Forge Foundation

Privacy Policy

Forge Foundation  |  Effective Date: April 2026  |  Last Updated: April 2026

1. Introduction

Forge Foundation (“Forge,” “we,” “our,” or “us”) operates the Forge platform — a browser extension and web application that enables users to earn marks by watching ads and direct those marks to support charitable causes. We are committed to protecting your personal information and being transparent about how we use it.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and your rights as a data subject. It applies to all users of the Forge platform, including the Forge website, browser extension, and any related services (collectively, the “Service”).

By using the Service, you consent to the practices described in this policy. If you do not agree, please discontinue use of the Service.

2. Who We Are (Data Controller)

Forge Foundation is the data controller responsible for your personal information. We are a U.S.-based organization. Users located in the European Union, United Kingdom, or Canada should note that by using our Service, their data may be transferred to and processed in the United States.

Contact for privacy matters: hello@yourforge.app

We do not have a designated Data Protection Officer (DPO) at this time. All privacy-related requests and inquiries should be directed to the contact above.

3. Scope and Applicable Regulations

We serve users globally, including residents of the United States (including California), the European Union and United Kingdom, and Canada. Depending on your jurisdiction, additional privacy rights and obligations may apply:

  • California residents: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • EU/EEA and UK residents: General Data Protection Regulation (GDPR / UK GDPR)
  • Canadian residents: Personal Information Protection and Electronic Documents Act (PIPEDA)

Where applicable, jurisdiction-specific rights are described in Section 12.

4. Information We Collect

We collect only the information necessary to operate the Service.

4.1 Information You Provide

  • Account registration: email address and optional display name.
  • Cause preferences and nominations: the charitable causes you select or nominate.
  • Payment information: if you purchase a paid upgrade, payment is processed by Stripe. Forge does not store your credit card numbers or full payment details — Stripe retains these under their own privacy policy.

4.2 Information Collected Automatically

  • Activity data: ad watch events, marks earned, votes cast, and platform interactions needed to operate the marks ledger and quarterly distribution.
  • Technical data: hashed IP addresses used for rate-limiting and fraud prevention. We do not store raw IP addresses.
  • Anonymous session tokens: if you use the Service without an account, a session token is stored locally in your browser. This token is not linked to any personal information.

4.3 Preferences and Settings

Ad frequency preferences and cause selections are stored to personalize your experience across devices.

4.4 Information We Do Not Collect

We do not collect sensitive personal information such as government ID numbers, financial account details (beyond what Stripe processes), health data, biometric data, or precise geolocation. We do not collect data from children (see Section 14).

5. Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we process your personal data on the following legal bases:

  • Consent (Article 6(1)(a) GDPR): You provide explicit consent when you create an account and agree to this Privacy Policy. You may withdraw consent at any time by deleting your account.
  • Contract performance (Article 6(1)(b) GDPR): Processing necessary to deliver the Service — such as recording marks earned, processing ad views, and facilitating distributions.
  • Legitimate interests (Article 6(1)(f) GDPR): Fraud prevention, platform security, and aggregated analytics that do not override your fundamental rights.
  • Legal obligation (Article 6(1)(c) GDPR): Where required by applicable law.

6. How We Use Your Information

We use the information we collect to:

  • Operate, maintain, and improve the Forge platform
  • Calculate marks earned and execute quarterly revenue allocations to causes
  • Enforce daily ad limits and prevent fraudulent activity
  • Send transactional emails (account creation confirmations, password resets, cycle notifications) via Resend
  • Process advertiser billing and optional paid upgrade subscriptions via Stripe
  • Respond to your support requests and privacy inquiries
  • Comply with applicable legal obligations

We do not sell your personal information to third parties. We do not use your personal data for targeted advertising outside the Forge platform.

7. Data Sharing and Third-Party Processors

We share data only with trusted service providers that help us operate the Service, and only to the extent necessary. Each processor is bound by a data processing agreement or equivalent safeguard.

  • Supabase — Our primary database and authentication provider. Hosts account data, activity records, and session management.
  • Stripe — Payment processing for advertiser billing and optional paid upgrade purchases. Forge does not store payment card data.
  • Resend — Transactional email delivery (account and cycle notifications). We share only your email address for delivery purposes.
  • Vercel — Cloud hosting and deployment infrastructure for the Forge web application.
  • Cloudflare — Content delivery, DNS, and edge network security. Cloudflare may process request metadata (including hashed identifiers) for security and performance.
  • Advertisers — We share only aggregated, anonymized statistics (e.g., total impressions, completion rates). We never share individual user data with advertisers.
  • Legal Requirements — We may disclose information when required by law, court order, or regulatory authority, or when necessary to protect the rights, property, or safety of Forge, our users, or the public.
  • Business Transfers — If Forge is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email and/or a prominent notice on the Service prior to any such transfer.

8. International Data Transfers

Forge is based in the United States. If you are located outside the U.S., your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For transfers of EU/UK personal data, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms where required. Our third-party processors (Supabase, Stripe, Vercel, Cloudflare, Resend) each maintain appropriate safeguards for international transfers as described in their respective privacy policies.

9. Anonymous Usage

You may browse the Service and watch ads without creating an account. In this case, an anonymous session token is stored in your browser’s local storage. This token:

  • Is not linked to any personally identifiable information
  • Is used solely to track marks earned during your anonymous session
  • Can be associated with a new account if you later choose to register, allowing anonymous marks to be claimed
  • Is not transmitted to third parties

If you clear your browser storage or uninstall the extension, anonymous session data is permanently lost and cannot be recovered.

10. Cookies and Local Storage

We use a minimal set of cookies and local storage mechanisms:

  • Authentication cookies: session cookies managed by Supabase, required to keep you logged in. These are strictly necessary and cannot be disabled without affecting Service functionality.
  • Extension local storage: the Forge browser extension stores anonymous session tokens and ad preference settings locally on your device. This data does not leave your browser except as described in this policy.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use fingerprinting or cross-site tracking technologies.

Most browsers allow you to control cookie settings. Disabling authentication cookies will prevent you from accessing your account.

11. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data (email, display name): retained for as long as your account is active, plus 30 days following account deletion to allow for recovery requests.
  • Activity records (marks ledger, watch events): retained for auditing, fraud detection, and quarterly distribution purposes. These records may be retained for up to 3 years after your account is closed.
  • Billing data: Stripe retains transaction records per their own retention obligations and applicable financial regulations.
  • Anonymous session tokens: stored locally on your device and not retained on our servers beyond the active session.

After applicable retention periods, data is securely deleted or anonymized so it can no longer be associated with you.

12. Your Rights

12.1 Rights Available to All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated personal data (subject to retention obligations in Section 11).
  • Data portability: Request an export of your data in a machine-readable format.

12.2 Additional Rights for EU/UK Users (GDPR)

  • Restriction of processing: Request that we restrict how we use your data in certain circumstances.
  • Object to processing: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU Member State’s supervisory authority).

12.3 Additional Rights for California Residents (CCPA/CPRA)

  • Know: The right to know what personal information we collect, use, disclose, or sell.
  • Delete: The right to request deletion of personal information we have collected from you.
  • Correct: The right to correct inaccurate personal information.
  • Opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

California residents may submit requests by emailing hello@yourforge.app with the subject line “CCPA Privacy Request.” We will respond within 45 days.

12.4 Additional Rights for Canadian Users (PIPEDA)

  • Access: Request access to your personal information and information about how it has been used or disclosed.
  • Correction: Challenge the accuracy or completeness of your information and request amendments.
  • Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

12.5 How to Exercise Your Rights

To exercise any of the rights described above, contact us at hello@yourforge.app. We will respond to verified requests within 30 days (or the time frame required by applicable law). We may ask you to verify your identity before processing your request.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit (TLS) and at rest via Supabase’s infrastructure
  • Hashing of IP addresses before storage — raw IPs are never retained
  • Access controls limiting data access to authorized personnel only
  • Use of trusted, vetted third-party infrastructure providers

While we take security seriously, no method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities in accordance with applicable law.

14. Children's Privacy

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If you believe that a minor has provided us with personal information, please contact us immediately at hello@yourforge.app. We will take steps to delete such information promptly.

Our minimum age requirement of 18 is stricter than the COPPA threshold of 13 and the GDPR threshold of 16.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Notify registered users by email at least 14 days before the changes take effect
  • Post the updated policy on our website with a revised “Last Updated” date
  • For significant changes, provide a prominent notice on the Service

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree to the changes, you should stop using the Service and may request deletion of your account.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Forge Foundation — Privacy Inquiries
hello@yourforge.app

We aim to respond to all privacy-related inquiries within 5 business days.

This Privacy Policy was last reviewed and updated in April 2026.