Privacy
_Last updated 2026-05-14. Questions? Email hello@promptforge.uk — that's me._
The short version
- I only hold what's needed to make the wizard work and to stop people abusing it.
- I don't sell your data, run ad trackers, or send you marketing emails.
- One click in Settings → Delete account wipes everything I have on you within 24 hours.
- If anything here looks wrong, email me at hello@promptforge.uk and I'll fix it.
Who I am
I'm Abdalla Bakr — UK sole trader, the one person running PromptForge. The site is promptforge.uk and the only contact email is hello@promptforge.uk (support, data requests, complaints — all me).
If you ever feel a UK or EU data-protection rule has been broken and I haven't fixed it, you can complain to the Information Commissioner's Office in the UK, or your local data-protection authority in the EU.
What I hold on you
Just the minimum the wizard needs, plus a tiny anti-abuse trail.
| Data | Why I have it | Where | How long |
|---|---|---|---|
| Email + provider id (from Google / GitHub sign-in) | So you can come back to your projects | Supabase (EU) | Until you delete the account |
| Your wizard answers | The generated plan is built from them | Supabase (EU) | 90 days, then auto-deleted |
| Generated outputs (your prompts and plans) | Your library so you can revisit and edit | Supabase (EU) | 30 days, then auto-deleted |
| Browser fingerprint cookie (pf_anon) | Per-browser rate limit so people can't spam-burn the free credits | Upstash Redis (EU) | 30 days |
| Request logs (IP + URL only, no payload) | Security and debugging | Railway (EU) | 72 hours, then overwritten |
What I don't do
- No ad trackers, no marketing pixels, no third-party share widgets.
- No behavioural analytics. I don't know which buttons you clicked, how long you stayed, or where your mouse moved.
- No marketing emails ever. The only emails I'd send are if you triggered them (password reset, account deletion confirmation).
- No card data — there's no paid plan to enter one against.
- No data from third parties about you. All I see is what your sign-in provider passes back (email, display name) and what you type into the wizard.
Where your data goes
A handful of vendors run pieces of the stack. Each one has its own privacy policy and a standard data-processing agreement with me.
| Vendor | What goes there | Region |
|---|---|---|
| Supabase | Sign-in + your saved data | EU (Frankfurt) |
| Railway | Backend hosting + short-lived logs | EU (Amsterdam) |
| Vercel | The site you're reading | Global edge |
| Anthropic | The text from your wizard answers — used to generate your plan. Anthropic's commercial terms say inputs are not used to train their models. | US |
| Cloudflare | DNS for promptforge.uk | Global |
| Upstash | Redis (rate-limit counters) | EU |
The only data leaving the EU is the wizard text going to Anthropic in the US. UK/EU rules cover that under the UK IDTA + EU Standard Contractual Clauses.
Cookies
Tiny set. Each one is strictly necessary under PECR — no consent banner needed because they exist to make the site work, not to track you.
| Cookie / storage | What it does | How long |
|---|---|---|
| sb-* | Keeps you signed in (Supabase) | 1 hour, auto-refreshed |
| pf_anon | Per-browser anti-abuse fingerprint | 30 days |
| promptforge.invite_token | Holds an invite link across sign-in | Cleared once redeemed |
| promptforge.research_checklist_dismissed | Remembers you dismissed the pre-wizard hint | Until you clear browser data |
| pf_theme | Remembers your light/dark mode pick | Until you clear browser data |
If I ever turn on analytics, this page changes and a banner appears before any tracker loads. I'd rather not, so for now I haven't.
What you can do with your data
- See it — Settings → Export. Or email me.
- Take it — the export is plain JSON, yours to keep.
- Delete it — one click in Settings. Everything I have on you is gone within 24 hours. I keep a small log so I can prove I did it if you ever ask.
- Correct it — profile fields are editable in Settings; anything else, email me.
- Object — push back on any of the legitimate-interest processing above (rate-limit logs, anti-abuse cookie).
- Complain — UK → ICO; EU → your local authority.
I'll respond to any request within 30 days. Account deletion is self-serve and runs within 24 hours.
Sharing your outputs
Sharing is off by default. Your projects and generated plans are private until you click Share on a specific output. If you don't click Share, nothing leaves your library. If you do click Share, I mint a random token URL — anyone with that exact URL can read that one output, nothing else. You can revoke the link any time from your library. Most people never share, and that's fine — the whole point of PromptForge is that the plan is yours.
Children
PromptForge isn't built for under-16s. If you think a child has signed up, email me and I'll delete the account.
Changes to this page
If I change anything that meaningfully affects you, I'll email you 14 days before it takes effect. Small clarifications get updated in place with the date below.
History
- 2026-05-14 — Plain-English rewrite.
- 2026-04-30 — First version.