Privacy Policy

1. Who we are

LaunchForge AI("we", "us") is operated by LaunchForge AI. You can reach us at support@launchforge.co for any privacy question, deletion request, or data subject access request.

2. What this service does

LaunchForge AI helps you turn a product idea into a go-to-market plan and execute against it. You answer an intake wizard, we generate milestones, tasks, and assets with the help of an AI model, and you track progress as you ship. We host your account and project data and use the third-party subprocessors listed in Subprocessors to authenticate you, bill subscriptions, run AI features, and deliver email.

3. Information we process

We collect the minimum data we need to run the service. Specifically:

• Account identifiers. Email address, hashed password (if you sign up with email), Google account ID (if you sign in with Google), display name, locale.
• Profile data. Anything you choose to put in your settings page, including avatar, timezone, and notification preferences.
• Project content. Intake-wizard answers, the AI-generated GTM plan, milestones, tasks, asset descriptions, and any notes you add. This content is yours; we never use it to train third-party AI models.
• Billing data. Subscription plan, billing email, last four digits of card and country (held by Stripe — we never see full card numbers). Payment history.
• Usage data. Daily AI generation counts (for plan-tier quotas), feature interaction logs, error reports, and aggregated analytics that help us improve the product.
• Technical data. IP address, browser user-agent, request timestamps, and session cookies needed to keep you signed in. We do not run advertising trackers.
• Communications. Email you send to support, plus any in-app feedback you submit.

We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.

4. How we use information

We process the data above for these purposes:

• Run the service (contract). Authenticate you, store your projects, generate AI plans on request, deliver email receipts and notifications, and provide support.
• Bill subscriptions (contract). Process payments through Stripe, surface invoices, handle plan changes and cancellations, recover failed payments.
• Keep the service safe and reliable (legitimate interest). Enforce rate limits, prevent abuse, debug errors, monitor performance.
• Improve the service (legitimate interest). Aggregate de-identified usage signals to identify patterns and roll improvements back into the platform. You can opt out of cross-user pattern contribution in Settings.
• Send transactional email (contract). Receipts, password resets, project-collaborator invites, security alerts. These are not marketing and cannot be turned off while your account is active.
• Send product email (consent). Weekly summaries, feature announcements, occasional product news. You can opt out in Settings or via the unsubscribe link in any product email.
• Comply with law (legal obligation). Tax records, fraud prevention, lawful process responses.

We do not sell personal data and we do not share it with third parties for their own marketing.

5. Subprocessors

We rely on five third-party services to deliver the platform. Each is bound by a Data Processing Addendum and provides commitments at least as protective as our own:

• Supabase — authentication, primary database, file storage. United States (AWS).
• Stripe — subscription billing and payment processing. United States and Ireland.
• OpenAI — AI model that generates plan content. United States. We use the API tier, which is contractually excluded from model training.
• Resend — transactional and product email delivery. United States.
• Vercel — application hosting, edge runtime, CDN. United States and additional global regions.

The current list and provider DPA links live at Subprocessors. We give at least 30 days' notice before adding a new subprocessor that processes personal data.

6. Retention and deletion

We keep your data for as long as your account is active, then for a short grace window so you can change your mind. Specifically:

• Account data and project content: retained while your account is active.
• Deletion grace window: 30 days after you request deletion from Settings. During this window you can cancel the request from the same screen.
• Hard deletion: within 30 days of the grace window ending, your rows are removed from the live database. Routine database backups are overwritten on a 35-day cycle, so residual copies in backups expire within ~65 days of your initial request.
• Billing records: retained for the period required by tax law (typically 7 years) at the payment processor, even after account deletion. We cannot delete these until the legal hold expires.
• Anonymized analytics: we may retain aggregate, non-identifying signals (e.g., "X% of Pro users complete the wizard") after deletion. These cannot be reconnected to you.

You can also download a full copy of your data as JSON before deletion from Settings.

7. Your rights

Depending on where you live, you have some or all of these rights:

• Access — see what we hold about you. Self-serve via the data export in Settings.
• Correction — fix anything inaccurate. Most fields are editable directly in Settings.
• Deletion — ask us to delete your account. Self-serve via Settings, subject to the legal retention exceptions above.
• Portability — get a copy of your data in a machine-readable format. Self-serve JSON export in Settings.
• Objection — opt out of marketing email and cross-user pattern contribution from Settings.
• Complaint — file a complaint with your local data protection authority if you believe we have mishandled your data. Email us first so we can fix it.

We respond to data subject requests within 30 days. If a request requires identity verification, we will ask you to confirm from the email address on file.

8. Security

We use industry-standard controls to protect your data: TLS in transit, encryption at rest at the storage layer, row-level security on every database table, multi-factor authentication available on every account, and short-lived sessions with server-side revocation. No system is perfectly secure; we report material incidents to affected users without undue delay.

9. International transfers

Your data may be processed in the United States and other countries where our subprocessors operate. Where required by law (for example, when EU or UK personal data is transferred outside the EEA or UK), we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework, or another lawful transfer mechanism with the relevant subprocessor.

10. Cookies

We use a small number of cookies that are necessary for the service to work (your authentication session and your language preference). We do not run advertising or cross-site tracking cookies. If we ever add analytics or marketing cookies, we will ask for your consent first. See the cookie banner on your first visit.

11. Changes to this policy

We may update this policy as the product evolves or laws change. We will post the updated version here with a new "Last updated" date. For material changes (adding a new subprocessor, changing how we use data, expanding what we collect), we will notify you by email at least 30 days before the change takes effect.

12. Contact

Questions, requests, or complaints: support@launchforge.co.