Privacy Policy

This policy explains what personal data DawForge collects, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Belgian law.

1. Controller

Disme SRL, Rue Leopold Procureur 20, 1090 Bruxelles, Belgium (KBO 0753.504.413, VAT BE 0753.504.413) is the data controller for personal data processed via dawforge.com. Contact: billing@dawforge.com.

2. What data we collect

Account data

  • Email address and name (provided to our authentication provider).
  • A pseudonymous identifier issued by the authentication provider, which we store to link sessions to your account.

Billing data

  • Payment instrument data (card number, expiry, etc.) is collected and stored only by Stripe. We never see or store your card details.
  • We retain a customer identifier, checkout session ID, purchase history, VAT identifier (if you provide one), billing country, and invoice metadata.

Product data

  • Expression maps and related content you create or upload, your credit balance, and a ledger of credit grants and consumption events.
  • Technical records required to run the service (e.g. request logs, feature flags).

Analytics and error data

  • With your consent (EU users): product analytics events such as page views, sign-ups, map creations, and purchases, captured via PostHog.
  • Error reports captured by Sentry when the application misbehaves. These include a stack trace, the URL, the user identifier, and browser/runtime metadata.

3. Legal bases

We rely on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)) — for account creation, authentication, credit ledger, map storage, and transaction processing.
  • Legal obligation (Art. 6(1)(c)) — for keeping invoices and tax records (typically 7 years under Belgian law).
  • Consent (Art. 6(1)(a)) — for product analytics cookies and non-essential tracking. You can withdraw consent at any time via the cookie settings.
  • Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and error diagnostics. We balance these uses against your rights and keep them proportionate.

4. Sub-processors

We use the following sub-processors to deliver DawForge. Each receives only the data needed for its function.

  • Clerk (authentication) — email, name, session metadata. Clerk uses EU Standard Contractual Clauses for any transfers outside the EEA.
  • Stripe Payments Europe, Ltd. (payments, tax) — payment and billing data. Controller for payment card data under PCI-DSS.
  • Neon (managed Postgres, AWS Frankfurt eu-central-1) — all account and product data at rest.
  • Vercel (web hosting) — request metadata and server logs.
  • Resend (transactional email, EU region) — email address, receipt contents.
  • PostHog (product analytics, EU cloud eu.i.posthog.com) — analytics events keyed to your user ID when you have consented.
  • Sentry (error tracking, EU region de.sentry.io) — error reports with user ID and runtime context.
  • Cloudflare (DNS, email routing for dawforge.com) — DNS queries and inbound email metadata.

5. International transfers

Data is stored primarily in the EU. Where a sub-processor (for instance, Clerk, Vercel, Stripe, PostHog) involves transfer to or access from outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where relevant, supplementary measures such as encryption in transit and at rest.

6. Retention

  • Account data: kept for the life of your account and deleted within 30 days after closure, except where we are required to retain it longer.
  • Billing records: retained for 7 years to meet Belgian tax-law requirements.
  • Analytics events: retained for up to 12 months.
  • Error reports: retained for up to 90 days.

7. Your rights

Under GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests or for direct marketing. Where processing is based on consent, you can withdraw consent at any time.

To exercise any of these rights, email billing@dawforge.com. We will respond within one month. If you believe we have mishandled your data you may lodge a complaint with the Gegevensbeschermingsautoriteit / Autorité de Protection des Données.

8. Security

We protect your data with TLS in transit, encryption at rest for the database and object storage, least-privilege access to production systems, and audit logging on our sub-processors. No system is perfectly secure; in the unlikely event of a personal data breach affecting you we will notify you and the supervisory authority in accordance with Articles 33–34 GDPR.

9. Children

DawForge is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.

10. Changes

We may update this policy. Material changes will be announced by email or in-product notice. The “Last updated” date at the bottom of this page reflects the current version.