PRIVACY POLICY

YOUR JOURNAL.
YOUR DATA.
FULL STOP.

Forge is built on one premise: what you write here is the most honest version of you. That data deserves to be protected like it matters — because it does.

Last updated: March 12, 2026
OUR COMMITMENTS
🔒
Your journal content never trains AI models.
Every AI call Forge makes goes through API-only access. Anthropic is contractually prohibited from using API data for model training. Your entries are processed to generate your coaching response — then that's it. No training. Confirmed in Anthropic's commercial terms.
🧱
Row-level security. Only you can read your data.
Our database (Supabase/PostgreSQL) has row-level security enabled on every table. Even if someone accessed our database directly, your journal entries, identity profile, and coaching sessions are cryptographically scoped to your user ID only.
Embeddings are math, not text.
To give the coach memory across sessions, we create a vector embedding of your entries — a numeric fingerprint used to find related content. OpenAI's embedding API receives this data. Crucially: embeddings cannot be reverse-engineered into readable text. It's a one-way mathematical transformation. Your words are never readable from embeddings.
🚫
We do not sell your data. Ever.
No advertising. No data brokers. No third-party sharing for commercial purposes. Your identity data is not a product. You are not a product. This is a commitment we will never walk back.
🗑️
Delete means delete.
When you delete your account, all your data — journal entries, identity profile, coaching history, The Letter, push subscriptions — is permanently removed within 30 days. No backups retained after that window. No exceptions.

1. What we collect

  • Account data: Email address and name when you create an account.
  • Journal entries: The text you write in daily sessions, stored encrypted in our database.
  • Imported journal entries: If you import past journals (Day One, Bear, etc.), those entries are stored and analyzed for patterns — only on your request, only for your benefit.
  • Identity profile: Your responses during the 13-stage onboarding — your current self, future self, sabotage patterns, non-negotiables, hidden fears. This is the most sensitive data we hold. It is treated accordingly.
  • Coaching sessions: Your conversation history with the coach, stored to give the coach memory across sessions.
  • Usage data: Login times, streak counts, features used — used to improve your experience, never shared externally.

2. AI providers — exactly what they receive

We use AI providers for coaching and embeddings. Here is precisely what each one sees:

ANTHROPIC (claude-sonnet-4-6 + claude-haiku)
  • Coach's Office: Your coaching messages + Identity File (OTT, NNs, archetype, etc.) are sent to Anthropic's claude-sonnet-4-6. Prompt caching is used — your Identity File is cached for 5 minutes, cutting both response time and cost.
  • Utility tasks: Daily prompts, scoring, check-in triggers — sent to claude-haiku. Minimal data, minimal exposure.
  • Training: Zero. Anthropic's commercial API terms explicitly prohibit using API requests and responses to train their models.
OPENAI (Embeddings only)
  • What we send: Your journal entries to create a vector embedding — a mathematical representation used to find related past entries.
  • What embeddings are: A numeric array (e.g., [0.023, -0.41, 0.78, ...]). They cannot be reverse-engineered into readable text.
  • Training: OpenAI's API data usage policy does not use API data for model training by default.

3. Security architecture

  • In transit: All data is encrypted via HTTPS/TLS 1.3. No unencrypted connections permitted.
  • At rest: Database encrypted at rest (AES-256). Supabase managed PostgreSQL with encryption enabled.
  • Row-level security: Every table has RLS policies enforced at the database level. Your rows are invisible to all other users — including Forge administrators running queries.
  • Authentication: Supabase Auth with JWT tokens. Passwords hashed with bcrypt. No plaintext credentials stored anywhere.
  • API security: Rate limiting on all write endpoints. Server-side validation on all inputs. No direct client-to-database writes.
  • Access control: Production database access restricted to authorized personnel only, with audit logging enabled.

4. Your rights

  • Access: Your journal entries, identity profile, and coaching history are readable in the app at any time.
  • Export: Request a full export of your data — all journal entries, identity profile, coaching history — by emailing privacy@forgeidentity.ai.
  • Deletion: Delete your account from Settings → Danger Zone. All data permanently removed within 30 days.
  • Portability: Your data is yours. We will provide it in a standard format on request.
  • GDPR (EU users): You have the right to access, rectify, erase, restrict processing, and object to processing. Contact us to exercise any of these rights.
  • CCPA (California users): You have the right to know what data we collect, request deletion, and opt out of sale (we do not sell data, so this is already satisfied).

5. Data retention

We retain your data for as long as your account is active.

When you delete your account: all journal entries, identity profile, coaching sessions, The Letter, push subscriptions, and usage data are scheduled for permanent deletion within 30 days. Stripe billing records are retained per legal requirements (7 years) but contain no journal or identity data.

6. Cookies

We use session cookies for authentication only (Supabase Auth JWT). No advertising cookies. No cross-site tracking. A cookie consent banner is shown on first visit — declining analytics cookies disables all non-essential tracking.

7. Children

Forge is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately at privacy@forgeidentity.ai and we will delete the account.

8. Changes to this policy

If we make material changes to how we handle your data, we will notify you by email and display a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision.

9. Contact

Privacy questions: privacy@forgeidentity.ai
General: coach@forgeidentity.ai
Forge Identity, LLC

QUESTIONS ABOUT YOUR DATA?
privacy@forgeidentity.ai →