
Trust & Privacy

How IdeaForks handles your data, security, and privacy.

This page is maintained by IdeaForks to answer common security and privacy questions about the platform. It describes our current practices and the platform capabilities we rely on. It is not an independent certification or audit report.

Authentication & Access

IdeaForks uses email-and-password authentication and optional Google sign-in through our identity provider. Passwords are never stored by IdeaForks directly; they are handled by the authentication platform using industry-standard hashing and encryption in transit.

We also support long-lived API keys for programmatic access. API keys are stored as one-way hashes; only a prefix is shown in the UI so you can identify them. You can revoke an API key at any time from your Settings page.

Row-Level Security (RLS) is enabled on every database table. This means queries are automatically scoped to data you are allowed to see, even at the database level.

Platform & Hosting

The application runs on a modern edge-hosted platform. Infrastructure includes managed PostgreSQL databases, edge compute for server functions, and a global CDN for static assets. The platform provider handles underlying infrastructure security including network isolation, patch management, and DDoS protection.

Application-level security — such as access controls, data validation, and what we log — is our responsibility and is described throughout this page.

Data We Collect & How We Use It

  • Account data: When you sign up, we create a user record and profile (username, optional display name, bio, and avatar). Your email address is held by the authentication provider for sign-in and account recovery.
  • Content you create: Ideas (claims), evidence, sources, and forks are stored so they can be displayed on the platform. This content is public by design unless the platform explicitly supports private drafts.
  • Activity data: We log anonymous view counts and session identifiers to understand content popularity. We also store notification records so you can see activity related to your ideas.
  • Email data: We keep a log of transactional emails sent (template name, recipient, status) for deliverability and support. You can unsubscribe from non-essential emails at any time.

We do not sell your personal data. We use data only to operate the platform, improve the product, and communicate with you about your account.

Subprocessors & Integrations

IdeaForks relies on a small number of services to operate. These are our current subprocessors and integrations:

  • Database & Auth: Managed PostgreSQL and authentication services (the backend platform).
  • Analytics: PostHog — used to understand feature usage and product health. We configure it to respect your privacy choices.
  • Email delivery: Transactional and notification emails are sent through the platform's managed email infrastructure.
  • Hosting & CDN: Edge compute and static asset delivery through the platform provider.

Cookies & Analytics

We use cookies and local storage to keep you signed in and remember your preferences. Analytics cookies help us understand how the product is used so we can improve it.

You can clear cookies and local storage from your browser at any time. If you disable cookies, some features (like staying signed in) may not work correctly.

Retention & Deletion

We keep your account data and content for as long as your account is active. If you delete your account, we will remove or anonymize your personal information within a reasonable timeframe. Some data (such as public ideas and evidence) may remain visible in anonymized form if they are part of a collaborative chain that other users depend on.

Transactional email logs are retained for a limited period for deliverability and support purposes, then removed.

Your Privacy Rights

You can export or delete most of your data directly from the app. To request a copy of your personal data, or to ask us to delete information we hold about you, email us at my@ideaforks.com.

Security Contact

If you have a security concern, notice something unusual, or want to report a potential vulnerability, please reach out directly:

my@ideaforks.com

We take all reports seriously and will respond as promptly as we can.

Vulnerability Reporting

We welcome responsible disclosure. If you believe you have found a vulnerability in IdeaForks, please send details to my@ideaforks.com. Please include enough information for us to reproduce the issue, and give us a reasonable amount of time to address it before any public disclosure.

Shared Responsibility

Platform-level infrastructure security (network, hardware, database patches, and DDoS protection) is managed by our hosting provider. Application-level security (access controls, data validation, secure coding practices, and how we configure third-party services) is our responsibility.

As a user, you are responsible for keeping your password and API keys safe, using the product in compliance with applicable laws, and not attempting to access data that does not belong to you.

Compliance & Certifications

IdeaForks does not currently hold formal third-party security certifications (such as SOC 2 or ISO 27001). We follow security best practices, enable row-level security on all data tables, use parameterized queries, validate inputs, and review access controls regularly.

This page was last updated in June 2026. Practices may evolve; the current version of this page is always available at ideaforks.com/trust.