When you create an account, we collect information such as your name, email address, organization name, and billing information.
We collect information about how you use the Service, including run logs, audit events, API requests, and configuration data associated with your workspaces and infrastructure runs.
We automatically collect certain technical information when you use the Service, including IP addresses, browser type, operating system, referring URLs, and device identifiers.
Customer Data includes infrastructure code, state files, credentials (which are encrypted and never read by Forgecroft staff), and other content you submit to the Service. Forgecroft accesses Customer Data only as necessary to provide the Service and as described in these Terms.
If you contact us, we collect the contents of your messages along with any information you provide.
We use the information we collect to:
We do not sell your personal information or Customer Data to third parties.
Cloud provider credentials you provide to Forgecroft are encrypted at rest using AES-256 and in transit using TLS 1.2+. Credentials are injected into execution environments at run time and are never logged, persisted unencrypted, or accessible to Forgecroft personnel in plaintext. Access to decryption keys is strictly controlled and audited.
We retain account and usage data for the duration of your account and for a reasonable period thereafter to fulfill the purposes set out in this Policy. Run logs and audit trails are retained according to your plan's default retention policy. Enterprise customers may configure custom data retention periods. Upon account termination, Customer Data is deleted within 90 days unless a longer retention period is required by law.
You may request deletion of your personal information at any time by emailing privacy@forgecroft.com with the subject line "Data Deletion Request." Include the email address associated with your account and specify whether you are requesting deletion of specific data or complete account and data deletion.
We will verify your identity via the email address on your account before processing the request. We will acknowledge your request within 5 business days and complete deletion within 30 days of verification. If additional time is needed (up to 90 days for complex requests), we will notify you with a reason and expected completion date.
Upon a verified request, we will delete your personal information from our active systems, remove your Customer Data, and instruct our service providers to do the same. We may retain certain information where required by law, for fraud prevention, to resolve disputes, or to enforce our agreements. Backup copies may persist for up to 90 days before being overwritten in normal rotation. We will confirm completion of the deletion by email.
We share information with trusted third-party service providers who assist us in operating the Service. These providers have access only to the information necessary to perform their functions and are contractually obligated to protect it. Our key service providers include:
We may disclose information if required by law, regulation, legal process, or governmental request.
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.
We implement and maintain commercially reasonable technical and organizational security measures designed to protect your information against unauthorized access, loss, disclosure, or alteration. These measures include encryption at rest and in transit, access controls, and regular security reviews. No security system is impenetrable, and we cannot guarantee absolute security.
In the event of a security breach affecting your personal information, we will investigate promptly and take appropriate steps to contain and remediate the incident. We will notify affected users and relevant authorities without undue delay and within the timelines required by applicable law. Notifications will include the nature of the breach, the categories of data affected, likely consequences, and the measures we have taken or propose to take to address the breach.
Depending on your location, you may have rights regarding your personal information, including:
To exercise any rights, contact us at privacy@forgecroft.com. We will respond within the timeframes required by applicable law.
You can manage non-essential cookie preferences through your browser settings. Note that disabling essential cookies will prevent the Service from functioning. We plan to honor "Do Not Track" browser signals; implementation of this feature is in progress.
The Service integrates with and may link to third-party websites and services, including Google and GitHub for authentication, Stripe for billing, and external code repositories. Your interactions with these third-party services are governed by their respective privacy policies and terms. We encourage you to review the privacy practices of any third-party service you access through the Service.
Your information may be transferred to and processed in countries other than your own. We take steps to ensure that any such transfers comply with applicable data protection laws, including through the use of standard contractual clauses where required.
The Service is a business-to-business platform intended for use by organizations and their authorized personnel. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from individuals outside of this professional context.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice within the Service. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.
For questions about this Privacy Policy or our data practices:
Forgecroft, Inc. · privacy@forgecroft.com