Privacy Policy

Last updated: March 21, 2026

Forevibe LTD ("we", "our", or "us") is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and services at forevibe.com.

For questions or to exercise your rights, contact us at hi@forevibe.com.

1. Information We Collect

Personal Information

When you create an account, we collect information you provide directly, including:

  • Name and email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Billing information (processed securely via Stripe — we do not store card numbers)

Product Data

When you use Forevibe to create plans, we store:

  • Product descriptions and discovery session transcripts
  • Generated plans, stories, gates, and blind spots reports
  • .forevibe build contract files and IDE rule files
  • Chat history within planning sessions

Usage Data

We collect technical usage data including IP address, browser type, pages visited, and plan run counts. This data is used solely for service operation, security monitoring, and aggregated analytics. We do not build individual behavioural profiles.

2. How We Use Your Information

  • To provide, maintain, and improve our services
  • To generate AI-powered implementation plans for your products
  • To process payments and manage your subscription and credits
  • To send important service notifications (e.g. plan limits, security alerts, payment receipts)
  • To respond to support requests
  • To detect and prevent fraud and abuse
  • To analyse aggregated, anonymised usage patterns to improve the platform — individual product data is never used for this purpose

3. AI & Data Processing

Forevibe uses AI models to generate implementation plans. Important details:

  • We do not train AI models on your product data. Your ideas, plans, and content remain entirely yours.
  • Product descriptions are transmitted to our AI provider solely for the purpose of plan generation. Our AI provider agreements prohibit them from using this data for model training.
  • All AI processing is performed in real time. Data is not retained by AI providers beyond the duration of the request.

4. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Passwords are hashed using bcrypt with a cost factor of 12
  • Database access is restricted and audited
  • We conduct regular security reviews
  • Access controls follow the principle of least privilege

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under UK GDPR Article 34.

5. Data Sharing & Third Parties

We do not sell your personal information. We share data only with the following processors, each bound by a Data Processing Agreement:

  • Stripe — Payment processing (card data never touches our servers)
  • OpenAI — AI plan generation (no data retention for training)
  • Railway — PostgreSQL database hosting
  • Vercel — Application hosting and edge delivery

We will not share your data with any other third party without your explicit consent, except where required to comply with a legal obligation.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: Retained while your account is active
  • Plan and project data: Retained while your account is active; deleted within 30 days of account deletion
  • Payment records: Retained for 7 years to comply with financial regulations
  • Inactive accounts: Accounts with no activity for 12 months will receive a notice and data may be purged after a further 30-day period
  • Deleted accounts: All personal data removed within 30 days of deletion request, except where legal retention is required

7. Your Rights

Under UK GDPR and applicable data protection law, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing

To exercise any of these rights, contact us at hi@forevibe.com. We will respond within one calendar month.

Right to complain: If you are based in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are based in the EEA, you may contact your local data protection supervisory authority.

8. Cookies

We use essential cookies for authentication and session management only. These cookies are strictly necessary for the Service to function and cannot be disabled without breaking core functionality. We do not use third-party advertising, tracking, or profiling cookies. Analytics data is collected in aggregated, anonymised form and does not require consent under the legitimate interest basis.

9. Children's Privacy

Forevibe is not directed at or intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at hi@forevibe.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice in the application at least 14 days before changes take effect. Your continued use of Forevibe after changes become effective constitutes acceptance.

11. UK GDPR & EEA — Legal Bases for Processing

Forevibe LTD is established in the United Kingdom and processes personal data in accordance with UK GDPR. For users in the EEA, we process personal data in compliance with EU GDPR. Our legal bases for processing are:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide our services as agreed in our Terms — account management, plan generation, billing
  • Legitimate Interest (Article 6(1)(f)): Security monitoring, fraud prevention, and aggregated service analytics — always balanced against your rights
  • Legal Obligation (Article 6(1)(c)): Retention of financial records, responding to lawful requests from authorities
  • Consent (Article 6(1)(a)): Optional marketing communications — you may withdraw consent at any time

12. International Data Transfers

Your data may be transferred to and processed in countries outside the UK and EEA (including the United States) by our third-party service providers listed in Section 5. We ensure appropriate safeguards are in place for all such transfers, including UK International Data Transfer Agreements (IDTAs) and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission. You may request details of these safeguards by contacting us at hi@forevibe.com.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint:

We will respond to all privacy-related requests within one calendar month. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).