Privacy Policy — ThemeForge

Last updated: March 29, 2026

ThemeForge ("we", "our", "us") operates the ThemeForge AI-powered Shopify theme generator. This Privacy Policy describes what personal data we collect, how we use it, how long we keep it, and your rights. ThemeForge is operated by [PLACEHOLDER: legal entity name and address].

1. Data we collect

Account data

Email address — collected at sign-up, stored in Supabase Auth
Hashed password (email/password sign-up only) — we never store your plaintext password; Supabase handles bcrypt hashing
OAuth profile (Google or GitHub sign-in) — we receive your email address and OAuth provider ID; Supabase manages the token exchange
Subscription tier and generation count — stored in our profiles table
Stripe customer ID and subscription ID — references to your payment records in Stripe, stored in our profiles table

Theme generation data

When you use the theme wizard, we collect and store the inputs you provide in our themes table:

Store name, industry category, and store description (up to 500 characters)
Visual style preference and mood description
Color palette — primary, secondary, accent, background, and text colors (hex values)
Sample product data — names, prices, and descriptions for up to 6 products (used solely to generate realistic theme previews)
Feature selections — a checklist of 12 predefined theme features (e.g., hero slideshow, newsletter signup, testimonials)
The complete AI-generated theme files — Liquid templates, CSS, and JSON config, stored as JSONB

This data is associated with your account and retained until you delete the theme or your account.

Billing data

We never see or store your card number, CVV, or full payment details. All payment data is handled directly by Stripe under their PCI-DSS compliance program.
We store only the Stripe customer ID and subscription ID — opaque references that let us look up your subscription status.

Automatically collected data

IP address and HTTP request logs — collected by Vercel (our hosting provider) as part of standard infrastructure logging. We do not store IP addresses in our application database.
Server error logs — application errors are logged server-side. Logs do not intentionally include personal data and are not retained beyond standard hosting log retention.

2. Lawful basis for processing (GDPR)

For EU/EEA residents, the table below identifies our lawful basis for each processing activity under GDPR Article 6.

Data / Activity	Lawful Basis	Explanation
Email address, password hash	Contract (Art. 6(1)(b))	Required to create and manage your account
Wizard inputs, generated theme files	Contract (Art. 6(1)(b))	Required to deliver the theme generation service
Stripe IDs, subscription tier	Contract (Art. 6(1)(b))	Required to manage paid subscriptions and enforce plan limits
Sending wizard inputs to Anthropic API	Contract (Art. 6(1)(b))	Core service delivery — theme generation requires Claude AI
Webhook event log	Legitimate interest (Art. 6(1)(f))	Preventing duplicate Stripe event processing to protect billing integrity
Vercel infrastructure logs (IP, HTTP)	Legitimate interest (Art. 6(1)(f))	Security monitoring and abuse prevention
Agency client names and emails	Legitimate interest (Art. 6(1)(f))	Enabling agency project management; agency subscriber is the data controller for their clients' data

3. How we use your data

To provide the service— We send your wizard inputs to Anthropic's Claude API (model: claude-sonnet-4) to generate your Shopify theme. Your wizard data (store name, description, style, colors, sample products, features) is included in the prompt.
To manage your account — Account data and subscription status are used to authenticate you and enforce plan limits.
To process payments — We share your email and Supabase user ID (as metadata) with Stripe to create and manage your subscription.
To send transactional emails — We may email you about email verification, password reset, subscription changes, or material changes to these policies. We do not send marketing or promotional emails.
To prevent abuse — We use rate limiting (5 generation requests per hour per user) and Supabase Row Level Security to prevent unauthorized access and misuse.

4. Third-party services & sub-processors

We share data with the following sub-processors to operate the service:

Service	Purpose	Data shared	Location
Supabase	Auth & database	Email, theme data, subscription metadata, client/team data (Agency)	AWS us-east-1 (default)
Stripe	Payments	Email, Supabase user ID (as metadata)	USA / EU
Anthropic	AI theme generation	Wizard inputs: store name, description, style, colors, sample products, features	USA
Vercel	Application hosting	All request traffic (IP address, HTTP logs)	USA / Edge global
Google Fonts	Web fonts (Instrument Serif, DM Sans)	IP address, browser user-agent (on font load)	Google global CDN

We do not sell your personal data to any third party. We do not use your data for advertising.

Google Fonts: when your browser loads the Instrument Serif and DM Sans typefaces, Google receives your IP address and browser user-agent. Google's use of this data is governed by Google's Privacy Policy. You can block this request using a browser extension.

5. Cookies and browser storage

Cookies

ThemeForge sets only authentication cookies. We do not use analytics, advertising, or tracking cookies.

Cookie name	Set by	Purpose	Duration	PII
sb-[project-id]-auth-token	Supabase	Stores your login session (JWT + refresh token)	1 year (refresh token)	Yes — session token
sb-[project-id]-auth-token-code-verifier	Supabase	PKCE code verifier for OAuth sign-in flow	Session (cleared after OAuth callback)	No

Both cookies are set as HttpOnly and Secureby Supabase's SSR library. You can clear them by logging out or via your browser's cookie settings; clearing them will end your session.

localStorage

Key	Purpose	Contains
themeforge-wizard	Persists wizard progress across page reloads so you don't lose your work	Current wizard step and all form inputs (store name, colors, products, etc.). Stays on your device — not transmitted until you submit.
themeforge_plan_intent	Carries your selected plan (Pro/Agency) from sign-up page to checkout	String: 'pro' or 'agency'. Removed immediately after checkout is initiated.

localStorage data is stored on your device only. You can clear it at any time via your browser's developer tools (Application → Local Storage → themeforge.dev).

6. Agency tier — client and team data

Agency subscribers may store third-party data in ThemeForge as part of the client workspace feature:

Client data: client names, email addresses, and free-form notes stored in the client_themes table
Team member data: email addresses, roles, and invitation/acceptance timestamps stored in the team_members table

The Agency subscriber is the data controller for client and team data they input. ThemeForge acts as a data processor for this data. We process it only as instructed — to display, organize, and associate themes with clients. We do not use client or team data for any other purpose.

Agency subscribers are responsible for ensuring they have a lawful basis to store their clients' personal information in ThemeForge and for responding to any data subject requests from those individuals.

7. Data retention

Account data — Retained for the lifetime of your account. Deleted when you request account deletion.
Generated themes — Retained until you delete them from the dashboard or delete your account.
Client and team data (Agency) — Retained until you delete the client record or team member, or until you delete your account.
Stripe webhook event log — Event IDs are stored for 7 days to prevent duplicate processing, then deleted automatically.
Stripe billing records — Stripe retains payment transaction records for their own legal retention purposes, independent of your ThemeForge account deletion.
Vercel infrastructure logs— Retained per Vercel's standard log retention policy (typically 30 days for pro plans).
Browser localStorage — Wizard data persists until you complete a generation, clear your browser storage, or uninstall your browser.

8. International data transfers

ThemeForge is operated from [PLACEHOLDER: country]. Our sub-processors are primarily based in the United States. If you are located in the EU/EEA or UK, your personal data is transferred to the US to operate the service.

We rely on the following transfer mechanisms for EU/EEA and UK personal data:

Supabase — Supabase is GDPR-compliant and processes EU data under Standard Contractual Clauses (SCCs, EU Commission June 2021 version, Controller-to-Processor module). Supabase can be configured to store data in EU regions (e.g., eu-central-1).
Stripe — Stripe processes EU personal data under SCCs and is certified under the EU-US Data Privacy Framework.
Anthropic— Wizard input data is processed by Anthropic in the US. We have entered into Anthropic's Data Processing Addendum covering EU/UK transfers via SCCs (Controller-to-Processor module).
Vercel— Infrastructure logs are processed under Vercel's DPA and SCCs.

UK residents: transfers are covered by the UK International Data Transfer Addendum (IDTA) where our sub-processors support it, or by the EU SCCs with the UK addendum.

9. Your rights

GDPR rights (EU/EEA/UK residents)

Access (Art. 15) — Request a copy of the personal data we hold about you
Rectification (Art. 16) — Request correction of inaccurate data
Erasure (Art. 17) — Request deletion of your account and all associated data
Portability (Art. 20) — Request your data in a structured, machine-readable format (JSON)
Restriction (Art. 18) — Request that we restrict processing of your data in certain circumstances
Objection (Art. 21) — Object to processing based on legitimate interests
You have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).

CCPA/CPRA rights (California residents)

Right to know — Request the categories and specific pieces of personal information we collect, use, and share
Right to delete — Request deletion of your personal information (subject to exceptions for legal obligations)
Right to correct — Request correction of inaccurate personal information
Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising
Non-discrimination — We will not discriminate against you for exercising your privacy rights

How to submit a request

Email support@themeforge.dev with the subject line "Data Request — [type]"(e.g., "Data Request — Erasure"). Include the email address associated with your account. We will verify your identity before processing the request and respond within 30 days (GDPR) or 45 calendar days (CCPA).

Authorized agent requests (CCPA)

California residents may designate an authorized agent to submit requests on their behalf. We require the following to process an agent-submitted request:

A signed permission letter from the consumer authorizing the agent, including the consumer's full name, email address, the agent's name, and the scope of authorization; or a valid power of attorney under California Probate Code §§ 4000–4465
Government-issued photo ID of the agent (for identity verification)
We will send a direct verification email to the consumer's email address on file before fulfilling the request

Response timelines for agent requests are the same as direct requests (45 calendar days).

10. Data breach notification

In the event of a personal data breach, we will notify affected users and, where required, supervisory authorities, according to the following timelines:

GDPR (EU/EEA): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to your rights (GDPR Art. 33). Where the breach is likely to result in a high risk, we will notify affected individuals without undue delay (GDPR Art. 34).
UK GDPR: We will notify the ICO within 72 hours and affected individuals without undue delay if the breach results in a high risk.
CCPA (California): We will notify California residents in the most expedient time possible and without unreasonable delay following discovery of a breach involving unencrypted personal information.

Examples of reportable breaches in our context include: unauthorized access to account credentials or theme data, exposure of client email addresses (Agency tier), or compromise of the Supabase service role key.

11. Security

We implement the following technical and organizational measures to protect your data:

Row-level security (RLS) — enforced at the Supabase database level; users can only read and write their own data
HTTPS — all data in transit is encrypted via TLS
Secret key isolation — all API keys (Anthropic, Stripe, Supabase service role) are server-side environment variables, never exposed to the client
Stripe webhook verification — all incoming Stripe webhooks are verified by signature before processing
Input validation and sanitization — all user inputs are length-limited and validated (hex color regex, feature whitelist) before being passed to the AI
Rate limiting — 5 generation requests per hour per user to mitigate abuse

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to support@themeforge.dev.

12. Children

ThemeForge is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete the account promptly.

13. Changes to this policy

We may update this policy as the service evolves. We will update the "Last updated" date at the top. For material changes, we will notify you by email at least 14 days before the effective date. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or data requests, email us at support@themeforge.dev with subject line "Privacy".

[PLACEHOLDER: registered business address]