Privacy Policy

1. Who we are

This Privacy Policy describes how Ferrumlabs (“we,” “us,” or “our”) collects, uses, and shares information when you use the Ferrumlabs SDK generator and related websites, applications, and services (collectively, the “Service”), including during our beta period.

Contact us by signing in and using our feedback form (we use your account email to reply).

2. Scope

This policy applies to visitors and registered users of ferrumlabs.io and related beta environments (for example, test or staging hosts we operate). It does not apply to third-party websites, OAuth providers, or payment processors, which have their own privacy policies.

3. Information we collect

We collect information in the following categories:

3.1 Account and authentication data

When you sign in with Google or GitHub, we receive and store:

• Name, email address, and profile image URL (if provided by the provider)
• OAuth provider name and provider user ID
• Subscription plan, Stripe customer ID, and Stripe subscription ID (if you subscribe)

Email addresses are stored using one-way hashing and encryption where applicable to reduce exposure in the event of a database compromise.

3.2 OpenAPI and Swagger specifications (“Specs”)

When you generate an SDK, you submit an OpenAPI or Swagger specification. We process Specs to:

• Parse and validate structure, detect common issues, and build an internal representation
• Generate SDK source code via deterministic templates
• Optionally run compile checks and mock-server integration tests (Pro Verify tier)

Important: Specs may contain sensitive information (internal API URLs, schema details, example credentials, or business logic). Do not upload secrets you are not willing to process on our infrastructure.

For signed-in users, we may store a copy of the Spec text in our database with your build record so you can re-download generated SDKs from your account history. Ephemeral build workspaces on disk are deleted automatically (see Section 6).

3.3 Generated outputs and build metadata

• Generated SDK files (temporarily on disk; see retention)
• Build status, language, file counts, verification results, and error logs
• Project identifiers and timestamps
• Optional MCP server artifacts (Pro Verify), which may be produced with the help of third-party AI services when that feature is enabled

3.4 Payment data

Paid subscriptions are processed by Stripe. We do not store full payment card numbers. Stripe provides us with billing identifiers, subscription status, and limited customer metadata needed to manage your plan.

3.5 Technical and usage data

• IP address, browser type, device information, and request logs
• Session cookies and authentication tokens required to operate the Service
• Aggregated usage metrics (e.g., build counts, errors, queue depth) to maintain and improve the beta Service

3.6 Communications

If you contact us or submit product feedback, we collect the content of your message and your contact details.

4. How we use your information

We use personal information to:

• Provide, operate, and improve the beta SDK generation and validation Service
• Authenticate you and manage your account and subscription
• Enforce plan limits (e.g., free-tier monthly build caps) and prevent abuse
• Run isolated Docker-based compile and test jobs when you request validation
• Display build history and enable re-download of SDKs you generated
• Send service-related communications (e.g., billing receipts via Stripe)
• Comply with law, respond to lawful requests, and protect our rights and users

We do not sell your personal information. We do not use your Specs to train public machine-learning models. During beta, we may analyze aggregated, de-identified failure patterns to improve parsers and templates.

5. Legal bases (EEA/UK users)

Where applicable data-protection law requires a legal basis, we rely on:

• Contract: processing necessary to provide the Service you requested
• Legitimate interests: security, fraud prevention, service improvement, and beta analytics, balanced against your rights
• Consent: where required (e.g., non-essential cookies, if we offer them separately)
• Legal obligation: tax, accounting, or compliance requirements

6. Data retention

• Build workspaces (disk): Generated SDK files and temporary workspace directories are typically deleted within two (2) hours by an automated sweeper, subject to operational delays.
• Account and build records (database): Build metadata and stored Spec text associated with your account are retained until you delete your account or we delete them as part of account closure, unless a longer period is required by law.
• Billing records: Retained as required for tax and accounting, often via Stripe according to their policies.
• Logs: Server and security logs are retained for a limited period appropriate for operations and incident response, then rotated or deleted.

Because the Service is in beta, retention practices may change; we will reflect material changes in this policy.

7. How we share information

We share information only as described below:

• Service providers (subprocessors): companies that help us run the Service, under contractual obligations to protect your data, including:
  • Stripe (payments)
  • Google and GitHub (OAuth authentication)
  • Cloud hosting and infrastructure providers
  • Docker-based tooling for validation (runs on our infrastructure)
  • Third-party AI API providers, only when MCP or similar LLM-assisted features are invoked for your build
• Legal and safety: when required by law, court order, or to protect rights, safety, and integrity of the Service
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice where required by law

8. International transfers

We may process information in the United States and other countries where we or our subprocessors operate. If you access the Service from outside the United States, your information may be transferred to jurisdictions that may not provide the same level of data protection as your home country. Where required, we implement appropriate safeguards (such as standard contractual clauses) for cross-border transfers.

9. Security

We implement reasonable technical and organizational measures designed to protect your information, including:

• HTTPS encryption in transit
• Isolated, non-privileged Docker containers for validation workloads
• Access controls on production systems and encrypted storage for sensitive fields where feasible
• Automated workspace cleanup to reduce exposure of generated code on disk

No method of transmission or storage is 100% secure. As a beta service, we cannot guarantee absolute security.

10. Your rights and choices

Depending on your location, you may have rights to:

• Access, correct, or delete personal information we hold about you
• Export your data in a portable format where feasible
• Object to or restrict certain processing
• Withdraw consent where processing is consent-based
• Lodge a complaint with a supervisory authority (EEA/UK)

You can delete your account from the account settings page, which removes your profile and associated build records subject to legal retention requirements. For privacy requests, use our feedback form (category: Privacy & data request).

California residents: We do not sell personal information as defined by the CCPA/CPRA. You may request access, deletion, or correction as described above.

11. Children

The Service is not directed to individuals under 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us data, submit a message via our feedback form and we will delete it.

12. Third-party links

The Service may link to third-party sites (e.g., documentation, OAuth providers). We are not responsible for their privacy practices.

13. Changes to this policy

We may update this Privacy Policy for beta launches, new features, legal requirements, or subprocessors. Material changes will be posted on this page with an updated date. Continued use after changes become effective constitutes acceptance where permitted by law.