Privacy Policy
This policy explains what personal data DawForge collects, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Belgian law.
1. Controller
Disme SRL, Rue Leopold Procureur 20, 1090 Bruxelles, Belgium (KBO 0753.504.413, VAT BE 0753.504.413) is the data controller for personal data processed via dawforge.com. Contact: billing@dawforge.com.
2. What data we collect
Account data
- Email address and name (provided to our authentication provider).
- A pseudonymous identifier issued by the authentication provider, which we store to link sessions to your account.
Billing data
- Payment instrument data (card number, expiry, etc.) is collected and stored only by Stripe. We never see or store your card details.
- We retain a customer identifier, checkout session ID, purchase history, VAT identifier (if you provide one), billing country, and invoice metadata.
Product data
- Expression maps and related content you create or upload, your credit balance, and a ledger of credit grants and consumption events.
- Technical records required to run the service (e.g. request logs, feature flags).
Abuse-detection data
- To protect the knowledge base from automated extraction, we record per-request access logs (timestamp, route, library identifier, your account's pseudonymous user identifier), aggregated daily metrics (libraries opened, request cadence statistics), and IP-derived country information.
- Authorised Disme SRL administrators may review this activity to investigate suspected abuse. The administrator interface presents only behavioural data tied to a pseudonymous identifier; access to your email and name (“reveal”) requires an explicit administrator action with a documented written reason, which itself is logged for audit.
- Where activity matches automated-extraction patterns we may automatically and temporarily restrict access (a “soft block”) and queue the account for manual review. Permanent termination (account closure) is performed only by an administrator and is recorded in the same audit log.
Newsletter / waitlist data
- If you submit your email through the marketing-site subscribe form, we use a double opt-in: we send you a confirmation email (via Resend) and only add your address to our marketing-email provider (MailerLite) after you click the confirmation link. Until you confirm, the address is held only in our own database as a pending, unconfirmed entry. The subscribe form is protected against automated abuse by Cloudflare Turnstile.
- If you are an existing customer, we may add you to our newsletter on a soft opt-in basis after a purchase, to send you release notes and major updates about the product you bought. You can opt out at any time from the footer of any email we send, or from your account settings.
- We keep a record of each marketing-consent action (opt-in, confirmation, opt-out, unsubscribe) — including the email address, timestamp, and where available the IP address — as proof of consent. You can unsubscribe at any time from the footer of any email we send.
- When you close your account, we ask whether you wish to remain subscribed to the newsletter. If you do not affirmatively choose to stay subscribed, we remove your address from all marketing when your account is deleted.
Analytics and error data
- With your consent (EU users): product analytics events such as page views, sign-ups, map creations, and purchases, captured via PostHog.
- Error reports captured by Sentry when the application misbehaves. These include a stack trace, the URL, the user identifier, and browser/runtime metadata.
3. Legal bases
We rely on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — for account creation, authentication, credit ledger, map storage, and transaction processing.
- Legal obligation (Art. 6(1)(c)) — for keeping invoices and tax records (typically 7 years under Belgian law).
- Consent (Art. 6(1)(a)) — for product analytics cookies and non-essential tracking, and for newsletter marketing emails to non-customers (collected via the double-opt-in subscribe form). You can withdraw consent at any time via the cookie settings or by unsubscribing.
- Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, error diagnostics, and direct marketing to existing customers about similar products (soft opt-in), which you can object to at any time. We balance these uses against your rights and keep them proportionate.
4. Sub-processors
We use the following sub-processors to deliver DawForge. Each receives only the data needed for its function.
- Clerk (authentication) — email, name, session metadata. Clerk uses EU Standard Contractual Clauses for any transfers outside the EEA.
- Stripe Payments Europe, Ltd. (payments, tax) — payment and billing data. Controller for payment card data under PCI-DSS.
- Supabase (managed Postgres, AWS Frankfurt eu-central-1) — all account and product data at rest.
- Vercel (web hosting) — request metadata and server logs.
- Vercel Blob (object storage for uploaded files) — Cubase Track Archive XML files you upload while importing or re-importing a template. Files are short-lived: uploaded blobs are deleted as soon as the import has been parsed and persisted to Supabase, typically within a minute.
- Ably (realtime messaging for the Flow live bridge) — when you pair the mobile remote with the desktop Flow page, signed scoped tokens authorise both ends to publish/subscribe on a per-session channel. The channel carries selected-track names and articulation trigger events while a session is live; Ably retains no message history for these channels.
- Resend (transactional email, EU region) — email address, receipt contents, and newsletter confirmation (double opt-in) emails. Resend handles transactional and confirmation mail only; it does not hold our marketing list.
- MailerLite (marketing email) — email address and, if provided, name. Only addresses that have confirmed (double opt-in) or existing customers (soft opt-in) are sent here. Every email includes a one-click unsubscribe.
- PostHog (product analytics, EU cloud eu.i.posthog.com) — analytics events keyed to your user ID when you have consented.
- Sentry (error tracking, EU region de.sentry.io) — error reports with user ID and runtime context.
- Cloudflare (DNS, email routing for dawforge.com, and Turnstile bot protection on the newsletter subscribe form) — DNS queries, inbound email metadata, and (for Turnstile) the challenge token and IP address of visitors submitting the subscribe form.
Static assets (web fonts, JavaScript bundles) are hosted on Vercel's edge network and the CDN edge nodes covering your region. No personal data is sent in those requests beyond the standard HTTP metadata.
5. International transfers
Data is stored primarily in the EU. Where a sub-processor (for instance, Clerk, Vercel, Stripe, PostHog) involves transfer to or access from outside the EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where relevant, supplementary measures such as encryption in transit and at rest.
6. Retention
- Account data: kept for the life of your account and deleted within 30 days after closure, except where we are required to retain it longer.
- Billing records: retained for 7 years to meet Belgian tax-law requirements.
- Analytics events: retained for up to 12 months.
- Error reports: retained for up to 90 days.
- KB access logs: retained for up to 90 days. Aggregated daily abuse metrics are retained for up to 12 months. Administrator action records (reveals, closures, suspensions) are retained for 7 years for audit purposes.
- Newsletter subscription: kept until you unsubscribe. If, at account closure, you affirmatively choose to remain subscribed, your email address is retained for that purpose only until you unsubscribe.
- Marketing-consent records: the proof-of-consent log (opt-in, confirm, opt-out, unsubscribe) is retained for up to 7 years to demonstrate lawful consent, even after the underlying account is deleted.
7. Your rights
Under GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests or for direct marketing. Where processing is based on consent, you can withdraw consent at any time.
To exercise any of these rights, email billing@dawforge.com. We will respond within one month. If you believe we have mishandled your data you may lodge a complaint with the Gegevensbeschermingsautoriteit / Autorité de Protection des Données.
8. Security
We protect your data with TLS in transit, encryption at rest for the database and object storage, least-privilege access to production systems, and audit logging on our sub-processors. No system is perfectly secure; in the unlikely event of a personal data breach affecting you we will notify you and the supervisory authority in accordance with Articles 33–34 GDPR.
9. Children
DawForge is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.
10. Changes
We may update this policy. Material changes will be announced by email or in-product notice. The “Last updated” date at the bottom of this page reflects the current version.