Effective Date: June 2026

The Forge ("we", "our", or "the app") is a local-first songwriting application. We take your privacy very seriously. This Privacy Policy explains what information we collect, on what legal basis, how we use it, and what rights you have under the GDPR.

1. Categories of Personal Data We Process

A. Data stored only on your device (Local-first)

  • Song lyrics, song structures, projects and sessions you create
  • Personal profile information (name, skill level, notes, avatar)
  • Finished texts, personal notes, and subscriptions
  • Media files (images, audio) uploaded via the app
  • Technical settings and preferences
All the above data is stored locally in your browser using localStorage and IndexedDB. Nothing is sent to our servers unless you explicitly publish it on the Creators Wall (see section E).

B. Dropbox (optional)

  • If you choose to connect your Dropbox account, we access only the dedicated App Folder (/Apps/The Forge/).
  • We upload/download your encrypted or unencrypted profile backup files (profile*.json and full ZIP backups).
  • We do not access any of your other files outside the /Apps/The Forge/ App Folder.
  • Legal basis: consent (Art. 6(1)(a) GDPR).

C. Google Drive (optional)

  • If you choose to connect your Google account, the application accesses only the hidden AppData Folder on your Google Drive.
  • We upload and read your profile backup files to/from this folder.
  • The application does not access any of your other files on Google Drive.
  • Legal basis: consent (Art. 6(1)(a) GDPR).
  • The Forge's use of information received from Google APIs will adhere to the Google API Services User Data Policy.

D. Technical data and authentication

  • OAuth authentication tokens (stored only in your browser)
  • Supabase session cookie (to maintain login via Google OAuth)
  • Google OAuth scopes requested: openid, email, profile, https://www.googleapis.com/auth/drive.file (requested at sign-in to enable optional Google Drive backup)
  • Error logs (only when you explicitly send feedback via the form)
  • Device type and browser version (for improving responsiveness)
  • Legal basis: contract performance (Art. 6(1)(b) GDPR) — necessary for providing the service.

E. Creators Wall (Nástěnka / /creators)

  • When you publish a post on the public Creators Wall, the following is stored on our server (Supabase, EU region): post text, title, category, post type, license type (copyright), media links, anonymous flag, creation date.
  • IP address: For anonymous posts, we store a one-way hash of your IP address (SHA-256 + daily salt) for rate limiting purposes (max. 10 posts per day). The raw IP address is never permanently stored. The hash cannot be reversed to the original IP without knowledge of the daily salt.
  • User ID: If you are logged in, the post is linked to your profile. Even for anonymous posts, a technical link to the author exists in the database — anonymity is therefore pseudonymous (hidden from other users, not from the operator).
  • N-grams: For plagiarism detection, we store 3-word text fragments (n-grams) and their hash. These fragments are used to compare new posts against existing ones. They are deleted automatically when the post is deleted.
  • Legal basis: contract performance (Art. 6(1)(b) GDPR) — publication under the license agreement in ToS. For IP hash and n-grams: legitimate interest (Art. 6(1)(f) GDPR) — spam and plagiarism prevention.
  • Retention: Unapproved posts are automatically deleted after 90 days. Approved posts remain until deleted by the author or until the account is deleted.
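To illustrate the rate-limiting scheme described above (a one-way SHA-256 IP hash with a daily salt and a cap of 10 anonymous posts per day), here is an added example; it is not the app's own code. The salt derivation, the server secret, the sample IP addresses and the in-memory counter are assumptions made for the illustration, not details the policy states.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Constructed values for illustration only; the real app's salt source,
# storage (Supabase) and key layout are not described in the policy.
DAILY_POST_LIMIT = 10                          # "max. 10 posts per day"
_SALT_SECRET = b"constructed-example-secret"   # assumption: server-side secret


def daily_salt(day: date) -> bytes:
    """Derive the day's salt from a server secret and the calendar date.
    Because the salt changes daily, hashes from different days cannot be
    linked to each other, and the salt is never written next to the hash."""
    return hmac.new(_SALT_SECRET, day.isoformat().encode(), hashlib.sha256).digest()


def hash_ip(ip: str, day: date) -> str:
    """One-way SHA-256 of the IP bound to that day's salt.
    The salt is what makes this one-way in practice: the IPv4 space is only
    2^32 addresses, so an unsalted hash could be inverted by enumeration."""
    return hashlib.sha256(daily_salt(day) + ip.encode()).hexdigest()


class AnonymousPostLimiter:
    """Counts anonymous posts per (day, ip_hash) and refuses the 11th."""

    def __init__(self, limit: int = DAILY_POST_LIMIT) -> None:
        self.limit = limit
        self.counts = defaultdict(int)   # (day, ip_hash) -> posts so far

    def try_post(self, ip: str, day: date) -> bool:
        """Return True and record the post if under the limit, else False.
        Only the salted hash is used as a key; the raw IP is not retained."""
        key = (day, hash_ip(ip, day))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True
```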

F. Plagiarism / originality check

  • Before publishing a post, the first 12 words of the text may be sent to the DuckDuckGo Lite API for originality checking.
  • Only a text fragment is sent — never your identity or IP address (the request originates from our server).
  • Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — prevention of plagiarism.

G. Internal tools and security

  • Honeypot system: Raw IP addresses are temporarily stored in Redis cache (Upstash, EU region, 24h TTL) for bot detection and DDoS protection. Data is automatically deleted after 24 hours.
  • Visit counting: IP hash is temporarily stored in Redis cache (24h TTL) for counting unique daily visitors.
  • Rhyme API rate limiting: IP address is held in server memory for a few minutes only. Not persisted.
  • Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — security and infrastructure protection.

We do not collect

  • National ID number, passport, home address
  • Phone number
  • Payment information (credit cards, bank accounts)
  • Precise geolocation
  • Biometric data
  • Third-party tracking cookies

2. Legal Bases for Processing (Art. 6 GDPR)

Overview of legal bases

  • Consent (Art. 6(1)(a)): Dropbox and Google Drive backup, PostHog anonymous analytics (optional, opt-in).
  • Contract performance (Art. 6(1)(b)): Authentication, profile, Creators Wall publication, account management — all necessary for providing the service under ToS.
  • Legitimate interest (Art. 6(1)(f)): Rate limiting, honeypot bot detection, plagiarism check, visit counting — we conduct a balancing test (Legitimate Interest Assessment, LIA) and continuously evaluate proportionality.

3. How We Use Your Information

  • To provide you with the songwriting tools and features
  • To enable optional Dropbox or Google Drive backup and synchronization
  • To remember your preferences and saved projects
  • To publish your posts on the public Creators Wall (only after your explicit submission for approval)
  • To improve the application (only based on anonymous feedback)
  • To protect against spam and abuse (rate limiting, honeypot)
  • To check originality of Creators Wall posts

4. Data Sharing and Third Parties (Processors and Recipients)

We share your data only with the following processors, who are contractually bound by a Data Processing Agreement (DPA) under Art. 28 GDPR:

  • Supabase (EU region) — database and authentication. All persistent data.
  • Vercel (EU region) — application hosting and serverless functions.
  • Upstash (EU region) — Redis cache for honeypot and visit counting (IP addresses, 24h TTL).
  • PostHog (EU region) — anonymous analytics (opt-in consent only).
  • Dropbox International Unlimited Company (USA) — optional backup (transfer under SCC).
  • Google LLC (USA) — Google Drive backup and OAuth authentication (transfer under Data Privacy Framework).
We do not sell, rent, or share your personal data with advertising networks or any other third parties for marketing purposes.

API queries to external services (sent from our server, not from your browser):

  • DuckDuckGo Lite — first 12 words of text (originality check).
  • RhymeBrain — search word (rhyming API). Your IP address is never sent; the request originates from our server.
  • Free Dictionary API — search word (dictionary definitions).
These API queries go to independent public services — they are not data processors under Art. 28 GDPR. Only text fragments or search words are sent, never personal data.

5. Data Retention Periods

  • User profile: for the duration of the account. Upon account deletion, data is irreversibly deleted (or anonymized where service nature requires — e.g., Creators Wall posts remain but the user_id link is removed).
  • Unapproved Creators Wall posts: automatically deleted after 90 days.
  • IP hash in creators_posts: for the lifetime of the post. Once approved, the hash is no longer needed for rate limiting but retained for record consistency. Deleted when the post is deleted.
  • Redis cache (honeypot, visits): 24 hours.
  • Moderation logs: 3 years for traceability purposes.
  • Support tickets and messages: 3 years after ticket closure.
  • Admin inbox messages: 2 years.

6. Security

  • Local data is stored only on your device.
  • Dropbox or Google Drive backups can be protected with AES-256-GCM encryption using a password you choose.
  • We use industry-standard security practices (PKCE OAuth, Web Crypto API, HTTPS, Content Security Policy).
  • IP addresses are hashed using SHA-256 with a daily rotating salt.

7. Your Rights under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): You may request a copy of all personal data we process about you.
  • Right to rectification (Art. 16): You can correct inaccurate data in your profile settings.
  • Right to erasure (Art. 17): You may request deletion of your account and all related data. Creators Wall posts will be anonymized (text remains, but the link to your profile is removed).
  • Right to restriction of processing (Art. 18): You may request temporary restriction of processing of your data.
  • Right to data portability (Art. 20): You can export your data as a ZIP backup.
  • Right to object (Art. 21): You may object to processing based on legitimate interest (e.g., rate limiting).
To exercise any of these rights, contact us via support. We will respond within 30 days.

To request deletion of an anonymous post, include the post URL and PIN (if set) in your request. For security reasons, we cannot delete content without sufficient identification of the post.

By contacting support via email to request deletion of an anonymous post, you acknowledge that your email address will be linked to the post for the duration of the request processing.

8. Contact

For any privacy-related questions, to exercise your GDPR rights, or to report a suspected data breach, contact us at:

theforgewrite@gmail.com


We will respond within 30 days.