Privacy Policy

How Optima Forge collects, uses, and protects your data.

Effective Date: March 1, 2026

Last Updated: March 1, 2026

Optima Forge ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, APIs, and related services (collectively, the "Service"). Please read this policy carefully to understand our practices regarding your personal data.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, company name, and billing information when you create an account or subscribe to a paid plan.
  • API Keys and Credentials: Provider API keys you configure for LLM routing. These are encrypted at rest and never logged in plaintext.
  • Communications: Information you provide when contacting support, submitting feedback, or participating in surveys.
  • Payment Information: Credit card numbers and billing details processed through our payment processor (Stripe). We do not store full card numbers on our servers.

1.2 Information Collected Automatically

  • Usage Data: API request metadata, including request timestamps, response times, provider selections, token counts, and error rates. We do not log request or response content by default.
  • Device and Browser Data: IP address, browser type, operating system, and device identifiers when you access the Forge Dashboard.
  • Observability Data: Performance traces, cost metrics, and quality scores collected by our Langfuse integration for service improvement.
  • Cookies and Tracking: Session cookies for authentication and analytics cookies for understanding platform usage. See Section 8 for our cookie policy.

1.3 Information from Third Parties

  • Authentication Providers: Identity information from Clerk (our authentication provider), including SSO/SAML assertions for enterprise accounts.
  • Forge Connect: When you connect third-party accounts via Forge Connect (powered by Pipedream), we receive OAuth tokens and account metadata. We do not access or store the underlying data from connected services beyond what is necessary for tool execution.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service, including AI routing, security pipeline processing, and memory systems.
  • Process payments and manage subscriptions, including x402 micropayment credits.
  • Enforce security policies through our 7-layer ForgeGuard pipeline, including input/output scanning, PII detection, and prompt injection prevention.
  • Generate usage analytics and cost reports for your dashboard.
  • Send service-related communications, including security alerts, billing notifications, and feature announcements.
  • Detect, prevent, and address fraud, abuse, and security vulnerabilities.
  • Comply with legal obligations and enforce our Terms of Service.
  • Improve our routing algorithms, quality scoring, and cost optimization (using anonymized, aggregated data only).

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

  • LLM Providers: API requests are forwarded to your configured LLM providers (e.g., OpenAI, Anthropic, Google) for processing. Each provider's privacy policy governs their handling of that data.
  • Service Providers: We use sub-processors for infrastructure (Oracle Cloud), authentication (Clerk), payments (Stripe), observability (Langfuse), and connectivity (Pipedream). Each operates under data processing agreements.
  • Legal Requirements: When required by law, court order, or governmental authority, or to protect our rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
  • With Your Consent: When you explicitly authorize sharing with a specific third party.

4. Data Retention

  • Account Data: Retained for the duration of your account plus 30 days after deletion.
  • API Usage Logs: Metadata retained for 90 days (Pro), 1 year (Ultimate), or per agreement (Enterprise). Free tier logs are retained for 7 days.
  • Memory Data: Retained per your tier: 7 days (Free), 90 days (Pro), unlimited (Ultimate/Enterprise). You can delete memory data at any time via the API.
  • Billing Records: Retained for 7 years as required by tax and financial regulations.
  • Audit Logs: Security audit logs retained for 30 days (Pro), 1 year (Ultimate), or unlimited (Enterprise).

5. Data Security

We implement comprehensive security measures to protect your data:

  • All data encrypted at rest using AES-256 encryption.
  • All data encrypted in transit using TLS 1.3.
  • API keys stored using Agent-Vault with credential isolation.
  • 8-stage ForgeGuard security pipeline processes every request.
  • SpiceDB and OPA enforce authorization on every API call.
  • Regular penetration testing and vulnerability assessments.
  • SOC 2 compliance program (Type I in progress, Type II planned).

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to Portability: Receive your personal data in a structured, machine-readable format.
  • Right to Restrict Processing: Request limitation of processing in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@optima-forge.com. We will respond within 30 days. Enterprise customers with a Data Processing Agreement should contact their account team.

7. Your Rights Under CCPA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose.
  • Right to Delete: Request deletion of personal information we have collected from you.
  • Right to Opt-Out: We do not sell personal information. If this changes, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact privacy@optima-forge.com. We will verify your identity before processing your request.

8. Cookie Policy

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and core platform functionality. Cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the platform. Can be disabled via your browser settings.
  • Preference Cookies: Remember your settings, such as theme preferences and dashboard configurations.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

9. International Data Transfers

Our primary infrastructure is hosted on Oracle Cloud. Data may be transferred to and processed in countries outside your jurisdiction. For EEA users, we rely on Standard Contractual Clauses (SCCs) for international data transfers. Enterprise customers can configure data residency routing to keep data within specific geographic regions.

10. Children's Privacy

Optima Forge is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for significant changes, by sending an email to the address associated with your account. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

If you are an EU/EEA resident, you also have the right to lodge a complaint with your local data protection supervisory authority.