ApifyForge
Privacy Notice

OAuth identity (3 fields)

When you sign in to ApifyForge with GitHub OAuth or Google OAuth, ApifyForge receives exactly 3 fields from the OAuth provider: your name, email address, and profile avatar URL. ApifyForge uses this data solely to identify your dashboard session. ApifyForge requests the minimal read:userscope only — no repository access, contact lists, or other OAuth scopes are requested.

Computed analytics (metadata only)

ApifyForge calls the Apify API v2 on your behalf — either server-side from the dashboard (if you used the browser flow) or locally from the CLI — and stores computed results in your ApifyForge dashboard. These results include revenue figures, success rates, quality scores, and fleet health metrics, all derived from Apify run metadata (run counts, durations, statuses), not from your scraped data. Only aggregated metrics — not raw dataset items — are persisted to ApifyForge.

Apify API token (browser flow only, AES-256-GCM encrypted)

If you choose the browser flow (paste a scoped token into Settings → Apify API Token), ApifyForge stores your Apify API token encrypted at rest with AES-256-GCM using a server-held key. Each ciphertext carries its own initialisation vector and authentication tag, so tampering with the database record invalidates it. The token is decrypted in memory only when the dashboard needs to call the Apify API on your behalf, and the encrypted record is deleted in one click from Settings → Apify API Token → Delete token. Revoking the token in Apify Console → Integrations neutralises every copy of it everywhere, including ours. If you choose the CLI flow instead (npx apifyforge run <tool>), no Apify API token is stored on ApifyForge servers.

Payment information (2 fields from Stripe)

If you purchase featured listings or other paid features on ApifyForge, payment is processed entirely by Stripe. ApifyForge does not store credit card numbers or bank details. Stripe's PCI DSS Level 1 certification handles all sensitive payment data. Stripe provides ApifyForge with only 2 fields: a transaction reference ID and billing email.

ApifyForge stores your OAuth identity, computed analytics, and — if you used the browser flow — your AES-256-GCM-encrypted Apify API token in a PostgreSQL database hosted on infrastructure protected by Cloudflare WAF. Two layers of encryption apply: AES-256 at the storage layer (encryption at rest), and AES-256-GCM at the application layer for the Apify API token specifically, so the token ciphertext is unreadable even with raw database access. All data transmitted between your browser and ApifyForge is encrypted via TLS 1.3.

When you disconnect your ApifyForge account (Settings → Sign Out) or click Delete token on the Apify API Token panel, the affected records are purged immediately — not scheduled for later deletion, but removed in the same database transaction. If you reconnect to ApifyForge later, everything is pulled fresh from the Apify API; no previous data is restored.

ApifyForge integrates with exactly 4 third-party services. Each service receives only the minimum data required for its function. Each service's privacy policy is linked below.

ApifyForge does not train, host, or run its own AI/ML models. ApifyForge performs zero first-party model inference.

Two ApifyForge features use external large language model (LLM) APIs on an opt-in, user-triggered basis only:

• ApifyForge LLM Optimizer— sends actor metadata (title, description, README text) to an external model API to generate optimization suggestions. Triggered only when you explicitly run the tool.
• ApifyForge Actor Recommender— sends your plain-text query to an external model API to match it against the ApifyForge actor catalog. Triggered only when you submit a recommendation request.

ApifyForge sends no data to AI providers in the background or without your explicit action. Your scraped data (dataset items) is never sent to any AI provider by ApifyForge.

ApifyForge sets exactly 1 cookie: a first-party, HTTP-only, secure authentication session cookie required for your ApifyForge dashboard sign-in to persist across page loads. This cookie has no cross-site tracking capability.

ApifyForge uses 0 tracking cookies, 0 advertising cookies, and 0 third-party analytics cookies. ApifyForge displays no cookie consent banners because there are no non-essential cookies to consent to. This approach aligns with the EU data protection framework, which exempts strictly necessary cookies from consent requirements under Article 5(3) of the ePrivacy Directive (2002/58/EC), as interpreted by the European Data Protection Board (EDPB).

While connected: ApifyForge stores your OAuth identity for the duration of your account. Computed analytics are cached in the ApifyForge database and refreshed at regular intervals.

On disconnect:When you sign out or disconnect your ApifyForge account, all cached analytics data and any AES-256-GCM-encrypted Apify API token are purged from the ApifyForge database in the same transaction. Your ApifyForge dashboard resets to its initial empty state. You can also delete just the token (without disconnecting) from Settings → Apify API Token → Delete token.

Account deletion: To delete your ApifyForge account and all associated data, email [email protected] with your request. ApifyForge will confirm deletion within 30 days, as required by GDPR Article 17 (Right to Erasure). Disconnecting from ApifyForge has zero impact on your Apify account — your actors, runs, and datasets are completely unaffected.

If you are located in the European Economic Area (EEA), you have the following 6 rights regarding your personal data under GDPR Chapter III (Articles 15-20):

To exercise any of these 6 GDPR rights with ApifyForge, email [email protected]. ApifyForge will respond within 30 days, as required by GDPR Article 12(3).

For questions about this ApifyForge Privacy Notice, data handling practices, or to exercise your GDPR rights, contact ApifyForge at [email protected]. ApifyForge is operated by Ryan Clinton from the United States.