Privacy Policy
Last updated: April 21, 2026
We collect as little as we can get away with and still run the Service. This policy explains exactly what we store, why, and how to get it deleted. If you are an EU or UK resident, the lawful bases we rely on are noted inline.
At a glance
- Email + Clerk session — so you can sign in.
- Razorpay customer ID + subscription status — so billing works.
- Hashed machine fingerprints — so the 25-machine cap works; we never see the plaintext inputs.
- JWT issuance logs — so we can debug and revoke if needed.
- We do not sell data. We do not use third-party ad trackers.
1. Who we are
ReportForge is operated by the individual or entity identified on the reportforge.org WHOIS record. For privacy requests, email support@reportforge.org.
2. What we collect and why
Account data
When you sign up, Clerk collects an email address and whatever profile fields you provide (name, organization). Clerk also sets a session cookie scoped to our domain. Lawful basis: performance of the contract (to give you an account).
Billing data
When you start a Subscription, Razorpay creates a customer record and processes the charge. We store the Razorpay customer ID and the subscription status (trialing, active, past_due, canceled) in Vercel KV so the reporter can verify entitlement. We do not see or store card numbers, CVVs, or bank-account details. Lawful basis: performance of the contract; legitimate interest in preventing fraud.
Machine fingerprints
The reporter sends a SHA-256 hash when it activates or refreshes a license. For CI environments the input is provider:repo (e.g. github:acme/web); for developer workstations it is hostname:mac-address. Only the hash reaches our server — we never see the plaintext. The fingerprint is used exclusively to enforce the 25-machine cap within a rolling 30-day window. Lawful basis: legitimate interest in enforcing license terms.
JWT issuance logs
When we issue a signed license JWT, we log the subscription ID, the machine fingerprint hash, the issuance timestamp, and the expiry. This lets us debug refresh failures and revoke a fingerprint if the cap was abused. Retention: 13 months, then automatically purged. Lawful basis: legitimate interest in operating the Service.
Transactional email
We use Resend to send welcome, trial-ending, payment-failed, and cancellation emails. Content includes the masked license key (never the plaintext) and a link to the dashboard. We do not send marketing email unless you separately opt in. Lawful basis: performance of the contract.
Error and uptime telemetry
The server uses Sentry (errors) and a lightweight page-view counter (e.g. Plausible) on the marketing site. Neither sets third-party advertising cookies or uses personal identifiers. Lawful basis: legitimate interest in service reliability.
What we do not collect
Test content from the PDFs you generate never leaves your environment. The reporter runs entirely in your CI/dev machine; the Service sees only the license key and the fingerprint hash. We do not have access to your test reports, screenshots, or source code.
3. Cookies
We set only first-party cookies required for authentication (Clerk session, CSRF token). We do not use advertising cookies, third-party tracking pixels, or cross-site trackers. The marketing analytics we use are cookieless.
4. Sub-processors
We rely on the following third parties, all covered by a Data Processing Agreement:
- Clerk — authentication and session management.
- Razorpay — payment processing, subscription billing.
- Vercel — hosting and edge functions.
- Vercel KV (Upstash Redis) — subscription and fingerprint store.
- Resend — transactional email delivery.
- Sentry — error telemetry (server-side only; never from the npm package).
An up-to-date list is available on request.
5. Retention
Account data is kept while your account is open, plus 30 days after deletion. Billing records are kept for the period required by tax law (typically 7 years). Machine fingerprints and JWT logs are kept for 13 months, then purged. Email delivery logs from Resend are retained per Resend's own policy.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your data, to restrict or object to processing, and to withdraw consent. To exercise any of these rights, email support@reportforge.org from the address on your account. We respond within 30 days.
EU/UK residents also have the right to lodge a complaint with a supervisory authority. California residents have rights under the CCPA including the right to know, delete, and opt out of "sale" — we do not sell personal information, so that opt-out is not applicable in practice.
7. International transfers
Our infrastructure is hosted by Vercel and its sub-processors, which may store data in the US and the EU. Where data leaves the EEA/UK, we rely on Standard Contractual Clauses with the relevant processor.
8. Security
We encrypt data in transit (TLS) and at rest (provider defaults on Vercel KV / Razorpay / Clerk). The Ed25519 private key used to sign license JWTs is stored only as an environment variable on our server infrastructure, never in the repository.
9. Children
ReportForge is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
10. Changes to this policy
Material changes will be notified by email at least 14 days before they take effect. The effective date above indicates the most recent update.
Questions? Email support@reportforge.org.