Privacy Policy

This Privacy Policy explains how ROKITA LABS LLC (“ROKITA LABS”, “we”, “our”, “us”) collects and processes data when you use LightForge desktop / CLI applications, the LightForge Client Portal, and our payment pages.

1. Summary

LightForge is designed to function without collecting personally identifiable information (PII).
We gather only anonymous telemetry that helps us keep the product secure, stable, and up to date.
Payment-related PII (e-mail, billing address, card details) is handled exclusively by our payment processor, Stripe, and never stored on ROKITA LABS servers.
We do not use any data for advertising, profiling, resale, or cross-context behavioral advertising.

2. What We Collect

  • Device & OS metadata – operating-system name and version, CPU architecture, locale, and an anonymized device hash.
    Purpose: diagnose OS-specific issues and plan compatibility.

  • Application events – install/upgrade success, launch time, crash stack traces, and feature-usage counters.
    Purpose: improve performance, stability, and product roadmap.

  • License-validation data – license-key hash, device hash, timestamp, and LightForge version.
    Purpose: enforce the three-device limit and verify authenticity.

  • Portal access logs – date/time, IP address*, request path, and HTTP status code.
    Purpose: detect abuse and maintain security.

3. What Stripe Collects on Our Behalf

When you purchase a LightForge license you are redirected to Stripe Checkout.
Stripe may collect your name, e-mail address, payment-card details, billing address, and device IP for fraud prevention.

That information is processed under Stripe’s own Privacy Policy (https://stripe.com/privacy) and is not stored or processed by ROKITA LABS except for non-sensitive transaction metadata (amount, currency, transaction ID) returned to us.

4. What We Do Not Collect

  • Card numbers, CVC codes, or full payment details.
  • File contents, project names, source code, or any user-generated data processed by LightForge.
  • Persistent hardware IDs (e.g., MAC address, serial number).
  • Behavioral profiling or advertising identifiers.

5. Legal Basis for Processing (GDPR / UK GDPR)

  • Crash / usage telemetry: Legitimate interest – Article 6 (1)(f).
  • License validation: Contract performance – Article 6 (1)(b).
  • Security logging: Legitimate interest – Article 6 (1)(f).
  • Payment processing: Contract performance – Article 6 (1)(b), carried out by Stripe as an independent controller.

You may object to processing based on legitimate interest (see Section 10 “Your Rights”).

6. How We Collect Data

  • TLS-encrypted HTTPS requests sent automatically by the LightForge application during launch, crash submission, update check, or periodic license validation.
  • HTTPS requests you initiate when signing in to the Client Portal or completing checkout on Stripe.

No data is gathered via cookies or third-party trackers inside the desktop application.
The Client Portal uses a session cookie that expires on logout or after 24 hours of inactivity.

7. Data-Retention Periods

  • Crash and usage telemetry: retained 12 months, then aggregated or deleted.
  • License-validation records: rolling 18-month window; inactive devices are purged.
  • Portal access logs (including IP addresses): deleted automatically after 30 days.
  • Transaction metadata from Stripe: retained for accounting and tax compliance for 7 years, as required by law.

8. Storage & Security

All telemetry and license data are stored on ISO 27001-certified servers in the United States and encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access is limited to vetted ROKITA LABS employees with MFA and audit logging.
Payment data is stored only on Stripe’s PCI-DSS-certified infrastructure.

9. CCPA / CPRA Disclosures (California)

  • We do not sell or share personal information as those terms are defined by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
  • We do not use personal information for targeted or cross-context behavioral advertising.
  • California residents have the rights to know, delete, correct, and opt out of the sale or sharing of personal information, as well as the right to limit the use of sensitive personal information.
  • You or your authorized agent can exercise any of these rights by e-mailing [email protected]. We will verify your request in accordance with California law.

10. Your Rights (Worldwide)

Depending on your jurisdiction you may have the right to:

  1. Access the personal data we hold about you.
  2. Correct inaccurate or incomplete data.
  3. Erase data where no legal basis for retention exists.
  4. Restrict or object to processing based on legitimate interest.
  5. Receive your data in a portable format.

To exercise any right, e-mail [email protected]. We respond within 30 days.

11. Disclosures & Third Parties

We never sell or rent your data. We share data only:

  • with Stripe for payment processing;
  • with infrastructure sub-processors (e.g., AWS) bound by confidentiality agreements;
  • if required by law or lawful order;
  • in connection with a merger or acquisition, with prior notice.

A current list of sub-processors is available on request.

12. Children

LightForge is not directed to children under 16. We do not knowingly collect data from them.
If you believe a child has provided data, contact us and we will delete it.

13. International Transfers

We rely on the EU–US Data Privacy Framework certification of our hosting provider and Standard Contractual Clauses, as applicable, to safeguard transfers from the EEA/UK to the United States.

14. Changes to This Policy

We may update this Privacy Policy at any time. Any revised version becomes effective immediately upon posting in the Client Portal or within the LightForge application. We are not obligated to provide advance notice of changes.

15. Contact

For privacy-related questions or requests, e-mail [email protected].