How ForgeSystem collects, uses, and protects your information. Written in plain language so you always know where you stand.
ForgeSystem is a white-label agency platform that helps agencies manage their clients, communications, payments, and workflows. This Privacy Policy explains how we collect, use, store, and protect information when you interact with our platform, whether you are an agency owner, a team member, or an end client of an agency using ForgeSystem.
This policy applies to all services provided through ForgeSystem, including Invoicing & Payments, Contracts & E-Signatures, Custom Forms, Scheduling & Booking, Client Messaging, Email & SMS Marketing, Client Feedback, Onboarding & Checklists, Portfolio & Case Studies, Landing Pages, and Analytics & Reporting.
Because ForgeSystem operates as a white-label platform, our privacy responsibilities depend on the type of data involved. We operate under a three-tier model:
Understanding the three-tier model: ForgeSystem plays different roles depending on whose data is being processed. This distinction matters for your privacy rights and for determining who is responsible for what.
We act as the Data Controller for information related to agency accounts, billing, and platform usage. This includes the data agencies provide when they sign up, their payment information, and how they use the platform. We decide why and how this data is processed.
When agencies use ForgeSystem to manage their own clients, we act as a Data Processor. We process agency client data on the agency's behalf and according to their instructions. We do not use this data for our own purposes beyond providing the service.
Agencies that use ForgeSystem are Data Controllers for their own clients' data. They determine what data to collect, why, and how it is used within the platform. Agencies are responsible for maintaining their own privacy policies that inform their clients about data practices.
If you are the client of an agency using ForgeSystem: The agency you work with is the primary controller of your data. Please review their privacy policy for details on how they handle your information. This policy covers how ForgeSystem processes that data on the agency's behalf.
You can control cookies through your browser settings. Disabling essential cookies may prevent certain features from working correctly. Disabling analytics cookies will not affect your ability to use the platform.
We use information for the following purposes, each tied to a legal basis:
We do not sell personal information. We share data only in the following circumstances:
We use the following third-party service providers to operate ForgeSystem. Each processes only the data necessary for its specific function.
| Provider | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) | Email delivery via SES, infrastructure | Email content, recipient addresses, delivery metadata |
| Stripe | Payment processing (PCI DSS Level 1 certified) | Payment card details, billing addresses, transaction amounts |
| Supabase | Database hosting, authentication, file storage | Account data, application data, uploaded files, auth credentials |
| Netlify | Application hosting, serverless functions | Request data, access logs, function execution data |
For details on how each provider handles data, see their respective privacy policies:
We retain data for the minimum period necessary to fulfill the purposes described in this policy. Specific retention periods are:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 90 days post-deletion |
| Payment and billing records | 7 years (legal requirement) |
| Communication logs (email, SMS, chat) | 24 months |
| Usage analytics | 24 months |
| Server and access logs | 90 days |
| Agency client data | Deleted within 30 days of agency request or account termination |
When data reaches the end of its retention period, it is securely deleted or anonymized so it can no longer be linked to an individual.
We take the security of your data seriously and implement multiple layers of protection:
ForgeSystem's infrastructure is hosted primarily in the United States through AWS and other US-based providers. If you are located outside the US, your data may be transferred to and processed in the United States.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure an adequate level of data protection.
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation:
We respond to all GDPR requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority if you believe your data has been mishandled.
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with the following rights:
We respond to all CCPA/CPRA requests within 45 days.
We comply with applicable state privacy laws, including those in Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy legislation. If your state provides additional privacy rights, please contact us to exercise them.
ForgeSystem does not sell personal information. We do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA). Because we do not engage in these practices, a "Do Not Sell or Share My Personal Information" link is not necessary, but we honor any such requests we receive.
All commercial emails sent through ForgeSystem comply with the CAN-SPAM Act. This means every marketing email includes:
Unsubscribe requests are honored within 10 business days.
SMS messages sent through ForgeSystem comply with the Telephone Consumer Protection Act (TCPA). This means:
Agencies using ForgeSystem are responsible for obtaining proper consent from their contacts before sending communications. ForgeSystem provides the tools for compliance, but agencies must ensure they have the appropriate permissions and consents in place.
ForgeSystem is a business platform and is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at the email address listed below.
In the event of a data breach that affects your personal information, we will:
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
Continued use of ForgeSystem after the notice period constitutes acceptance of the updated policy. If you disagree with any changes, you may close your account before the changes take effect.
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data is handled, please reach out:
Email: support@forgesystems.io
Subject line: "Privacy Inquiry"
Physical address: Available upon request.
We aim to respond to all privacy-related inquiries within 5 business days.