Forge Clarity Privacy Policy
Effective Date: [Insert Date] · Version: 1.0 (Draft – for legal review)
This Privacy Policy explains how [Your Legal Company Name] (“we”, “us”) processes personal data when you use Forge Clarity (the “Service”). It is a draft for testing and must be reviewed by qualified lawyers before go-live. It should be read together with our Terms and Conditions.
1. Who we are
Controller: [Your Legal Company Name], [Company Address, City, Country]. Contact: [privacy@example.com]. [Optional: EU representative details if required.]
2. Scope
This Policy applies to personal data processed through the Service (web application), related support, and billing interactions. It does not govern third-party sites linked from the Service.
3. Categories of personal data
We may process:
- Account and profile: name, email address, password hash, role, organisation membership, preferences (e.g. language, theme, date format).
- Service content: project and program data you enter (objectives, health, risks, decisions, milestones, notes, document metadata, etc.), which may include personal data about you or people you add (e.g. stakeholder names).
- Technical and security: IP address, device/browser type, approximate location from IP, logs, timestamps, session and authentication events.
- Support: messages you send us.
- Billing (via Stripe): billing contact details, subscription status, and payment metadata processed by Stripe; we do not store full payment card numbers.
- AI features (optional): when enabled, content you submit for summarisation may be sent to Azure OpenAI as described in our Terms; we configure processing in line with our agreements with Microsoft.
4. Purposes and legal bases (EU/UK framing — confirm with counsel)
- Provide the Service — performance of a contract / legitimate interests.
- Security, abuse prevention, audit logging — legitimate interests / legal obligation.
- Service communications — contract / legitimate interests.
- Billing and tax — contract / legal obligation.
- Product improvement and analytics (if any) — [legitimate interests or consent — to be confirmed].
5. Cookies and similar technologies
We use cookies and similar technologies for authentication, session, security, language/theme preferences, and (if applicable) analytics. [Insert cookie table or link to a separate Cookie Notice after lawyer review.]
6. Recipients and subprocessors
We use service providers (processors) such as [hosting provider], Stripe (payments), email delivery, and, when AI features are enabled, Microsoft Azure OpenAI. We enter into data processing terms where required. A current subprocessor list should be published or available on request after finalisation.
7. International transfers
If personal data is processed outside your country (e.g. EEA/UK), we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms [to be specified with counsel].
8. Retention
We retain personal data for as long as your account is active and for a limited period thereafter for backups, disputes, and legal obligations. Organisation administrators may control certain retention behaviours within the Service. [Insert specific retention periods per category after review.]
9. Your rights
Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to processing, and to lodge a complaint with a supervisory authority. The Service includes self-service export of personal data (JSON) and account deletion with anonymisation where applicable. To exercise rights, contact [privacy@example.com].
10. Organisation tenants
For multi-user organisations, administrators manage users and access (including “Visible to Viewers” settings). Your organisation’s policies may also apply; resolve conflicts with your administrator.
11. Security
We implement technical and organisational measures appropriate to the risk. No online service is completely secure.
12. Children and changes
The Service is not directed at children under [16/18]. We may update this Policy; we will post the new version and adjust the effective date. Material changes should be communicated as described in the Terms.