Privacy Policy
Effective date: 2026-04-24 Last updated: 2026-04-24 Controller: ForgeRift LLC, a Wisconsin limited liability company ("ForgeRift", "we", "us", or "our"). Contact: support@forgerift.io
Short version. ForgeRift operates on a two-layer architecture. The plugin layer — the open-source code that runs on your machines — collects nothing about you, your systems, your commands, or your usage. It never phones home. This is an auditable property of the public source code. The subscription service layer — forgerift.io, Stripe billing, and Resend email — collects the minimum data needed to operate a paid service: your email address, billing information (held by Stripe), and transactional email records (held by Resend). This Privacy Policy explains both layers in detail.
1. Scope
This Privacy Policy explains how ForgeRift handles personal data in connection with:
- The forgerift.io website,
- The
local-terminal-mcpandvps-control-mcpplugins and their repositories on GitHub, - Our support channels (email and GitHub issues),
- Paid Subscriptions (current and future), including billing via Stripe and transactional email via Resend.
It does not cover third-party platforms (Anthropic, GitHub, Stripe, Resend, Let's Encrypt / sslip.io) except to describe how we use them. Those platforms have their own privacy practices and policies, which you should review directly.
2. What we collect — the two-layer architecture
2.1 Plugin layer — collects nothing
Neither local-terminal-mcp nor vps-control-mcp transmits usage data, command history, output, credentials, filesystem contents, telemetry, crash reports, or any other data to ForgeRift or any third party under ForgeRift's control. Audit logs produced by the plugins are stored on Your Systems only and never leave them. This is a deliberate design choice and an auditable property of the publicly available source code — you can verify it by reading the source at github.com/forgerift. This applies to official releases as published in the ForgeRift GitHub repositories. Users should verify plugin integrity using checksums published in each GitHub release. The Plugins do not transmit data to Anthropic beyond the normal Claude API interactions you initiate through the Claude interface.
The plugin layer is the source-available software distributed in each repository. It runs entirely on infrastructure you own or control. ForgeRift has no network access to your machines, no visibility into your commands, and no telemetry pipeline.
2.2 Subscription service layer — collects minimum necessary data
When you interact with forgerift.io or create a paid Subscription, ForgeRift (or its sub-processors on our behalf) collects:
- Email address — collected at sign-up; used to identify your account, send transactional emails (receipts, renewal reminders, support replies), and communicate material service changes.
- Billing information — payment is processed by Stripe, Inc. ForgeRift receives a Stripe Customer ID, last-four card digits, card brand, and billing country from Stripe. We do not receive or store your full card number, CVC, or bank account details — those are held by Stripe under their PCI-DSS Level 1 certification.
- Subscription and invoice records — plan type, billing period, invoice dates, and payment status, retained for accounting and support purposes.
- Transactional email records — delivery and open events for receipts and system notifications, processed by Resend, Inc. on our behalf. Email open events are recorded via a standard 1×1 tracking pixel embedded in transactional emails; you can prevent open tracking by disabling automatic image loading in your email client.
The free tier does not require an account — no email address is collected from you unless you create a paid Subscription or contact us for support.
2.3 When you email support
If you email support@forgerift.io or any other ForgeRift address, we receive: the email address you send from, any name or signature you include, the body and attachments of your message, and standard email metadata. We use this only to respond to you and to maintain a support history in case of follow-up.
2.4 When you use our GitHub repositories
If you open an issue, discussion, or pull request on a ForgeRift repository at github.com/forgerift/*, GitHub processes your GitHub username, any personal data you include in the post, and standard GitHub metadata. This content is public. We review, respond to, and retain that content to support the project.
2.5 When you visit forgerift.io
The forgerift.io website is a static site served by GitHub Pages. GitHub logs standard web-server information (IP address, user agent, request path, referrer) in accordance with the GitHub Privacy Statement. GitHub Pages may set functional cookies necessary for serving the static site (e.g., session or load-balancing cookies set by GitHub's infrastructure). ForgeRift does not add any analytics, advertising pixels, fingerprinting, or session recording scripts to forgerift.io. If we introduce privacy-respecting analytics in the future (e.g., Plausible or Fathom — no cookies, aggregated IPs only), we will update this Policy and disclose the processor before enabling them. See also our Cookie Policy at forgerift.io/cookies for the full list of cookies set on this site.
2.6 When you contact us for security disclosure
If you email security@forgerift.io or use GitHub's private vulnerability reporting, we receive your report and any contact detail you provide. We treat security correspondence confidentially and use it only to triage and remediate.
3. How we use your data
We use the data described in Section 2 only to:
- Operate, bill, and support your paid Subscription,
- Respond to your support requests, security reports, and GitHub activity,
- Send transactional emails (receipts, renewal reminders, payment failure notices, material service changes),
- Maintain a support history for continuity if you contact us again,
- Comply with legal obligations and defend against legal claims.
We do not sell, rent, or share your personal data with third parties for their own marketing. We do not use your data to train machine-learning models. We do not profile you for advertising.
4. Legal bases (GDPR / UK GDPR)
For users in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing are:
- Performance of a contract (Art. 6(1)(b) GDPR): operating and billing your paid Subscription, handling support requests you initiate.
- Legitimate interests (Art. 6(1)(f) GDPR): maintaining support history, handling security reports, defending legal claims, operating and improving forgerift.io. We balance these interests against your rights and provide the objection right in Section 7.
- Legal obligation (Art. 6(1)(c) GDPR): responding to valid legal process, retaining records for tax and accounting law.
- Consent (Art. 6(1)(a) GDPR): used only if we later add an opt-in marketing list. Consent is not used for any processing today.
5. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Google LLC (Gmail / Google Workspace) | Support inbox for inbound email at support@forgerift.io and security@forgerift.io | U.S. (global infrastructure) | Email content, sender address, attachments |
| GitHub, Inc. | Source code hosting, issue tracker, static site hosting (GitHub Pages), private vulnerability reporting | U.S. (global infrastructure) | GitHub username, post content, standard web-server logs |
| Stripe, Inc. | Payment processing, subscription management, invoicing | U.S. (global infrastructure) | Email address, Stripe Customer ID, billing country, card brand and last four digits, invoice records |
| Resend, Inc. | Transactional email delivery (receipts, renewal reminders, payment failure notices) | U.S. | Email address, delivery and open events for system notifications |
| Supabase, Inc. | Subscription record storage and authentication token lookup for paid plugins (forgerift-payments service) | U.S. (AWS us-east-1) | Email address, authentication token, subscription plan, subscription status, Stripe Customer ID, Stripe Subscription ID, trial and grace-period timestamps |
| Cloudflare, Inc. | Support email routing (Cloudflare Email Worker forwards inbound email at support@forgerift.io to our inbox) | U.S. (global infrastructure) | Email address, email content, sender metadata — in transit only; not stored by Cloudflare beyond standard log retention |
| Let's Encrypt / ISRG, and sslip.io | TLS certificate issuance for vps-control-mcp installations (on your VPS, not on ours) |
U.S. / Germany | Domain name, certificate requests — no personal data passes through ForgeRift in this flow |
International transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. We will update this list before adding a new sub-processor that materially expands processing of personal data.
6. Retention
The table below shows, for each data category, where the data actually lives, how long it is kept, and how you can get a copy or request deletion.
| Data category | Actual keeper | Retention duration | Export / deletion path |
|---|---|---|---|
| Support email (inbound and our replies) | Gmail (Google Workspace) | Up to 3 years after last correspondence | Email support@forgerift.io to request deletion. Gmail export available on request. |
| GitHub issues, PRs, and discussions | GitHub, Inc. | As long as the repository exists; public content remains public unless the post is deleted | Delete your post via GitHub, or contact GitHub to remove your data under their privacy policy. |
| Security reports (via email or GitHub) | Gmail / GitHub | Up to 5 years for audit and regulatory purposes | Contact support@forgerift.io or GitHub. Deletion may be limited where retention is required by law. |
| Subscription and account records (email, plan, status) | Stripe, Inc. + ForgeRift records | Until Subscription ends, then 7 years for tax/accounting compliance | Request via support@forgerift.io. Stripe Customer Portal self-service once enabled. |
| Billing and payment data (card brand, last four, invoices) | Stripe, Inc. | Per Stripe's retention policy (typically 7 years for tax records) | Managed via Stripe Customer Portal or request via support@forgerift.io. |
| Transactional email delivery records | Resend, Inc. | Per Resend's retention policy (typically 90 days of event logs) | Request deletion via support@forgerift.io. |
| forgerift.io web-server logs | GitHub Pages (GitHub, Inc.) | Controlled by GitHub's standard logging policies | Governed by GitHub's Privacy Statement; contact GitHub directly. |
Shutdown / service closure. If ForgeRift ceases operations, we will give at least 30 days' notice, delete or anonymize all personal data we directly hold within 90 days of closure, and assist subscribers in requesting deletion from Stripe and Resend as applicable.
7. Your rights
Depending on where you live, you may have rights under GDPR, UK GDPR, the California Consumer Privacy Act / CPRA, and other laws:
- Access the personal data we hold about you,
- Correct inaccurate data,
- Delete personal data ("right to be forgotten") subject to exceptions,
- Restrict or object to certain processing,
- Port your data in a machine-readable format,
- Withdraw consent at any time (where processing relies on consent),
- Not be subject to discrimination for exercising your rights (CCPA),
- Lodge a complaint with a supervisory authority (for EU/UK users — typically the authority in your country of residence).
To exercise any of these rights, email support@forgerift.io. We aim to respond within thirty (30) days; GDPR allows one extension of up to sixty (60) days for complex requests.
Additional U.S. state privacy rights. Residents of states with comprehensive consumer privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (SB 6), Utah (UCPA), and Texas (TDPSA) — have similar rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing. Virginia, Colorado, and Connecticut residents additionally have the right to appeal our response to a privacy rights request: if we deny your request, you may submit an appeal to support@forgerift.io with the subject line "Privacy Rights Appeal" and we will respond within the timeframe required by applicable law, along with a written explanation of our decision. If your appeal is denied, you may contact your state Attorney General.
We do not sell personal data, do not share it for cross-context behavioral advertising, and do not engage in automated decision-making that produces legal or similarly significant effects on you. The "do not sell or share" disclosure required under CCPA and equivalent state laws applies trivially here — there is nothing to opt out of.
Business customers requiring a Data Processing Agreement may request one — see Section 5.2 of the Terms of Service at forgerift.io/terms.
8. Children
The Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. If we learn we have collected such data, we will delete it promptly. Contact us at support@forgerift.io if you believe a child under 13 has provided us personal data.
9. Security
We use industry-standard measures to protect data we hold: account credentials are stored with reputable providers (Gmail, GitHub, Stripe, Resend) that enforce two-factor authentication and role-based access controls, administrative access is limited to ForgeRift personnel, and security correspondence is handled confidentially. No system is perfectly secure. If we learn of a breach affecting your personal data, we will notify affected users as required by applicable law.
10. International transfers
ForgeRift operates in the United States. If you are outside the U.S., your data may be transferred to and processed in the U.S. and other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards.
11. Accessibility
ForgeRift is committed to making forgerift.io reasonably accessible to people with disabilities. We aim to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA on a best-effort basis. This is an ongoing effort — if you encounter an accessibility barrier on forgerift.io, please contact us at support@forgerift.io and we will work to address it. This commitment applies to the forgerift.io website; accessibility of third-party platforms (Anthropic Claude, GitHub, Stripe) is governed by those platforms' own policies.
12. Do Not Track
Our website does not respond to Do Not Track signals. We do not track you across sites for advertising purposes, so there is nothing meaningful to respond to.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated Policy at forgerift.io/privacy and revise the "Last updated" date. For changes that materially reduce your privacy rights, we will give at least thirty (30) days' advance notice through the Services or by email (if we have it). Your continued use of the Services after an update means you accept the updated Policy.
14. Contact and complaints
For privacy questions, requests, or complaints, email support@forgerift.io.
- EU / EEA users: you may also complain to your local data protection authority. A list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- UK users: you may complain to the Information Commissioner's Office at https://ico.org.uk.
- California users: you may contact the California Privacy Protection Agency or California Attorney General.
ForgeRift LLC 5821 W Mineral St, West Allis, WI 53214, U.S.A. Email: support@forgerift.io Security: security@forgerift.io Website: https://forgerift.io
End of Privacy Policy.