Start free

SetForth Privacy Policy

Last updated: July 1, 2026

This Privacy Policy explains how SetForth, LLC ("SetForth," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with the SetForth platform and website at setforth.app (the "Service"). It is incorporated into our Terms of Service.

SetForth is a business-to-business platform that runs AI software agents on our customers' source code repositories and related content. This Privacy Policy focuses on the personal data for which SetForth decides the purposes and means of processing — primarily account, billing, website, and product-usage data. It does not govern how we handle data that we process on behalf of a business customer under that customer's instructions (see "Two roles" below).

If you are an individual whose data appears in a customer's content, please read "Two roles" and "Your rights" for how to direct your request.

1. Two roles: when we are a "controller" and when we are a "processor"

We handle personal data in two distinct capacities:

  • As a controller. For account registration, authentication, billing, website visits, communications, security, and product analytics, SetForth determines why and how the data is processed. This Privacy Policy governs that data.
  • As a processor (service provider). When our Service ingests and processes a customer's Customer Content — including source code in connected repositories, uploaded documents, prompts, and instructions, which may contain personal data — SetForth acts on the customer's behalf and under the customer's instructions. That processing is governed by our agreement with the customer, including the Data Processing Addendum, not by this Privacy Policy. The customer is the controller of that data. If you are an individual whose personal data may be within a customer's Customer Content and you wish to exercise rights over it, please contact that customer (the controller); we will assist them as required by law and our agreement.

2. Personal data we collect (as controller)

Account and identity data. When an account is created or an Authorized User signs in, we collect identifiers such as name, email address, profile image, organization affiliation and role, and — where the user authenticates through a third-party identity or code-hosting provider — identifiers from that provider (for example, a GitHub username, user ID, and avatar). Authentication is provided through our identity provider; we receive the identity attributes necessary to create and manage the account.

Authentication and security data. We collect data needed to authenticate users and secure the Service, including session identifiers, IP address, browser/device user-agent, timestamps, and tokens used to connect third-party services you authorize (which we store in encrypted form).

Billing and transaction data. For paid plans, we and our payment processor collect billing contact details, plan and subscription status, seat and usage counts, and transaction and credit-ledger records. Payment card details are collected and processed by our payment processor; SetForth does not store full payment card numbers.

Usage, device, and analytics data. We collect data about how the Service is used — pages and features viewed, actions taken, approximate location derived from IP, device and browser characteristics, and similar telemetry — through our own systems and product-analytics tools.

Diagnostic and log data. We collect logs, error reports, and performance diagnostics to operate, debug, and secure the Service. Error reports may incidentally include technical context.

Communications and support data. When you contact us or we contact you, we collect the content of those communications and related metadata.

We do not intentionally collect special categories of personal data for our own purposes, and we ask that you not submit them to us except as needed and permitted.

3. Customer Content (processed as processor)

To provide the Service, our Agents read, generate, and modify Customer Content, including code in connected repositories and uploaded documents, and transmit the portions necessary to perform requested work to our model provider (see Section 6). Customer Content may contain personal data that the customer controls. We process it under the customer's instructions and our agreement with the customer; this Privacy Policy does not expand or restrict those terms.

4. Sources of personal data

We collect personal data: (a) directly from you and your Authorized Users; (b) from the customer organization on whose behalf you use the Service; (c) from identity, code-hosting, and other providers you connect or use to authenticate; (d) from our payment processor; and (e) automatically through your use of the Service and website (including cookies and similar technologies).

5. How we use personal data (as controller)

We use personal data to: (a) provide, operate, maintain, and secure the Service and create and administer accounts; (b) authenticate users and enforce access controls; (c) process payments, manage subscriptions and Credits, and prevent and investigate fraud and abuse; (d) communicate with you, including service, security, and administrative messages, and (where permitted) product updates; (e) monitor, analyze, and improve the Service and develop new features; (f) provide support and respond to requests; (g) maintain the security and integrity of the Service and protect our and others' rights, safety, and property; and (h) comply with law and enforce our agreements. We rely on de-identified and aggregated data, which does not identify any individual, to analyze and improve the Service.

6. AI processing and our model provider

To perform the work customers request, the Service transmits the Customer Content necessary for a task — which can include source code and related material — for AI inference. Inference is performed through a managed AI service (Amazon Bedrock) operated by our cloud provider within our cloud environment, in the region we select.

Based on the terms governing that processing, the content sent for inference is not used to train any models, is not shared with the underlying model provider, and is not retained beyond what is needed to return a result, except where limited retention is required to detect and prevent abuse and enforce usage policies. We do not permit Customer Content to be used to train generally available models. Because inference runs through our cloud provider's managed service, the underlying model provider does not receive Customer Content.

7. How we disclose personal data

We disclose personal data only as described here:

  • To subprocessors / service providers that process data on our behalf to help us provide the Service, under contracts that require appropriate protection and restrict their use of the data. These fall into categories including: cloud hosting and storage; identity and authentication; payment processing; AI model inference; code-execution sandboxes; error monitoring and diagnostics; product analytics; email delivery; customer support and live chat; and source-code-hosting integration. A current list of subprocessors is available at setforth.app/legal/subprocessors.
  • Within your organization. The Service is multi-tenant and organization- scoped; data is accessible to your organization's Authorized Users and administrators according to their roles and permissions.
  • For legal, safety, and security reasons. We may disclose data to comply with law, regulation, legal process, or governmental request; to enforce our agreements; or to protect the rights, property, or safety of SetForth, our customers, or others. Where permitted by law and consistent with our customer agreements, we will give the affected customer notice before disclosing data processed on their behalf.
  • In a business transfer. In connection with a merger, acquisition, financing, reorganization, or sale of assets, data may be transferred subject to this Privacy Policy or a successor policy.
  • With your direction or consent.

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws.

8. Cookies and similar technologies; analytics

We and our providers use cookies and similar technologies for essential functions (such as authentication and session management) and for analytics to understand and improve how the Service is used. Some analytics may be performed by a third-party product-analytics provider; depending on your region, we will seek consent for non-essential cookies and you can manage your preferences. For details, see our Cookie Policy. You can also control cookies through your browser settings.

9. International data transfers

SetForth is based in the United States and processes data in the United States and other countries where we and our subprocessors operate. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss adaptations as applicable). You may request information about these safeguards using the contact details below.

10. Data retention

We retain personal data for as long as needed to provide the Service and for the purposes described in this Policy. Retention periods depend on the type of data and the reason we hold it. In general, we retain account data while the account is active and for a period afterward as needed for legal, tax, accounting, security, audit, and dispute-resolution purposes. Certain records — including financial and transaction records in our billing ledger — are retained on a longer or permanent basis where required for legal compliance and the integrity of our financial records, and such records are not deleted on request. Backups may persist for a limited additional period, and we may retain de-identified and aggregated data indefinitely. We delete or de-identify personal data when it is no longer needed, subject to these exceptions and to our customer agreements.

11. Security

We maintain reasonable and appropriate technical and organizational measures designed to protect personal data, including encryption of data in transit and encryption of sensitive credentials at rest, access controls, and tenant isolation. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for the security of the systems and content you connect to the Service.

12. Your rights and choices

Depending on where you live, you may have rights over your personal data, subject to legal exceptions:

  • EEA / UK / Switzerland (GDPR / UK GDPR). Rights of access, rectification, erasure, restriction, portability, and objection; the right to withdraw consent where processing is based on consent; and the right to lodge a complaint with your supervisory authority. Our legal bases for processing are: performance of a contract; our legitimate interests in operating, securing, and improving the Service (balanced against your rights); compliance with legal obligations; and, where applicable, your consent.
  • United States (including California, and other states with privacy laws). Rights to know/access, delete, and correct personal data; to opt out of the "sale" or "sharing" of personal data and of certain profiling (note: we do not sell or share personal data as defined by those laws); to limit the use of sensitive personal information; and to not receive discriminatory treatment for exercising your rights.

How to exercise. Submit a request to privacy@setforth.app. We will verify your identity before responding and will respond within the timeframes required by applicable law. You may use an authorized agent where the law permits.

Requests about Customer Content. Where we process personal data as a processor on behalf of a customer (Section 1), please direct your request to that customer; we will support the customer in responding as required.

13. Children's privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact privacy@setforth.app and we will take appropriate steps.

14. Data Protection Officer

We have not appointed a statutory Data Protection Officer; you may direct privacy questions and data-subject requests to privacy@setforth.app.

15. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required by law. Your continued use of the Service after the changes take effect constitutes acceptance.

16. Contact us

Questions or requests regarding this Privacy Policy or your personal data:

SetForth, LLC privacy@setforth.app 5900 Balcones Drive, Ste 100 Austin, TX 78731