Privacy Policy

Version 1.2 - Last updated: January 2025

Overview: At Forge APIs ("we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our products including DupeCheck, RiskScore API, and other services.

By using our services, you agree to the collection and use of information in accordance with this policy.

Table of Contents

  • Information We Collect
  • Product-Specific Data Handling
  • Legal Basis for Processing
  • How We Use Your Information
  • Information Sharing & Disclosure
  • Data Security Measures
  • Data Retention Periods
  • Your Privacy Rights
  • GDPR Compliance (EU/UK)
  • California Privacy Rights (CCPA)
  • Cookies & Local Storage
  • Age Restrictions
  • Data Breach Notification
  • Privacy FAQs
  • Changes to This Policy
  • Contact Information

Information We Collect

Information You Provide

  • Account Information: Email address, name, and company name when you sign up
  • Payment Information: Processed securely through Stripe (we don't store card details)
  • API Usage Data: API keys, request logs, and usage metrics (API products only)
  • Uploaded Files: Temporarily processed files for analysis (DupeCheck)
  • Support Communications: Information you provide when contacting support

Information Collected Automatically

  • Log Data: IP addresses, browser type, operating system, and request timestamps
  • Usage Analytics: Feature usage, response times, and error rates
  • Device Information: Anonymous device identifiers for usage tracking
  • Local Storage: Authentication tokens and user preferences

Product-Specific Data Handling

🔍 DupeCheck - Duplicate Invoice Detector

What we process:

  • Invoice files (CSV/Excel) are processed in server memory only
  • Files are analyzed for duplicate patterns and immediately discarded
  • We NEVER store your actual invoice data, vendor information, or amounts

What we store:

  • Registered Users: Analysis summaries (filename, counts, date) for 90 days
  • Paid Users Only: Top 20 duplicate summaries (no sensitive data) for 90 days
  • Anonymous Users: Device token for 7 days (usage tracking only)
  • All Users: No raw invoice data is ever stored

📊 RiskScore API

What we process:

  • API request data for risk scoring algorithms
  • Pattern analysis without creating persistent profiles
  • No automated decision-making about individuals

What we store:

  • API request logs for 30 days (debugging and security)
  • Aggregated usage metrics (non-identifiable)
  • No personal profiles or individual tracking

Legal Basis for Processing (GDPR)

We process personal data based on the following legal grounds:

  • Contract Performance: To provide the services you've subscribed to
  • Legitimate Interests: For fraud prevention, security, and service improvement
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: For marketing communications (where applicable)

How We Use Your Information

We use the collected information for:

  • Providing and maintaining our services
  • Processing payments and managing subscriptions
  • Sending service updates and technical notices
  • Responding to support requests
  • Monitoring and analyzing usage patterns to improve our services
  • Detecting and preventing fraud or abuse
  • Complying with legal obligations

Information Sharing & Disclosure

We do not sell, trade, or rent your personal information. We may share information with:

  • Service Providers:
    • Stripe - Payment processing
    • Railway - Application and database hosting
    • Cloudflare - CDN and security
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Your Consent: When you explicitly agree to sharing
  • Aggregated Data: We may share anonymized, aggregated data that cannot identify you

Data Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • All data transmission is encrypted using HTTPS/TLS
  • Passwords are hashed using bcrypt (never stored in plain text)
  • API keys are encrypted and securely stored
  • Regular security audits and vulnerability assessments
  • Limited access to personal data on a need-to-know basis
  • Secure data centers with physical security controls
  • Rate limiting to prevent abuse

However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

Data Retention Periods

We retain your information for as long as necessary to provide our services and comply with legal obligations:

DupeCheck Specific:

  • Analysis Summaries: 90 days (automatically deleted)
  • Anonymous Usage: 7 days (automatically deleted)
  • Uploaded Files: Immediately deleted after processing

General:

  • Account Data: Active account + 90 days after closure
  • API Request Logs: 30 days
  • Payment Records: 7 years (legal requirement)
  • Support Communications: 2 years after resolution
  • Password Reset Tokens: 1 hour

Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal requirements)
  • Portability: Request your data in a portable format
  • Objection: Object to certain processing of your data
  • Restriction: Request restriction of processing
  • Withdraw Consent: Where processing is based on consent

To exercise these rights, please contact us at privacy@forgeapis.com.

GDPR Compliance (EU/UK)

For users in the European Economic Area (EEA) and United Kingdom:

  • We process data based on legitimate interests, contract fulfillment, or consent
  • You have additional rights under GDPR including data portability and erasure
  • We respond to all valid requests within 30 days
  • You have the right to lodge a complaint with your supervisory authority
  • We maintain records of processing activities as required
  • Data transfers outside the EEA use Standard Contractual Clauses

California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: What personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do NOT sell personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, California residents can contact privacy@forgeapis.com.

Cookies & Local Storage

We use minimal browser storage for functionality:

DupeCheck:

  • Authentication: JWT tokens in localStorage
  • Device Tracking: Anonymous identifier for free usage limits
  • User Preferences: Email for display purposes
  • No tracking cookies: We don't use analytics or advertising cookies

API Products:

  • APIs don't use cookies - authentication via headers
  • Dashboard may use session cookies for login

Age Restrictions

Our services are strictly for users 18 years and older.

We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@forgeapis.com for deletion.

Data Breach Notification

In the event of a data breach that poses risk to your rights and freedoms:

  • We will notify affected users within 72 hours of discovery
  • We will notify relevant supervisory authorities as required by law
  • We will document all breaches and measures taken
  • We will provide information about the nature and impact of the breach
  • We will advise on steps you can take to protect yourself

Frequently Asked Questions About Privacy

Does Forge APIs sell my personal data?

No, we never sell your personal data. We do not sell, rent, or trade your personal information to third parties for marketing purposes or any other reason. Your data is used solely to provide our services to you. We may share data with essential service providers (like payment processors) but only to the extent necessary to operate our services.

What data does DupeCheck store from my uploaded invoices?

DupeCheck never stores your actual invoice data. When you upload a file, we process it entirely in server memory and immediately delete it after analysis. We only retain high-level summaries (like "analyzed 500 invoices, found 12 duplicates on January 15th") for 90 days to show in your dashboard history. We never store vendor names, amounts, invoice numbers, or any sensitive financial information.

Is Forge APIs GDPR compliant?

Yes, we are fully GDPR compliant for EU and UK users. We act as a data processor for your data, implement appropriate security measures, respect all data subject rights (access, deletion, portability, etc.), maintain processing records, provide data breach notifications within 72 hours, and use Standard Contractual Clauses for any data transfers outside the EEA. You can exercise your GDPR rights by contacting privacy@forgeapis.com.

How long do you keep my data?

Retention periods vary by data type: DupeCheck analysis summaries are kept for 90 days then automatically deleted; API request logs are retained for 30 days; account information is kept while your account is active plus 90 days after closure; payment records are retained for 7 years (legal requirement); and uploaded files are immediately deleted after processing. You can request deletion of your data at any time by contacting us.

What security measures protect my data?

We implement industry-standard security including: TLS 1.3 encryption for all data transmission, bcrypt password hashing (never storing plain text), encrypted API key storage, regular security audits, rate limiting to prevent abuse, secure data centers with physical security, limited staff access on a need-to-know basis, and automatic session expiration. However, no internet transmission is 100% secure, so we recommend you also follow security best practices like using strong passwords and enabling two-factor authentication.

Can I request a copy of all my data?

Yes, you have the right to data portability. You can request a complete export of your personal data in a machine-readable format (JSON or CSV) by emailing privacy@forgeapis.com with your account details. We'll respond within 30 days with your data export. This includes your account information, analysis summaries, API usage logs, and any other personal data we hold about you.

Do you use cookies or tracking?

We use minimal tracking. DupeCheck stores authentication tokens and user preferences in localStorage, plus an anonymous device identifier for free usage limits (automatically deleted after 7 days). We do not use advertising cookies, social media trackers, or third-party analytics cookies. Our APIs authenticate via headers and don't use cookies at all. The dashboard may use session cookies only for login authentication, which expire when you close your browser.

What happens if there's a data breach?

In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery via email. We'll explain what data was compromised, what we're doing to address it, and steps you can take to protect yourself. We'll also notify relevant supervisory authorities as required by GDPR and other privacy laws. All breaches are documented and investigated thoroughly to prevent recurrence.

Can I delete my account and all my data?

Yes, you can delete your account at any time through your account settings or by contacting privacy@forgeapis.com. Upon deletion, we immediately remove access to your account and schedule all associated data for permanent deletion. Most data is deleted within 90 days, except payment records which we must retain for 7 years for legal compliance. You'll receive confirmation once the deletion is complete.

Who has access to my data at Forge APIs?

Access to personal data is strictly limited on a need-to-know basis. Only authorized employees and contractors who require access to provide or improve our services can view your data. All staff sign confidentiality agreements and receive privacy training. We use role-based access controls, audit logs to track data access, and revoke access immediately when no longer needed. We never share access credentials and require multi-factor authentication for all internal systems.

Changes to This Policy

  • Current Version: 1.2
  • Effective Date: January 2025
  • Material changes will be notified via email to registered users
  • Continued use after changes constitutes acceptance
  • Previous versions available upon request

Contact Information

For questions about this Privacy Policy or our data practices:

  • Privacy Inquiries: privacy@forgeapis.com
  • General Inquiries: hello@forgeapis.com
  • Website: forgeapis.com
  • Response Time: Within 48 hours (within 30 days for GDPR requests)
  • Terms of Service: View our Terms of Service
  • Data Processing Agreement: Contact us for enterprise DPA

Final Important Notice

By using Forge APIs services, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You agree to our data processing practices
  • You are responsible for any data you submit to our services
  • You will comply with applicable privacy laws for your own users
