FORGE

Privacy Policy

Last updated: April 24, 2026

What we collect

We collect the minimum amount of information needed to provide FORGE and keep it running smoothly. Here is exactly what we collect and why:

Account information — your name, email address, hashed password, and company name. We need this to create and maintain your account.

Billing information — payment processing is handled entirely by Stripe. We never see, store, or have access to your full card number. Stripe provides us with a reference ID and basic transaction details (amount, date, status) so we can display your billing history.

Usage data — pages visited, features used, and timestamps. This helps us understand how people use FORGE so we can improve the product.

Device and browser information — browser type, operating system, and screen size. We use this to ensure FORGE works well across devices.

Cookies — we use session cookies for authentication. These are strictly necessary to keep you logged in. We do not use tracking cookies or third-party advertising cookies.

How we use your data

Your data is used for the following purposes:

  • Provide and maintain the service — your account data powers the features you use every day.
  • Process payments — we share billing details with Stripe to handle subscriptions and invoices.
  • Send transactional emails — welcome emails, password resets, billing receipts, and important account notifications. We do not send marketing emails unless you explicitly opt in.
  • Improve the product — aggregated usage data helps us prioritize features and fix issues.

We want to be crystal clear about what we do not do with your data:

  • We do not sell your data. Ever.
  • We do not use your data for advertising.
  • We do not share your data with third parties for marketing purposes.

Third-party services

We use a small number of trusted third-party services to operate FORGE. Each is chosen for reliability, security, and privacy practices:

  • Stripe — payment processing. Stripe handles all card data directly. Their privacy policy governs how your payment information is handled.
  • Resend — transactional email delivery. Used to send account-related emails like password resets and billing receipts.
  • Sentry — error tracking. Captures error context (stack traces, browser info) to help us fix bugs. No personal data is intentionally collected by Sentry.
  • Hetzner — infrastructure hosting. All servers and data are hosted in Hetzner's data center in Helsinki, Finland (EU).

Data retention

Active accounts — your data is retained for as long as your account is active and you continue using the service.

After account deletion — all personal data is removed from our production systems within 30 days of your deletion request.

Backups — automated backups are retained for 30 days, then permanently deleted. Your data may exist in backups for up to 30 days after deletion from production.

Billing records — invoices and transaction records are retained for 7 years to comply with tax and accounting requirements.

Your rights

You have full control over your data. Specifically, you can:

  • Access — request a complete copy of all data we hold about you at any time.
  • Export — download your data in open formats (JSON, CSV) directly from your dashboard.
  • Deletion — request complete deletion of your account and all associated data.
  • Correction — update or correct your personal information from your account settings at any time.

To exercise any of these rights, email us at privacy@forgehq.in. We will respond within 30 days.

GDPR compliance

If you are located in the European Economic Area (EEA), the following applies:

  • Legal basis — we process your data based on contract performance (providing the service you signed up for) and legitimate interest (improving the product).
  • Data controller — Nirav Gondaliya (FORGE), Rajkot, Gujarat, India.
  • EU data residency — all data is stored on Hetzner servers in Helsinki, Finland. Your data stays within the EU.
  • Data Processing Agreement — available on request. Email privacy@forgehq.in.

Data protection (India)

FORGE is compliant with India's Digital Personal Data Protection Act, 2023 (DPDP Act). All rights of Data Principals under the Act are honored, including the right to access, correct, and erase personal data.

If you believe your rights under the DPDP Act have not been addressed, you may contact us at privacy@forgehq.in.

Security

We take the security of your data seriously. Key measures include:

  • All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Passwords are hashed with bcrypt using 12 salt rounds — we never store plain text passwords.
  • We conduct regular security reviews and monitor for vulnerabilities.

For more details, visit our Security page.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email before the changes take effect. Continued use of FORGE after changes are posted constitutes acceptance of the updated policy.

Contact

If you have any questions about this Privacy Policy or how we handle your data, contact us at privacy@forgehq.in.