Syntax Forge

Privacy Policy

Last updated: April 6, 2026

Syntax Forge ("we," "our," or "us") operates the website at https://syntax-forge.com (the "Site"). This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information.

By using the Site or placing an order, you agree to the practices described in this policy.

1. Information We Collect

Information you provide directly

  • Account registration: name, email address, username, and password (stored as a bcrypt hash — we never store your plaintext password).
  • Orders: email address, shipping address, and order contents. Payment card details are collected and processed exclusively by Stripe — we never see or store card numbers.
  • Quote requests: name, email, and project description submitted through the quote form.
  • Settings updates: changes to your display name, username, or email.

Information collected automatically

  • IP address: collected temporarily for rate limiting on login, registration, and password reset endpoints to prevent brute-force attacks. Processed by Upstash Redis and not retained beyond the rate limit window.
  • Session data: a session token is stored in a secure, HTTP-only cookie to keep you logged in. This token contains your user ID and role — no browsing history or tracking data.
  • Server logs: standard request logs (URL, timestamp, status code) may be retained by our hosting provider (Vercel) for a limited period for operational purposes.

2. How We Use Your Information

  • To process and fulfil your orders (physical shipment or digital download delivery).
  • To send transactional emails: order confirmations, download links, shipping updates, and password reset requests.
  • To maintain your account and provide access to your order history and Digital Vault.
  • To enforce rate limits and prevent abuse of our platform.
  • To respond to quote requests and support enquiries.
  • To comply with applicable legal obligations (e.g., tax record keeping).

We do not sell your personal information. We do not use your data for behavioural advertising.

3. Third-Party Service Providers

We share your information only with the service providers necessary to operate the Site. Each provider is bound by their own privacy policy and data processing agreements.

Provider | Purpose | Data shared
Stripe | Payment processing | Order total, email, shipping address, cart metadata
Vercel | Website hosting & serverless functions | All requests pass through Vercel infrastructure
Neon | PostgreSQL database | All application data (users, orders, products)
Resend | Transactional email delivery | Recipient email address, email content
Cloudflare R2 | File storage (digital products & product images) | Uploaded files; download requests proxied through our server
Upstash | Rate limiting (Redis) | IP address (ephemeral, for rate limit window only)

4. Cookies

We use one first-party cookie:

  • Session cookie — set when you sign in. HTTP-only and Secure flags are applied; JavaScript cannot read it. It contains a signed JWT with your user ID and role. It expires when you sign out or the session expires. This cookie is strictly necessary for authentication and cannot be opted out of while using the site.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

5. Data Retention

  • Order records — retained for a minimum of 7 years to comply with tax and accounting obligations.
  • Account data — retained until you request deletion (see Your Rights below).
  • Password reset tokens — deleted immediately after use or after 1 hour (whichever comes first).
  • Email verification tokens — deleted immediately after use or after 24 hours.
  • Rate limit data (IP) — retained for the duration of the rate limit window (60 seconds to 15 minutes depending on the endpoint), then automatically purged.

6. Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information (you can update most information yourself in Settings).
  • Delete your account and associated personal data (subject to legal retention obligations for orders).
  • Object to processing or request restriction of processing.
  • Data portability — receive a copy of your data in a structured format.

To exercise any of these rights, contact us using the quote form on the Site. We will respond within 30 days.

7. Data Security

We implement technical and organisational measures to protect your data, including:

  • Passwords hashed with bcrypt (cost factor 12) — plaintext passwords are never stored.
  • HTTPS enforced with HTTP Strict Transport Security (HSTS, 2-year preload).
  • Session tokens stored in HTTP-only, Secure cookies — inaccessible to JavaScript.
  • Digital download links use HMAC-SHA256 signed tokens with expiry.
  • Admin routes protected at middleware level and server action level (defence in depth).
  • Stripe handles all payment card data — we are never in scope for PCI DSS card storage.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately and change your password.

8. Children's Privacy

The Site is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the Site after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or to exercise your rights, use the contact form on the Site. We aim to respond within 30 days.