Privacy Policy
Last updated: June 2026 · Effective: June 2026
This Privacy Policy describes how UpgradIQ, Inc. ("UpgradIQ," "FORG," "we," "us," or "our") collects, uses, and shares information about you when you use our services, including the FORG agent, the forg.pro website, and the FORG dashboard (collectively, the "Service").
1. Information we collect
1.1 Account information
When you create a FORG account, we collect your email address, name, and payment information (processed by Stripe — we do not store card numbers). We also assign you a license key in the format lic_<20hex>.
1.2 Signal data
The FORG agent is designed to collect metadata fields from your AI tool sessions (FORG Signal Schema v3):
- Session identifier (ephemeral UUID, not linked to your account identity in the signal payload)
- Workspace type or adapter family
- Model class or provider-reported identifier, normalized in user dashboards
- Timestamp
- Token counts (input, output, cache_read, cache_write)
- Computed cost in USD
- Latency metrics (time-to-first-token, total latency)
- Dimension tags (hashed user identifier, project name, team, environment)
FORG is metadata-only and zero-trace: we do not store prompt text, completion content, code, tool inputs or outputs, system prompts, or other message content. Those content fields are designed not to leave your machine, and the server-side sanitizer enforces this boundary.
1.3 Usage data
When you use the forg.pro website or dashboard, we may collect standard operational and analytics metadata such as page views, browser type, referring URL, and IP address.
1.4 Communications
If you contact us by email or through our support system, we retain those communications to provide support and improve our service.
2. How we use your information
- To provide, maintain, and improve the FORG service
- To process payments and manage your subscription
- To send transactional emails, including license activation, billing receipts, and budget alerts
- To respond to support requests
- To detect fraud and enforce our Terms of Service
- To comply with legal obligations
We do not sell your personal information. We do not use your signal metadata to train machine learning models without your explicit consent.
3. Compliance posture
FORG holds no third-party compliance certifications today. GDPR and CCPA alignment are self-attested based on metadata-only collection, self-serve export, and self-serve cascading deletion workflows; they are not independently audited certifications. HIPAA support and BAAs are not offered today.
4. Data sharing
We share your information with sub-processors necessary to provide the service:
- Cloudflare — edge compute, storage, network services, TLS, and DDoS mitigation
- Supabase — database infrastructure
- Stripe — payment processing
- Email provider — transactional email
We do not share your personal information with third parties for their own marketing or advertising purposes.
5. Data retention
Signal data retention depends on your plan: ~90 days (Solo), ~24 months (Team), and custom retention (Enterprise). Account information is retained for the lifetime of your account plus 90 days after deletion. Audit logs are retained per plan terms.
6. Data residency
By default, metadata is processed and stored in the United States. Enterprise customers may elect EU data residency for applicable metadata where available.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Delete your personal information
- Export your data in a portable format
- Object to or restrict certain processing
- Lodge a complaint with a supervisory authority
You can export and delete your data through self-serve workflows where available, or contact us at hello@forg.pro. We will respond within 30 days.
8. California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:
- Right to know — the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties we share it with
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service
- Right to non-discrimination — we will not discriminate against you for exercising these rights
To exercise your CCPA rights, use the self-serve export or deletion workflows where available, or contact hello@forg.pro. We will respond within 45 days (extendable by 45 additional days with notice). We do not respond to browser Do Not Track signals.
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email, IP address), commercial information (subscription history), and internet/electronic activity metadata. We have not sold or shared personal information.
9. Security
We implement security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, metadata-only server-side sanitization, MFA for administrative access, and daily point-in-time recovery backups with 30-day retention. No penetration test has been completed yet.
10. Children
FORG is not directed to children under 16. We do not knowingly collect personal information from children under 16.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on forg.pro/legal/privacy with an updated effective date.
12. Contact
UpgradIQ, Inc.
Privacy inquiries: hello@forg.pro
Legal entity: UpgradIQ, Inc. (Delaware corporation)