Privacy Policy
Last updated: May 24, 2026
Mindus Forge is committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our platform.
1. Data We Collect
1.1 Account Data
When creating a Mindus Forge account, we collect: email address, username, GitHub/GitLab identifiers (if you choose OAuth authentication), billing information (address, VAT ID), and communication preferences.
1.2 Projects and Source Code
Mindus Forge is designed to analyze and generate code. We collect:
- Connected repositories: when you authorize access to a GitHub/GitLab repository, we read the structure and files (public or private based on your permissions) to understand context. We do not store your entire source code except for the duration necessary for generation and synchronization.
- Generated code: files created by Forge are temporarily stored to enable review and push. You retain full ownership of all generated code.
- Project metadata: languages used, frameworks, detected architecture, to improve future suggestions.
1.3 Usage Data
We collect information about how you interact with Forge: features used, generation frequency, errors encountered, AI performance. This data is anonymized when possible and used to improve our models.
1.4 Technical Data
IP address, browser type, operating system, pages visited, timestamps, unique session identifiers. This data is necessary for service security and operation.
2. Legal Basis and Processing Purposes
We process your data on the following legal bases:
- Contract execution: providing the code generation service, analyzing your repositories, syncing with Git, and billing.
- Legitimate interest: improve our AI models, prevent fraud, secure the platform, analyze performance.
- Consent: for certain marketing communications or non-essential cookies.
- Legal obligation: invoice retention, response to judicial authorities.
In plain terms, we use your data to:
- Enable contextual code generation in your repositories
- Ensure offline resilience and synchronization
- Manage subscriptions and billing
- Continuously improve Forge's AI
- Communicate about major updates
- Comply with legal and tax obligations
3. Data Sharing with Third Parties
Mindus Forge does not sell your personal data. We may share certain information with selected subcontractors for service provision:
- Hosting and infrastructure: Render.com (United States and Europe) for production data.
- Payments: Stripe (PCI DSS certified) for credit card processing. We do not store your card numbers.
- Analytics and support: Sentry (errors), self-hosted analytics, Crisp (chat support).
- AI and models: Google Cloud (Vertex AI, Gemini) for model execution. No source code is used to train public models without strict anonymization.
All our subcontractors are contractually bound to comply with GDPR and guarantee a security level equivalent to ours.
4. Security Measures
We deploy advanced technical and organizational measures to protect your data:
- AES-256 encryption at rest for all databases containing code or personal data.
- TLS 1.3 encryption in transit.
- Mandatory multi-factor authentication for organization accounts.
- Strict environment isolation (containers, private networks).
- Regular security audits and penetration tests.
- Internal access management policy (least privilege, logging).
- Encrypted daily backups with limited retention.
In the event of a security incident affecting your data, we commit to notifying you within 72 hours as required by GDPR.
5. Data Retention Period
We retain your data as long as necessary to provide the service and comply with legal obligations:
- Account data: until account closure, then deletion within 30 days (excluding legal constraints).
- Projects and generated code: retained for the duration of your subscription. You can export or delete your projects at any time.
- Technical logs: maximum 6 months.
- Invoices and tax data: 10 years (legal obligation).
- Anonymized data: indefinitely to improve our models, with no possibility of re-identification.
6. Your Rights (GDPR & CCPA)
As a user, you have extensive rights over your data:
- Right of access: obtain a copy of your personal data.
- Right of rectification: correct inaccurate information.
- Right to erasure: request deletion of your data (subject to legal retention).
- Right to restriction: temporarily restrict processing.
- Right to portability: receive your data in a structured format (JSON).
- Right to object: object to processing for marketing or legitimate interest.
- Withdrawal of consent: at any time for consent-based processing.
To exercise these rights, contact our Data Protection Officer (DPO) at dpo@mindusforge.dev. We respond within 30 days.
7. Cookies and Trackers
Mindus Forge uses strictly necessary cookies for operation (authentication, session, security). We also use analytical cookies (self-hosted Matomo) to understand usage, without sharing with third parties. You can set your preferences via our cookie banner.
No advertising cookies are placed.
8. Generative AI and Training Data
Mindus Forge uses proprietary models and foundation models (Gemini, etc.). We want to clarify:
- Your source code is not used to train public Google models without your explicit consent.
- Prompts and generated code may be analyzed to improve our internal models, but only after strict anonymization (removal of identifiers, variable names, sensitive comments).
- You can disable improvement based on your data in your account privacy settings.
- If you use your own Gemini API key (Scale/Enterprise plans), no data is shared with us; the exchange is direct between you and Google.
9. Data Transfers Outside the EU
We prioritize infrastructure located within the EU. However, some subcontractors (e.g., Stripe, Google Cloud) may process data outside the EU. In such cases, we ensure adequate safeguards are in place:
- Standard contractual clauses of the European Commission.
- Compliance with the Privacy Shield framework (for US-GDPR transfers).
- Enhanced confidentiality commitments.
You can obtain a copy of these safeguards upon request.
10. Data Controller
The data controller is Mindus SAS, registered with the Lyon Trade and Companies Register under number 928 374 837, with registered office at 15 rue de la République, 69001 Lyon, France.
Our legal representative is Alexandre Moreau, CEO. For any questions regarding data protection, you can also contact our DPO at dpo@mindusforge.dev or by mail at the above address (attn: DPO).
11. Complaints
If you believe we have not respected your rights, you have the right to lodge a complaint with the CNIL (French data protection authority): www.cnil.fr.
12. Policy Changes
We may modify this policy to reflect changes in our services or legal requirements. We will notify you of any material changes by email or via an in-app notification. The current version is always available on this page.
Contact Our DPO
For any questions regarding your personal data, exercising your rights, or reporting a security issue.
Email: dpo@mindusforge.dev
Mail: Mindus SAS - DPO, 15 rue de la République, 69001 Lyon, France
Phone: +33 4 81 68 11 22
We process all requests within a maximum of one month.
Mindus SAS – 15 rue de la République, 69001 Lyon – RCS Lyon 928 374 837 – VAT FR23928374837
Publication Director: Alexandre Moreau, CEO
Also see our Terms of Service and Legal Notice.