Privacy Policy

Effective Date: March 30, 2026 · Last Updated: 2026-03-31

1. Introduction

This Privacy Policy describes how Bandit Apps LLC ("we," "us," "our," or "Forge") collects, uses, stores, and protects your personal information when you use our services at forgesuite.ai, including QuoteAI, BOMSync, and SpecsAI (collectively, the "Services").

We are committed to protecting your privacy and being transparent about our data practices. Bandit Apps LLC is registered in Florida, USA. Our application infrastructure is hosted in Nuremberg, Germany (EU), which means your data is processed within the European Union.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Name — to identify your account
• Email address — for account access, communications, and support
• Password — stored in hashed form; we cannot view your password

2.2 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card number, CVV, or bank account details. Stripe provides us with:

• Last four digits of your card (for your reference)
• Card brand and expiration date
• Billing address (if provided)
• Transaction records

2.3 Uploaded Documents

When you use our Services, you upload documents (RFQs, BOMs, datasheets, etc.) for AI processing. See Section 4 for how these documents are handled.

2.4 Usage Data

We collect basic usage data including:

• Document processing timestamps and counts
• Features used and service interactions
• IP address and general geographic location
• Browser type and operating system

2.5 Cookies

We use essential cookies only. See our Cookie Policy for details.

3. How We Use Your Information

We use your information solely to:

• Provide, maintain, and improve the Services
• Process your documents and deliver results
• Process payments and manage your subscription
• Send transactional emails (billing receipts, service notices, security alerts)
• Respond to your support requests
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We do not:

• Sell, rent, or trade your personal information to third parties
• Use your data for advertising or marketing purposes (beyond our own service communications)
• Use your uploaded documents to train, fine-tune, or improve any AI or machine learning models

4. Document Processing and Data Flow

When you upload a document to any of our Services:

1. Upload: Your document is transmitted via encrypted connection (TLS) to our server and held in memory
2. Processing: Your document is sent to our AI processing provider (Anthropic Claude) for analysis. Our provider does not retain API inputs or outputs and does not use API data for model training (see Section 5.1)
3. Results: The AI-generated results are returned to you and stored in your account
4. Purge: Your original document is purged from memory after processing completes. It is not written to disk, not backed up, and not recoverable by us or anyone else

Processed results (the output, not your original document) remain available in your account until you delete them or close your account.

We do not use your documents for any purpose other than delivering your requested results. No human at Bandit Apps LLC reviews, reads, or has access to your uploaded documents during or after processing.

5. Subprocessors

5.1 AI Processing Providers

We process your documents through the following AI provider:

Provider	Data Shared	Data Retention
Anthropic (San Francisco, CA, USA)	Document content for processing	Zero retention for API usage

Anthropic's Claude API maintains a zero data retention policy — your documents are not stored, logged, or used for model training. If we add additional AI providers in the future, we will update this section and notify active subscribers via email.

5.2 Infrastructure and Operations

Subprocessor	Purpose	Data Shared	Data Retention
Stripe, Inc.	Payment processing	Payment method details, billing address, transaction amounts	Per Stripe's data retention policy; PCI Level 1 compliant
Cloudflare, Inc.	CDN, DNS, DDoS protection, tunnels	IP address, request metadata	Minimal; per Cloudflare's privacy policy
Hetzner Online GmbH (Nuremberg, Germany)	Application hosting	All data processed by the Services transits Hetzner infrastructure	Per Hetzner's data processing agreement; GDPR-compliant EU hosting

Self-hosted infrastructure (not third-party subprocessors):

• PostgreSQL — Database for account data and processing results. Self-hosted on our dedicated server in Nuremberg, Germany (EU) under our direct control. No third-party database provider is used.

6. Data Storage and Security

6.1 Infrastructure

Your account data and processing results are stored in a PostgreSQL database hosted on infrastructure in Nuremberg, Germany (EU) under our direct control.

Your uploaded documents are not stored on disk. They are processed in memory and purged after results are delivered (see Section 4).

6.2 Security Measures

We implement reasonable security measures including:

• Encryption in transit (TLS/HTTPS for all connections)
• Hashed passwords (bcrypt)
• Token-based authentication
• Network segmentation and firewall rules
• Regular security updates

We do not claim SOC 2, ISO 27001, or other formal security certifications. We are a small operation that takes security seriously and implements industry-standard protections appropriate to our size.

7. Data Retention

Data Type	Retention Period
Account information	While your account is active, plus 30 days after account closure
Payment records	As required by tax and financial regulations (typically 7 years)
Uploaded documents	Deleted after processing is complete
Processing results	While your account is active; deleted within 30 days of account closure
Support correspondence	1 year after ticket resolution
Usage logs	90 days

8. Your Rights

Regardless of where you live, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and all associated data
• Export your data in a portable format
• Object to any processing you believe is unlawful
• Restrict processing of your data under certain circumstances

We do not sell your personal information. We have never sold personal information and have no plans to do so.

If you reside in the EEA, you also have the right to lodge a complaint with your local data protection authority. Your data is processed on servers located in Nuremberg, Germany (EU). The legal bases for our processing are: (a) contractual necessity to provide the Services (Art. 6(1)(b) GDPR), (b) your consent where specifically requested (Art. 6(1)(a) GDPR), and (c) our legitimate interests in operating, securing, and improving the Services (Art. 6(1)(f) GDPR). Note: document content is sent to Anthropic (USA) for AI processing — this international transfer is necessary for service delivery and is covered by Anthropic's standard contractual clauses.

To exercise any data rights, email [email protected] with the subject "Data Rights Request." We will verify your identity and respond within 30 days.

8A. Information for Users in the European Economic Area (EEA)

8A.1 Data Controller

Bandit Apps LLC acts as the data controller for your personal data. For privacy inquiries, contact us at [email protected].

8A.2 Data Processing Location

Your data is primarily processed on servers located in Nuremberg, Germany (EU). Document content is transmitted to Anthropic (San Francisco, USA) for AI processing with zero data retention. Payment data is processed by Stripe, Inc. (USA).

8A.3 International Data Transfers

When your data is transferred outside the EEA (to Anthropic for AI processing, or to Stripe for payments), these transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The receiving party's participation in recognized data protection frameworks
• Contractual obligations requiring equivalent data protection standards

8A.4 Your GDPR Rights

In addition to the rights listed in Section 8, EEA residents have the right to:

• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent — where processing is based on consent, you may withdraw it at any time
• Lodge a complaint — with your local Data Protection Authority (DPA)
• Object to processing — based on legitimate interests, including profiling

We will respond to all data subject requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

8A.5 Data Protection Agreement

If you are a business customer processing personal data of EU residents through our Services, we can provide a Data Processing Agreement (DPA) upon request. Contact [email protected] with the subject "DPA Request."

9. Data Breach Notification

In the event of a data breach that affects your personal information:

• We will notify affected users within 72 hours of becoming aware of the breach
• We will notify relevant data protection authorities as required by applicable law
• Notification will include: the nature of the breach, data affected, steps we are taking, and steps you can take to protect yourself

10. Children's Privacy

Our Services are not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].

11. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via email at least 30 days before they take effect.

13. Contact

For privacy-related questions, data requests, or concerns:

• Email: [email protected]
• Website: forgesuite.ai

---

Forge is operated by Bandit Apps LLC, Florida.