Privacy Policy
Forjet — forjet.dev
Last updated: April 2026
What This Policy Covers
This Privacy Policy explains what data Forjet collects, why we collect it, how we use it, and your rights regarding that data. Forjet is operated by Youssef Alaoui ("we," "us," "our"). This policy applies to all users of forjet.dev and the Forjet application.
We keep this document short and direct. No legal fog.
What We Collect
Information You Provide
Account information. When you sign up: email address, name (optional), and password or authentication token if using a third-party login provider (e.g., GitHub OAuth, Clerk).
Waitlist information. If you join our waitlist before launch: email address and the date you signed up.
Project data. When you create a project: the GitHub repository URLs you provide, the text prompts you write describing your project, and your configuration preferences (CORS origins, API URLs, project name).
Payment information. If you purchase a Lifetime Deal or subscription: payment is processed by our payment provider (Stripe, LemonSqueezy, or Gumroad). We do not store your credit card number, CVV, or full payment details. We receive: email, transaction ID, tier purchased, and amount.
Communications. If you email us, submit feedback, or contact support: the content of your message and your email address.
Information Collected Automatically
Usage data. Pages visited, features used, scaffolds created, timestamps. This helps us understand which parts of Forjet work well and which need improvement.
Technical data. Browser type, operating system, screen resolution, IP address (anonymized after 30 days). We do not fingerprint your device.
Scaffold metadata. When you run a scaffold: which repos were selected, which transformations were applied, sandbox validation results (pass/fail), and download events. We do NOT store the generated source code — the ZIP is built, delivered to you, and not retained on our servers.
Information We Do NOT Collect
- We do not read or store the contents of your GitHub repositories beyond what is necessary to perform the scaffold operation.
- We do not access your private GitHub repositories unless you explicitly authorize it.
- We do not sell your data to anyone. Ever.
- We do not run behavioral advertising.
- We do not use third-party tracking pixels (Facebook Pixel, Google Ads, etc.).
How We Use Your Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, waitlist communication, transactional emails | Consent (you signed up) |
| Project prompts & repo URLs | Generating your scaffold | Contract performance (you asked us to build something) |
| Usage data | Improving the product, fixing bugs | Legitimate interest |
| Payment data | Processing your purchase, fraud prevention | Contract performance |
| IP address (anonymized) | Security, abuse prevention, rate limiting | Legitimate interest |
We do not use your project data (prompts, repo URLs, scaffold results) to train AI models. Your projects are yours.
Where Your Data Lives
Forjet's infrastructure runs on:
- Railway (application hosting) — servers in the US and EU
- Neon PostgreSQL (database) — EU region
- Cloudflare (CDN, DDoS protection) — global edge network
- Netlify (frontend hosting) — global CDN
Your data may be transferred to and processed in countries outside your country of residence. We ensure all providers meet adequate data protection standards.
Data Retention
| Data | Retention Period |
|---|---|
| Account data | As long as your account exists. Deleted within 30 days of account deletion. |
| Waitlist emails | Until launch + 90 days. Unsubscribed emails deleted within 7 days. |
| Scaffold metadata | 90 days (for debugging and product improvement), then anonymized. |
| Generated source code (ZIPs) | Not retained. Built on-demand, delivered, and discarded. |
| Payment records | 7 years (legal requirement for financial records). |
| Server logs | 30 days, then deleted. IP addresses anonymized after 30 days. |
Your Rights
Regardless of where you are located, you have the right to:
- Access your data — request a copy of everything we have about you.
- Correct your data — update inaccurate information.
- Delete your data — request account and data deletion. We will comply within 30 days.
- Export your data — receive your data in a portable format.
- Opt out of marketing emails — every email includes an unsubscribe link. One click.
- Object to processing based on legitimate interest — email us and we will review.
For EU/EEA residents (GDPR): You have additional rights under the General Data Protection Regulation, including the right to restrict processing and the right to lodge a complaint with your local data protection authority.
For California residents (CCPA): We do not sell your personal information. You have the right to know what data we collect, request deletion, and not be discriminated against for exercising your rights.
To exercise any of these rights, email: privacy@forjet.dev
We will respond within 30 days.
Cookies
Forjet uses only essential cookies required for the application to function (session tokens, authentication state). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
If this changes in the future, we will update this policy and notify you.
Third-Party Services
Forjet integrates with the following third-party services, each with their own privacy policies:
| Service | Purpose | Their Privacy Policy |
|---|---|---|
| GitHub | Repository cloning and analysis | github.com/privacy |
| Clerk | Authentication (if enabled) | clerk.com/privacy |
| Stripe / LemonSqueezy | Payment processing | stripe.com/privacy |
| Cloudflare | CDN and security | cloudflare.com/privacypolicy |
| Railway | Application hosting | railway.app/legal/privacy |
Security
We implement the following security measures to protect your data:
- All data transmitted over HTTPS (TLS 1.2+)
- Passwords hashed with bcrypt (never stored in plain text)
- API keys encrypted at rest
- Role-based access control on all internal systems
- Firecracker microVM sandbox isolation for code execution — your scaffold runs in a locked-down VM with no network access to other users' data
- Regular dependency audits and vulnerability scanning
If you discover a security vulnerability, please report it to security@forjet.dev. We take all reports seriously and will respond within 48 hours.
Children
Forjet is not designed for or directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time. When we do:
- The "Last updated" date at the top will change.
- For significant changes, we will notify you via email or an in-app notification.
- We will never retroactively reduce your privacy protections without your consent.
Contact
For any privacy questions or data requests:
Email: privacy@forjet.dev
Responsible person: Youssef Alaoui
Location: Kenitra, Morocco
This policy is written in plain language because we believe you shouldn't need a lawyer to understand how your data is handled.