ErdForgeData modeling workspace · v1.0.1

Privacy policy

Privacy Policy

ErdForge processes personal data only as needed to provide ERD authoring, team collaboration, email verification, and MCP integration. This policy explains what we collect, why we collect it, and how users can exercise their rights.

Effective date: June 2, 2026

1. Purpose of processing

  • Identify members, verify email, log in, and manage accounts.
  • Create workspaces, save ERDs, invite teams, and manage collaboration permissions.
  • Issue MCP tokens, limit workspace scope, and verify integration requests.
  • Prevent security incidents, analyze errors, operate the service reliably, and respond to support requests.

2. Personal data processed

CategoryItems
Account creation and authentication

Email, password authentication data, email verification token hashes, password reset token hashes, Google login identifier, display name, user ID, account status, and role.

Team and workspace collaboration

Team membership, invitation email, invitation status, workspace permissions, ERD table, column, relationship, note, and diagram settings data.

MCP integration

Token name, token identifier and hash, token prefix, expiration date, accessible workspace scope, and last used time.

Service operations

Session token hash, IP address, browser/device User-Agent, last access time, error records, and security response logs.

ErdForge does not store raw passwords, raw MCP tokens, or Google OAuth access tokens. We store only hashes or identifiers needed for authentication and verification.

3. Retention

We delete personal data without delay after the processing purpose is fulfilled, unless minimum records are needed for deletion evidence, recovery from mistakes, abuse prevention, dispute response, or legal retention requirements.

  • Active account data: until account withdrawal, account deletion completion, or service termination.
  • Deleted user evidence: separated and retained for 3 years with only user ID and email hash.
  • Unverified signup data: deleted after 30 days from signup request or verification email dispatch.
  • Deleted workspace backups: retained temporarily for up to 1 day, with up to 10 backup slots per user.

4. Third parties and processors

ErdForge does not sell personal data. We may use processors for email delivery, traffic routing, security, and Google account authentication where needed to provide the service.

5. User rights

Users may request access, correction, deletion, or suspension of processing. Contact us by email and we will take action after verifying the requester.

6. Cookies

ErdForge uses essential cookies for login sessions, language preference, and the last selected workspace. These cookies are not used for advertising tracking and can be deleted through logout or browser settings.

7. Privacy contact

Send privacy requests, complaints, or rights-related inquiries to:

[email protected]