Privacy Policy
1. Scope
This Privacy Policy describes how FORK Apps, Inc. ("Fork", "we", "us") collects, uses, stores, and shares information when you use fork.me, any *.fork.me subdomain, our APIs, our CLI, our mobile clients, or any related service (the "Service").
This policy is part of, and incorporated into, our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.
2. What we collect
Account information
- Email address (for sign-in, transactional email, and account recovery).
- Display name and username (you choose these; they appear on your public profile).
- Avatar image (optional; uploaded by you).
- OAuth identifiers from Google or Apple Sign-In, if you use them — we receive your email, name, and a stable identifier from the provider, plus the avatar URL Google returns. We do not receive your password.
- An invite code if your account was gated behind one.
Content you create
- The apps you build — every file in your virtual filesystem (HTML, CSS, JS, assets, server-side functions you write).
- Your messages to our AI agents (Manager and Builder), including any attached images, screenshots, voice notes, or selected page elements.
- App descriptions, dashboards, version history (commits), and any reports you submit about other users or apps.
- Direct messages you send to other users on the platform.
Technical & usage data
- IP address, user agent, request headers, and approximate location derived from IP — used for rate-limiting, abuse prevention, and basic operational logging.
- Device push tokens (APNs / FCM) if you opt into push notifications.
- Application logs (error stack traces, build durations, agent iteration counts) — retained for debugging and reliability.
- API access tokens you mint (e.g. CLI / fork-ssh tokens) — stored hashed; the plaintext is shown to you exactly once.
Payment data
- If you subscribe, we collect billing identifiers and the last four digits / brand of your card from our payment processor. We do not store your full card number or CVV — those go directly to the processor.
We do not intentionally collect special categories of data (health, biometric, political, religious). Don't put such data into your apps or your messages to our agents — see Prohibited Content.
3. How we use your data
We use the data above only for the following purposes:
- Run the Service. Authenticate you, store your apps, serve them on fork.me subdomains, route AI agent traffic, deliver push and email notifications you've enabled, process payments.
- Generate AI output for you. Forward your messages, attached media, and existing app files to our AI providers so they can return code or images you can use. See AI processing for details.
- Keep the Service safe. Detect abuse, enforce rate limits, investigate reports submitted against users or apps, comply with legal requests.
- Improve the Service. Aggregate usage statistics, debug crashes, measure agent performance. Where this involves your individual content we work with the minimum data necessary and prefer aggregated / anonymized signals.
- Communicate with you. Send transactional email (sign-in codes, billing receipts, security alerts) and — if you opt in — product updates.
We do not sell your personal information, and we do not use it for third-party advertising. We do not train Fork-internal machine-learning models on your private app code or your conversations with our agents. (Anthropic's and Google's training policies for traffic we forward to them are described under AI processing.)
4. Legal bases (EEA / UK)
If GDPR or UK GDPR applies to you, we rely on the following legal bases:
- Contract — to deliver the Service you signed up for (account, AI generation, hosting, billing).
- Legitimate interests — to keep the Service secure, prevent abuse, debug failures, and improve features. We balance these interests against your rights and minimize the data used.
- Legal obligation — to respond to lawful requests, retain billing records, comply with sanctions and tax law.
- Consent — for optional product emails, push notifications, and anything we explicitly ask permission for.
6. AI processing
Anthropic processes API traffic to deliver responses and may retain inputs/outputs for a limited period to monitor for abuse and improve safety classifiers. Their commercial API terms (in effect at the time of this policy) state that Claude API inputs and outputs are not used to train Anthropic's foundation models. See Anthropic's privacy policy for the controlling terms.
Google processes image-generation traffic similarly under Gemini's API terms. See Google's privacy policy for the controlling terms.
We do not use your private app code or your messages to train any Fork-internal AI models. Public apps you publish remain visible to other users on the platform — that visibility is part of what "publishing" means and is governed by the Terms, not by this Policy.
8. Retention
- Account & content — retained while your account is active. If you delete your account, we remove or anonymize your account data within 30 days, with limited exceptions for backups (typically purged within 90 days), ledger entries we are required to keep, and abuse / safety records associated with reports filed against you.
- Soft-deleted apps — moved to your trash and recoverable; permanent deletion clears them from the database. Object-storage snapshots are purged on a rolling schedule.
- Operational logs — kept for up to 90 days for debugging and abuse-response, then aggregated or deleted.
- Billing records — retained as long as required by tax and accounting law in our jurisdictions (typically 7 years).
- Reports filed via /users/{id}/report or /apps/{id}/report — retained while we may need them to investigate or respond to disputes; the reporter and target identifiers stay associated with the row.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you and request a copy.
- Correct inaccurate or incomplete data.
- Delete your account and associated personal data (subject to the retention exceptions in §8).
- Object to or restrict certain processing.
- Port your data to another service in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
Many of these you can exercise yourself — your apps and profile are editable from the account; account deletion is available in settings. For requests we can't fulfill in-app (data export, objection, complaints), email privacy@co.fork.me. We respond within 30 days.
California residents have rights under the CCPA / CPRA, including the right to know what we collect, the right to delete, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information within the meaning of those laws. Use the same contact above to exercise any CCPA right; we will not discriminate against you for doing so.
10. Children
The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we learn we have collected data from a child without parental consent, we delete it. Contact us at privacy@co.fork.me if you believe a child has provided us data.
11. International transfers
We are based in the United States. Our subprocessors operate primarily in the United States and the European Union. When we transfer personal data out of the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses or another lawful transfer mechanism. By using the Service from outside the United States, you consent to your data being processed in the United States.
12. Security
We use industry-standard measures to protect your data: TLS in transit, hashed passwords (where you use email login), JWT-based session tokens, hashed API keys, encrypted backups. Access to production systems is limited to staff who need it and is logged.
No service is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.
13. Apps built on Fork
Apps published by other users on fork.me subdomains are not controlled by us. Each app's author is the data controller for whatever that app collects from its visitors. Authors are required by our Terms to publish their own privacy notice when they collect personal data from end users. We are at most a processor on their behalf for hosting infrastructure.
If you visit an app on fork.me and have a privacy question about it, contact the app's author. If the app violates our policies, report it via the three-dot menu on the app toolbar or email abuse@co.fork.me.
14. Changes
We may update this Policy from time to time. The "Last updated" date at the top reflects when the current version took effect. For material changes we will take reasonable steps to notify you — typically by email or an in-product banner — before they apply to data we've already collected. Continued use of the Service after the effective date means you accept the updated Policy.
15. Contact
FORK Apps, Inc.
1111b South Governors Avenue, Suite 84934
Dover, DE 19904, United States
Privacy: privacy@co.fork.me
General: hi@fork.me
Abuse / takedown: abuse@co.fork.me