Privacy Policy
Effective Date: March 17, 2026
Last Updated: March 17, 2026
This Privacy Policy explains how Eka Yantra Limited ("we", "us", "our"), a company incorporated in Ireland (registration number 793221), operates the Microfactory platform and processes your personal data.
Registered Address: Workhub, 77 Camden Street Lower, Dublin, Dublin 2, Ireland, D02 XE80.
Contact: privacy@microfactory.dev
1. Data We Collect
1.1 Account Information
When you create an account, we collect your username, email address, display name, and password. Passwords are cryptographically hashed using bcrypt and are never stored in plain text.
1.2 OAuth Authentication Data
If you sign in via Google or GitHub, we receive and store your name, email address, profile photo URL, and authentication tokens (access/refresh tokens) necessary to maintain your session and, for GitHub, to access repositories you authorize.
1.3 Team and Collaboration Data
We store team names, URL slugs, member roles and permissions, subscription plan details, and billing information associated with your team.
1.4 Idea and Product Data
Content you create on the platform including idea titles, descriptions, AI-generated research reports, specifications, votes, comments, and timeline events.
1.5 Repository Data
When you connect a GitHub repository, we store repository metadata (name, description, URL), technology stack information, programming language statistics, code structure analysis (via Repomix), and AI-generated summaries. We do not store your source code.
1.6 Billing Data
We store your Dodo Payments customer identifier, subscription identifier, product identifier, seat count, and credit balances. All payment card data is handled directly by Dodo Payments (our Merchant of Record) and is never stored on our servers.
1.7 Usage Data
We track AI credit consumption and feature usage to enforce plan limits and improve the product.
1.8 Push Notification Subscriptions
If you opt in to push notifications, we store your browser push endpoint URL and encryption keys required to deliver notifications.
1.9 Preferences
Your chosen theme (light/dark), notification settings, and quiet hours configuration.
2. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve the Microfactory platform
- Authenticate your identity and manage your account
- Process your ideas through AI-powered research and analysis tools
- Enable team collaboration features (voting, comments, specs)
- Process billing, manage subscriptions, and enforce plan limits
- Send transactional emails (invitations, notifications, security alerts)
- Deliver push notifications you have opted into
- Detect and prevent security threats (rate limiting, account lockout)
- Monitor and fix errors to maintain platform reliability (via Sentry)
We do not sell your personal data. We do not serve advertising. We do not profile you for automated decision-making.
3. Legal Bases for Processing (GDPR)
As an Irish company, we process personal data under the General Data Protection Regulation (GDPR). Our legal bases are:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide your account, team features, idea pipeline, AI-powered research, and billing.
- Legitimate Interest (Art. 6(1)(f)): Security measures (rate limiting, account lockout, error tracking), platform reliability monitoring, and usage analytics for product improvement.
- Consent (Art. 6(1)(a)): Push notifications and optional OAuth sign-in. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Retention of billing records for tax and regulatory compliance.
5. Third-Party Data Processors
We share personal data with the following third-party service providers, all of whom process data on our behalf under appropriate data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud Platform | Hosting, database, file storage, job queuing, secrets management | All platform data | US (us-central1) |
| Anthropic (via Azure Foundry) | AI research and spec generation | Idea descriptions, research context | US |
| Google AI (Gemini, Vertex AI) | AI research generation, repository analysis | Idea data, code structure | US |
| Tavily | Web search for research | Search queries | US |
| Dodo Payments | Billing (Merchant of Record) | Customer info, payment data | US |
| Resend | Transactional email delivery | Email addresses, notification content | US |
| Sentry | Error tracking (production only) | Error traces, request context, performance data | US |
| Cal.com | Meeting scheduling (Request a Build) | Attendee name, email, timezone | US |
| GitHub | OAuth authentication, repository integration | Repository metadata, authentication tokens | US |
Note on Dodo Payments: Dodo Payments acts as a Merchant of Record and is an independent data controller for payment processing data. Their own privacy policy governs the handling of your payment card information.
6. AI Data Processing
Microfactory uses artificial intelligence to generate research reports, specifications, and repository analyses. When you use these features:
- Your idea descriptions, research context, and code structure data are sent to AI providers (Anthropic and Google AI) for processing.
- AI-generated outputs (research reports, specifications) are stored on our platform and owned by you.
- Your data is not used to train AI models. Both Anthropic and Google are contractually committed to not using API inputs for model training.
- AI-generated content is clearly labeled as such within the product.
7. Data Storage and Security
We implement the following technical and organizational measures:
- Database: PostgreSQL hosted on Google Cloud SQL (US-central1) with encryption at rest.
- File storage: Google Cloud Storage (US-central1). Research reports and specifications are accessible via direct URL.
- Encryption at rest: AES-256-GCM for sensitive fields stored in the database.
- Encryption in transit: TLS 1.2 or higher for all network communications.
- Passwords: Bcrypt-hashed. Minimum 8 characters with uppercase letter and number required.
- Session caching: Redis with 30-second TTL.
- Rate limiting: Redis-backed rate limiting on sensitive endpoints (login: 5 attempts per 15 minutes, registration: 10 per hour).
- Account lockout: 5 consecutive failed login attempts trigger a 30-minute lockout with email notification.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion. Soft-deleted first, then permanently removed after a reasonable period. |
| Session data (JWT) | 7 days |
| Session cache (Redis) | 30 seconds |
| Ideas, research, specs, files | Until team deletion. Files in cloud storage may persist after soft-delete until permanent cleanup. |
| Billing records | Retained as required for legal and tax compliance obligations. |
| Error logs (Sentry) | 90 days |
| Push notification subscriptions | Until you unsubscribe or revoke browser permission. |
9. International Data Transfers
Our company is incorporated in Ireland (EU/EEA). Your data is processed and stored in the United States by our third-party service providers. These transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) approved by the European Commission, in place with our major processors including Google Cloud Platform, Anthropic, and Sentry.
- Data Processing Agreements (DPAs) with all significant processors.
10. Your Rights
Under the GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data. Account deletion removes personal data; anonymized aggregate data may be retained.
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Restriction: Request that we limit processing of your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent (e.g., push notifications), you may withdraw at any time.
To exercise any of these rights, contact us at privacy@microfactory.dev. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (our lead supervisory authority).
11. Push Notifications
Push notifications are strictly opt-in. You must grant browser permission to receive them. You can disable push notifications at any time through your user preferences within Microfactory or by revoking permission in your browser settings. When you unsubscribe, your push subscription data (endpoint URL and encryption keys) is deleted from our database.
12. Children's Privacy
Microfactory is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the platform. The "Last Updated" date at the top of this page will be revised accordingly.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@microfactory.dev
- Post: Eka Yantra Limited, Workhub, 77 Camden Street Lower, Dublin, Dublin 2, Ireland, D02 XE80