Summary: We collect only what we need to provide the ForgeAI service. We do not sell your personal data. We use Facebook Conversion API (server-side only) for ad tracking. You can request deletion of your data at any time.
1. Information We Collect
Information you provide directly:
- Account information: Your full name, email address, and password when you create an account.
- License key: The license key you use to activate your account.
- Payment information: Processed securely by Cashfree (India) or Gumroad (Global). We do not store your card details.
- Communications: Any messages you send us via email for support.
Information collected automatically:
- IP address: Used for location detection (INR vs USD pricing), fraud prevention, and Facebook CAPI tracking.
- Browser & device info: Browser type, operating system, device type — used for analytics and ad tracking.
- Usage data: Which engines and tools you access, timestamps of activity.
- Facebook parameters: fbclid (Facebook click ID) and _fbp (Facebook browser cookie) if you arrive from a Facebook ad — used for conversion tracking.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Provide the ForgeAI service | Email, name, tier, license key | Contract performance |
| Process your payment | Email, payment info | Contract performance |
| Send your license key | Email | Contract performance |
| Authenticate your login | Email, password (hashed) | Contract performance |
| Show correct pricing (INR/USD) | IP address | Legitimate interest |
| Facebook ad measurement (CAPI) | Hashed email, IP, fbclid, fbp | Legitimate interest / Consent |
| Send product updates (if opted in) | Email | Consent |
| Fraud prevention | IP, email, device info | Legitimate interest |
| Customer support | Email, order ID | Legitimate interest |
We do not sell your personal data to any third parties, advertisers, or data brokers — ever.
3. Third-Party Services
We use the following trusted third-party services to operate ForgeAI:
Facebook CAPI Note: We use Facebook's Conversion API (server-side tracking only — no browser pixel). Your email is SHA-256 hashed before being sent to Facebook. This means Facebook receives an unreadable fingerprint, not your actual email address.
4. Cookies & Tracking
Essential Cookies (always active):
- Authentication session: Keeps you logged in to your ForgeAI account.
- Security tokens: Prevent CSRF attacks and unauthorized access.
Analytics & Advertising Cookies:
- _fbp (Facebook browser ID): Set by Facebook if you have visited Facebook. Used with our CAPI tracking to measure ad effectiveness.
- fbclid (URL parameter): Facebook click ID passed in the URL when you arrive from a Facebook ad. Stored in session storage temporarily.
By using ForgeAI, you consent to these cookies. You can disable non-essential cookies in your browser settings, though this may affect some functionality. For full details, see our Cookie Policy.
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Purchase records: Retained for 7 years for tax and legal compliance purposes.
- Support emails: Retained for 2 years.
- Usage logs: Retained for 90 days.
6. Your Rights (GDPR & CCPA)
Depending on your location, you may have the following rights:
For EU/EEA users (GDPR):
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interests (e.g., marketing).
- Right to withdraw consent: Withdraw newsletter consent at any time.
For California users (CCPA):
- Right to know what personal information is collected and how it is used.
- Right to delete personal information.
- Right to opt-out of sale of personal information (we do not sell data).
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, email us at support@forgeai.digital with subject "Data Request — [Your Email]". We will respond within 30 days.
7. Data Security
- All data is transmitted over HTTPS (SSL/TLS encryption).
- Passwords are hashed using bcrypt — we never store plain-text passwords.
- Database is hosted on Supabase with row-level security (RLS) enabled.
- API keys and secrets are stored as environment variables, never in source code.
- Payment processing is handled entirely by PCI-DSS compliant payment processors.
While we implement industry-standard security measures, no system is 100% secure. In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR.
8. Children's Privacy
ForgeAI is not intended for children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately at support@forgeai.digital and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of ForgeAI after changes constitutes acceptance of the updated policy.