AgentForge

Data Protection

How we protect your data

AgentForge handles uploaded images, prompts, generations and account data. This page details the technical security we apply, what data we retain (and for how long), and your rights under India's Digital Personal Data Protection Act 2023.

DPDP Act 2023 — compliance status

Fully aligned: data principal rights, consent management, retention transparency, breach notification protocol and grievance officer disclosure are all implemented (see below).

Technical security

🔒 Encryption in transit

All connections to AgentForge are forced HTTPS (TLS 1.2 or higher). Uploads, generations and account API calls travel over TLS.

🔒 Encryption at rest

Uploaded images, generated outputs and account metadata are stored on Supabase Storage and Postgres, both encrypted at rest with AES-256.

🔒 Row-level security (RLS)

Every database table that holds user data has Postgres Row-Level Security policies enabled. A logged-in user can only see their own rows — never anyone else's.

🔒 Atomic credit operations

Credit deduction and refunds run through SECURITY DEFINER Postgres functions accessed only by our service role. Clients cannot tamper with credit balances directly.

🔒 Authentication safeguards

Sign-in uses Supabase Auth — bcrypt password hashes, JWT session tokens, OAuth via Google. Sessions are refreshed and revocable at any time.

🔒 Webhook signature verification

Payment webhooks (Razorpay) verify HMAC signatures before any credit grant is processed. Duplicate webhooks are blocked by a unique-payment-id constraint.
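The webhook flow described above, as an added illustration that is not AgentForge's own code: the signature is checked over the raw request body in constant time, and a UNIQUE constraint on the payment ID makes a replayed webhook a no-op. Assumptions: hex HMAC-SHA256, the constructed payload fields and secret, the hypothetical credit_grants table, and SQLite standing in for Postgres.

```python
import hashlib
import hmac
import json
import sqlite3

WEBHOOK_SECRET = b"constructed-test-secret"  # assumption: secret shared with the payment provider
# Constructed sample payload; field names are hypothetical, not the provider's schema.
SAMPLE_BODY = b'{"payment_id": "pay_constructed_001", "user_id": "u1", "credits": 100}'


def open_ledger():
    """In-memory stand-in for the credits ledger; payment_id carries the UNIQUE constraint."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credit_grants ("
               " payment_id TEXT UNIQUE, user_id TEXT, credits INTEGER)")
    return db


def sign(raw_body, secret=WEBHOOK_SECRET):
    """What the sender computes: hex HMAC-SHA256 over the exact raw bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(db, raw_body, signature_header):
    """Return 'granted', 'duplicate' or 'rejected'."""
    # 1. Verify before parsing: the MAC covers the raw bytes, not re-serialised JSON.
    expected = sign(raw_body)
    if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
        return "rejected"
    event = json.loads(raw_body)
    if not isinstance(event.get("payment_id"), str):
        return "rejected"  # a NULL id would slip past the UNIQUE constraint
    # 2. Let the database enforce idempotency instead of a racy SELECT-then-INSERT.
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO credit_grants VALUES (?, ?, ?)",
                       (event["payment_id"], event["user_id"], int(event["credits"])))
    except sqlite3.IntegrityError:
        return "duplicate"
    return "granted"


def balance(db, user_id):
    """Total credits granted to one user."""
    row = db.execute("SELECT COALESCE(SUM(credits), 0) FROM credit_grants"
                     " WHERE user_id = ?", (user_id,)).fetchone()
    return row[0]
```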

Data we collect

Account data

Email, optional full name, hashed password (Supabase Auth), profile photo URL if you sign in with Google. Phone number if you choose to add it.

Generation data

Uploaded source images, your prompts/settings, generated outputs, generation timestamps and status. Credits used and refunded.

Payment data

Razorpay order ID, payment ID, signature, plan name, amount. Card numbers and bank details are never seen by us — they're handled by Razorpay under their own security policies.

Usage data

Anonymous analytics (Google Analytics 4, Microsoft Clarity heatmaps, Meta Pixel) and server logs. No raw input data is sent to analytics — only event metadata.

Retention & deletion

Active accounts

All data is retained while your account is active so your gallery, generations and billing history stay available.

Account deletion

When you delete your account (Profile → Settings → Delete Account), we permanently remove your profile, generations and uploaded images within 30 days. Some billing records may be retained for tax/legal purposes per Indian law (typically 7 years).

Inactive accounts

Accounts inactive for 24 months may be archived. We send an email warning 30 days before any archival action.

Audit logs

Credit transactions (deductions, refunds) are retained for as long as the account exists, for dispute resolution.

Your rights under the DPDP Act 2023

Right to information

You can request a copy of all personal data we hold about you. Email info@aiagentforge.in with the subject "DPDP Information Request" — we respond within 30 days.

Right to correction & erasure

You can edit your profile data directly in-app or request correction/erasure for fields you can't edit yourself. Account-wide erasure is available via Profile → Settings → Delete Account.

Right to grievance redressal

Any data-related complaint can be filed with our Grievance Officer (details below). We acknowledge within 7 days and resolve within 30 days as required by the DPDP Act 2023.

Right to withdraw consent

You may withdraw consent for analytics tracking at any time using your browser's privacy controls. Consent for service-essential data (account, generations) cannot be withdrawn without deleting your account, since that data is required to operate the service.

Right to nominate

Under the DPDP Act, you may nominate a person to exercise your rights in the event of your death or incapacity. To register a nomination, email info@aiagentforge.in.

Data breach notification

In the event of a personal data breach that may pose a risk to data principals, AgentForge will notify the Data Protection Board of India and affected users within the timelines required by the DPDP Act 2023, with details of: the nature of the breach, the categories and approximate number of data principals affected, likely consequences, and mitigation actions taken.

Grievance Officer

Per Section 8(10) of the DPDP Act 2023 and Rule 3(11) of the IT (Intermediary) Rules 2021, AgentForge has appointed a Grievance Officer:

Name

AgentForge Grievance Officer

Acknowledgement window

Within 7 days of receipt

Resolution window

Within 30 days as required by DPDP

See also our Privacy Policy for the full collection-and-use disclosure.