This Privacy Policy explains how Codelogy Labs Pte. Ltd. (UEN 202618954W), a company incorporated in Singapore, trading as Fostery ("Fostery", "we", "us", "our"), collects, uses, discloses, and protects personal data when you use the Fostery platform at fostery.dev, the Fostery web dashboard, the locally installed Fostery Station software, and any related services (together, the "Service").
We are committed to handling personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA"). Where you are located outside Singapore, additional laws may apply to you, and we address some of these in Section 13.
By creating an account or using the Service, you acknowledge that you have read and understood this Policy.
Fostery is an orchestration platform. It coordinates AI coding agents through a software development lifecycle, but it is built so that your codebase never reaches our infrastructure.
Your code is read and written only on your own machine by the Fostery Station software, and it flows directly between your machine and the AI model provider you choose (for example Anthropic, OpenAI, or a local model). We never receive, store, scan, or process your full source code or repository, and we never act as an intermediary for the AI calls that operate on it. We coordinate what work happens; your machine and your chosen provider do the work.
There is one narrow exception you should understand. During bug investigation and fixing, the AI agents produce artifacts — for example root-cause analyses, fix plans, decision logs, and implementation reports — and these artifacts can include limited excerpts of code that the agents quoted while diagnosing the problem or describing the fix. Those artifacts are saved to your workspace on our infrastructure (see Sections 3 and 4), so we do store the code snippets that appear inside them. This is not a scan or copy of your codebase; it is the small amount of code that naturally appears in a written diagnosis or fix. We treat that content as confidential, and we do not use it to train any AI model.
This boundary is a core architectural choice of the current Service. If we ever materially change this architecture in a way that would cause us to receive or process your source code differently, we will update this Policy and notify users where appropriate before the change takes effect. The rest of this Policy concerns the categories of data we do handle.
Data controller: Codelogy Labs Pte. Ltd.
Registered office: 60 Paya Lebar Road, #06-28, Paya Lebar Square, Singapore 409051
Data Protection Officer (DPO): Data Protection Officer
Contact for privacy matters: privacy@fostery.dev
You may contact our DPO for any question, request, or complaint relating to your personal data or this Policy.
We collect the following categories of personal data.
Account and identity data. When you register, we collect your name, email address, and a password. Authentication is handled through our cloud provider (AWS); your password is stored in hashed form and is not visible to us. On registration we automatically create a workspace ("Organisation") associated with your account.
Workspace and usage data. Information about your apps, builds, bug investigations, stories, stations, and the activity and audit records generated as you use the Service (for example: timestamps, status transitions, approval-gate decisions, and the identity of the user who took each action).
Content you provide and content the Service generates. This includes product requirement documents (PRDs/URDs) and bug reports you upload or enter; any file attachments you add to a bug (subject to file-type and size limits); diagnostic logs the Service retrieves from your connected cloud infrastructure when you ask it to investigate a bug; and the artifacts the AI agents produce (for example solution designs, technical stories, root-cause analyses, fix plans, decision logs, implementation guides, test reports, and knowledge-base lessons). Some of these artifacts, particularly those from bug investigation and fixing, may contain limited excerpts of your source code that the agents quoted while diagnosing or fixing a problem, as described in Section 1. Uploads and artifacts may also contain personal data if you choose to include it. We treat this content as confidential and do not use it to train any AI model.
Payment data. If you subscribe to a paid plan, payments are processed by Stripe. Stripe collects your payment-card and billing details directly; we do not receive or store full card numbers. We receive limited information from Stripe such as your billing name, the last four digits of your card, transaction status, and subscription state.
Messaging-integration data (optional). If you choose to link Telegram for mobile approval and notifications, we store the identifiers needed to route messages to your Telegram account (such as your Telegram chat ID and a link token). You can unlink this at any time.
Technical data. Limited technical information necessary to operate the Service, including IP address, browser and device information, and data about your local Station's connection state (for example online/offline heartbeat, machine readiness, and connection identifiers).
We do not intentionally collect NRIC numbers, government identifiers, financial account numbers (beyond what Stripe handles), or special categories of sensitive personal data, and we ask that you not place such data into PRDs, bug reports, or attachments.
Diagnostic logs, attachments, and bug materials may contain personal data, confidential information, credentials, tokens, or secrets. You are responsible for ensuring that anything you provide to the Service is appropriate to submit and does not contain information you are not authorised to disclose. We do not guarantee the detection or removal of secrets from material you submit.
We use personal data for the following purposes:
We do not sell personal data, and we do not use your content or artifacts to train AI models — ours or anyone else's. This commitment applies to Fostery. The use of any data and code your Station sends to your chosen AI Provider is governed by your agreement with that provider, not by this Policy (see Section 6).
Under the PDPA we collect, use, and disclose personal data either with your consent (which you give by creating an account and using the Service for the purposes described above) or where permitted or required without consent under the PDPA (for example, to fulfil a contract with you, for certain business or legal purposes, or where an applicable exception applies).
You may withdraw consent for any purpose by contacting our DPO, subject to reasonable notice. Withdrawing consent for processing that is necessary to operate the Service may mean we can no longer provide the Service to you.
Fostery uses a "bring your own model" architecture. You connect your own AI provider account and credentials, and the orchestration instructions Fostery generates are executed by your chosen provider on your machine.
When your Station calls your AI provider, that interaction is governed by your own agreement and privacy terms with that provider (for example Anthropic's or OpenAI's terms), not by this Policy. We are not a party to that relationship and do not receive the contents of those calls. You are responsible for understanding how your chosen provider handles the data and code your Station sends to it. If you run a local model, no third-party provider is involved at all.
We disclose personal data only to the following categories of recipients, and only as needed to run the Service:
| Recipient | Purpose | Notes |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, authentication, database, storage, and service infrastructure | Primary processing in the Singapore region (ap-southeast-1) |
| Stripe | Payment and subscription processing | Used only for paid plans; Stripe is the controller of the card data it collects and may process data overseas |
| Telegram | Optional approval and notification messaging | Only if you link Telegram; only routing identifiers; may process data overseas |
We will update this list when we add or replace a material subprocessor. If we later use a separate email, error-monitoring, logging, analytics, or customer-support provider that processes personal data for the Service, we will add it to this list.
We may also disclose personal data: to professional advisers (such as lawyers and accountants) under confidentiality; to a successor entity in connection with a merger, acquisition, or sale of assets; and where required by law, regulation, court order, or a lawful request from a public authority.
We do not otherwise disclose your personal data to third parties for their own purposes.
Within your Organisation. If you join or are added to an Organisation that someone else owns or administers (for example, your employer's or team's workspace), the owner and administrators of that Organisation may be able to see account and activity information associated with your use of the Service within that Organisation, such as your email, the builds and bugs you work on, and audit and activity records of actions you take. If you do not want this, use a personal Organisation rather than joining a shared one.
Your account data, workspace data, uploaded content, and generated artifacts are stored on AWS infrastructure in the Singapore region. Content uploads and artifact overflow are held in storage that is partitioned by Organisation, so one Organisation's data is logically isolated from another's.
Some recipients listed in Section 7 (for example Stripe and Telegram) may process limited data outside Singapore. Where personal data is transferred outside Singapore, we take reasonable steps, as required by the PDPA, to ensure a comparable standard of protection through contractual and technical safeguards. Where we use overseas recipients or subprocessors, we rely on contractual terms, provider data-processing terms, and technical safeguards to protect the transferred personal data.
We keep personal data for as long as your account is active and for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
Certain operational records expire automatically (for example, short-lived encryption keys and rate-limit counters are deleted by an automatic time-to-live mechanism within a short period). When you delete content, or when you close your account, we delete or de-identify the associated personal data and content within 30 to 90 days, except where we are required or permitted to retain it. Residual copies may persist in encrypted backups for up to 90 days before being overwritten. We retain billing, tax, and accounting records for as long as required by law, typically 5 to 7 years. You may request export or deletion of your Organisation's data as described in Section 10.
Subject to the PDPA, you may:
To exercise any of these rights, contact our DPO at privacy@fostery.dev. We may need to verify your identity before acting on a request. We will respond within the timeframes required by the PDPA. We may charge a reasonable fee for an access request as permitted by the PDPA, and will tell you of any fee in advance.
A note on the privacy boundary inside the Service: Fostery personnel are not permitted to access the content of your stories, artifacts, PRD text, bug reports, attachments, or review comments except where necessary to provide support you have requested, to investigate a security or abuse issue, to comply with law, or to protect the Service. In ordinary operation, administrative access is limited to metadata such as identifiers, statuses, timestamps, and counts. Any content access is restricted to authorised personnel and is logged where technically practicable.
We maintain technical and organisational security measures appropriate to the nature of the data, including:
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If we become aware of a data breach affecting personal data in our control, we will assess it promptly. Where we determine that a breach is notifiable under the PDPA (broadly, where it is likely to result in significant harm to affected individuals or affects 500 or more individuals), we will notify the Personal Data Protection Commission ("PDPC") as soon as practicable and, in any event, no later than three (3) calendar days after making that determination, and notify affected individuals where required.
Fostery is operated from Singapore and this Policy is primarily designed to explain our obligations under the Singapore Personal Data Protection Act 2012 ("PDPA").
If you access or use the Service from outside Singapore, privacy and data-protection laws in your jurisdiction may give you additional rights. Where those laws apply to us, we will handle your personal data in accordance with those applicable requirements.
For users in the European Economic Area or the United Kingdom, these rights may include rights to access, correct, delete, restrict, or object to certain processing of personal data, and the right to data portability. Where we process personal data on behalf of an Organisation customer, that customer is generally the controller of that data and we act as a processor or data intermediary.
We do not sell personal data. We also do not use your content, artifacts, or source-code excerpts to train AI models.
If we are required to provide additional jurisdiction-specific disclosures, contractual terms, transfer mechanisms, or privacy rights processes, we will update this Policy or provide separate terms, such as a Data Processing Addendum.
If the content you submit (for example PRDs, bug reports, attachments, or diagnostic logs) contains personal data relating to your own employees, customers, or other third parties, then in respect of that data you are the controlling organisation and we act as a data intermediary processing it on your behalf and on your instructions. In that role:
You are responsible for ensuring you have a lawful basis and the necessary rights to provide that personal data to the Service. Enterprise customers who require a separate Data Processing Addendum may contact our DPO.
We use only the cookies and local-storage mechanisms necessary to operate the Service, primarily to keep you signed in and to remember interface preferences during a session. We do not use third-party advertising or cross-site tracking cookies. If we later add analytics, marketing trackers, or similar technologies, we will update this section and, where required, provide appropriate notice or consent controls.
The Service is a professional developer tool and is not directed to, or intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact our DPO and we will delete it.
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you through the Service or by email. Your continued use of the Service after a change takes effect means you accept the updated Policy.
If you have a concern about how we handle your personal data, please contact our DPO first so we can try to resolve it. You also have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.