subforge — Privacy Policy
Effective date: June 2026
Last updated: 16 June 2026
This Privacy Policy explains how Hidef Software Limited ("subforge", "we", "us") collects, uses, and protects personal data when you use the subforge hosted SVN platform and website (the "Service").
We are the data controller for the personal data described in this policy, except where we act as a processor for content you and your team upload (see Section 9). Our contact details are in Section 13.
1. What we collect
Information you give us
- Account details: username, full name (if provided), and email address.
- Authentication data: a hashed version of your password (we store a bcrypt hash, never your plaintext password). Password-reset and invite tokens.
- Communications: messages you send us (e.g. support requests), and the email address you submit to the pricing/waitlist form to register interest in paid plans.
Information we collect automatically
- Session data: a session identifier (stored in an essential cookie — see our Cookie Policy), and, for each session, your IP address, browser user-agent, and timestamps (created, last seen, expiry).
- Operational logs and metrics: technical logs needed to run and secure the Service (e.g. requests, errors, rate-limiting events) and aggregate system metrics. These can include IP addresses and usernames.
Content you upload ("repository content")
- Source code, files, binary assets, commit messages, and commit author metadata (which may include names and email addresses recorded by SVN clients). For most purposes we handle this as your data — see Section 9.
- For repository mirrors, the upstream source URL and any credentials you provide so we can sync from it.
We do not use third-party advertising or analytics trackers, and we do not sell personal data.
2. How we use personal data, and our legal basis
| Purpose | Data used | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Create and manage your account | Account details, password hash | Contract |
| Authenticate you and keep you signed in | Session data, IP, user-agent | Contract |
| Operate, secure, and maintain the Service | Logs, IP, metrics, session data | Legitimate interests (running a secure, reliable service) |
| Prevent abuse, fraud, and protect the Service (incl. rate limiting) | IP, account and usage data | Legitimate interests / legal obligation |
| Send service and security emails (e.g. password reset, invites, important notices) | Email address | Contract / legitimate interests |
| Respond to your support requests | Communications, account details | Legitimate interests / contract |
| Handle the paid-plan waitlist | Email you submit | Consent |
| Comply with law (e.g. valid takedown or legal requests) | Relevant data | Legal obligation |
Where we rely on legitimate interests, we have considered your rights and believe our use is proportionate. You can object — see Section 8.
We do not carry out automated decision-making that produces legal or similarly significant effects about you.
3. Cookies
We set a single essential session cookie to keep you signed in. We do not use advertising, analytics, or tracking cookies. See the Cookie Policy for details.
4. Who we share data with
We share personal data only with:
- Sub-processors / service providers who help us run the Service, under
contract and only as needed. Our current list is in
sub-processors.mdand includes our email provider and our hosting/storage. We do not authorise them to use your data for their own purposes. - Other users, only as a result of how you use the Service — e.g. collaborators you grant access to a repository, your username/display name on commits, and anything in a repository you make public.
- Authorities or third parties where required by law, to enforce our Terms, or to protect the rights, safety, or security of users, the public, or us.
- A successor in the event of a reorganisation, merger, or sale, subject to this policy.
5. International transfers
We store and process personal data — including your account data and all repository content — in the United Kingdom.
The one exception is transactional email: our email provider, Scaleway,
processes the recipient's email address and the content of the message within
the EU (France) in order to deliver notifications such as password resets and
invites. Repository content is never sent to the email provider. Because
this processing stays within the EEA, it relies on UK adequacy and involves no
international transfer to the United States. See
sub-processors.md for the full list.
6. How long we keep data
- Account data: for as long as your account is active, and for a reasonable period after closure to handle disputes, legal obligations, and abuse prevention, then deleted or anonymised.
- Repository content: until you or your workspace admin delete it, or until a reasonable period after account termination (see the Terms), after which it may be permanently deleted.
- Session data: sessions expire after 7 days; expired sessions are cleared in the ordinary course.
- Tokens: password-reset and invite tokens expire shortly after issue.
- Logs and backups: retained for a limited period for security and operational purposes, then deleted or rotated in the ordinary course.
7. How we protect data
We use measures appropriate to a service of our size, including: encrypted transport (HTTPS), password hashing with bcrypt, opaque session tokens with HttpOnly cookies, rate limiting on authentication endpoints, access controls, and restricted internal/admin interfaces. No service can be perfectly secure; see Section 12 of the Terms on disclaimers, and our Security Policy for reporting vulnerabilities.
8. Your rights
Under UK data protection law you have the right to: access your data; have inaccurate data corrected; have data erased; restrict or object to processing; data portability; and to withdraw consent (where we rely on it) at any time. You can exercise these by emailing [email protected]. We will respond within the statutory timeframe (normally one month).
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, though we'd appreciate the chance to resolve concerns first.
9. When we are a processor (repository content)
When you or your organisation upload repository content, that content — and any personal data it happens to contain (e.g. committer names/emails, or personal data inside files you choose to store) — is controlled by you. We process it on your behalf to provide the Service, under our Terms and, where applicable, a Data Processing Addendum. You are responsible for having a lawful basis for any personal data you put into your repositories, and for responding to data-subject requests relating to that content. We will assist you as reasonably required.
10. Children
The Service is not directed to children. You must be at least 16 to use it, and you must not create an account if you are younger. If we learn we have collected data from someone under that age without appropriate consent, we will delete it.
11. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, take reasonable steps to notify you.
12. Marketing
We do not currently send marketing emails. If we introduce them, we will only do so with your consent where required, and every marketing email will include an unsubscribe option. Service and security emails (e.g. password resets) are not marketing and are sent as part of operating your account.
13. Contact us
Data protection / privacy enquiries: [email protected]
Controller: Hidef Software Limited, 22 Wyburn Avenue, High Barnet EN5 5TG
(registered in England & Wales, company number 09007533)
We are not required to appoint a statutory Data Protection Officer given the
small scale of our processing; privacy enquiries go to [email protected].