GDPR & Data Protection
Last updated: 30 May 2026
Appfora is operated by Conso4s Ltd, a company registered in England and Wales. We take data protection seriously and have built the platform so that privacy and security are designed in rather than bolted on. This page explains how we meet our obligations under the UK General Data Protection Regulation (UK GDPR) and, where it applies, the EU GDPR, and how individuals can exercise their rights.
This page sits alongside our Privacy Policy. The Privacy Policy describes in detail what personal data we collect, why, and how long we keep it; this page focuses on our legal commitments, the roles we play (controller and processor), and the safeguards and processes that back those commitments. Where the two overlap, read them together.
This document is provided for transparency. It should be reviewed by qualified legal counsel and any bracketed [placeholders] completed before it is relied upon.
1. Our commitment to UK and EU GDPR
We are committed to processing personal data lawfully, fairly and transparently, and to upholding the principles set out in the UK GDPR and, where relevant, the EU GDPR. That means we collect only the data we need, use it only for the purposes we have told you about, keep it secure, and retain it no longer than necessary.
Our supervisory authority in the UK is the Information Commissioner's Office (ICO). Conso4s Ltd is registered with the ICO under registration number [ICO registration number].
2. Controller and processor roles
Whether we are a controller or a processor depends on which data is involved. Understanding the distinction matters because it determines who is responsible for which obligations under data protection law.
Where we are the controller
Conso4s Ltd is the data controller for personal data relating to your Appfora account and your use of our website. This includes your account details, billing and subscription information, support enquiries you send us, and the analytics and log data generated as you use appfora.io. We decide why and how this data is processed, and our Privacy Policy governs it.
Where we are the processor
When you connect a code repository and Appfora scans it to generate your legal documents, support assistant, growth strategies and test validation, any personal data contained within or derived from your product is processed on your behalf and under your instructions. For that end-user and customer data, you (our customer) are the controller and Conso4s Ltd acts as your processor. Our handling of that data is governed by our Data Processing Agreement (see below).
3. Lawful bases for processing
Where we act as a controller, we rely on the following lawful bases under Article 6 of the UK GDPR, depending on the activity:
- Performance of a contract — to create and operate your account, deliver the pillars you subscribe to, and provide support.
- Legitimate interests — to keep the platform secure, prevent abuse, meter usage, and improve our services, balanced against your rights and freedoms.
- Legal obligation — to meet our accounting, tax and other regulatory duties.
- Consent — for non-essential cookies and analytics, which you can give or withhold through our cookie banner.
Where we act as a processor on a customer's behalf, the customer is responsible for establishing the lawful basis for the data they route through their product. Our role is to process that data only on the customer's documented instructions, as set out in the Data Processing Agreement.
4. Categories of data we process
The main categories of personal data involved when you use Appfora are:
- Account data — name, email address, hashed password, organisation membership, authentication and session data, and multi-factor authentication details.
- Billing data — your subscription, plan and usage metering. Card payments are processed securely by Stripe; we do not store full card numbers.
- Product and usage data — the one-way code fingerprint, scan-derived metadata, generated outputs (legal documents, support knowledge base, growth strategies and test reports), and API usage and metering.
- Support content — questions and messages you submit to the support assistant.
- Website data — cookies and analytics, and basic device and log data.
Appfora creates a one-way structural fingerprint of your repository for analysis. We never store your raw source code, API keys, secrets, credentials or environment variables, and the source is discarded once analysis is complete.
5. Your data-subject rights
If we are the controller of your personal data, you have the following rights under the UK GDPR:
- The right to be informed about how we use your data.
- The right of access to the personal data we hold about you.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (the right to be forgotten).
- The right to restrict processing in certain circumstances.
- The right to data portability — to receive your data in a structured, commonly used and machine-readable format.
- The right to object to processing based on our legitimate interests.
- Rights related to automated decision-making and profiling.
- The right to withdraw consent at any time, where we rely on consent.
How to exercise your rights
To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by the UK GDPR; if your request is complex we may extend this and will tell you why. There is normally no charge.
If you are an end user whose data is processed through one of our customers' products, the customer is the controller of that data. In that case, please direct your request to the relevant customer; we will support them in responding as their processor.
6. Data Processing Agreement (DPA)
Business customers who use Appfora to process personal data can enter into a Data Processing Agreement with us. The DPA sets out the subject matter and duration of processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the rights and obligations of both parties under Article 28 of the UK GDPR.
Our DPA expressly prohibits the use of customer data to train AI models. We process customer data only on the customer's documented instructions and to deliver the services they have subscribed to. To request a copy of the DPA, contact [email protected].
7. Sub-processors
We use a small number of trusted third parties to help us deliver the platform. Each is engaged under a Data Processing Agreement that requires appropriate safeguards. Our current sub-processors include:
- Stripe — payment processing.
- [cloud hosting provider] — cloud hosting and infrastructure.
- AI/LLM model providers — used to generate the pillar outputs, under DPAs that prohibit training on customer data.
- [analytics provider] — website analytics.
This list is non-exhaustive and subject to change. We maintain Data Processing Agreements with all of our providers. Where we engage a new sub-processor that affects customer data, we handle it in line with the change provisions of our DPA.
8. International data transfers
Some of our sub-processors may process personal data outside the UK or the European Economic Area. Where data is transferred internationally, we put appropriate safeguards in place to ensure it remains protected to UK and EU GDPR standards.
Depending on the destination, these safeguards include the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for transfers from the UK, and the EU Standard Contractual Clauses (SCCs) for transfers from the EEA, together with any supplementary measures required following a transfer risk assessment.
9. Technical and organisational security measures
We protect personal data with technical and organisational measures appropriate to the risk. These include:
- Encryption — AES-256 for data at rest and TLS 1.3 for data in transit.
- Product isolation — each customer product runs in its own isolated container with dedicated compute and storage and no shared infrastructure; internal services communicate over private networks with no cross-tenant traffic.
- Security headers enforced on every response — Content Security Policy, HTTP Strict Transport Security, CORS controls, frame denial and a referrer policy.
- Scoped API key access — API keys are formatted af_live_... and each key carries defined scopes that limit what it can do.
- Data minimisation by design — a one-way code fingerprint with no storage of raw source code, secrets, credentials or environment variables.
Conso4s Ltd holds ISO 27001 certification for information security and ISO 9001 certification for quality management. A SOC 2 report is available to qualified customers on request; please contact [email protected].
10. Personal-data breach handling
We maintain procedures to detect, report and investigate personal-data breaches. Where a breach is likely to result in a risk to people's rights and freedoms and we are the controller, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
Where a breach is likely to result in a high risk to affected individuals, we will inform those individuals without undue delay. When we act as a processor, we will notify the relevant customer (the controller) without undue delay so that they can meet their own notification obligations.
11. Data retention and deletion
We keep personal data only for as long as necessary for the purposes for which it was collected, or as required to meet legal, accounting or reporting obligations.
You can request full deletion of a product from your account settings. When you do, all generated documents, models and metadata for that product are permanently removed within 30 days. For more detail on retention periods, see our Privacy Policy.
12. Data protection contact
For any data protection question, including DPA requests, data-subject requests or breach queries, you can reach our data protection contact at [email protected]. For general privacy enquiries, use [email protected].
You can also write to us at: Conso4s Ltd, [Conso4s Ltd registered office address]. Company number: [company number].
14. How this page relates to our Privacy Policy
This page sets out our GDPR commitments, the roles we play, and the safeguards and processes behind them. Our Privacy Policy gives the full detail of the personal data we collect, the purposes and lawful bases for each use, retention periods, and how cookies are handled.
Read the two together for a complete picture. For details on cookies and the consent choice we store in your browser, see our Privacy Policy.