Legal

Privacy Policy

Last updated: 4 June 2026

01Who we are

The Forge ("we", "us", "our") is a habit and self-development platform operated by The Forge Ltd, a company registered in England and Wales. We are the data controller responsible for your personal data under UK data protection law (the UK GDPR and the Data Protection Act 2018).

This policy explains what we collect when you register on theforgeltd.com, complete onboarding, support the project, or use the app, and what we do with it.

02The short version

We built The Forge specifically because most apps treat you like a product to be harvested. We do not. Here is the honest summary:

  • We collect the minimum we need to run the beta and your account.
  • We never sell your data. Ever.
  • We only email you marketing if you opt in — and you can leave any time.
  • We never see or store your password or your card details.
  • You can ask us to delete everything we hold on you, and we will.

The detail below explains exactly how that works.

03Information we collect

Depending on how you use The Forge, we may collect:

  • Identity & contact — your operator name and email address, provided when you register.
  • Onboarding profile — your answers to the onboarding questions (the Comfort Loop you want to break, your growth path, your motivation, your target and the reason for it), the character class you choose, and the plan tier you select.
  • Account credentials — when you create an account we use Firebase Authentication. If you sign up with email and password, your password is handled and stored by Firebase and is never visible to us. If you sign in with Google or Apple, we receive only the basic profile information you authorise (typically name and email).
  • Communication preferences — whether you opted in to product updates and news.
  • Supporter & payment information — if you contribute through a supporter tier or "Buy Me a Coffee", your payment is processed by Stripe or Buy Me a Coffee. We do not receive or store your full card details — only confirmation of the contribution and limited details such as the tier, amount, and the name or email associated with it.
  • Technical data — your IP address (used for security and rate-limiting), and basic device/browser information and local storage needed to make the site work.

04How we use your information, and our legal basis

Under the UK GDPR we must have a lawful basis for each use of your data. Ours are:

  • To provide the beta, your account and onboarding carry-over — basis: performance of a contract (or steps taken at your request before entering one).
  • To send you the TestFlight invite and essential service emails about your account — basis: performance of a contract.
  • To send product updates, launch news and operator news — basis: your consent, which you give via the opt-in toggle and can withdraw any time.
  • To process supporter contributions and deliver the associated perks — basis: performance of a contract and our legitimate interest in funding the build.
  • To keep the service secure, prevent abuse and rate-limit requests — basis: our legitimate interests in protecting the platform.
  • To meet accounting, tax and other legal duties relating to payments — basis: legal obligation.

05Who we share it with

We do not sell your data and we do not share it for anyone else's marketing. We do use a small number of trusted service providers ("processors") to run The Forge. Each only processes your data on our instructions:

  • Google Firebase (Authentication & Firestore) — account sign-in and storing your operator profile.
  • Resend — sending transactional emails and managing the optional mailing list.
  • Stripe — processing supporter-tier payments.
  • Buy Me a Coffee — processing voluntary contributions made through that platform.
  • Vercel — hosting the website and processing standard server logs.
  • Apple TestFlight — distributing the beta app, if you choose to install it.

We may also disclose data if required by law, or to protect our rights, safety, or property.

06International transfers

Some of our processors are based outside the UK, including in the United States. Where your data is transferred internationally, we rely on appropriate safeguards — such as UK adequacy regulations or the International Data Transfer Agreement / Standard Contractual Clauses — so that your data keeps an equivalent level of protection.

07How long we keep it

We keep your personal data only as long as we need it:

  • Account and profile data — for as long as your account is active, and for a reasonable period afterwards in case you return.
  • Marketing list — until you unsubscribe or ask to be removed.
  • Payment records — for as long as required by law (typically up to six years for UK accounting purposes).

When we no longer need your data, we delete or anonymise it.

08Your rights

Under UK data protection law you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased ("right to be forgotten").
  • Restrict or object to how we process your data.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where we rely on consent.

To exercise any of these, contact us using the details below. We will respond within one month. You also have the right to complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk, though we'd appreciate the chance to put things right first.

09Cookies & local storage

We keep this minimal. We use essential browser storage to make the site work — for example, to carry your details from registration into onboarding, and to keep you signed in. Our payment and authentication providers (Stripe, Firebase) may set their own cookies needed to function securely. We do not use invasive advertising trackers.

10Data security

We use reputable infrastructure providers, encrypted connections (HTTPS), and authentication handled by Google Firebase. No system is ever completely secure, but we take reasonable technical and organisational measures to protect your data.

11Children

The Forge is intended for users aged 16 and over. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12Changes to this policy

As The Forge grows out of beta, this policy may change. We will update the date at the top and, for significant changes, let you know by email or in the app.

13Contact us

For any privacy question or to exercise your rights, email hello@theforgeltd.com. The Forge Ltd is registered in England and Wales.

Terms of Service →Register as Operator