
Privacy Policy

Last updated: February 28, 2026

This Privacy Policy describes how Magnitude Labs Inc., a Delaware corporation ("Company," "we," "us," or "our"), collects, uses, and protects your personal information when you use the FORGE platform, website (goforgeit.com), desktop application, and cloud services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1. Information You Provide

Account Information. When you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Contact Information. If you contact us for support, submit feedback, or request a download, we collect your email address and any information you include in your message. Our feedback feature may also collect screenshots and technical context that you voluntarily submit.

Billing Information. If you subscribe to a paid plan, our payment processor Stripe collects your payment method details (credit card, billing address). We receive your Stripe customer ID and subscription status but do not directly store your payment card numbers.

User Settings and Preferences. We store your application settings, including privacy preferences, telemetry controls, and feature configurations, locally on your device at ~/.forge/settings.json.

1.2. Information Collected Automatically

Usage Analytics. We use PostHog to collect analytics data including: pages visited, features used, session duration, button clicks, and other interaction events. See Section 6 for details on our tiered privacy controls.

Device and Browser Information. We collect browser type and version, operating system, device type, screen resolution, timezone, and locale.

IP Address. Your IP address is collected for analytics and approximate geographic location. We do not use IP addresses for precise geolocation tracking.

Cookies. We use cookies as described in Section 10 below.

Application Logs. In cloud mode, application-level logs (errors, warnings, and informational events) may be transmitted to our infrastructure for debugging and service reliability purposes. These logs do not contain AI conversation content unless you have enabled content sharing (see Section 6).

1.3. AI Agent and Terminal Data

IMPORTANT: Content Sharing Is Enabled by Default. By default, the Service collects AI conversation content, terminal output, tool call data, and code snippets generated during your sessions. This data is transmitted to our analytics infrastructure (PostHog) and, for cloud/Pro users, to our cloud relay servers. You may disable this at any time through the Privacy settings in the application (see Section 6).

When content sharing is enabled, we collect:

  • AI conversation messages (prompts you send and responses received)
  • Terminal output and session buffers
  • Tool calls and their responses
  • Code snippets visible in terminal sessions

When content sharing is disabled, we do not collect any of the above. Basic usage analytics (page views, feature usage, session duration) are still collected as described in Section 6.

1.4. Source Code

In local mode, your source code and project files remain entirely on your device. We do not access, collect, or transmit your source code through the Service. However, if you have content sharing enabled, code snippets that appear in terminal output or AI conversations may be included in the data described in Section 1.3.

1.5. API Keys and Credentials

Your AI Service API Keys. You provide your own API keys for AI services (such as Anthropic Claude, Google Gemini, or OpenAI). These keys are stored locally on your device (in ~/.forge/settings.json or your system environment variables). We do not transmit your API keys to our servers.

OAuth Tokens. If you connect third-party services (see Section 4), OAuth access and refresh tokens are stored locally on your device with restricted file permissions (owner-only read/write). These tokens are not transmitted to our servers.

2. How We Use Your Information

We use the information we collect to:

Provide the Service. Authenticate your identity, manage your Account, process subscriptions, and deliver the features you use.

Improve the Service. Analyze usage patterns to understand how the Service is used, identify bugs, and prioritize features.

Communicate with You. Send transactional emails (download links, verification), respond to support requests, and notify you of material changes to the Service or these policies.

Process Payments. Manage your Subscription, process charges, and handle billing inquiries through Stripe.

Ensure Security. Detect and prevent fraud, abuse, and unauthorized access.

Comply with Law. Respond to legal requests and enforce our Terms of Service.

We do not use your information to serve advertisements. We do not sell your personal information.

3. Third-Party AI Service Providers

The Service enables you to interact with third-party AI services using your own API keys. When you use these services through FORGE, your prompts, code context, and other inputs are sent directly from your device to the AI provider. We do not intercept, proxy, or store this data on our servers.

Each AI provider has its own privacy policy, data retention practices, and terms of service. By using these providers through the Service, you are subject to their respective terms:

3.1. Anthropic (Claude)

When you use Claude through FORGE, your prompts and AI responses are governed by Anthropic's policies:

  • Training: Anthropic does not use API data to train models (this differs from their consumer products).
  • Retention: API inputs and outputs are retained for 7 days for abuse monitoring, then deleted.
  • Zero Data Retention: Available for enterprise API customers by agreement with Anthropic.
  • Anthropic's Privacy Policy: https://www.anthropic.com/privacy

3.2. Google (Gemini)

When you use Gemini through FORGE, your prompts and AI responses are governed by Google's policies:

  • Training (Paid API): Google does not use paid-tier API data to train models.
  • Training (Free Tier): If you are using a free-tier Gemini API key, Google may use your inputs and outputs to improve their products and services, and human reviewers may read your data. We strongly recommend using a paid-tier API key if you are working with sensitive or proprietary code.
  • Retention: Prompts and responses are retained for up to 55 days for abuse monitoring.
  • Google's Gemini API Terms: https://ai.google.dev/gemini-api/terms

3.3. OpenAI (GPT / Codex)

When you use OpenAI models through FORGE, your prompts and AI responses are governed by OpenAI's policies:

  • Training: OpenAI does not use API data to train models by default (opt-in only).
  • Retention: API inputs and outputs are retained for up to 30 days for abuse monitoring, then deleted.
  • Zero Data Retention: Available for eligible customers by agreement with OpenAI.
  • OpenAI's Privacy Policy: https://openai.com/policies/privacy-policy

3.4. Deepgram (Voice Transcription)

If you use voice features in the Service, audio data is sent to Deepgram for speech-to-text transcription:

  • Data Sent: Audio recordings in WebM/Opus format.
  • Purpose: Real-time transcription of voice input.
  • Deepgram's Privacy Policy: https://deepgram.com/privacy

3.5. Your Responsibility

You are responsible for reviewing and agreeing to each AI provider's terms before using their services through FORGE. We recommend reviewing their data handling practices, especially if you are working with confidential, proprietary, or regulated data.

4. Third-Party Connected Services (OAuth Integrations)

The Service optionally supports connecting to third-party productivity services via OAuth. These connections are initiated by you and can be disconnected at any time. When connected, the Service accesses data from these services on your behalf:

4.1. Google Workspace

If you connect Google Workspace, the Service may access:

  • Gmail: Read, compose, and manage email messages and labels.
  • Google Calendar: View and manage calendar events.
  • Google Drive: Search and access files.
  • Google Docs: Read and edit documents.
  • Google Sheets: Read and write spreadsheet data.

4.2. Slack

If you connect Slack, the Service may access:

  • Channel lists, message history, and direct messages.
  • User profiles within your workspace.

4.3. Asana

If you connect Asana, the Service may access:

  • Tasks, projects, and workspaces.
  • Task assignments and status updates.

4.4. Microsoft 365

If you connect Microsoft 365, the Service may access:

  • Outlook: Email messages and calendar events.
  • Microsoft To Do: Task lists and items.

4.5. How Connected Service Data Is Handled

  • OAuth tokens are stored locally on your device with restricted file permissions.
  • Data from connected services is accessed in real time and is not permanently stored by the Service.
  • We do not transmit your OAuth tokens or connected service data to our servers.
  • You can disconnect any service at any time through the Service's settings, which revokes the OAuth tokens.

4.6. MCP (Model Context Protocol) Servers

Connected services may be accessed through MCP servers, which are local processes that run on your device. These servers facilitate communication between AI agents and third-party services using your stored OAuth tokens. MCP server traffic remains local to your device unless the connected service itself requires network communication.

5. How We Share Your Information

We share your information only in the following circumstances:

5.1. Service Providers

We use the following third-party services to operate the Service:

Google Cloud Platform

Infrastructure hosting (Cloud Run, Cloud SQL, Cloud Storage). Data shared: Account data, session metadata, and (if content sharing is enabled) session content.

Google OAuth

Authentication. Data shared: Name, email, profile picture (received from Google during sign-in).

Stripe

Payment processing. Data shared: Email, subscription details, billing information.

PostHog

Product analytics. Data shared: Usage events, device information, IP address, and (if content sharing is enabled) AI conversation data and terminal output.

Resend

Transactional email. Data shared: Email address, email content.

These providers process data on our behalf and are contractually obligated to protect it.

5.2. Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Magnitude Labs Inc., our users, or the public.

5.3. Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such transfer.

5.4. With Your Consent

We may share your information for any other purpose with your explicit consent.

6. Privacy Controls and Telemetry Tiers

The Service implements a tiered privacy model that gives you control over what data is collected. You can adjust these settings at any time through the Privacy section in Settings.

6.1. Tier 1: Basic Usage (Mandatory)

This data is always collected and cannot be disabled. It includes:

  • Page views and navigation events
  • Authentication events (sign-in, sign-out)
  • Application health and error metrics
  • Performance measurements
  • Subscription and billing status
  • Session duration

This data does not include any content from your AI conversations, terminal sessions, or code.

6.2. Tier 2: Project Metadata (Configurable)

This data includes project and track names, task progress and completion rates, command execution patterns, feature usage statistics, and workflow metrics.

  • Free-tier users: This data is collected by default and cannot be disabled.
  • Pro and Trial users: This data collection is disabled by default and can be enabled in Settings.

6.3. Tier 3: Conversation and Content (Configurable — Enabled by Default)

This data includes AI conversation messages, terminal output, tool calls and responses, and code snippets visible in sessions.

  • All users: This data collection is enabled by default. You can disable it at any time in Settings by turning off "Share Content."
  • When disabled, no conversation content, terminal output, or code snippets are transmitted to our servers.

6.4. Offline Buffering

When your device is offline or our servers are temporarily unavailable, telemetry events and logs are buffered locally on your device (in ~/.forge/telemetry/). This buffered data is automatically transmitted when connectivity is restored, subject to your current privacy settings at the time of transmission.

7. Cloud Relay Mode (Pro Feature)

Pro subscribers may use Cloud Relay mode, which enables features such as mobile access and cross-device session management. In Cloud Relay mode:

7.1. Data Transmitted to Our Cloud Infrastructure

  • Session metadata: Session identifiers, state updates, and notifications.
  • Terminal data: If content sharing is enabled (see Section 6.3), terminal input and output are streamed in real time through our cloud infrastructure via WebSocket connections.
  • Application logs: Informational, warning, and error-level application logs are batched and transmitted to our cloud servers.

7.2. Data Retention in Cloud Relay

  • Terminal session data that passes through our cloud infrastructure is not stored beyond the active session unless you have content sharing enabled (Section 6.3).
  • When content sharing is enabled, session data may be retained for the analytics retention period specified in Section 9.
  • Application logs transmitted to the cloud are retained for the period specified in Section 9.

7.3. Security in Cloud Relay

  • All cloud relay connections use TLS/HTTPS encryption.
  • Authentication uses JWT bearer tokens.
  • WebSocket connections are authenticated and encrypted.

8. Telegram Integration (Chief of Staff Feature)

If you enable the Chief of Staff Telegram integration, the following data is involved:

  • Telegram Bot Token: Stored locally in your settings file on your device.
  • Allowlisted Usernames: You specify which Telegram users can interact with the bot; this list is stored locally.
  • Chat IDs: Known Telegram chat identifiers are stored locally for message routing.
  • Message Content: Messages sent to and from the Telegram bot are processed locally on your device. If content sharing is enabled (Section 6.3), message content may be included in the telemetry data transmitted to our servers.

We do not operate the Telegram service. Your use of Telegram is subject to Telegram's privacy policy.

9. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Account information (name, email): Duration of your Account, plus 30 days after deletion
  • Session cookies: 7 days
  • Download verification cookies: 30 days
  • Agent authentication tokens: 90 days (configurable)
  • Cloud relay JWT tokens: Duration of active session
  • OAuth refresh tokens: Until disconnected or revoked by you
  • Subscription and billing records: Duration of Account plus 7 years (tax/legal compliance)
  • Analytics data (Tiers 1–3): 12 months
  • Application logs (cloud relay): 12 months
  • Support correspondence: 2 years
  • Offline telemetry buffers (local): Until transmitted, then deleted locally

After the retention period, data is deleted or anonymized.

10. Cookies

We use a limited number of cookies to operate the Service:

  • forge_session: Cloud authentication session. Duration: 7 days (Essential)
  • forge_local_user: Desktop mode user identity. Duration: Session (Essential)
  • conductor_session: Legacy cloud authentication session. Duration: 7 days (Essential, deprecated)
  • conductor_local_user: Legacy desktop user identity. Duration: Session (Essential, deprecated)

Third-Party Cookies. PostHog may set cookies for analytics purposes. You can opt out of PostHog tracking by enabling "Do Not Track" in your browser settings.

We do not use advertising cookies or tracking pixels.

11. Data Security

We implement reasonable technical and organizational measures to protect your personal information, including:

  • Encryption in transit (TLS/HTTPS) for all data transmitted to and from the Service.
  • Encryption at rest for stored data on our cloud infrastructure.
  • HMAC-SHA256 signed session tokens with timing-safe comparison.
  • HttpOnly, Secure cookies with SameSite protections.
  • PKCE (Proof Key for Code Exchange) for all OAuth flows.
  • Restricted file permissions (owner-only read/write) for locally stored credentials and tokens.
  • Access controls limiting employee access to personal data.
  • Regular security reviews and dependency updates.

Local Storage Note: API keys and OAuth tokens stored locally on your device (in ~/.forge/settings.json and ~/.forge/oauth-tokens/) are stored in plaintext with restricted file permissions. We recommend ensuring your device has full-disk encryption enabled for additional protection.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we strive to use commercially reasonable protections.

12. Your Rights

12.1. All Users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you.
  • Delete your account and associated personal information.
  • Control your privacy settings, including disabling content sharing and project metadata collection (see Section 6).
  • Disconnect any third-party service integrations at any time.
  • Opt out of non-essential data collection as described in Section 6.

12.2. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.

Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing a transaction, security).

Right to Opt-Out of Sale. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

Exercising Your Rights. To exercise any of these rights, contact us at legal@goforgeit.com. We will verify your identity before processing your request and respond within 45 days.

Authorized Agents. You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization, and we may require you to verify your identity directly.

12.3. European Economic Area, Switzerland, and United Kingdom (GDPR)

If you are located in the EEA, Switzerland, or the UK, you have the following additional rights under the General Data Protection Regulation (GDPR):

Right of Access. You have the right to obtain confirmation of whether we process your personal data and to access that data.

Right to Rectification. You have the right to correct inaccurate personal data.

Right to Erasure. You have the right to request deletion of your personal data, subject to legal obligations.

Right to Restriction. You have the right to restrict processing of your personal data in certain circumstances.

Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object. You have the right to object to processing of your personal data based on legitimate interests.

Exercising Your Rights. To exercise any of these rights, contact us at legal@goforgeit.com. We will respond within 30 days.

International Transfers. The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to legitimize such transfers where required. Our third-party AI service providers (Anthropic, Google, OpenAI) each maintain their own data processing agreements with Standard Contractual Clauses for international data transfers.

13. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal information, contact us at legal@goforgeit.com.

14. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service with at least 30 days' notice. The "Last Updated" date at the top indicates when the policy was last revised. Continued use after changes take effect constitutes acceptance.

16. Contact Us

For questions, concerns, or requests related to this Privacy Policy, contact us at:

Magnitude Labs Inc.

Email: legal@goforgeit.com

Website: goforgeit.com

For privacy-specific requests (data access, deletion, opt-out), please include "Privacy Request" in your email subject line.

© 2026 FORGE Inc. All rights reserved.