This Privacy Policy describes how Bandit Apps LLC ("we," "us," "our," or "Forge") collects, uses, stores, and protects your personal information when you use our services at forgesuite.ai, including ForgeAI Workshop (collectively, the "Services").
We are committed to protecting your privacy and being transparent about our data practices. Bandit Apps LLC is registered in Florida, USA. Our application infrastructure is hosted in Nuremberg, Germany (EU), which means your data is processed within the European Union.
When you create an account, we collect:
Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card number, CVV, or bank account details. Stripe provides us with:
When you use our Services, you upload documents (RFQs, BOMs, datasheets, etc.) for AI processing. See Section 4 for how these documents are handled.
We collect basic usage data including:
We use essential cookies only. See our Cookie Policy for details.
We use your information solely to:
We do not:
We distinguish between two categories of your data: Input Data (the files you upload) and Output Data (the results we generate from them). These are handled very differently.
When you upload a document (drawings, RFQs, BOMs, datasheets, etc.):
We do not retain your input files. Once processing finishes, the original document no longer exists on our systems. No human at Bandit Apps LLC reviews, reads, or has access to your uploaded documents during or after processing.
The AI-generated results from your uploads — extracted parts lists, RFQ analyses, BOM comparisons, quotes, work breakdowns, and other structured output — are retained in your account so you can revisit, re-download, and export them without re-uploading and re-processing.
Output data remains available until:
This approach saves you from re-uploading documents and incurring repeated processing costs while ensuring we never hold your original proprietary files.
You have full control over your output data at all times:
Deletions are immediate and permanent. Deleted data cannot be recovered.
We process your documents through the following AI provider:
| Provider | Data Shared | Data Retention |
|---|---|---|
| Anthropic (San Francisco, CA, USA) | Document content for processing | Zero retention for API usage |
Anthropic's Claude API maintains a zero data retention policy — your documents are not stored, logged, or used for model training. If we add additional AI providers in the future, we will update this section and notify active subscribers via email.
| Subprocessor | Purpose | Data Shared | Data Retention |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment method details, billing address, transaction amounts | Per Stripe's data retention policy; PCI Level 1 compliant |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, tunnels | IP address, request metadata | Minimal; per Cloudflare's privacy policy |
| Hetzner Online GmbH (Nuremberg, Germany) | Application hosting | All data processed by the Services transits Hetzner infrastructure | Per Hetzner's data processing agreement; GDPR-compliant EU hosting |
| Zoho Mail | Transactional email (account notifications, billing receipts, trial onboarding) | Email address, name, subscription tier | Per Zoho's data retention policy; GDPR compliant |
Self-hosted infrastructure (not third-party subprocessors):
Your account data and processing results are stored in a PostgreSQL database hosted on infrastructure in Nuremberg, Germany (EU) under our direct control.
Your uploaded documents are automatically deleted from disk after processing completes. Only the structured output (extracted data, quotes, comparisons) is retained in your account for your ongoing access (see Section 4).
We implement reasonable security measures including:
We do not claim SOC 2, ISO 27001, or other formal security certifications. We are a small operation that takes security seriously and implements industry-standard protections appropriate to our size.
| Data Type | Retention Period | Your Control |
|---|---|---|
| Account information | While your account is active, plus 30 days after account closure | Edit via Account settings; delete by closing account |
| Payment records | As required by tax and financial regulations (typically 7 years) | Managed by Stripe |
| Uploaded documents (input) | Automatically deleted immediately after processing | No action needed — we don't keep them |
| Processing results (output) | Until you delete them, or within 30 days of account closure | Delete individual jobs or all data via Account settings |
| Support correspondence | 1 year after ticket resolution | Request deletion via [email protected] |
| Usage logs | 90 days | Automatically purged |
Key distinction: We never retain your original uploaded files (drawings, BOMs, RFQs). These are deleted from our servers the moment processing completes. We do retain the structured output (extracted data, quotes, comparisons) so you can return to your results without re-uploading. You can delete this output data at any time through the application.
Regardless of where you live, you have the right to:
We do not sell your personal information. We have never sold personal information and have no plans to do so.
If you reside in the EEA, you also have the right to lodge a complaint with your local data protection authority. Your data is processed on servers located in Nuremberg, Germany (EU). The legal bases for our processing are: (a) contractual necessity to provide the Services (Art. 6(1)(b) GDPR), (b) your consent where specifically requested (Art. 6(1)(a) GDPR), and (c) our legitimate interests in operating, securing, and improving the Services (Art. 6(1)(f) GDPR). Note: document content is sent to Anthropic (USA) for AI processing — this international transfer is necessary for service delivery and is covered by Anthropic's standard contractual clauses.
To exercise any data rights, email [email protected] with the subject "Data Rights Request." We will verify your identity and respond within 30 days.
Bandit Apps LLC acts as the data controller for your personal data. For privacy inquiries, contact us at [email protected].
Your data is primarily processed on servers located in Nuremberg, Germany (EU). Document content is transmitted to Anthropic (San Francisco, USA) for AI processing with zero data retention. Payment data is processed by Stripe, Inc. (USA).
When your data is transferred outside the EEA (to Anthropic for AI processing, or to Stripe for payments), these transfers are protected by:
In addition to the rights listed in Section 8, EEA residents have the right to:
We will respond to all data subject requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
If you are a business customer processing personal data of EU residents through our Services, we can provide a Data Processing Agreement (DPA) upon request. Contact [email protected] with the subject "DPA Request."
In the event of a data breach that affects your personal information:
Our Services are not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites.
We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via email at least 30 days before they take effect.
For privacy-related questions, data requests, or concerns:
Forge is operated by Bandit Apps LLC, Florida.