Skip to main content
fremforge

Privacy policy

On this page

Effective Date: 2026-04-25 — Version: 1.0

Last updated: 2026-04-25

Introduction #

fremforge is a product operated by fremverk ApS (“we”, “us”, or “our”). This Privacy Policy explains how we handle personal data on www.frem.sh during the current pre-launch phase. A separate policy covers the fremforge product itself (the hosted Git and CI/CD service on frem.sh) and will be published the day we open signup.

Data controller #

fremverk ApS
CVR: 39150689
VAT: DK39150689
Ringager 4C, 2. tv, 2605 Brøndby, Denmark
Email: compliance@frem.sh · info@fremverk.com

fremforge is a product brand of fremverk ApS; fremverk ApS is the legal and GDPR-responsible entity for all personal data processed in connection with the fremforge pre-launch website.

What this website does not do #

We believe privacy claims should be verifiable, so we want to be explicit:

  • No advertising or analytics cookies — this website does not use cookies for analytics, advertising, or cross-site tracking
  • No tracking pixels or fingerprinting — there are no third-party tracking scripts
  • No external font loading — all fonts are self-hosted (no requests to Google, Adobe, or others)
  • No auto-loaded third-party widgets or maps — external services are contacted only if you choose to open an external link
  • Limited browser-side preference storage only — this site may use the browser’s localStorage API to remember an appearance preference (light/dark) if you explicitly use the theme switcher; this is not used for analytics, advertising, or cross-site tracking
  • Preferences are stored only after user action — nothing is written to localStorage unless you toggle a preference yourself
  • No consent banner for tracking — because we do not use non-essential cookies or similar technologies for analytics, advertising, or third-party tracking

You can verify this using your browser’s developer tools (Network and Application tabs).

If you choose to open an external link, that destination handles your request under its own policy. This site does not auto-load third-party widgets or embedded maps. Edge delivery and caching are covered separately in the Hosting section below; they are operational infrastructure rather than browser-side tracking.

Hosting #

This website is hosted on T Cloud (Deutsche Telekom), an EU-sovereign cloud provider. The origin is a T Cloud OBS bucket in the eu-de region, with twin-core datacenters in Biere and Magdeburg, Germany. The public website is delivered through Bunny CDN in front of the origin, restricted to EU points of presence.

To deliver, cache, and protect the site, T Cloud and Bunny process technical request data such as IP address, timestamp, requested URL, HTTP status code, and user agent in server or edge logs. We use this data solely for content delivery, security monitoring, abuse prevention, and troubleshooting. Operational access logs under our control are retained for a maximum of 30 days. The legal basis is legitimate interest (GDPR Art. 6(1)(f)) in maintaining the security, integrity, and availability of our website.

Private beta signup (email capture) #

The private-beta signup form on the home page is the only place on this site that collects personal data from visitors.

What we store

  • The email address you submit.
  • The timestamp of submission.
  • Nothing else. No IP address is stored against the submission, no browser fingerprint, no cookies.

Why

To contact you by email about the private beta — typically to schedule a short vetting call and walk through onboarding, and to answer any questions you raise by reply.

Where

Signup submissions are not stored in a fremverk-owned database or object store. The signup form sends two emails through Lettermint B.V. (Zwolle, Netherlands): a confirmation to you, and a notification to our ops@frem.sh shared mailbox hosted by Heinlein Hosting GmbH (mailbox.org) in Berlin, Germany. The ops@ inbox copy is the only persistent record we retain on our side; if you reply to either email, your reply lands in the same shared mailbox.

Legal basis

  • Consent (GDPR Art. 6(1)(a)) for sending you the confirmation and onboarding correspondence. You can withdraw consent at any time by replying “unsubscribe” to any message from us, or by emailing compliance@frem.sh.
  • Legitimate interest (Art. 6(1)(f)) in preventing abuse of the signup form.

How long

Until 90 days after you either complete onboarding or notify us that you no longer want to proceed, whichever comes first. We do not sell, share, or use signup addresses for any purpose other than the private-beta onboarding correspondence (and any reply you send us).

Analytics #

When we add analytics to this website, we will use a privacy-focused, EU-sovereign or self-hosted solution that does not use cookies or track individual visitors. Such tools work by aggregating page view counts, referrer information, and approximate geographic region (country level) without storing personal identifiers. If we deploy analytics on that basis, we do not expect a consent banner to be required for analytics because no non-essential cookies or comparable tracking identifiers would be used.

This section will be updated when analytics are deployed.

Information you provide directly #

If you contact us by email outside the private-beta signup form (for example at hello@frem.sh or security@frem.sh), we may receive:

  • Contact information: name, email address
  • Business information: company name, job title, questions or context you share

We use this information to respond to your inquiry and comply with legal obligations.

Under GDPR, we process your data based on:

  • Consent (Art. 6(1)(a)): for the private-beta signup confirmation and onboarding correspondence, and any other optional purpose you explicitly opt in to
  • Contractual necessity and pre-contractual steps (Art. 6(1)(b)): when responding to inquiries about future services
  • Legal obligation (Art. 6(1)(c)): when we need to retain records or comply with applicable law
  • Legitimate interest (Art. 6(1)(f)): for website delivery via T Cloud and Bunny, server and edge log processing, security monitoring, abuse prevention, and improving service reliability

Data sharing #

We do not sell, trade, or rent your personal information. We may share data with:

  • Lettermint B.V. — Zwolle, Netherlands — outbound transactional email (private-beta signup confirmations, system notifications). EU-only operating entity (NL — no US parent).
  • Heinlein Hosting GmbH (mailbox.org) — Berlin, Germany — shared-mailbox hosting (correspondence sent by you to support@, security@, compliance@, hello@, info@fremverk.com). EU-only operating entity, no US parent.
  • T Cloud (Deutsche Telekom AG) — Biere/Magdeburg, Germany — primary hosting (all platform data; the private-beta signup form does not store data on T Cloud, only emails through Lettermint).
  • Bunny CDN d.o.o. — EU PoPs only (HQ Slovenia) — edge delivery, WAF, DDoS for the marketing site.
  • Legal authorities when required by applicable law.

The private-beta signup form has no third-party bot-mitigation processor. Bot abuse is contained server-side via a honeypot field, a minimum-dwell-time check, per-IP throttling at the API gateway, and edge WAF. The Forgejo tenant signup form (post-vetting) uses Altcha (self-hosted, MIT-licensed, HMAC-signed proof-of-work; runs in-process inside the api monolith).

Data retention #

  • Server and edge logs: maximum 30 days
  • Private-beta signup email addresses: until 90 days after onboarding completes or you withdraw, whichever comes first
  • Direct email correspondence: for the duration of our business relationship plus 5 years, or as required by Danish bookkeeping legislation

Your rights #

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17), subject to GDPR Art. 17(3) carve-outs — specifically Art. 17(3)(b): where retention is required for compliance with a legal obligation under Union or Member-State law to which fremverk is subject. The principal carve-outs in practice are Danish Bogføringsloven §10 (5-year retention of accounting records: invoice line items + tenancy identifiers required to reconcile invoices) and the audit-trail retention promised in DPA Annex A.7 (3-year WORM archive for security-relevant audit events). Erasure of these subsets is suspended for the statutory period; PII fields not required for the legal-obligation purpose are pseudonymised separately on request, per DPA §9.
  • Restrict processing (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))

To exercise these rights, contact us at compliance@frem.sh. We will respond within 30 days.

Supervisory authority #

You have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Website: datatilsynet.dk
Email: dt@datatilsynet.dk

Data security #

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS), least-privilege access controls, and operational monitoring on the hosting platform.

EU sovereignty / US extraterritorial law #

The fremforge marketing site, private-beta signup, and shared mailboxes run on a stack with no US-parented processor in the path: T Cloud (Deutsche Telekom, Germany), Bunny CDN (EU PoPs only), Lettermint B.V. (Zwolle, Netherlands), and Heinlein Hosting GmbH / mailbox.org (Berlin, Germany). Bot mitigation is server-side only; no third-party captcha vendor. Zero US-parented sub-processors on any path.

The product (post-signup) follows the same posture in tighter detail. See the product DPA for the full Article 28 processor terms and the product privacy notice for the data-subject view.

International transfers #

We keep website hosting within the European Economic Area (EEA). The private-beta signup emails route through Lettermint (NL) to our ops@frem.sh mailbox at Heinlein Hosting / mailbox.org (DE) — also EEA. If a service used for website operations involves a transfer outside the EEA, we will rely on an appropriate transfer mechanism under GDPR and update this policy accordingly.

Changes to this policy #

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the “Last updated” date at the top of this page.

A separate fremforge product privacy notice is published at /legal/privacy-product/ and supersedes this pre-launch website notice for product users once signup opens. The product notice covers repository and CI usage, log retention, billing data, sub-processor list, and data-subject request process in detail.

Change log #

VersionDateChange
1.02026-04-25Initial publication.