Privacy Policy
Last updated: May 5, 2026
This Privacy Policy explains what information ForgeBoards (operated by Austin Barikdar) collects, why we collect it, how we use it, and the rights you have over it. By using the Service you agree to the practices described below.
1. Information We Collect
Account information
When you create an account we collect your email address, a display name, and (if you sign in with Google or GitHub) the basic profile fields those providers share with us. Passwords, when used, are stored only as salted hashes by our authentication provider (Supabase Auth).
Content you create
Boards, lists, cards, comments, checklists, attachments, and any text you ingest into an AI agent’s memory are stored on our backend so we can render them back to you and your collaborators.
Operational data
We collect logs and metadata necessary to run the Service: timestamps of API requests, IP addresses for rate limiting, error traces, OAuth client identifiers, AI quota usage counters, and a lightweight activity feed of board events. We do not collect precise location, device fingerprints, or behavioural advertising data.
Cookies
We use a small number of strictly necessary cookies to keep you signed in and to remember your interface preferences (such as light/dark theme). We do not use third-party advertising or analytics cookies.
2. How We Use Your Information
- To operate the Service: authenticate you, render your boards, sync changes, send notifications.
- To enforce our security model: rate limits, AI operation quotas, abuse prevention.
- To provide AI-assisted features: text you embed flows through our embedding pipeline so the agent can recall it later. We do not use Your Content to train any machine-learning model.
- To communicate with you: account-related emails (sign-in confirmations, password resets, security alerts) and, where you opt in, occasional product updates.
- To comply with legal obligations.
3. AI and Agent Features
Connecting an MCP-compatible agent (such as Claude Desktop) to ForgeBoards authorises that agent to act on your behalf within the permission level you hold on each board. Information the agent reads is processed by the agent’s vendor under that vendor’s privacy terms — not ours. Embeddings (numeric representations of text) used by the semantic-memory feature are computed inside our infrastructure and stored scoped to the originating board.
4. Sharing and Disclosure
We do not sell your personal information. We share data only:
- With board collaborators you explicitly add.
- With anyone who possesses a public read-only share link you (or an editor on your board) created — until that link expires or is revoked.
- With our infrastructure subprocessors (see the next section), under contracts that bind them to confidentiality and use limitations.
- When required by law, valid legal process, or to protect the rights and safety of users or the public.
- In the event of a merger, acquisition, or asset sale, in which case we will give you advance notice.
5. Subprocessors
ForgeBoards runs on the following infrastructure providers, who process limited data on our behalf:
- Supabase — managed Postgres, authentication, storage, and Edge Functions. Stores your account and Your Content.
- Vercel — application hosting and CDN.
- Cloudflare — DNS and edge security.
- Upstash — Redis-based rate limiting (request metadata only; no Your Content).
We will update this list when we add or change material subprocessors.
6. Data Retention
We retain Your Content while your account is active. When you delete an account, we delete or anonymise associated personal data within 30 days, except where retention is required by law or for legitimate operational reasons (such as fraud prevention or backup-rotation cycles, after which copies expire automatically). Activity-log entries are pruned after 90 days. Expired share links and OAuth authorisation codes are removed on a recurring schedule.
7. Security
We use industry-standard safeguards including TLS in transit, encryption at rest at the infrastructure layer, row-level security on every database table, scoped service-role usage, OAuth 2.1 with PKCE for agent authorisation, and refresh-token rotation with family-based replay detection. No system is perfectly secure; if you discover a vulnerability, please report it to Austinbarikdar@gmail.com.
8. Your Rights
Depending on where you live, you may have rights under privacy laws such as the GDPR (EU/UK) or CCPA/CPRA (California), including:
- The right to access, correct, or delete your personal information.
- The right to receive a copy of your data in a portable format.
- The right to object to or restrict certain processing.
- The right to withdraw consent for processing based on consent.
- The right to lodge a complaint with a supervisory authority.
To exercise any of these rights, email us at Austinbarikdar@gmail.com. You can also delete your account at any time from the profile screen, which removes your personal data from active systems.
9. Children
ForgeBoards is not directed at children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children below that age; if you believe we have, contact us and we will delete it.
10. International Transfers
Our infrastructure providers may store and process data in regions outside your home country. Where required (for example, transfers out of the EEA/UK), our subprocessors operate under standard contractual clauses or equivalent safeguards.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If a change is material, we will give reasonable notice (in-product or by email). The “Last updated” date at the top of this page reflects the latest revision.
12. Contact
For privacy questions or to exercise your rights, email Austinbarikdar@gmail.com.