Privacy Policy
Effective date: March 1, 2026 · Last updated: March 2026
At GabForge AI, privacy is not an afterthought — it is the foundational design principle behind every product we ship. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the rights you have over your data when you use our Services at gabforge.ai, the GabForge API at api.gabforge.ai, GabForge Studio IDE, GabForge OS, and GabForge Creative Suite (collectively, the "Services").
Local-First Privacy Guarantee
When you use GabForge Studio IDE or GabForge OS with local AI models, your code never leaves your machine. No prompt, no source file, and no generated output is transmitted to GabForge servers. We do not collect telemetry on your codebase or local AI sessions.
1. Data Controller
The data controller for personal data processed through the Services is:
GabForge AI
Website: gabforge.ai
Privacy contact: [email protected]
"Data controller" means the entity that determines the purposes and means of processing your personal data. This policy applies to personal data processed by GabForge AI. Where you use open-source products (GabForge Studio IDE, GabForge OS, GabForge Creative Suite) entirely offline, GabForge AI does not act as a data controller for that usage because no data is transmitted to us.
2. What Data We Collect
We collect the minimum data necessary to provide, maintain, and improve the Services. The categories of data we may collect are:
Account Data
- Email address — used for authentication, billing notifications, and product updates.
- Display name — shown in your dashboard and, if you choose to post in community spaces, publicly visible.
- Password — stored as a hashed derivative using Argon2id. We never store your plaintext password.
- Account creation date and last login timestamp.
Billing and Payment Data
- Subscription tier and billing history — stored in our systems for accounting and customer service purposes.
- Payment method token — we receive a tokenised reference from our payment processors (Stripe, PayPal, Razorpay). We do not store raw card numbers, CVV codes, or bank account details on GabForge servers.
- Billing address — collected where required for tax purposes (for example, GST compliance for Indian customers).
API Usage Data
- Request metadata: timestamp, model used, token counts (input and output), credit cost, API key identifier, and HTTP status code.
- This metadata is retained for billing verification and abuse prevention. It does not include the content of your prompts or the generated responses.
Website and Dashboard Analytics
- Standard web server logs: IP address (anonymised after 24 hours), browser user agent, referring URL, pages visited, and session duration.
- We use self-hosted, privacy-preserving analytics. We do not use Google Analytics or any other third-party behavioural tracking service.
Support Communications
- When you contact us by email or through the support portal, we retain the content of that correspondence in order to respond to your request and maintain a support history.
Data We Do Not Collect
- The contents of your prompts or generated outputs when using the cloud API.
- Your source code, files, or project data in any form.
- Keystroke data, screen recordings, or any behavioural telemetry from GabForge Studio IDE or GabForge OS unless you have explicitly opted in to an optional diagnostics programme.
3. Local-First Inference
GabForge Studio IDE and GabForge OS include a built-in AI inference engine (powered by llama.cpp with Vulkan GPU support). When you use AI features with a locally downloaded model:
- All inference runs entirely on your own hardware.
- Your prompts, code context, and AI responses exist only in your machine's memory and, optionally, your local filesystem.
- No data is transmitted to api.gabforge.ai or to any GabForge server.
- No usage metadata is recorded by GabForge for local inference sessions.
- Model weights are downloaded from our model registry at initial setup and then stored locally at ~/.local/share/gabforge/models/. The download is a one-time transfer of model files; it does not include any of your personal data.
This local-first architecture means that GabForge AI has no technical ability to access your code or AI interactions during local inference, regardless of any legal compulsion or security incident.
4. Cloud API Processing
When you send requests to api.gabforge.ai (whether directly via the API or by configuring GabForge Studio to use the cloud API):
Ephemeral Processing
Your prompt and any associated context are transmitted over TLS 1.2 or higher to our inference servers, processed to generate a response, and the response is returned to you. The prompt and response are held only in volatile memory during the request lifecycle. They are not written to disk, not logged to any database, and not retained after the response is sent.
No Training on Your Data
GabForge does not use the content of your API requests or responses to train, fine-tune, evaluate, or otherwise improve any AI model. Our models are trained exclusively on publicly available datasets and data for which we hold appropriate licences. This commitment applies without exception and regardless of your subscription tier.
What Is Retained from API Requests
We retain only request metadata (timestamp, model, token counts, credit cost, API key identifier, and response status) for billing, quota enforcement, and abuse detection. This metadata does not contain any portion of your prompt or response content. Metadata is retained for 90 days and then deleted.
5. How We Use Your Data
We use the data we collect for the following purposes:
- Providing the Services — authenticating your account, processing API requests, managing credits and subscriptions, and delivering product updates.
- Billing and payments — processing subscription fees, top-up purchases, and issuing receipts and tax invoices.
- Security and abuse prevention — detecting and preventing fraudulent activity, rate-limit abuse, and violations of our Acceptable Use Policy.
- Customer support — responding to your enquiries and resolving technical issues.
- Product improvement — using aggregated, anonymised analytics to understand how the Services are used and to identify areas for improvement. This analysis never involves the content of your prompts or code.
- Legal compliance — retaining records as required by applicable law, including tax and accounting obligations.
- Communications — sending you transactional emails (receipts, password resets, security alerts) and, where you have opted in, product newsletters and announcements. You may opt out of marketing communications at any time.
We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes.
6. Cookies and Tracking Technologies
Cookies We Set
We use a minimal set of cookies necessary for the Services to function correctly:
- __gf_session (essential) — A signed, HttpOnly, Secure session cookie that identifies your authenticated session. Set when you log in; expires when you log out or after 30 days of inactivity. This cookie does not contain any personally identifiable information; it holds only a random session token that is validated server-side.
- __gf_csrf (essential) — A CSRF protection token used to prevent cross-site request forgery attacks. Set on all pages that contain forms.
- __gf_theme (preference) — Stores your light/dark mode preference. No personal data; expires after 1 year.
Cookies We Do Not Set
- No third-party advertising or retargeting cookies.
- No persistent cross-site tracking cookies.
- No Google Analytics, Facebook Pixel, or similar third-party behavioural tracking scripts.
Managing Cookies
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, refusing the __gf_session cookie will prevent you from logging in to your account. Preference and CSRF cookies are required for normal operation of the authenticated dashboard.
7. Third-Party Services
Payment Processors
We use the following payment processors to handle subscription billing and top-up purchases. When you make a payment, you are subject to the privacy policy of the relevant processor in addition to this policy:
- Stripe — stripe.com/privacy. PCI DSS Level 1 certified.
- PayPal — paypal.com/privacy. PCI DSS compliant.
- Razorpay (India) — razorpay.com/privacy. RBI-licensed payment aggregator.
GabForge shares with payment processors only the minimum data necessary to process a transaction: your email address, billing amount, currency, and subscription details. We do not share your API usage data or code with payment processors.
Email Delivery
Transactional and notification emails are sent via a third-party email delivery provider. Your email address is shared with this provider solely for the purpose of delivering emails on our behalf. The provider processes email addresses as a data processor acting on our instructions and is contractually prohibited from using your data for any other purpose.
Infrastructure
Our servers and databases are hosted in secure data centres. Hosting providers process data on our behalf under data processing agreements and do not have independent access to your personal data for their own purposes.
Open-Source Offline Products
GabForge Studio IDE, GabForge OS, and GabForge Creative Suite, when used entirely offline with local models, do not communicate with any third-party service. The IDE may optionally integrate with third-party source code hosts (such as GitHub or GitLab) if you configure such integrations; these integrations are governed by those third parties' own privacy policies.
8. Data Retention
- Account data (email, display name, password hash) — retained for the lifetime of your account. If you delete your account, account data is permanently deleted within 30 days, except where retention is required by law (for example, tax records, which are retained for 7 years).
- API request metadata (timestamp, token counts, model, credit cost) — retained for 90 days from the date of the request, then permanently deleted.
- Billing and payment records — retained for a minimum of 7 years in accordance with applicable accounting and tax law obligations.
- Support correspondence — retained for 3 years from the date of last interaction, then deleted.
- Web server logs — IP addresses are anonymised after 24 hours; anonymised log aggregates are retained for up to 12 months.
- Prompt and response content — never stored. Not subject to retention.
9. Security Measures
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction:
- Password hashing — all passwords are hashed using Argon2id with per-user salts. Plaintext passwords are never stored or logged.
- Transport encryption — all data in transit between your browser or application and our servers is encrypted using TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) with a minimum age of one year.
- API key security — API keys are stored as hashed values. The full key is shown only once at the time of creation. We recommend storing API keys in environment variables or a secrets manager, never in source code.
- Session security — session tokens are cryptographically random, stored in HttpOnly Secure cookies, and invalidated on logout.
- Access controls — internal access to production data is restricted on a need-to-know basis, protected by multi-factor authentication, and logged for audit purposes.
- Vulnerability management — we conduct regular security reviews and address critical vulnerabilities promptly. To report a security issue, please email [email protected] with the subject line "Security Disclosure".
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data using commercially reasonable means, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour these rights for all users regardless of location, in alignment with the principles of the EU General Data Protection Regulation (GDPR) and applicable Indian data protection law.
Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this in a commonly used, machine-readable format (JSON or CSV) within 30 days of a verified request.
Right to Rectification
If any personal data we hold is inaccurate or incomplete, you have the right to request that we correct or complete it. You can update your email and display name directly in your dashboard at any time.
Right to Erasure ("Right to be Forgotten")
You may request deletion of your personal data. You can initiate account deletion from your dashboard settings. Upon deletion, your account data is permanently removed within 30 days. Note that we may retain certain data where required by law (for example, billing records for tax purposes) or where it is necessary to protect legitimate interests (for example, evidence of abuse to maintain a ban).
Right to Data Portability
You may request an export of your personal data in a structured, machine-readable format (JSON). This includes your account details and API usage history. To request a data export, email [email protected].
Right to Restrict Processing
You may request that we restrict the processing of your personal data in certain circumstances, for example if you contest the accuracy of the data or object to its use. During the period of restriction, we will store but not further process your data.
Right to Object
You have the right to object to processing of your personal data where we are relying on a legitimate interest as our lawful basis. You may also opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us at [email protected].
Exercising Your Rights
To exercise any of the rights listed above, email [email protected] with the subject line "Data Subject Request". We may ask you to verify your identity before processing your request. We will respond within 30 days; in complex cases we may extend this by a further 60 days with notice. There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.
Right to Lodge a Complaint
If you believe we have processed your personal data in violation of applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. For EEA/UK residents, this is your national data protection authority. For residents of India, this is the Data Protection Board of India (once operational under the Digital Personal Data Protection Act 2023).
11. International Data Transfers
GabForge AI is based in India. If you access the Services from outside India, your personal data may be transferred to and processed in India. We take steps to ensure that any such transfers comply with applicable data protection law, including implementing appropriate contractual safeguards where required.
For users in the European Economic Area (EEA) or the United Kingdom, transfers of personal data to India are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, or an equivalent mechanism recognised under UK law. By using the Services, you consent to the transfer of your personal data to India under these safeguards.
12. Children's Privacy
The Services are not directed to children under the age of 13, and we do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact [email protected] and we will delete the relevant data promptly.
In jurisdictions where the minimum age of digital consent is higher than 13 (for example, 16 in certain EU member states), we apply the higher age threshold.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify you by email (to the address associated with your account) or by displaying a prominent notice on gabforge.ai at least 14 days before the changes take effect. The current version of this policy is always available at gabforge.ai/privacy/. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the updated terms.
14. Contact
For any privacy-related questions, data subject requests, or concerns about how we handle your personal data, please contact us:
- Privacy enquiries: [email protected]
- Legal and compliance: [email protected]
- Website: gabforge.ai
We aim to respond to all privacy enquiries within 5 business days and to all formal data subject requests within the statutory timeframe (30 days). If you are not satisfied with our response, you have the right to escalate to your local data protection authority as described in Section 10.