This page is the long version of a short commitment: we collect the minimum we need, we store it in one place we can point at, and we don't sell it. Below is the specific list, with the limitations of being a small operation stated where they exist.
What data we collect
- Email address. One per account. Used to sign you in, send receipts, and contact you if something breaks.
- License key state. Which tier you're on, which subscription it's tied to, and renewal date. Stored on our license server.
- Payment processing is handled entirely by Stripe. We never see card numbers, CVV codes, or bank details. Stripe sends us a token and a status; that's it.
- Forge installation events. An anonymous counter on first launch. No username, no hostname, no IP beyond what's in an HTTP request log.
- Scheduling and Email Marketing (when launched): OAuth tokens for calendar integrations you explicitly authorize, and the email list data you upload. Same principle - we store what you give us, nothing more.
What we don't collect
- No browsing or tracking pixels.
- No third-party analytics on the main site. No Google Analytics, no Hotjar, no Mixpanel, no Segment.
- No selling or sharing data with third parties. Ever. There isn't a premium tier where we sell your data. There isn't any tier where we sell your data.
- No training of AI models on your data. Your data stays yours. We don't feed it to anyone else's model either.
- No advertising ID tracking.
Where your data lives
Primary VPS with OVH in the France region, IP 15.204.8.77. We disclose the provider and IP because transparency is easier than vagueness.
- SQLite databases, local to the VPS. Not a cloud SQL service, not a managed database - just files on disk, with the usual backup discipline.
- Backups run weekly, automated, retained for 30 days.
- If you export your data and delete your account, your data is removed from production within 7 days. It's removed from backups at the next backup cycle plus 30 days - a total window of at most about 37 days before every copy is gone.
Forge specifically
Forge IDE runs on your machine. This is not a cloud IDE. No code, no data, no variables, no project files are sent to any Commons server.
The only network traffic Forge IDE makes is:
- License validation on startup. Sends your license key, receives yes or no.
- Update checks. Sends your current version, receives "newer exists: yes/no" and a download URL if yes.
- PyPI package index fetch. Only when you explicitly run pip install. This goes to PyPI, not to us.
Telemetry. We send anonymous counters for installation events and feature usage frequencies. No personal data, no code, no data from your projects. You can disable this with forge --no-telemetry or by setting FORGE_TELEMETRY=off in your environment.
What we don't have (yet)
- No SOC 2 certification. We're too small for that to be meaningful. Ask us in a few years.
- No GDPR Data Processing Agreement boilerplate, but we do honor GDPR principles: right to access, right to deletion, right to portability. Email info@thecommons.cc to exercise any of these and we'll handle it.
- No HIPAA compliance. Do not store PHI in any Commons product.
- No bug bounty program yet. We're a small operation. Responsible disclosures to info@thecommons.cc are appreciated and we will acknowledge them.
If you want to leave
Every product exports to standard formats. You're never locked in.
- Forge IDE: your .m files are plain text on your disk. There is nothing to export - they're already yours.
- Scheduling: iCal export for your calendar, CSV export for bookings.
- Email marketing: CSV export for your subscriber list, HTML export for your templates.
You are never locked in. The code is open. The data is portable.
Incident response
- We monitor uptime publicly at thecommons.cc/status.
- Security incidents: we commit to notifying affected users within 72 hours of confirming the incident.
- Data breaches: full disclosure, including what was accessed and what we're doing about it. No euphemisms, no "may have been affected" hand-waving where we know better.
Contact
- Email info@thecommons.cc for any security question.
- For responsible disclosure, prefix the subject with [SECURITY].
- We commit to acknowledging within 48 hours.
Commons Infrastructure LLC is a Delaware-registered company with a sole founder and no employees. That shapes what we can and can't do. Everything on this page reflects the current state of a small operation that prefers honest limits to marketing copy.