Forge

Legal

Privacy Policy

Effective date: January 1, 2027. Last updated: March 18, 2027.

This Privacy Policy describes how Forge Technologies Ltd. (“Forge,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Forge form builder, headless API, and associated services at useforge.cloud. By using Forge, you agree to the collection and use of information as described in this policy.

TL;DR: We collect only what we need to run the service. We never sell your data. Your form respondents' data belongs to you — we process it only on your behalf. You can export and delete all data at any time.

1. What Data We Collect

1a. Account Data (Data Controller: Forge)

When you register for a Forge account, we collect:

  • Email address and name (required for account authentication)
  • Payment information (processed by Stripe — we store only the last 4 digits and card type)
  • Workspace name and billing details for invoicing

1b. Usage Data (Data Controller: Forge)

We automatically collect:

  • API usage logs (endpoint, timestamp, status code, response time) for billing and debugging
  • Dashboard interaction events via our internal analytics (no third-party tracking by default)
  • Error traces sent to Sentry (our sub-processor) — personally identifiable fields are scrubbed before transmission

1c. Form Submission Data (Data Controller: You — our customer)

When your end-users submit forms you have created on Forge, that submission data is collected and stored on your behalf. You are the Data Controller of this data. Forge acts solely as the Data Processor. We do not access, analyze, or use submission data for any purpose other than delivering the Service to you.

We explicitly do not use form submission data to train AI models. We do not share submission data with third parties, except as instructed by your webhook configurations or as required by applicable law.

2. Legal Basis for Processing (GDPR)

Under GDPR Article 6, our legal bases are:

  • Contract (Art. 6(1)(b)): Processing your account data to deliver the Service you signed up for
  • Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and product improvement
  • Legal Obligation (Art. 6(1)(c)): Retaining financial records as required by UK tax law
  • Consent (Art. 6(1)(a)): Marketing emails — opt-in only, removable at any time

3. Cookies

We use minimal cookies:

  • Session cookie: Strictly necessary for authentication — no consent required
  • Preference cookie: Stores your theme preference (light/dark) — strictly necessary
  • Analytics cookies: Only if you opt in — tracks usage patterns to improve the product. Never sold.

Forge embed scripts embedded on third-party websites set no cookies from the useforge.cloud domain.

4. Data Retention

  • Account data: Retained while your account is active and for 30 days after deletion
  • Form submissions: Retained until you delete them or your account is deleted, subject to your per-form retention settings
  • API access logs: 90 days by default
  • Billing records: 7 years as required by UK tax law

5. Sub-Processors

We use the following approved sub-processors to deliver the Service. All EU sub-processors operate under Standard Contractual Clauses (SCCs):

  • Amazon Web Services (AWS) — cloud infrastructure (us-east-1 / eu-west-1)
  • Supabase — PostgreSQL database and authentication
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Sentry — error monitoring (PII scrubbed before transmission)
  • Vercel — application hosting and edge CDN

For a complete, always-current sub-processor list, see our Trust Center.

6. Your Rights

For EU/EEA residents (GDPR)

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data
  • Right to Restriction of Processing (Art. 18): Restrict how we use your data
  • Right to Data Portability (Art. 20): Export your data in JSON or CSV format
  • Right to Object (Art. 21): Object to processing based on legitimate interest

To exercise any right, contact privacy@useforge.cloud. We respond within 30 days.

For California residents (CCPA)

You have the right to know what personal information we collect, delete personal information, and opt out of data selling. Forge does not sell personal information. To submit a CCPA request, email privacy@useforge.cloud or use the “Delete My Account” option in your account settings.

7. International Data Transfers

Forge is based in the United Kingdom. If you access the Service from the EU/EEA, data is transferred to our UK servers under the UK GDPR framework. For customers requiring EU-only data residency, EU data residency is available on the Secure plan, keeping all data within AWS eu-west-1 (Ireland) and covered by EU SCCs.

8. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact privacy@useforge.cloud for immediate deletion.

9. Data Security

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. See our Security Whitepaper for full details including penetration testing cadence and vulnerability disclosure procedures.

10. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you via email or a prominent in-app notice at least 30 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

11. Contact Us

For privacy questions or requests: privacy@useforge.cloud
For GDPR DPA requests: legal@useforge.cloud

Related: Terms of Service · Trust Center · Security Whitepaper · Effective January 1, 2027