Privacy Policy
Effective: January 1, 2026 — Last updated: March 2026
Forge is built on a simple principle: your code and your AI conversations are yours. This policy explains exactly what we collect, what we don't, and why.
1. Who We Are
Forge is developed and operated by Forge-NC ("we," "us," "our"), based in Wisconsin, USA. Contact: privacy@forge-nc.dev
2. What We Collect and Why
2a. Waitlist Email Address
When you join the waitlist, we collect your email address. We use it only to notify you when Forge is available. We do not sell, rent, or share it with third parties. You can unsubscribe at any time by emailing privacy@forge-nc.dev.
2b. Machine Identifier (License Activation)
When you activate a paid license, Forge generates a stable, anonymous machine identifier (a random hex string derived from your hardware) and sends it to our server once to associate it with your license. This identifier contains no personally identifiable information — it is not your name, IP address, or hardware serial number. After activation, license verification happens entirely offline on your device.
2c. Telemetry (Opt-In Only — Disabled by Default)
Forge includes an optional telemetry system that is disabled by default. You must explicitly enable it in your configuration (telemetry_enabled: true). If enabled, Forge may send a redacted audit bundle to our server at the end of a session. This bundle:
- Does not contain your code, file contents, AI prompts, or AI responses
- Does contain session metadata: model used, turn count, tool call counts, error types, hardware summary (GPU name, VRAM), Forge version, and current working directory path
- Is capped at 512KB per upload
- Is rate-limited to 10 uploads per machine per hour
Telemetry data is used solely to improve Forge's reliability and performance. It is not shared with third parties.
2d. Threat Intelligence Updates (Enabled by Default, Outbound Only)
Forge Crucible™ automatically fetches updated security signature definitions from forge-nc.dev on startup. This is enabled by default (threat_auto_update: true) and can be disabled in your config for air-gapped or offline deployments. This is a download-only request: Forge receives signature data but sends no user data to the server. No authentication, no machine identification, and no telemetry is transmitted during signature updates. To disable: set threat_auto_update: false in ~/.forge/config.yaml.
2e. Bug Reports (Owner/Operator Only)
The bug reporter is disabled by default (bug_reporter_enabled: false). If enabled by a Forge operator, it may file error reports to a private GitHub repository containing: exception type, stack trace (limited to Forge's own code), hardware info, and Forge version. No code, prompts, or file contents are included.
3. What We Never Collect
- Your source code or file contents
- Your AI prompts or AI-generated responses
- Your name, address, or other personal identifiers (unless you provide them to us directly)
- Browsing history or behavior across other websites
4. Cloud AI Providers (User-Configured)
Forge supports optional integration with third-party AI providers such as OpenAI and Anthropic. These integrations require you to supply your own API key and are entirely optional — Forge defaults to local AI via Ollama. If you configure a cloud provider, your conversations are sent to that provider under their own privacy policies. Forge-NC has no access to that data. We are not responsible for third-party providers' data practices.
5. Cookies and Website Analytics
The Forge website (forge-nc.dev) uses session cookies for account authentication only. We do not use advertising cookies, tracking pixels, or third-party analytics platforms.
6. Data Retention
- Waitlist emails: Retained until Forge launches and you are notified, or until you request removal
- License activation records: Retained for the life of your license
- Telemetry bundles: Retained for up to 90 days, then deleted
7. Your Rights
You may request access to, correction of, or deletion of any personal data we hold about you by emailing privacy@forge-nc.dev. We will respond within 30 days. EU and UK residents have additional rights under GDPR; California residents have additional rights under CCPA. Contact us to exercise any of these rights.
8. Children
Forge is not directed at children under 13. We do not knowingly collect data from anyone under 13.
9. Changes to This Policy
We will post updates here and note the "Last updated" date above. Continued use of Forge after changes constitutes acceptance.