AltForge
Log inGet started

Privacy Policy

Last updated: 18 April 2026

This policy explains what personal data we collect when you use AltForge, why we collect it, who we share it with, and your rights under UK GDPR.

Data controller: Fletcher Digital. Contact: [email protected].

1. What we collect

Account data

  • Email address (required)
  • Password (hashed with bcrypt — we never see or store the plaintext)
  • Optional: name, company, country
  • IP address and browser user-agent on each login (for security auditing)
  • Referral code you signed up with, if any

Billing data

  • Stripe customer ID (a reference; full card details stay with Stripe)
  • Purchase history: amounts, currencies, dates, pack chosen

Usage data

  • API key identifiers (we store a SHA-256 hash of the key, not the key itself)
  • Per-request logs: timestamp, image size, source domain, success/error status, AI token counts
  • Images you submit for alt-text generation — these are processed in memory, sent to the AI provider, and not retained on our servers after the request completes
  • Context you send alongside each image (site name, page URL, SEO keywords from your SEO plugin, surrounding text on the page)

2. Why we collect it (legal basis)

  • Contract performance — to provide the Service you signed up for: account data, billing data, usage logs.
  • Legitimate interest — IP/user-agent logging for security; aggregated usage analytics to improve the Service.
  • Consent — if and when we add marketing analytics cookies (Google Analytics, Meta Pixel), these only fire after you give explicit consent via our cookie banner.
  • Legal obligation — financial records we're required to keep for tax purposes (typically 6 years in the UK).

3. Third-party processors

We share specific data with specific providers, each under a Data Processing Agreement:

  • Stripe (payment processing) — your email, name, country, and card details (which you provide directly to Stripe on checkout).
  • SendGrid (transactional email) — your email and name only, to send verification, password reset, purchase confirmation, and expiry warning emails.
  • Anthropic (AI provider) — the images you submit and the prompt context (site name, page title, SEO keyword, surrounding text). We do not send your email, IP, or Stripe data to Anthropic. Anthropic's data handling terms apply to content sent to their API.
  • Vultr / Coolify (hosting) — server-level access to everything we host, as a normal hosting arrangement.

We do not sell your data or use it for targeted advertising.

4. Data retention

  • Account data: retained until you delete your account.
  • Billing records: retained for 6 years after last activity for tax compliance.
  • Usage logs (generation_logs, page_analysis_logs): retained for 12 months.
  • Uploaded images: not retained — processed in memory and discarded.
  • Sessions: retained until expiry or revocation (30 days default).

5. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the data we hold about you
  • Correct inaccurate data
  • Delete your account and associated personal data (subject to legal retention requirements)
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent (for anything we do on a consent basis)
  • Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any right, email [email protected]. We'll respond within 30 days.

6. International transfers

Some processors (notably Anthropic) are based in the United States. Transfers are covered by Standard Contractual Clauses or equivalent safeguards as required under UK GDPR.

7. Security

We use industry-standard measures including:

  • bcrypt-hashed passwords (12 rounds)
  • SHA-256-hashed API keys
  • HTTPS everywhere (HSTS enforced)
  • SameSite cookies, CSRF protection on state-changing requests
  • Stripe webhook signature verification
  • SSRF protections on the Page Analyser (rejects private IP ranges, non-HTTP schemes)

8. Cookies

See our Cookie Policy for details.

9. Changes to this policy

We'll notify you of material changes by email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

10. Contact

Privacy questions or data requests: [email protected].