Privacy
_Last updated 2026-05-18. Questions? Email hello@promptforge.uk, that's me._
The short version
- I only hold what's needed to make the wizard work and to stop people abusing it.
- I don't sell your data, run ad trackers, or send you marketing emails.
- One click in Settings → Delete account wipes everything I have on you within 24 hours.
- If anything here looks wrong, email me at hello@promptforge.uk and I'll fix it.
Who I am
I'm Abdalla Bakr, UK sole trader, the one person running PromptForge. The site is promptforge.uk and the only contact email is hello@promptforge.uk (support, data requests, complaints, all me).
If you ever feel a UK or EU data-protection rule has been broken and I haven't fixed it, you can complain to the Information Commissioner's Office in the UK, or your local data-protection authority in the EU.
What I hold on you
Just the minimum the wizard needs, plus a tiny anti-abuse trail.
| Data | Why I have it | Where | How long |
|---|---|---|---|
| Email + provider id (from Google / GitHub sign-in) | So you can come back to your projects | Supabase (EU) | Until you delete the account |
| Your wizard answers | The generated plan is built from them | Supabase (EU) | 90 days, then auto-deleted |
| Generated outputs (your prompts and plans) | Your library so you can revisit and edit | Supabase (EU) | 30 days, then auto-deleted |
Browser fingerprint cookie (pf_anon) | Per-browser rate limit so people can't spam-burn the free credits | Upstash Redis (EU) | 30 days |
| Feedback comments (only if you submit one on an output) | Improve the product from real usage | Upstash Redis (EU) | 90 days, then auto-deleted |
| Request logs (IP + URL only, no payload) | Security and debugging | Railway (EU) | 72 hours, then overwritten |
What I don't do
- No ad trackers, no marketing pixels, no third-party share widgets.
- No behavioural analytics. I don't know which buttons you clicked, how long you stayed, or where your mouse moved.
- No marketing emails ever. The only emails I'd send are if you triggered them (password reset, account deletion confirmation).
- No card data, there's no paid plan to enter one against.
- No data from third parties about you. All I see is what your sign-in provider passes back (email, display name) and what you type into the wizard.
Where your data goes
A handful of vendors run pieces of the stack. Each one has its own privacy policy and a standard data-processing agreement with me.
| Vendor | What goes there | Region |
|---|---|---|
| Supabase | Sign-in + your saved data | EU (Frankfurt) |
| Railway | Backend hosting + short-lived logs | EU (Amsterdam) |
| Vercel | The site you're reading | Global edge |
| Anthropic | The text from your wizard answers, used to generate your plan. Anthropic's commercial terms say inputs are not used to train their models. | US |
| Cloudflare | DNS for promptforge.uk | Global |
| Upstash | Redis (rate-limit counters) | EU |
The only data leaving the EU is the wizard text going to Anthropic in the US. UK/EU rules cover that under the UK IDTA + EU Standard Contractual Clauses.
Cookies
Tiny set. Each one is strictly necessary under PECR, no consent banner needed because they exist to make the site work, not to track you.
| Cookie / storage | What it does | How long |
|---|---|---|
sb-* | Keeps you signed in (Supabase) | 1 hour, auto-refreshed |
pf_anon | Per-browser anti-abuse fingerprint | 30 days |
promptforge.invite_token | Holds an invite link across sign-in | Cleared once redeemed |
promptforge.research_checklist_dismissed | Remembers you dismissed the pre-wizard hint | Until you clear browser data |
pf_theme | Remembers your light/dark mode pick | Until you clear browser data |
If I ever turn on analytics, this page changes and a banner appears before any tracker loads. I'd rather not, so for now I haven't.
What you can do with your data
- See it, Settings → Export. Or email me.
- Take it, the export is plain JSON, yours to keep.
- Delete it, one click in Settings. Everything I have on you is
gone within 24 hours. I keep a small log so I can prove I did it if you ever ask.
- Correct it, profile fields are editable in Settings; anything
else, email me.
- Object, push back on any of the legitimate-interest processing
above (rate-limit logs, anti-abuse cookie).
- Complain, UK → ICO; EU → your local authority.
I'll respond to any request within 30 days. Account deletion is self-serve and runs within 24 hours.
Sharing your outputs
Sharing is off by default. Your projects and generated plans are private until you click Share on a specific output. If you don't click Share, nothing leaves your library. If you do click Share, I mint a random token URL, anyone with that exact URL can read that one output, nothing else. You can revoke the link any time from your library. Most people never share, and that's fine, the whole point of PromptForge is that the plan is yours.
Children
PromptForge isn't built for under-16s. If you think a child has signed up, email me and I'll delete the account.
Changes to this page
If I change anything that meaningfully affects you, I'll email you 14 days before it takes effect. Small clarifications get updated in place with the date below.
History
- 2026-05-14, Plain-English rewrite.
- 2026-04-30, First version.