Legal

Privacy Policy

Last updated: May 28, 2026 · Effective: May 28, 2026

This Privacy Policy describes how UpgradIQ, Inc. ("UpgradIQ," "FORG," "we," "us," or "our") collects, uses, and shares information about you when you use our services, including the FORG agent, the forg.pro website, and the FORG dashboard (collectively, the "Service").

1. Information we collect

1.1 Account information

When you create a FORG account, we collect your email address, name, and payment information (processed by Stripe — we do not store card numbers). We also assign you a license key in the format lic_<20hex>.

1.2 Signal data

The FORG agent is designed to collect metadata fields from your AI tool sessions (FORG Signal Schema v3):

  • Session identifier (ephemeral UUID, not linked to your account identity in the signal payload)
  • Workspace type or adapter family
  • Model class or provider-reported identifier, normalized in user dashboards
  • Timestamp
  • Token counts (input, output, cache_read, cache_write)
  • Computed cost in USD
  • Latency metrics (time-to-first-token, total latency)
  • Dimension tags (hashed user identifier, project name, team, environment)

FORG is designed not to collect prompt text, completion content, file contents, system prompts, or other content of your AI interactions. This boundary is enforced at the agent level.

1.3 Usage data

When you use the forg.pro website or dashboard, we collect standard web analytics including page views, browser type, referring URL, and IP address. We use Vercel Analytics for web analytics, which does not use cookies.

1.4 Communications

If you contact us by email or through our support system, we retain those communications to provide support and improve our service.

2. How we use your information

  • To provide, maintain, and improve the FORG service
  • To process payments and manage your subscription
  • To send transactional emails (license activation, billing receipts, rule alerts)
  • To respond to support requests
  • To detect fraud and enforce our Terms of Service
  • To comply with legal obligations

We do not sell your personal information. We do not use your signal data to train machine learning models without your explicit consent.

3. k-anonymity and data aggregation

All aggregated query responses enforce a minimum cohort size of k ≥ 5. Queries that would reveal data about fewer than 5 individuals are suppressed. This applies to all dashboard views, API responses, and FORG Atlas answers.

4. Data sharing

We share your information with sub-processors necessary to provide the service:

  • Cloudflare, Inc. — edge compute, TLS, DDoS mitigation
  • Supabase, Inc. — database and vector storage
  • Amazon Web Services — transactional email (SES)
  • Vercel, Inc. — website hosting and web analytics (Vercel Analytics; cookieless)
  • Stripe, Inc. — payment processing

We do not share your personal information with third parties for their own marketing or advertising purposes.

5. Data retention

Signal data retention depends on your plan: 90 days (Developer), 180 days (Team), 1 year (Business), configurable (Enterprise). Account information is retained for the lifetime of your account plus 90 days after deletion. Audit logs are retained per plan terms.

6. Data residency

By default, signal data is processed and stored in the United States. Business+ customers may elect EU data residency. License and identity data (Cloudflare D1) is US-resident regardless of the signal data residency election.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your personal information
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact us at hello@forg.pro. We will respond within 30 days.

8. California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

  • Right to know — the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties we share it with
  • Right to delete — request deletion of your personal information, subject to certain exceptions
  • Right to correct — request correction of inaccurate personal information
  • Right to opt out of sale/sharing — we do not sell or share personal information for cross-context behavioral advertising
  • Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service
  • Right to non-discrimination — we will not discriminate against you for exercising these rights

To exercise your CCPA rights, contact hello@forg.pro. We will respond within 45 days (extendable by 45 additional days with notice). We do not respond to browser Do Not Track signals.

In the preceding 12 months, we have collected the following categories of personal information: identifiers (email, IP address), commercial information (subscription history), and internet/electronic activity (usage logs). We have not sold or shared personal information.

9. Security

We implement industry-standard security measures including TLS encryption in transit, encryption at rest, HMAC-authenticated signals, OS-native keystore for license bundles, and Row-Level Security on all database tables. See our Security page for details.

10. Children

FORG is not directed to children under 16. We do not knowingly collect personal information from children under 16.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on forg.pro/legal/privacy with an updated effective date.

12. Contact

UpgradIQ, Inc.
Privacy inquiries: hello@forg.pro
Legal entity: UpgradIQ, Inc. (Delaware corporation)