Privacy Policy
Last updated: March 10, 2026
Potforge ("we", "us", "our") operates the website potforge.com and the Potforge Studio web application (together, the "Service"). This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.
The Service is currently in a pre-launch beta phase. Some features described below may not yet be available to all users.
By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, account recovery, and service-related communications.
- Password — stored only as a secure, one-way cryptographic hash (PBKDF2 with SHA-256). We never store or have access to your plaintext password.
- Display name — optional, used within the app interface.
- Beta access code — if you sign up with a beta code during our pre-launch phase, we record the code used and grant your account beta access. The code itself is not linked to your personal data beyond this association.
1.2 Newsletter & Launch Updates
When you sign up for launch updates on our website, we collect:
- Email address (required) — used solely to notify you about Potforge launch updates and major announcements.
- Name (optional) — used to personalise communications.
- Consent record — the exact text of the consent checkbox you agreed to, and the date and time of your consent, to comply with GDPR requirements.
- IP address — recorded for audit and anti-abuse purposes. Not displayed publicly or shared with third parties.
Newsletter data is used solely to send launch updates. You can unsubscribe at any time by emailing support@potforge.com and requesting removal. We will delete your newsletter data within 30 days of such a request.
1.3 Saved Projects
When you save pot designs to your account, we store the design parameters (shape, texture, dimensions, color choices) as JSON data. Saved projects may also include a small thumbnail image of your design.
1.4 Feedback Submissions
If you submit feedback through the app, we collect the email address and message you provide, along with the feedback category you select.
1.5 Automatically Collected Information
We collect minimal technical information necessary for the Service to function:
- Authentication tokens — stored in your browser's localStorage to keep you signed in between visits.
- Preference flags — such as cookie consent status, tutorial completion state, display quality settings, and beta access state, stored in localStorage.
- Cloudflare Turnstile challenge data — when you submit forms (account signup, newsletter signup, feedback), Cloudflare Turnstile verifies that you are a real user. Turnstile does not use tracking cookies and does not collect personal information; it generates a single-use token per form submission that we validate server-side. See Cloudflare's Privacy Policy for details.
We do not use tracking cookies, analytics cookies, or any third-party advertising trackers.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Account management — to create and maintain your account, authenticate your identity, and manage your subscription tier and beta access status.
- Service delivery — to save and load your pot designs, generate export files, and provide the core functionality of the Service.
- Launch updates — to send you notifications about Potforge's launch and major updates, if you signed up for our newsletter. We will not send marketing emails unrelated to Potforge.
- Service communications — to send essential emails such as welcome messages, password reset links, and important service updates.
- Improvement — to understand how the Service is used at an aggregate level and to fix bugs.
We do not sell, rent, or share your personal information with advertisers or third-party marketers.
3. Cookies & Local Storage
Potforge uses only essential browser storage for the Service to function correctly. We do not use any analytics or tracking cookies.
| Storage Key | Purpose | Type |
|---|---|---|
| Authentication token | Keeps you signed in between visits | Essential |
| Cookie consent flag | Remembers that you acknowledged this notice | Essential |
| Autosave data | Recovers unsaved work after browser crashes | Essential |
| Display preferences | Quality settings, tutorial state, UI preferences | Essential |
| Beta access state | Caches your beta access status to control studio access during pre-launch | Essential |
Since we use only essential storage required for the Service to function, no opt-in consent is required under the ePrivacy Directive. We show an informational cookie banner as a courtesy.
4. Third-Party Services
We use the following third-party services to operate the Service:
- Cloudflare (Pages, Workers, D1, R2) — hosting, API infrastructure, database, and file storage. Cloudflare may process your IP address for security and performance purposes. See Cloudflare's Privacy Policy.
- Cloudflare Turnstile — bot protection on signup forms. Does not use cookies or track users. See Cloudflare's Privacy Policy.
- Resend — sends transactional emails (welcome messages, password resets). Receives only the email address needed for delivery. See Resend's Privacy Policy.
We do not use Google Analytics, Facebook Pixel, or any other advertising or behavioral tracking services.
5. Data Storage & Security
Your data is stored on Cloudflare's globally distributed infrastructure. We take the following measures to protect your information:
- Passwords are hashed using PBKDF2 with 100,000 iterations and SHA-256 before storage.
- All data is transmitted over HTTPS (TLS encryption).
- Authentication uses JSON Web Tokens (JWT) with HMAC-SHA256 signing.
- API endpoints are rate-limited to prevent abuse.
- Saved project files are isolated per user — you can only access your own files.
6. Data Retention
- Account data — retained as long as your account is active. Deleted within 30 days of account deletion.
- Saved projects — retained as long as your account is active. Deleted when you delete them or when your account is deleted.
- Newsletter data — retained until you request removal by emailing support@potforge.com. Deleted within 30 days of your request.
- Feedback submissions — retained for up to 2 years for product improvement purposes.
- Authentication tokens — expire automatically (7 days for access tokens, 30 days for refresh tokens).
- Beta access codes — usage records are retained for the duration of the beta period. Codes expire automatically based on their configured expiry date.
7. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access — you can request a copy of all personal data we hold about you.
- Right to rectification — you can ask us to correct any inaccurate personal data.
- Right to erasure — you can request deletion of your personal data. You can also delete your account directly from the Account Settings page, which removes all associated data.
- Right to data portability — you can request your data in a structured, machine-readable format (JSON).
- Right to object — you can object to processing of your personal data.
- Right to restrict processing — you can ask us to restrict how we process your data while a complaint is being resolved.
To exercise any of these rights, contact us at support@potforge.com. We will respond within 30 days.
If you signed up for our newsletter and wish to unsubscribe, you can do so at any time by emailing support@potforge.com. We will remove your data within 30 days.
Our legal bases for processing your data are: contractual necessity (providing the Service you signed up for), consent (newsletter sign-up), and legitimate interest (improving the Service and preventing abuse).
8. International Data Transfers
Your data may be processed in countries outside the EEA through Cloudflare's global infrastructure. Cloudflare provides appropriate safeguards in compliance with GDPR, including Standard Contractual Clauses.
9. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email.
We encourage you to review this page periodically to stay informed about how we protect your information.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
Email: support@potforge.com
Website: potforge.com