Privacy Policy | Forge Tomorrow

1. Introduction

This Privacy Policy explains how Forge Tomorrow ("we," "us," "our") collects, uses, stores, shares, and protects your personal information when you use our website, applications, and services (the "Services").

We respect your privacy and do not sell your personal data, including as "sale" or "sharing" is defined under the GDPR, UK GDPR, or CCPA/CPRA.

We also do not use behavioral or tracking-based advertising. Any ads on our platform are contextual only and never involve the sale or disclosure of your personal data to advertisers.

This Policy applies to all users worldwide.

2. Data We Collect

2.1 Information You Provide

Account data (name, email address, hashed password)
Professional profile details (bio, skills, work history, links)
Uploaded content (documents, résumé files, portfolios, posts, images)
Messages and communications with other users
Billing information (processed by PCI-compliant payment processors)

2.2 Automatically Collected Data

IP address and approximate region
Browser, device, and operating system details
Log data and interaction patterns
Cookies, session tokens, and authentication data
Anonymous or aggregated usage analytics

2.3 Sensitive Data

Forge Tomorrow does not request, collect, or process sensitive personal data, including:

Health or medical information (PHI)
Biometric identifiers (face data, fingerprints, voiceprints)
Genetic data
Sexual orientation
Religious or philosophical beliefs
Racial or ethnic origin
Precise geolocation
Union membership

We do not use facial recognition, voice recognition, or other biometric authentication systems. Users should not upload medical records or similarly sensitive documents to the platform.

3. How We Use Your Data

We use your personal data only for legitimate and clearly defined purposes:

To provide, operate, and improve the Services
To enable messaging, networking, and collaboration
To deliver AI-powered insights, content summaries, and opportunity recommendations
To personalize your experience within the platform
To process payments and manage subscriptions
To detect, prevent, and investigate fraud, abuse, or security incidents
To comply with legal obligations

3.1 Contextual, Non-Tracking Ads

Forge Tomorrow may display contextual, non-behavioral ads based solely on the page or feature you are using (for example, showing résumé services while you are using the Résumé Builder).

These ads:

Do not use personal or behavioral profiling
Do not track you across sites or sessions
Do not use third-party ad pixels or tracking scripts
Do not share or sell personal data to advertisers

We never use interest-based or behavioral advertising.

4. Legal Bases for Processing (GDPR & UK GDPR)

Where required by European or UK law, we rely on the following legal bases:

Performance of a contract – to provide and support the Services you request.
Your consent – for optional features such as certain AI tools or non-essential cookies.
Legitimate interests – such as securing our Services, preventing fraud, improving functionality, and supporting business operations, when these interests are not overridden by your rights.
Compliance with legal obligations – for example, financial record-keeping and responding to lawful requests.

5. Messaging Privacy

Messages you send through Forge Tomorrow are private and encrypted in transit.

Automated systems may scan message content only for security, spam, or violations of our acceptable use policies.

We do not sell, share, or use private messages for advertising or training external AI models.

6. Cookies & Tracking Technologies

We use cookies and similar technologies primarily for:

Authentication and keeping you signed in
Session management and load balancing
Security and fraud prevention
Basic, privacy-preserving performance analytics

We do not use third-party advertising or cross-site tracking cookies.

Users in the EU, UK, and other applicable regions will see a cookie consent banner where required by law.

7. AI Data Processing

Our AI features may analyze your profile, posts, and uploaded documents to generate insights, summaries, recommendations, or to help match you with opportunities. This occurs only when you use those AI features.

We minimize the use of identifiable personal data and never train third-party generative AI models on your personal data without your explicit, opt-in consent.

8. Sharing of Personal Data

We do not sell your personal data and we do not share it for advertising or cross-context behavioral advertising purposes under any privacy law.

We only disclose personal data in the following limited cases:

Service providers and sub-processors – trusted third parties under contract with us, who process data solely to help us operate the Services, such as:
- Cloud hosting, storage, and infrastructure (e.g., Vercel, Railway, Supabase)
- Payment and billing processors (e.g., Stripe)
- Email delivery and messaging (e.g., Zoho Mail / Workplace, Brevo, EmailJS)
- AI model inference (e.g., OpenAI, Grok/xAI, Groq) – only when you actively use AI features and only with the minimum necessary data
- Security, cookie consent, and analytics tools (e.g., privacy- preserving analytics, Cookie-Script)
- Professional advisors (lawyers, accountants, auditors) bound by confidentiality obligations
A complete, up-to-date list of our current sub-processors and the limited data each receives is available at forgetomorrow.com/subprocessors or by emailing privacy@forgetomorrow.com.
Other Forge Tomorrow users – when you choose to interact with them (for example, messaging, sending a connection request, applying to a job, or making your profile or posts public).
Legal and safety reasons – when required by law, in response to valid legal process, or to protect the rights, property, or safety of Forge Tomorrow, our users, or the public.
Corporate transactions – in connection with a merger, acquisition, financing, or sale of all or part of our business. Where legally feasible, we will provide notice before your data is transferred or becomes subject to a different privacy policy.

9. International Data Transfers

Your personal data may be transferred to and processed in countries other than your own, including the United States. These countries may have data protection laws that are different from those in your country.

Whenever we transfer personal data internationally, we use appropriate safeguards such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Privacy Framework participation by certain service providers (where applicable)
Contractual and technical protections with our sub-processors to safeguard your information

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law.

Typical retention periods include:

Account data: retained while your account is active and for up to 180 days after deletion, to allow for audit, fraud prevention, and backup integrity.
Messages: typically retained for up to 2 years after your last activity, to help investigate abuse or security issues.
Billing records: retained for up to 7 years to meet tax, audit, and legal requirements.

After these periods, data is either securely deleted or irreversibly anonymized.

11. Security & Multi-Factor Authentication

We use industry-standard technical and organizational measures to protect your personal data, including encryption in transit, access controls, and infrastructure monitoring.

We may offer optional multi-factor authentication (MFA) to add an extra layer of security to your account. MFA may use email-based verification codes or time-based one-time passcodes (TOTP) generated by an authentication app. MFA does not require biometrics or other sensitive personal data.

12. Your Privacy Rights

Depending on your location and applicable law, you may have some or all of the following rights:

Access your personal data
Correct inaccurate or incomplete data
Delete your personal data
Restrict or object to certain processing
Request data portability
Withdraw consent where processing is based on consent (this does not affect the lawfulness of processing before withdrawal)
Opt out of AI training use where applicable
Lodge a complaint with a supervisory authority if you believe your rights have been violated

To exercise these rights, contact us at privacy@forgetomorrow.com. We will respond within 30 days or within the timeframe required by applicable law.

California residents: You have additional rights under the CCPA/CPRA. We do not "sell" or "share" your personal information as those terms are defined by the CCPA/CPRA.

13. Children

Our Services are not directed to individuals under 16 years of age, and we do not knowingly collect personal data from children under 16. When you register for an account, you are asked to confirm that you are at least 16 years of age. If we learn that we have collected personal data from a child under 16, we will take steps to delete that information as soon as possible and may suspend or terminate the associated account.

If you are a parent or legal guardian and believe that your child has provided personal data to us in violation of this Policy, please contact us at privacy@forgetomorrow.com so we can review and, where appropriate, delete the information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make material changes, we will notify you by email, in-app notification, or a prominent notice on our website before the changes take effect. Where required by law, we will obtain your consent to significant changes.

15. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, you can contact us at:

Email: privacy@forgetomorrow.com

Legal entity: Forge Tomorrow, Inc.
Registered address: PO Box, Cottontown, TN, USA

Effective Date: December 2025

FORGE TOMORROW – PRIVACY POLICY