Skip to main content
ForgeDeveloper platform

// legal

Privacy Policy

Last updated: [REPLACE WITH DATE OF YOUR LAST POLICY REVIEW]

This policy describes how REPLACE WITH YOUR LEGAL COMPANY NAME collects, uses, and protects your personal information when you use the Forgeplatform.

1. Information We Collect

Account information

When you create an account, we collect your name, email address, and hashed password. If you sign up through a third-party provider (GitHub, Google), we receive your name, email, and profile picture from that provider.

API & usage data

We automatically collect information about how you interact with Forge, including API calls made, endpoints accessed, SDK versions, webhook delivery logs, and performance metrics. This helps us improve the platform and debug issues.

Payment information

Payment processing is handled by our third-party payment provider [CUSTOMISE: your payment processor]. We never store your full credit card number, CVV, or bank details. We retain only the last four digits of your card and billing address for receipt purposes.

Device & log data

We collect IP addresses, browser type, operating system, referral URLs, and device identifiers. Server logs are retained for 90 days and then permanently deleted.

2. How We Use Your Information

Service delivery

We use your data to provide, maintain, and improve the Forge platform — including routing your API requests, managing your keys, delivering webhook events, and providing support.

Communication

We may send transactional emails (API key rotations, billing receipts, incident alerts) and, with your consent, product updates and changelog summaries. You can unsubscribe from marketing emails at any time.

Analytics & improvement

Aggregated, anonymised usage data helps us understand feature adoption, fix bugs, and prioritise our roadmap. We do not sell individual usage data to third parties.

Legal compliance

We may process your data to comply with applicable laws, respond to legal requests, or protect our rights and safety.

3. Data Sharing & Third Parties

Service providers

We share data with trusted providers who help us operate (payment processing, hosting, email) — [CUSTOMISE: list your sub-processors]. Each provider is bound by data processing agreements.

No selling of data

We do not sell, rent, or trade your personal information to advertisers or data brokers. Period.

Business transfers

If REPLACE WITH YOUR LEGAL COMPANY NAME is acquired or merged, your information may be transferred. We will notify you via email and provide options before any such transfer.

4. Security & Data Storage

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are stored using one-way hashing — we never store raw keys after initial generation. Database backups are encrypted and stored in geographically separate regions.

Infrastructure

Forge is designed to support [CUSTOMISE: your compliance commitments, e.g. SOC 2 or ISO 27001] across multiple availability zones. We conduct regular penetration tests and maintain a responsible disclosure programme for security researchers.

Data residency

By default, data is stored in [CUSTOMISE: your primary cloud provider and region]. Enterprise customers can choose alternative data residency for compliance with local regulations.

5. Data Retention

Account data

We retain account data for the lifetime of your account plus 90 days post-deletion. This grace period allows account recovery if deletion was accidental.

API logs

API request and webhook delivery logs are retained for 30 days by default. Enterprise customers can configure retention periods from 7 to 365 days.

Backups

Encrypted backups are retained for 30 days and then permanently destroyed. We do not retain backups of deleted accounts beyond the 90-day grace period.

6. Your Rights & Choices

UK / EU GDPR rights (per right, individually)

If you are a UK or EU resident, the UK GDPR / EU GDPR grants you the following rights, each exercisable independently by emailing privacy@yourbrand.com: (a) right of access — request a copy of the personal data we hold about you (Art 15); (b) right to rectification — correct inaccurate or incomplete data (Art 16); (c) right to erasure / "right to be forgotten" — delete your data subject to legal-retention exceptions (Art 17); (d) right to restrict processing — pause our use of your data while a dispute is resolved (Art 18); (e) right to data portability — receive your data in a structured, machine-readable format (JSON) (Art 20); (f) right to object — object to processing based on legitimate interests or for direct marketing (Art 21); (g) right not to be subject to solely automated individual decision-making (including profiling) that produces legal or similarly significant effects — you may request human review of any such decision by contacting us (Art 22); (h) right to withdraw consent — withdraw any consent you previously gave, at any time, without affecting prior lawful processing (Art 7(3)); (i) right to lodge a complaint with a supervisory authority — your local data protection regulator (UK ICO, Irish DPC, German BfDI, etc.) (Art 77). We respond to verifiable requests within 30 days. We do not charge a fee for the first request in any 12-month period.

California CCPA / CPRA rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights, exercisable by emailing privacy@yourbrand.com: (i) right to know — what categories of personal information we collect, the sources, the business purposes, and the categories of third parties we share it with (Cal. Civ. Code §1798.110); (ii) right to delete — request deletion of personal information we collected from you, subject to statutory exceptions (§1798.105); (iii) right to correct — correct inaccurate personal information (§1798.106); (iv) right to opt out of sale or sharing — direct us to stop selling or sharing your personal information for cross-context behavioural advertising (§1798.120 / §1798.121). See our /do-not-sell/ page; we also automatically honour the Global Privacy Control browser signal (see DNT below). (v) right to limit use of sensitive personal information — direct us to limit use of sensitive PI to what is necessary to provide the service (§1798.121). (vi) right of non-discrimination — you will not receive a different price or quality of service for exercising any of the above (§1798.125). We respond to verifiable consumer requests within 15 business days (CPRA) or 45 days (CCPA original framework), whichever applies; the timer starts when we receive enough information to verify your identity.

Other US states (Colorado, Connecticut, Virginia, Texas, +)

Residents of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), and other states with comprehensive privacy statutes have rights closely modelled on California's framework — access, delete, correct, opt out of targeted advertising / sale / profiling, and appeal a denial of any of the above. Email privacy@yourbrand.com to exercise these rights; please state which state you are a resident of so we can apply the correct statutory deadlines.

Account export & deletion (universal)

Independent of jurisdiction, you can export all your data (API logs, webhook history, account settings) at any time from Settings > Data Export — JSON format, delivered within 24 hours — and delete your account from Settings > Account. All personal data is purged within 30 days, except where we are legally required to retain it (e.g. tax records, fraud investigation).

Do Not Track (DNT) and Global Privacy Control (GPC)

We honour two browser-level privacy signals. **Global Privacy Control (GPC)**: when your browser sends GPC, our cookie-consent banner auto-rejects all non-essential cookies and never shows the banner. We treat GPC as a valid universal opt-out under California CCPA/CPRA, Colorado CPA, and Connecticut CTDPA. **Do Not Track (DNT)**: the legacy DNT header is no longer maintained by major browser vendors and is not a uniformly-defined opt-out signal under any current US state-privacy law. We do not honour DNT as an opt-out, but we do not collect cross-site behavioural-advertising data regardless. If you want to opt out of any analytics processing we perform, decline non-essential cookies in our consent banner or send a request to privacy@yourbrand.com.

Cookies

We use essential cookies for authentication and preferences. Optional analytics, marketing, and functional cookies are only set with your explicit consent via the cookie banner. See our /cookie-policy/ for the per-cookie inventory.

Questions about your privacy?

Contact our Data Protection Officer at privacy@yourbrand.com