Privacy Policy

• Forge requires you to sign in with your Apple ID. Your data is encrypted in transit and at rest, stored in our database (Supabase), and accessible only to you via your authenticated account.
• Row-level security ensures other users cannot access your data through the app. Forge's developers have administrative database access for maintenance, support, and account deletion, but our strict internal policy is never to read user content without your explicit consent.
• Your AI coach conversations generate short pastoral summaries that are stored so the coach can remember context across sessions. Full message transcripts are not kept long-term.
• We do not run advertising inside Forge. We do not sell your data to anyone. Ever.
• You can permanently delete your account and all your data anytime from Settings → Account → Delete account. Cascade deletion is immediate and irreversible.

Information you provide directly

When you complete onboarding, Forge asks for:

• Your first name
• Your Christian tradition (Catholic, Protestant, Orthodox, Non-denominational, or Exploring faith)
• Your self-assessment answers about struggle duration, triggers, relapse feelings, and goals
• The virtues you want to embody
• Your future-self vision
• Your preferred reminder times

Information you create while using Forge

• Morning intentions you write
• Evening examen responses (strength, weakness, gratitude)
• Reflections saved during the panic flow
• Relapse events with optional triggers, feelings, and reflections
• Conversations with the AI coach

Information collected automatically

• Authentication identifiers: when you sign in with Apple, we receive a unique user identifier and (optionally) your email address — which may be Apple's privacy-preserving relay address. We use this only to authenticate you.
• Subscription status: Apple tells us whether your subscription is active, in trial, or expired. We do not receive your payment details.
• Product analytics: We use PostHog to understand how the app is used (which screens are reached, where users drop off, which features are tapped). Before you sign in, these events are anonymous. After sign-in, events are tied to your authenticated user identifier so we can analyze whether features actually help users succeed. Analytics events do not include the content of your messages, journals, or reflections.

Forge uses a cloud database (Supabase Postgres) to securely store your account data so it syncs across your devices and survives reinstalling the app. The data flow is straightforward:

• What's synced to our database: profile fields you set during onboarding (name, tradition, virtues, etc.), morning and evening check-in responses, panic-flow reflections, relapse events, AI coach session summaries, and your subscription status.
• Encryption: all data is encrypted in transit (HTTPS) and at rest (Supabase's standard at-rest encryption — the same security layer used by banking apps).
• Access control: row-level security policies tied to your authenticated identity prevent other users from reading your data through the app's API. Forge's developers have administrative database access for legitimate operational purposes (debugging, support, deletion requests). Our internal policy is to never access user content without explicit consent.
• End-to-end encryption: Forge does not currently provide end-to-end encryption. The AI coach feature requires the system to read your messages to generate responses, which is incompatible with E2E. If you have disclosures requiring strict confidentiality, please consider in-person spiritual direction or licensed therapy as more appropriate channels.
• What stays on your device: a local cache mirrors the cloud data so the app works offline. Writes you make while offline are queued and synced when connectivity returns.

The AI coach is the most sensitive feature of Forge, so we want to be specific about how it works:

• Your messages and limited context (your first name, tradition, chosen virtues, current streak, and today's focus) are sent through our backend (Supabase Edge Functions) to Anthropic's Claude API to generate pastoral responses. Communication is over HTTPS.
• We do not store full transcripts of your coach conversations long-term. After a coach session ends, the conversation is summarized into a brief 2-sentence pastoral note (e.g., "Discussed work stress and loneliness as triggers; identified a pattern of late-night isolation") which IS stored. These summaries enable the coach to remember context across sessions without retaining the raw messages themselves.
• Anthropic processes the messages we send them per their privacy policy. They do not train models on Forge users' messages.
• You can delete all your coach summaries (and everything else) by using Settings → Account → Delete account.

• To personalize the app experience (greeting you by name, showing scripture matched to your tradition, surfacing today's training tied to your chosen virtues, generating coach responses with your specific context)
• To send the check-in reminders you configured in Settings
• To sync your data across your devices when you sign in
• To understand usage patterns and improve the product
• To process your subscription through Apple

We do not use your information:

• For advertising or to sell to third parties
• For marketing emails (unless you explicitly opt in)
• To profile you outside the app
• To train AI models

• Account data stays in our database until you delete your account. Cascade deletion is immediate and irreversible.
• AI coach summaries are kept for as long as your account exists, with a rolling window of the most recent ~10 sessions used by the coach for memory.
• Raw coach message transcripts are not stored long-term — only the brief summaries.
• Analytics data is retained by PostHog under their standard retention policy.

You have full control over your data.

• Access: see everything you've written in the Journey timeline within the app.
• Edit: change your name, tradition, virtues, and reminder times in Settings at any time.
• Sign out: end your session on a device without affecting your cloud data. Settings → Account → Sign out.
• Delete: permanently remove your account and all associated data. Settings → Account → Delete account. We cascade-delete every record tied to your account — no backups, no traces.
• Notifications: enable, disable, or reschedule reminders in Settings → Notifications.
• For EU/UK/California residents: you may have additional rights under GDPR or CCPA, including the right to access, correct, delete, or export your data, and to object to processing. Contact us at the email below to exercise any of these.

Forge is intended for adults (18+). We do not knowingly collect data from children under 13. If you believe a child has used Forge, contact us and we will remove any associated data immediately.

We use HTTPS for all data in transit and Supabase's at-rest encryption for stored data. Authentication is handled by Sign in with Apple — Apple holds the credential, not us. Row-level security policies in our database prevent any one user from reading another user's data through the app. Forge's developers retain administrative database access for legitimate operational purposes (debugging, customer support, deletion requests, security incidents); our internal policy is to never read user content without explicit consent. We follow industry-standard security practices but cannot absolutely guarantee security against every conceivable attack.

If we update this policy, we will update the "Last updated" date above and, for material changes, notify you in the app or by email (if you've provided one).

Questions about this policy? Contact us at privacy@theforge.so.