DemoForge


Privacy Policy

Last updated: March 24, 2026

This policy describes how REPLACE WITH YOUR LEGAL COMPANY NAME collects, uses, and protects your personal information when you use the Forge platform.

1. Information We Collect

Account information

When you create an account, we collect your name, email address, and hashed password. If you sign up through enterprise sign-in, we receive the account data your configured provider shares, such as name, email, and profile picture.

API & usage data

We automatically collect information about how you interact with Forge, including API calls made, endpoints accessed, SDK versions, webhook delivery logs, and performance metrics. This helps us improve the platform and debug issues.

Payment information

Payment processing is handled by our PCI-DSS-compliant payment provider. We never store your full credit card number, CVV, or bank details. We retain only the last four digits of your card and billing address for receipt purposes.

Device & log data

We collect IP addresses, browser type, operating system, referral URLs, and device identifiers. Server logs are retained for 30 days and then permanently deleted.

2. How We Use Your Information

Service delivery

We use your data to provide, maintain, and improve the Forge platform — including routing your API requests, managing your keys, delivering webhook events, and providing support.

Communication

We may send transactional emails (API key rotations, billing receipts, incident alerts) and, with your consent, product updates and changelog summaries. You can unsubscribe from marketing emails at any time.

Analytics & improvement

Aggregated, anonymised usage data helps us understand feature adoption, fix bugs, and prioritise our roadmap. We do not sell individual usage data to third parties.

Legal compliance

We may process your data to comply with applicable laws, respond to legal requests, or protect our rights and safety.

3. Data Sharing & Third Parties

Service providers

We share data with trusted providers who help us operate, including our cloud infrastructure provider, billing processor, transactional email provider, and platform monitoring service. Each provider is bound by data processing agreements.

No selling of data

We do not sell, rent, or trade your personal information to advertisers or data brokers. Period.

Business transfers

If REPLACE WITH YOUR LEGAL COMPANY NAME is acquired or merged, your information may be transferred. We will notify you via email and provide options before any such transfer.

4. Security & Data Storage

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are stored using one-way hashing — we never store raw keys after initial generation. Database backups are encrypted and stored in geographically separate regions.

Infrastructure

Forge is designed to support SOC 2 Type II and ISO 27001-aligned controls across multiple availability zones. We conduct regular penetration tests and maintain a responsible disclosure programme for security researchers.

Data residency

By default, data is stored in our primary hosting region with encrypted replicas in a geographically separate secondary region. Specific regions are listed in the data processing agreement available to enterprise customers, who can also choose alternative data residency for compliance with local regulations.

5. Data Retention

Account data

We retain account data for the lifetime of your account plus 90 days post-deletion. This grace period allows account recovery if deletion was accidental.

API logs

API request and webhook delivery logs follow your plan's retention terms: Free retains events for 7 days, Pro for 90 days, and Enterprise retention is set per contract.

Backups

Encrypted backups are retained for 30 days and then permanently destroyed. We do not retain backups of deleted accounts beyond the 90-day grace period.

6. Your Rights & Choices

UK / EU GDPR rights (per right, individually)

If you are a UK or EU resident, the UK GDPR / EU GDPR grants you the following rights, each exercisable independently by emailing privacy@REPLACE-WITH-YOUR-DOMAIN.example.com:

(a) right of access — request a copy of the personal data we hold about you (Art 15);
(b) right to rectification — correct inaccurate or incomplete data (Art 16);
(c) right to erasure / "right to be forgotten" — delete your data subject to legal-retention exceptions (Art 17);
(d) right to restrict processing — pause our use of your data while a dispute is resolved (Art 18);
(e) right to data portability — receive your data in a structured, machine-readable format (JSON) (Art 20);
(f) right to object — object to processing based on legitimate interests or for direct marketing (Art 21);
(g) right not to be subject to solely automated individual decision-making (including profiling) that produces legal or similarly significant effects — you may request human review of any such decision by contacting us (Art 22);
(h) right to withdraw consent — withdraw any consent you previously gave, at any time, without affecting prior lawful processing (Art 7(3));
(i) right to lodge a complaint with a supervisory authority — your local data protection regulator (UK ICO, Irish DPC, German BfDI, etc.) (Art 77).

We respond to verifiable requests within 30 days. We do not charge a fee for the first request in any 12-month period.

California CCPA / CPRA rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights, exercisable by emailing privacy@REPLACE-WITH-YOUR-DOMAIN.example.com:

(i) right to know — what categories of personal information we collect, the sources, the business purposes, and the categories of third parties we share it with (Cal. Civ. Code §1798.110);
(ii) right to delete — request deletion of personal information we collected from you, subject to statutory exceptions (§1798.105);
(iii) right to correct — correct inaccurate personal information (§1798.106);
(iv) right to opt out of sale or sharing — direct us to stop selling or sharing your personal information for cross-context behavioural advertising (§1798.120 / §1798.121). See our /do-not-sell/ page for manual opt-out instructions and Global Privacy Control handling when optional analytics are enabled.
(v) right to limit use of sensitive personal information — direct us to limit use of sensitive PI to what is necessary to provide the service (§1798.121).
(vi) right of non-discrimination — you will not receive a different price or quality of service for exercising any of the above (§1798.125).

We respond to verifiable consumer requests within 15 business days (CPRA) or 45 days (CCPA original framework), whichever applies; the timer starts when we receive enough information to verify your identity.

Other US states (Colorado, Connecticut, Virginia, Texas, +)

Residents of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), and other states with comprehensive privacy statutes have rights closely modelled on California's framework — access, delete, correct, opt out of targeted advertising / sale / profiling, and appeal a denial of any of the above. Email privacy@REPLACE-WITH-YOUR-DOMAIN.example.com to exercise these rights; please state which state you are a resident of so we can apply the correct statutory deadlines.

Account export & deletion (universal)

Account exports are delivered as JSON files containing profile, workspace, API key metadata, webhook configuration, and billing records. Deletion requests are completed within 30 days unless legal retention obligations require a longer period.

Do Not Track (DNT) and Global Privacy Control (GPC)

This site does not load optional analytics or marketing cookies while cookie consent is disabled. If optional tracking is enabled later, the consent layer should honour Global Privacy Control before those scripts load.

Cookies

This site uses essential authentication and preference cookies only. Optional analytics or marketing cookies should be gated behind explicit consent before launch.

Questions about your privacy?

Contact our privacy team at privacy@REPLACE-WITH-YOUR-DOMAIN.example.com

DemoUI kit preview — content is fictional.