Last updated: June 2026
ForgeSec collects your email address (for authentication and alerts), scan results from your system (CVE findings, package versions, system config status), and basic usage data (scan frequency, features used). We do not collect source code, file contents, or personal documents.
Your scan results are used solely to display your security dashboard and send you alerts when critical vulnerabilities are found. We do not sell your data, share it with third parties, or use it for advertising. Scan history is stored to track your security posture over time and can be deleted on request.
Your data is stored in Supabase (PostgreSQL) hosted in Southeast Asia. Scan results are retained for 12 months and then automatically deleted. Email addresses are retained until you delete your account.
All data is transmitted over HTTPS. API keys and credentials are never stored — ForgeSec only stores the findings, not the secrets it discovers. Row-level security ensures users can only access their own data.
We use Supabase (database/auth), Resend (email), OpenRouter (AI explanations), Vercel (hosting), and Railway (backend hosting). Each operates under its own privacy policy. AI scan explanations are processed by Anthropic's Claude model via OpenRouter — scan summaries (not your raw data) are sent for analysis.
You can request deletion of your account and all associated data at any time by emailing hello@forgesec.co. We will process deletion requests within 7 days.
For privacy questions: hello@forgesec.co