabase (US/EU) — managed Postgres + auth.
- Stripe (US/EU) — payments.
- Sentry (US) — error tracking.
- PostHog (EU) — product analytics.
- Crisp (FR) — customer support chat.
- Resend (US) — transactional email.
- OpenAI (US) — AI-powered task generation. Only triggered when you toggle "Generate with AI" in the task creation modal. See section 3a below.
3a. AI-powered task generation
When you opt into the "Generate with AI" mode in the task creation flow, the following data is sent to OpenAI's API for processing:
- The natural-language prompt you type into the modal.
- The project's name and code (no description if your project has none).
- Names and roles of project members (so the AI can resolve "@mentions"). Email addresses, phone numbers, and other contact details are never sent.
- Active milestone names and due dates within that project.
- Today's date (so phrases like "by end of week" resolve correctly).
We do not send: content of existing tasks, comments, attachments, audit history, or data from other projects you don't have access to.
Tenant retention: we keep no copy of the prompt or generated drafts on our side beyond what you explicitly save as tasks. The daily-quota counter records only the call count (an integer per organization per day) — no prompt content.
OpenAI retention: per OpenAI's API Data Usage Policies, data sent through their API is not used to train their models, and is retained only for abuse monitoring (typically 30 days) before deletion.
Opt-out: the feature is off by default. You can use the manual task creation form (the default) at any time to keep all task creation entirely within Quiet Forge — no AI provider involved.
To request deletion of any AI-generated content from your account, email legal@quietforge.tech.
4. Your GDPR rights
You have the right to access, rectify, erase, restrict, port, or object to processing of your personal data. To exercise any of these rights, email legal@quietforge.tech. We respond within 30 days.
5. Data retention
- Account data: retained while your account is active and for 90 days after deletion.
- Backups: retained 30 days, encrypted.
- Audit log: per plan (7–365 days, unlimited on Enterprise).
- Billing records: 7 years (legal obligation).
6. Cookies
We use essential cookies for session management and consent-based analytics cookies. See our Cookie Policy for details.
7. International transfers
Some processors are based in the US. Transfers are protected by Standard Contractual Clauses (SCCs).
8. Changes
We will notify you of material changes by email at least 30 days in advance.
9. Contact
For privacy questions, email legal@quietforge.tech.