Privacy Policy
Effective May 25, 2026 · Version 1.0
This Privacy Policy describes how 11075586 CANADA INC., operating Portfork as a product brand under the registered Canadian trademark APLEXICA (collectively, “we,” “us”), collects, uses, and discloses personal information in connection with Portfork and Portfork Cloud.
1. Who we are
Portfork is a product brand of 11075586 CANADA INC., a corporation incorporated under the Canada Business Corporations Act with headquarters in Ontario, Canada. The corporation operates under the registered Canadian trademark APLEXICA; Portfork is one of its product brands. In this Policy, “we,” “us,” and “our” refer to 11075586 CANADA INC. and its operations under the Portfork brand. We build Portfork — open-source software for hosting the apps your AI agents build (the Portfork daemon and CLI, licensed under AGPL-3.0-or-later) — and operate a commercial managed counterpart, Portfork Cloud, which runs those apps in isolated microVMs that stay up 24/7 and scale to zero between runs.
2. Our minimum-collection posture
Portfork is a developer tool. We collect as little personal information as we reasonably can while still operating the service.
- Open Source Portfork in local mode — makes zero network calls to us in its default configuration. We do not see any data about You, Your apps, or Your machine when You self-host the open-source software.
- Marketing website — sets no tracking cookies. We do not run third-party analytics, advertising pixels, session replay, or fingerprinting.
- Portfork Cloud — collects only the personal information described in Section 3 below, plus the app data You choose to host with us.
3. Information we collect through Portfork Cloud
When You create a Portfork Cloud account, sign in, or host an app, we collect:
- Account information — Your email address (for sign-in, transactional notifications, and account recovery), and Your display name if You choose to provide one.
- Billing information — Your billing address, country, and tax identifiers as applicable. We do not store payment-card numbers. Payment processing is handled by Stripe; Stripe receives the card data directly and provides us with a tokenized reference.
- App data — the artifacts You deploy and the data Your hosted apps read and write at runtime, stored so that Your apps can run on Portfork Cloud. App secrets You configure are encrypted at rest and injected into the microVM at runtime; they are never written to logs.
- Service usage telemetry — request counts, run counts, node and storage usage, and similar aggregate metrics, used for billing accuracy, abuse detection, and operational reliability.
- Diagnostic logs — operational events (errors, retries, scheduling and routing decisions) recorded by our backend. Log entries may include Your account identifier, app identifier, and timestamp.
We host and run the apps You deploy. We access app data only as needed to operate, secure, and support the service, and to comply with law.
4. Information we collect from website visitors
When You visit portfork.com:
- Your IP address, user-agent string, and referrer URL may appear in CloudFront access logs processed in aggregate by us and our hosting provider for security monitoring and traffic-pattern analysis.
- We do not set advertising or analytics cookies.
- Session cookies are used only when You are signed in to Portfork Cloud, to maintain Your session.
5. Information we collect through direct contact
When You email us at legal@portfork.com, privacy@portfork.com, hello@portfork.com, or any other Portfork address, we receive Your email address, Your message, and any information You voluntarily include. We use this only to respond to You and to meet our legal recordkeeping obligations.
6. Why we collect this information
| Information | Purpose |
|---|---|
| Cloud account and billing | Provision and bill Portfork Cloud to You |
| App data and artifacts | Host and run the apps You deploy |
| Cloud usage telemetry | Bill You accurately; detect abuse; maintain operational reliability |
| Cloud diagnostic logs | Diagnose operational issues |
| Website access logs | Security monitoring; protect the site from abuse |
| Email correspondence | Respond to Your message |
We do not collect or use personal information for any purpose not described in this Policy.
7. Consent
By creating a Portfork Cloud account, You consent to the collection and use of the account, billing, and app data in Section 3 for the purposes in Section 6. By visiting the website or contacting us, You consent to the collection in Sections 4 and 5.
You may withdraw consent for future processing at any time by contacting our Privacy Officer (Section 14), subject to legal and contractual restrictions.
8. What we never do
- We never sell or rent Your personal information.
- We never share it with third parties for advertising.
- We never use the contents of the apps and data You host on Portfork Cloud for any purpose other than operating, securing, and supporting the service for You.
9. Sub-processors
We use a small number of third-party service providers to operate Portfork Cloud:
| Sub-processor | Purpose | Data |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Hosting and the Portfork Cloud control plane (account management, scheduling, dashboards, object storage, secrets) | Account identifiers, app data and stored artifacts, secrets (encrypted at rest), operational logs |
| Fly.io (Hobby Farm, Inc.) | Compute — the isolated per-app microVMs where Your hosted apps and scheduled jobs run | App data processed at runtime, app runtime logs, resource and usage metrics |
| Stripe, Inc. | Payment processing and billing for the paid Portfork Cloud tiers | Billing address, tax identifiers (where applicable), payment-card token (Stripe holds card data directly), subscription state |
Each sub-processor is contractually required to handle personal information consistently with this Policy and with applicable Canadian, U.S., and EU/UK law. We notify Cloud customers by email at least 30 days before adding a new sub-processor in a category that processes personal data.
10. Disclosure to third parties
Beyond the sub-processors listed in Section 9, personal information may be disclosed:
- To comply with legal requirements — a valid court order, subpoena, search warrant, or other legal process, or to protect our rights, property, or safety, or that of Our users or the public.
- In a business transfer — in a merger, acquisition, sale of all or substantially all of our assets, corporate reorganization, or change of control, the acquirer will inherit personal information subject to this Policy.
11. Retention
| Category | Retention |
|---|---|
| Cloud account information | Lifetime of Your account, plus 90 days after deletion for recovery |
| App data and artifacts | Lifetime of the app, plus 30 days after deletion for recovery |
| Cloud billing records | 7 years (tax recordkeeping requirement) |
| Cloud diagnostic logs | 90 days maximum |
| Cloud usage telemetry | 13 months (rolling) |
| Website access logs | 90 days maximum |
| Email correspondence | As long as needed to respond to Your message, plus retention as required by law |
12. Safeguards
We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold:
- Restricting access to personal information to personnel with a need to know
- Running each Cloud app in its own hardware-isolated microVM, with per-tenant separation enforced at the platform
- Storing app secrets encrypted at rest in AWS and injecting them into the microVM only at runtime
- Regular review of access controls and security practices
No system is perfectly secure. If we become aware of a personal-data breach that affects You, we will notify You consistent with applicable law (PIPEDA’s mandatory breach notification, GDPR Articles 33/34, or analogous obligations).
13. Your rights
You have the right to:
- Access the personal information we hold about You
- Correct inaccurate information
- Delete information we hold about You, subject to legal and contractual constraints
- Export Your data in a portable format where applicable
- Withdraw consent for future processing (with future effect, subject to legal/contractual constraints)
- Object to certain processing
- Lodge a complaint with the Office of the Privacy Commissioner of Canada (
https://www.priv.gc.ca) if You are dissatisfied with our handling of Your information
If You are in the European Union, European Economic Area, or United Kingdom, You also have rights under the GDPR / UK GDPR, including erasure and restriction of processing. The legal bases on which we process Your personal information are Your consent (where consent applies), the performance of a contract with You (for the Cloud service), our legitimate interests in operating and securing our services, and compliance with legal obligations. Customers in the EU/EEA/UK can request a Data Processing Agreement that incorporates Standard Contractual Clauses for transfers to the United States.
If You are a resident of California, You have rights under the California Consumer Privacy Act / California Privacy Rights Act, including the right to know, the right to delete, the right to correct, and the right to opt-out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law.
To exercise any right, contact our Privacy Officer at the address in Section 14. We respond within 30 days.
14. Privacy Officer and contact
For all privacy questions, requests, or complaints:
Portfork — Privacy Officer Email: privacy@portfork.com
If You are dissatisfied with our response, You may lodge a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca, or with Your local supervisory authority if You are in the EU, EEA, or UK.
15. International transfers
We are headquartered in Ontario, Canada, and our primary infrastructure is hosted in the United States. Personal information You provide may be transferred to, stored in, and processed in Canada and the United States.
Canada has been recognized by the European Commission as providing an adequate level of data protection for personal data transferred from the EU. For transfers from the EU/EEA/UK to the United States, we rely on Standard Contractual Clauses incorporated into our agreements with U.S. sub-processors. EU/EEA/UK customers may request a Data Processing Agreement that documents this directly.
16. Children’s privacy
Portfork is a developer tool and is not directed at children. We do not knowingly collect personal information from children under the age of 16. If we learn we have collected personal information from a child under 16, we will delete it. If You believe we have collected information from a child, please contact our Privacy Officer.
17. Changes to this Policy
We may update this Policy from time to time. The “Effective” date at the top of this Policy reflects the most recent revision. Material changes will be announced on the Portfork website at least 30 days before they take effect, where reasonable.