This Privacy Policy explains how SafeForge AI ("SafeForge AI", "we", "us", "our") collects, uses, stores, discloses, and protects personal information in connection with SafeForge (the "Service").
SafeForge AI (ABN 89190664116) operates SafeForge. We are based in Victoria, Australia; our full registered postal address is available on request via support@safeforge.ai.
We handle personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). Where the General Data Protection Regulation (GDPR) applies to you, the additional provisions in Section 8 apply.
This Policy should be read together with our Terms and Conditions.
This Policy covers:
A note on roles. For the data you and your team enter into the Service — your hazard logs, controls, comments, and so on ("Customer Data") — your Organisation is the controller of any personal information within it, and we act as a processor on your Organisation's behalf and on its instructions. For the account, billing, and usage information we collect to run the Service and our business, we are the controller. This Policy describes both.
Account information. When you or your Organisation create an account, we collect your name and email address. Authentication is handled by our identity provider (Clerk) using passwordless sign-in; we do not collect or store passwords.
Billing information. Subscriptions are billed through our payment processor (Stripe). Stripe collects and processes your payment card details directly. We do not receive, store, or have access to your full card number. We receive a customer reference, your subscription status, plan, and seat count.
Usage and technical information. When you use the Service we collect technical information necessary to operate and secure it — including your IP address, browser and device information, log timestamps, and records of actions taken in the Service (which feed the audit trail).
Customer Data. You and your Authorised Users enter and import content into the Service: hazards, controls, threats, causes, consequences, requirements, assumptions, risk ratings, comments, and audit history. This is structured safety and risk data. It may contain personal information if you choose to put personal information into it (for example, the name of a risk owner). What Customer Data contains is determined by your Organisation, not by us.
Communications. If you contact us for support, we keep a record of that correspondence.
We do not use third-party advertising or analytics trackers, and we do not build behavioural profiles of you.
We use personal information to:
Lawful basis. Our primary lawful basis for processing the personal information needed to run the Service is contractual necessity — the processing is necessary to provide the Service you have signed up for. We also rely on our legitimate interests in securing and improving the Service, on consent where you have given it (for example, by enabling AI Features), and on legal obligation where the law requires us to process information.
We do not sell personal information. We may use Customer Data in aggregated and de-identified form — from which you and your Organisation cannot be identified — to maintain and improve the Service, in particular its import and column-mapping heuristics. We do not use Customer Data to train AI models, and our AI provider is contractually committed not to train on it either (see Section 4).
AI Features are optional and disabled by default. They are enabled only when an Organisation Admin turns them on at the Organisation level, and then per project.
What is sent. When an Authorised User runs an AI-assisted check, the Service sends the textual content of the specific entities being analysed to our third-party AI provider (Anthropic, the Claude API). Depending on the check, this includes hazard titles and descriptions, control titles and descriptions, threat and consequence descriptions, requirement text, and the relevant industry context.
What is not sent. The Service does not send your Organisation name, user names, user email addresses, project names, project metadata, dates, audit history, or file attachments to the AI provider. AI requests are assembled by a single, dedicated code path specifically so that this minimisation is enforced consistently.
No training on your data. Our AI provider does not train its models on data submitted through its API. This is a contractual commitment in the provider's API terms — it is not a setting we toggle and not a special arrangement.
Consent. Enabling AI Features is an explicit, recorded decision made by an Organisation Admin, who acknowledges the AI provider's API terms on the Organisation's behalf. AI Features can be disabled again at any time, which immediately stops any further data being sent for AI processing.
Advisory only. AI output is advisory and is never automatically applied to your Customer Data — see our Terms and Conditions for the full position.
We use a small number of trusted third-party service providers ("sub-processors") to run the Service. Each is bound by its own terms and data protection commitments.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Clerk | Authentication and identity management (passwordless sign-in, SSO) | United States |
| Neon | PostgreSQL database hosting (stores Customer Data and account data) | Australia (Sydney region) |
| Fly.io | Application hosting (runs the Service backend) | Australia (Sydney region) |
| Cloudflare | Content delivery, web application firewall, and temporary file storage | Global edge network |
| Stripe | Payment processing and subscription billing | United States / global |
| Anthropic | AI processing for optional AI Features (Claude API) | United States |
| Resend | Transactional email delivery (sign-in links, billing and account notices) | United States |
| Sentry | Application error monitoring | United States |
We disclose personal information to these sub-processors only as needed to provide the Service. We may also disclose personal information:
We do not otherwise sell, rent, or trade personal information.
Location. Customer Data and account data are stored in Australia (Neon and Fly.io, Sydney region). Some sub-processors that support the Service operate in other countries (see Section 5 and Section 8).
Encryption. Personal information is encrypted in transit (TLS) and at rest (AES-256 at the database and storage layers).
Structured data only. The Service stores structured data only — it does not operate as a document store. Reports and exports are generated on demand and streamed to your browser rather than retained on our servers. Uploaded import files are held only transiently while they are being processed and are then deleted. This design deliberately limits the amount of data at rest and reduces the impact of any compromise.
Access controls. Access to production systems is restricted. Multi-tenancy is enforced at multiple layers, including database row-level security, so that one Organisation cannot access another Organisation's data.
Audit trail. Significant actions in the Service are recorded in an append-only audit trail, which supports both your safety assurance needs and our security monitoring.
No method of transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.
You should export any records you are legally or contractually required to keep before your access ends.
Under the Australian Privacy Principles, you may:
Where the GDPR applies to you, you additionally have the right to erasure, restriction of processing, objection to processing, and data portability, and the right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us using the details in Section 11. We will respond within the time required by law. Note that where we act as a processor for Customer Data on behalf of your Organisation, we may need to direct your request to that Organisation, which is the controller of that data. The Service also provides self-service export and deletion functionality for much of this.
International transfers. Some of our sub-processors are located outside Australia (see Section 5). Where the GDPR applies, transfers outside the EU/EEA — including to the Anthropic API in the United States when AI Features are enabled — are made under appropriate safeguards, including the sub-processor's data protection agreement and standard contractual clauses, and, for AI processing, only with the explicit consent described in Section 4.
The Service uses only functional cookies that are strictly necessary to operate it — principally to keep you signed in. We do not use advertising cookies, tracking cookies, or third-party behavioural analytics. Because we use only strictly necessary cookies, no cookie consent banner is required. If you block functional cookies, the Service will not be able to sign you in.
We maintain an incident response process. If a data breach occurs that is likely to result in serious harm, we will contain and assess the incident and notify affected Organisations within 72 hours, consistent with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and the GDPR. We will also notify the relevant regulator where required, remediate the root cause, and conduct a post-incident review.
For privacy questions, requests, or complaints:
SafeForge AI — Privacy
Email: support@safeforge.ai
SafeForge AI · ABN 89190664116 · Victoria, Australia · support@safeforge.ai
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or, where the GDPR applies to you, your local data protection supervisory authority.
The Service is a business tool intended for use by professionals. It is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
We may update this Privacy Policy from time to time. If we make a material change, we will give reasonable notice — for example, by email to Organisation Admins or by a notice in the Service — before the change takes effect. The "Last updated" date at the top of this document reflects the most recent version.