Privacy Policy

Version 1.0.2 — Last updated: May 2, 2026 · Effective: May 2, 2026

⚠ Shared Responsibility

Spanforge is a governance platform that helps you manage AI decision-making. This means:

  • You control governance data — You decide what data goes into audit events, policies, and approval workflows. We're the processor; you're the controller.
  • We're transparent about our own data collection — We collect account info, usage data, and cookies. This policy explains what and why.
  • You remain responsible for ensuring audit events don't contain unnecessary personal data, complying with privacy laws when using Spanforge, notifying your end-users if you process their data, and implementing appropriate privacy practices in your AI systems.

1. Introduction

Spanforge Technologies Private Limited (“we”, “us”, “our”, “Company”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and process personal data in accordance with the GDPR, CCPA, and India's Digital Personal Data Protection Act (DPDP).

This policy applies to:

  • Spanforge SDK — pip install spanforge
  • Spanforge Platform — getspanforge.com, platform.getspanforge.com
  • Spanforge Products — All SaaS products (GitHub App, Cloud, Managed SaaS, etc.)
  • Spanforge Website — Marketing and documentation site

Questions? Email sriram@getspanforge.com.

2. Personal Data We Collect & Our Roles

Spanforge as a Data Processor: For audit events and compliance data you submit via the platform, we process data on your instructions. You (the organization/customer) are the “data controller.” See our Data Processing Addendum.

Spanforge as a Data Controller: For data we collect independently — your account information, login activity, API usage, website analytics, support tickets, payment records, and marketing communications — we are solely responsible.

Data we collect:

  • Account information: Full name, email address, phone number (optional), organization name, billing address. Legal basis: Contractual necessity.
  • Audit event metadata: Event IDs, timestamps, actor IDs, model IDs, action types, resource IDs, decision outcomes. We do not collect your actual business data, model inputs/outputs, or customer PII. Legal basis: Contractual necessity.
  • Authentication data: Login events, hashed API keys/tokens (never stored in plaintext), role assignments, MFA data. Legal basis: Contractual necessity + Security.
  • Website analytics: Page views, time on page, click events, download events (with consent). Legal basis: Consent — opt out at any time.
  • Support data: Email messages, chat transcripts, attachments you send for debugging. Legal basis: Contractual necessity.
  • Payment data: Billing name and address. Credit card details are not stored by us — handled by Stripe. Legal basis: Contractual necessity.
  • Device & network data: IP address, browser type, OS, device identifiers, log data. Legal basis: Legitimate interest.
  • Cookies: Session, security, analytics, and marketing cookies (see Section 8).

Spanforge is designed NOT to collect: your actual business data, end-user PII, model weights, complete API responses, unencrypted passwords, or children's data.

3. How We Use Personal Data

  • Service delivery: Create and manage accounts, deliver the platform, send service notifications, provide support, process payments. Legal basis: Contractual necessity (GDPR Article 6(1)(b)).
  • Compliance & legal obligations: Maintain audit trails, generate compliance reports, respond to legal requests, detect fraud, enforce Terms of Service. Legal basis: Legal obligation + Legitimate interest.
  • Security & fraud prevention: Detect suspicious activity, prevent unauthorized access, secure communications, audit access logs. Legal basis: Legitimate interest (GDPR Article 6(1)(f)).
  • Product improvement: Aggregated, anonymized usage analytics. Legal basis: Consent (opt-out available) + Legitimate interest for essential analytics.
  • Marketing: Newsletters, feature announcements, event invitations, surveys. Case studies only with written consent. Legal basis: Consent — unsubscribe at any time.

4. How We Share Personal Data

We share data only with trusted service providers (processors) who have signed Data Processing Agreements per GDPR Article 28:

  • Stripe — Payment processing
  • AWS — Cloud infrastructure
  • Datadog — Application monitoring
  • Mailgun — Email delivery
  • Okta (if enabled) — Single sign-on
  • GitHub (P2 product) — GitHub App integration

We do NOT share data with: advertisers, data brokers, marketing partners, or business partners for commercial purposes without your permission.

Legally required disclosures: We may disclose when required by law (subpoenas, GDPR DSARs, CCPA/DPDP requests). We assess validity, notify you where permitted, and provide only the minimum data required.

International transfers: For EU/UK/Swiss users, we rely on EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), and UK/Swiss adequacy decisions. For India DPDP, we prioritize AWS ap-south-1 where feasible. Contact sriram@getspanforge.com for details.

Business transfers: If Spanforge is acquired or merges, we will notify you at least 30 days before transfer. You may opt out by deleting your account.

5. Your Rights

GDPR Rights (EU / UK / Switzerland):

  • Article 15 — Access: Request a copy of all personal data. Response within 30 days.
  • Article 16 — Rectification: Correct inaccurate data. Response without undue delay.
  • Article 17 — Erasure: Request deletion. Exception: audit events retained up to 7 years per regulatory requirements. Response within 30 days.
  • Article 18 — Restriction: Freeze processing without deletion. Response within 30 days.
  • Article 20 — Portability: Receive your data in CSV or JSON. Response within 30 days.
  • Article 21 — Object: Object to processing based on legitimate interest (marketing, analytics). Response without undue delay.
  • Article 22 — Automated decisions: We do not make automated decisions about your account. All decisions (disputes, access issues) are made by humans.

Email for GDPR requests: sriram@getspanforge.com (subject: “[GDPR] [TYPE]”)

CCPA Rights (California Residents):

  • Right to Know: What personal data we collect, use, and share. Response within 45 days.
  • Right to Delete: Request deletion of personal data. Exceptions: legally required retention. Response within 45 days.
  • Right to Opt-Out of Sales: We do not sell personal data. This right does not apply.
  • Right to Correct: Correct inaccurate personal data. Response within 45 days.
  • Non-discrimination: We will not charge higher prices, deny service, or provide worse service for exercising your rights.

Email for CCPA requests: sriram@getspanforge.com

DPDP Rights (India):

  • Access, Correction, Erasure (§8, §10): Response within 30 days.
  • Grievance Redressal (§5): If we don't respond within 30 days, contact our Grievance Officer: sriram@getspanforge.com.
  • Withdraw Consent (§6): For optional data (analytics), use the unsubscribe link in emails or email us.

Email for DPDP requests: sriram@getspanforge.com

6. Data Retention

  • Account profile (name, email, phone): Until deletion + 30 days
  • Login / authentication logs: 90 days
  • Audit events & compliance evidence: Up to 7 years (EU AI Act Article 28, regulatory/tax requirements)
  • Support tickets & correspondence: 2 years
  • Payment & billing records: 7 years (tax/accounting requirements)
  • Website analytics: 14 months (anonymized)
  • Deleted account data: Purged within 90 days (unless legal hold applies)

To request early deletion of audit trails, email sriram@getspanforge.com with “EARLY DELETION REQUEST.” We evaluate based on applicable legal requirements (no active legal proceedings, no regulatory investigations, no active contracts requiring retention).

7. Data Security

We implement industry-standard security measures:

  • Encryption: AES-256 at rest, TLS 1.3 in transit; sensitive data cleared from memory after use
  • Access control: OAuth2, SAML 2.0, JWT; MFA available; RBAC with 10 standard roles; API keys hashed and never stored in plaintext
  • Audit logging: API calls logged with actor, resource, and timestamp; HMAC-SHA256 signing detects tampering; logs retained 90 days minimum
  • Vulnerability management: Automated Dependabot/Snyk scanning; critical patches typically within 24 hours; quarterly penetration testing; bug bounty via sriram@getspanforge.com
  • Infrastructure: AWS with SOC 2, ISO 27001, and HIPAA certifications; VPC isolation, WAF, DDoS mitigation; daily backups with geographically separate storage

Data breach notification: If we discover a breach, we notify you within 72 hours via email (GDPR Article 33) with details of what was affected, containment steps, and recommended actions. We report to applicable regulatory authorities as required.

8. Cookies & Tracking

Required cookies (no opt-out): session_id (keeps you logged in), csrf_token (prevents cross-site attacks), device_fingerprint (detects account takeover).

Optional cookies (opt-out available): Analytics cookies (_ga, _gat, utm_source) and marketing retargeting cookies. You can opt out via browser settings or by emailing sriram@getspanforge.com.

Third-party cookies: Google Analytics 4, Datadog RUM (performance monitoring), Stripe (payment processing), GitHub (GitHub App integration).

We do NOT use cookies for: selling your data to advertisers, cross-site behavioral tracking, or building shadow profiles.

9. Children's Privacy (COPPA)

The Spanforge platform is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child under 13 has created an account, contact us immediately at sriram@getspanforge.com to request deletion. We comply with COPPA (US Children's Online Privacy Protection Act).

10. Third-Party Links

Our website may link to third-party sites (GitHub, AWS, Stripe, etc.). This Privacy Policy does not apply to those sites. We recommend reviewing their privacy policies: GitHub, AWS, Stripe, Datadog.

11. Automated Decision-Making & Profiling

We do not use automated decision-making to make eligibility, access, or legal decisions about you. All account decisions are handled by humans on our team.

We do not build behavioral profiles, sell profiles to third parties, or use profiling for discrimination. Product analytics are aggregated, anonymized, and opt-out is available.

For AI systems you configure in Spanforge (automated policy enforcement, gates, alerts) — those are your responsibility. You must provide notice to affected parties, offer human review/appeal processes, and comply with GDPR Article 22 and applicable regulations.

12. Contact Us

If we don't respond satisfactorily, you can escalate to your local data protection authority: EDPB (EU), ICO (UK), California AG (CCPA), or the Data Protection Board of India (DPDP).

13. Policy Updates

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to your registered address at least 14 days before they take effect. We will update the version number and “last updated” date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

See our Terms of Service for the full usage agreement.