Privacy Policy - FragonForge
Last updated: 2026-07-16
1. Controller
The controller responsible for data processing under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is:
Fragon Studios e.U. Moosfelderstraße 45, 4030 Linz, Austria Email: office@fragonstudios.com Privacy contact: legal@fragonstudios.com
Full company details are in our Imprint.
We have not appointed a Data Protection Officer. Austrian law does not require one for an undertaking of this size and processing profile.
A note on roles. For the personal data of our own customers and website visitors (account data, billing data, server logs), Fragon Studios e.U. is the controller and this policy applies. For personal data that may be contained inside the repositories, issues, and code a customer connects to FragonForge, the customer is the controller and Fragon Studios e.U. acts as a processor on the customer's documented instructions. That relationship is governed by a separate Data Processing Agreement, not by this policy.
2. Scope
This policy explains how we process personal data when you:
- visit the marketing website fragonforge.com;
- create and use a FragonForge account;
- connect a source-code forge and run the agent;
- contact us by email.
3. Data we process, purposes, and legal bases
3.1 Website visit (server logs)
- Data: IP address, date and time of the request, requested URL, referrer, user agent, and similar technical data automatically transmitted by your browser.
- Purpose: delivering the website, ensuring stability and security, defending against abuse.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, functioning website).
3.2 Account data
- Data: name, email address, hashed password, TOTP two-factor secret and recovery codes, organization name, role (Owner, Admin, Member, Viewer), personal access tokens (stored as hashes), session and login metadata.
- Purpose: creating and securing your account, authentication, access control, account administration.
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract) for the account itself; Art. 6(1)(f) GDPR (legitimate interest in account security) for two-factor data, session management, and the audit log.
3.3 Forge access tokens
- Data: the access token you provide for your source-code forge (GitLab, GitHub / GitHub Enterprise, Gitea, Forgejo, Bitbucket), encrypted at rest, plus webhook secrets.
- Purpose: connecting to your forge to check out code, push branches, and open merge or pull requests on your instruction.
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
- Security: each organization has its own data encryption key; tokens, webhook secrets, and TOTP seeds are encrypted with it (AES-GCM). Forge tokens are never placed inside an agent sandbox; clone and push run on the control plane.
3.4 Repository metadata
- Data: repository identifiers, connection settings, branch and merge- request metadata, issue and label metadata used to trigger and track runs.
- Purpose: configuring connections and operating the issue-to-merge- request loop.
- Legal basis: Art. 6(1)(b) GDPR.
3.5 Issue and code content processed during runs
- Data: the content of issues and source code that the agent reads and modifies while a run executes. This can incidentally contain personal data if your code or issues contain it.
- Processing model: each run executes in a dedicated, ephemeral Kubernetes sandbox that is destroyed after the run. The repository clone inside the sandbox lives on a pod-local volume that dies with the pod. The control plane's own working clone is deleted after every run. Where this content constitutes personal data, the customer is the controller and we act as a processor; see the DPA.
- Legal basis: Art. 6(1)(b) GDPR in our relationship with the customer; as processor, we act only on documented instructions under Art. 28 GDPR.
3.6 Run logs
- Data: the agent's own output for a run, passed through a secret- redaction filter and capped at 64 KiB per run. Run logs hold agent output, not a copy of your repository.
- Purpose: letting you see what a run did; troubleshooting.
- Legal basis: Art. 6(1)(b) GDPR.
- Retention: run history is retained according to your plan: 30 days on Free, 90 days on Solo, 1 year on Team and Business.
3.7 Code search index (RAG), paid plans only
- Data: on paid plans, an optional code index stores chunked source- code text (in the database) and vector embeddings (in the vector store), so the agent can search your codebase.
- Purpose: giving the agent codebase context (retrieval-augmented generation).
- Processing model: the index is tenant-isolated at both the database and the vector store, and is purged atomically together with everything else when you offboard.
- Legal basis: Art. 6(1)(b) GDPR; processor role as above.
3.8 LLM egress (bring your own key)
- What happens: the agent's model calls leave through an egress proxy that forwards requests to the LLM provider whose key you configured, and streams responses back. The proxy does not log or persist request or response bodies. Your provider's own logs and bill are the complete record of what the agent sent to the model.
- Important: the LLM provider is engaged under your own contract with that provider, using your own API key. The LLM provider is therefore not our sub-processor; it is a recipient you have chosen and contracted with directly. See the Sub-processor list.
- Legal basis: Art. 6(1)(b) GDPR for operating the proxy; responsibility for the provider relationship and its data terms rests with you as the account holder.
3.9 Billing data
- Data: billing contact, plan, subscription status, and the identifiers needed to link your account to a payment. Card data is handled by our payment provider, Stripe, not stored by us.
- Purpose: managing your subscription, invoicing, cancellation.
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract) and Art. 6(1)(c) GDPR (compliance with tax and accounting obligations, including retention under the Bundesabgabenordnung and the Unternehmensgesetzbuch).
- Retention: billing and invoice records are retained for the statutory period of seven years.
3.10 Telemetry
- Data: traces and metrics that record identifiers, durations, and token counts. Telemetry carries no code and no prompts. Emails we send never contain repository content.
- Purpose: operating, monitoring, and improving the service.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a reliable service).
3.11 Email contact
- Data: your email address, message content, and any information you choose to include.
- Purpose: answering your enquiry.
- Legal basis: Art. 6(1)(b) GDPR where the enquiry relates to a contract or its initiation, otherwise Art. 6(1)(f) GDPR (legitimate interest in responding).
4. Recipients and sub-processors
We do not sell personal data. We share it only with service providers who process it on our behalf under Art. 28 GDPR, and only as necessary.
Our current infrastructure sub-processor is Hetzner Online GmbH (Germany), which provides hosting. Payments are processed by Stripe. Further sub-processors (for example a transactional email provider) are listed, as they are confirmed, in our Sub-processor list.
Your LLM provider is not our sub-processor: you bring your own key and contract directly with that provider. See section 3.8.
5. RAG, agent output, and automated processing
FragonForge runs an autonomous coding agent that reads and writes code. Its output (branches, merge or pull requests) is proposed, never merged automatically; a human reviews and decides. This processing does not produce a decision that has legal or similarly significant effects on a data subject within the meaning of Art. 22 GDPR.
6. Data residency and international transfers
The platform runs on dedicated servers in the EU (Hetzner, Germany). Data at rest stays in the EU. Database backups are point-in-time-recovery backups to EU object storage with a 30-day retention window.
We do not transfer personal data outside the EU/EEA in the course of operating the platform itself. One exception applies to billing: payment processing through Stripe may involve a transfer of billing data to Stripe, Inc. (USA) under the EU-US Data Privacy Framework or standard contractual clauses, as set out in Stripe's own data processing terms; see our sub-processor list.
Note on LLM providers: if you configure a provider that processes data outside the EU/EEA, that transfer occurs under your own contract with that provider, for which you are responsible as controller.
7. Retention
We keep personal data only as long as necessary for the purposes above or as required by law. Summary:
- Account data: for the life of the account, then deleted on offboarding.
- Forge tokens, repository metadata, code index: for the life of the account, then purged on offboarding.
- Run logs / run history: per plan (30 days Free, 90 days Solo, 1 year Team and Business).
- Billing/invoice records: 7 years (statutory).
Offboarding is a real purge, not a soft delete: database rows, the code search index, stored keys and tokens, and billing links are removed. It is self-serve from the app. Statutory retention obligations (for example for invoices) are the documented exception and survive account deletion until they lapse.
8. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- rectification (Art. 16);
- erasure (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on Art. 6(1)(f) (Art. 21);
- withdraw consent at any time, where processing is based on consent (Art. 7(3)), without affecting prior processing.
To exercise these rights, contact legal@fragonstudios.com. Where we act as a processor for repository content, direct requests concerning that content to the customer who is the controller; we will assist them as required by the DPA.
Right to complain
You have the right to lodge a complaint with a supervisory authority. The authority for Austria is:
Österreichische Datenschutzbehörde (DSB) Barichgasse 40-42, 1030 Wien, Austria Web: https://www.dsb.gv.at
9. Is provision of data required?
Providing account and billing data is necessary to enter into and perform the contract; without it we cannot provide the service. Providing a forge token and repository access is necessary to use the agent. There is no statutory obligation to provide data, but the service cannot function without the data described above.
10. Security
We describe our security architecture in detail on our public security page, including per-run sandbox isolation, default-deny networking, per-organization encryption of secrets, role-based access control, a tenant-scoped audit log, and EU data residency.
11. Changes to this policy
We may update this policy as the service or the law changes. The current version is always available at fragonforge.com. Material changes affecting you will be communicated by an appropriate means.