Privacy Policy
Last updated: 30 May 2026
This Privacy Policy explains how Conso4s Ltd ("Conso4s", "we", "us" or "our") collects, uses, shares and protects personal data when you use Appfora (appfora.io), our developer platform. It applies to our website, our application and our developer API.
We are committed to handling your data lawfully, fairly and transparently in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. A core design principle of Appfora is that we never store your raw source code: we analyse your repository, generate the outputs you ask for, and discard the source. This policy sets out the detail behind that commitment.
This document is provided for transparency. It should be reviewed by qualified legal counsel and any bracketed [placeholders] completed before it is relied upon.
1. Who we are and how to contact us
Appfora is a product operated by Conso4s Ltd, a company registered in England & Wales. Conso4s Ltd is the data controller responsible for the personal data described in this policy. Appfora.io is a registered trademark of Conso4s Ltd.
Our company registration and ICO registration details are set out below. Any value shown in brackets is a placeholder pending publication.
- Company: Conso4s Ltd (registered in England & Wales)
- Company number: [company number]
- Registered office: [Conso4s Ltd registered office address]
- ICO registration number: [ICO registration number]
- Privacy enquiries: [email protected]
- Data protection contact: [email protected]
If you have any questions about this policy or about how we handle your personal data, please contact us at [email protected], or contact our data protection team at [email protected].
2. Personal data we collect
We collect and process the following categories of data. We do not collect more than we need for the purposes described in this policy.
Account data
- Your name and email address
- A hashed password (we never store passwords in plain text)
- Organisation membership and role
- Authentication and session data, including multi-factor authentication (MFA) details where enabled
Billing data
- Your subscription, plan and selected pillars
- Usage metering used to calculate charges and overages
- Card payments are processed securely by Stripe; Enterprise customers may be invoiced. We store your subscription and metering data but do not store full card numbers.
Product and usage data
- A one-way code fingerprint: a structural digest of your connected repository
- Scan-derived metadata about your codebase
- Generated outputs, such as legal documents, support knowledge bases, growth strategies and test reports
- API usage and metering associated with your developer API keys
Support content
- Questions and content you submit to the Appfora support assistant
Website and log data
- Cookies and website analytics (see Cookies below and our separate Cookie Policy)
- Basic device and log data, such as IP address, browser type and request logs
3. What we never store: source code, secrets and credentials
When you connect a code repository (GitHub, GitLab, Bitbucket, Azure, or a local path), Appfora scans the codebase to generate your chosen pillars. Rather than retaining your code, we create a one-way code fingerprint, which is a structural digest of the repository.
We never store any of the following:
- Raw source code
- API keys
- Secrets and credentials
- Environment variables
Your source is used only during analysis and is discarded once analysis is complete. The fingerprint is a one-way digest and is not a copy of your code, so it cannot be used to reconstruct your source.
4. How and why we use your data
We use your personal data for the following purposes:
- To create and manage your account, organisation and sessions, including authentication and MFA
- To provide the Appfora service: connecting your repository, generating the code fingerprint, and producing your Legal, Support, Growth and Test pillar outputs
- To operate the developer API, including issuing and validating scoped API keys (formatted af_live_...) and metering usage
- To process payments, manage subscriptions and bill usage and overages, through Stripe
- To respond to your questions submitted to the support assistant and to provide customer support
- To analyse website traffic and improve the experience (subject to your cookie choices)
- To keep the service secure, prevent abuse, and maintain the integrity of our infrastructure
- To meet our legal, regulatory and accounting obligations
5. Lawful bases under UK GDPR
Under Article 6 of the UK GDPR we must have a lawful basis for each processing purpose. We rely on the following bases, mapped to the purposes above.
Performance of a contract (Article 6(1)(b))
- Creating and managing your account and organisation
- Providing the platform, generating your pillar outputs, and operating the developer API
- Processing payments and managing your subscription
Legitimate interests (Article 6(1)(f))
- Keeping the service and our infrastructure secure and preventing abuse
- Maintaining and improving the platform and understanding how it is used
- Responding to support requests and communicating about the service
Where we rely on legitimate interests, we balance those interests against your rights and freedoms, and you may object to this processing (see Your rights).
Consent (Article 6(1)(a))
- Non-essential cookies and website analytics, where you opt in via our consent banner
- Any optional marketing communications we may send
You can withdraw consent at any time, without affecting processing carried out before withdrawal.
Legal obligation (Article 6(1)(c))
- Retaining billing and transaction records to meet accounting and tax requirements
- Responding to lawful requests and complying with applicable law
7. International transfers
Some of our providers may process personal data outside the United Kingdom. Where data is transferred outside the UK, we put in place appropriate safeguards as required by UK GDPR.
- The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, for transfers from the UK
- EU Standard Contractual Clauses (SCCs) where relevant
- Transfers to countries covered by UK adequacy regulations, where applicable
You can request more information about the safeguards applied to a specific transfer by contacting [email protected].
8. Data retention and the 30-day deletion guarantee
We keep personal data only for as long as we need it for the purposes set out in this policy, or for as long as we are required to keep it by law (for example, billing and transaction records retained for accounting and tax purposes).
You can request full deletion of a product from your account settings at any time. When you do, all generated documents, models and metadata for that product are permanently removed within 30 days. Because we never store your raw source code in the first place, there is no source to delete: it is discarded after analysis.
9. How we protect your data
Security is built into Appfora. We apply technical and organisational measures appropriate to the risk, including:
- Encryption: AES-256 at rest and TLS 1.3 in transit
- Per-customer isolation: each customer product runs in its own isolated container with dedicated compute and storage; there is no shared infrastructure between customers and no cross-tenant traffic
- Private internal networking between our services
- Security headers enforced on every response, including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), CORS controls, frame denial and a referrer policy
- Scoped developer API keys (formatted af_live_...) so access can be limited to what is needed
Conso4s Ltd holds ISO 27001 (information security) and ISO 9001 (quality management) certifications, and maintains Data Processing Agreements with all providers. A SOC 2 report is available to qualified customers on request. No system can be guaranteed completely secure, but we work continuously to protect your data and to limit the impact of any incident.
10. Personal data breaches
We maintain procedures to detect, investigate and respond to suspected personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay so that you can take any steps needed to protect yourself.
11. Your rights
Under UK GDPR you have a number of rights in relation to your personal data:
- Access — to obtain a copy of the personal data we hold about you
- Rectification — to have inaccurate or incomplete data corrected
- Erasure — to have your personal data deleted in certain circumstances
- Restriction — to ask us to limit how we use your data in certain circumstances
- Portability — to receive certain data in a structured, commonly used, machine-readable format, or have it transferred to another controller
- Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time
- Withdraw consent — to withdraw any consent you have given, at any time, without affecting processing already carried out
To exercise any of these rights, contact us at [email protected]. Many actions, such as updating your details or deleting a product, can also be carried out directly in your account settings. We will respond within the time limits set by UK GDPR, normally one month. We will not charge a fee unless your request is manifestly unfounded or excessive.
12. Complaints to the ICO
If you have a concern about how we handle your personal data, we would like the chance to resolve it, so please contact us first at [email protected] or [email protected].
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.
14. Children
Appfora is a developer platform intended for businesses and professional users. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact [email protected] and we will take appropriate steps to delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our service, our providers, or legal requirements. When we make material changes, we will take reasonable steps to notify you, for example by email or through the platform. The date this policy was last updated is shown on this page. Your continued use of Appfora after an update means you accept the revised policy.