1. Introduction
PolicyForges, Inc. ("PolicyForges," "we," "our," or "us") is committed to protecting the privacy of our customers, users, and visitors. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our enterprise policy and compliance management platform at policyforges.io (the "Platform") or any related services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use our Services.
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you voluntarily provide when using our Services, including:
- Account Registration: Name, email address, job title, company name, phone number, and password when creating an account.
- Organizational Information: Company size, industry, geographic location, and organizational structure details necessary to configure your policy management environment.
- Policy Content: Documents, policies, procedures, governance frameworks, and other content you create, upload, or manage within the Platform.
- Payment Information: Billing address, payment method details processed securely through our payment processor. We do not store full credit card numbers.
- Communications: Messages, support tickets, survey responses, and any other information you provide when contacting our team.
- Employee Data: Information about your employees submitted through the Platform for policy distribution, acknowledgement tracking, and compliance monitoring purposes.
2.2 Information Collected Automatically
When you access our Services, we automatically collect certain technical information, including:
- IP address, browser type and version, operating system, device identifiers, and network information
- Usage data including pages visited, features used, time spent, click patterns, and navigation paths
- Log files recording errors, access attempts, and system events
- Session tokens, authentication logs, and security audit records
- Performance metrics and application diagnostics
2.3 Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking technologies to operate and improve our Services. Please review our Cookie Policy for detailed information about how we use these technologies and how to manage your preferences.
3. How We Use Your Information
PolicyForges uses the information we collect for the following purposes:
- Providing, operating, and maintaining the Platform and our Services
- Processing your subscription, billing, and account management
- Authenticating users and maintaining platform security
- Enabling policy creation, distribution, approval workflows, and employee acknowledgement tracking
- Sending transactional communications including policy notifications, approval requests, and acknowledgement reminders
- Providing customer support and responding to inquiries
- Analyzing usage patterns to improve product features and user experience
- Detecting, investigating, and preventing fraudulent or unauthorized use
- Complying with legal obligations, regulatory requirements, and lawful requests
- Protecting the rights, property, and safety of PolicyForges, our customers, and others
4. Legal Basis for Processing (EEA/UK Customers)
If you are located in the European Economic Area (EEA) or United Kingdom, our legal basis for collecting and processing your personal data includes:
- Contract Performance: Processing necessary to fulfill our contractual obligations to provide the Services under your subscription agreement.
- Legitimate Interests: Processing necessary for our legitimate business interests in operating and improving the Platform, provided these interests are not overridden by your rights.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
- Consent: Processing based on your explicit consent where required, including for certain marketing communications.
5. How We Share Your Information
PolicyForges does not sell, rent, or trade your personal information. We may share information only in the following limited circumstances:
- Service Providers: Trusted third-party vendors that assist in operating our Platform, including cloud infrastructure providers, payment processors, email delivery services, and analytics providers. These parties are contractually bound to protect your data.
- Business Transfers: In connection with a merger, acquisition, asset sale, or similar transaction, your information may be transferred as part of the business assets.
- Legal Requirements: When required by law, subpoena, court order, or governmental authority, or when necessary to protect our legal rights.
- With Your Consent: With your explicit consent or at your direction for purposes you have authorized.
6. Data Retention
We retain your personal data for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy. Specifically:
- Account data is retained for the duration of your subscription plus 90 days following termination to facilitate data export.
- Audit logs and compliance records are retained for a minimum of 7 years to support regulatory compliance requirements.
- Billing and financial records are retained as required by applicable tax and accounting laws.
- Marketing data is retained until you withdraw consent or opt out.
7. Data Security
PolicyForges implements comprehensive technical and organizational security measures to protect your information, including AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, multi-factor authentication, regular security assessments, and SOC 2 Type II ready infrastructure. However, no electronic transmission or storage system is 100% secure, and we encourage you to use strong passwords and protect your account credentials.
8. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data, subject to our legal retention obligations.
- Portability: Request transfer of your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request restriction of processing in certain circumstances.
- Withdrawal of Consent: Withdraw consent where processing is based on consent.
To exercise these rights, contact our Privacy Team at privacy@policyforges.io. We will respond within 30 days (or as required by applicable law).
9. International Data Transfers
PolicyForges operates globally. If you access our Services from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required.
10. Children's Privacy
Our Services are designed for enterprise business use and are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such information, please contact us immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. We will notify you of material changes via email or prominent notice within the Platform at least 30 days before changes take effect. Your continued use of the Services after changes become effective constitutes your acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
PolicyForges, Inc. — Privacy Team
Email: privacy@policyforges.io
Address: PolicyForges, Inc., San Francisco, CA, USA
Data Protection Officer: dpo@policyforges.io