Legal
Privacy Policy
Last updated: 13 July 2026
1. About this Privacy Policy
Forge API respects your privacy and is committed to handling personal information responsibly.
This Privacy Policy explains what information we collect, why we collect it, how we use it, who we may share it with, how long we keep it and the rights available to you.
This policy applies when you use the Forge API website, dashboard, account features, subscriptions and hosted mock API services available through:
https://getforgeapi.com2. Who we are
Forge API currently operates from the United Kingdom under the trading name Forge API.
For personal information relating to Forge API accounts, website visitors, subscriptions and support communications, Forge API normally acts as the data controller.
Trading name: Forge API
Website: https://getforgeapi.com
Privacy email: privacy@getforgeapi.com
Support email: support@getforgeapi.com
Business location: United Kingdom
3. Information you provide to us
Account information
- Your full name.
- Your email address.
- Your password credentials, which are handled securely by our authentication provider.
- Your email-verification status.
- Your account identifier.
- Your account creation date.
- Your profile settings.
- Your current subscription plan.
Project and endpoint information
- Project names.
- Project descriptions.
- Generated public project keys.
- Endpoint names and paths.
- HTTP request methods.
- HTTP response status codes.
- Response headers.
- JSON response bodies.
- Endpoint activation settings.
- Response-delay settings where available.
- Creation and modification timestamps.
Payment and subscription information
- Your selected plan.
- Your subscription status.
- Stripe customer and subscription identifiers.
- Billing name and address where provided.
- Billing country.
- VAT or tax details where required.
- Payment dates and renewal information.
- Limited payment-method details such as card type and final digits.
Communications
When you contact us, we may collect your name, email address, message, attachments and any information required to respond to your enquiry.
4. Information collected automatically
When you use the website, dashboard or generated mock API endpoints, we may automatically collect technical and usage information.
- IP address.
- Browser type and version.
- Device type.
- Operating system.
- Requested URL.
- Project key and endpoint path.
- HTTP request method.
- HTTP response status.
- Request date and time.
- Monthly request count.
- Endpoint usage statistics.
- Error and diagnostic information.
- Rate-limit activity.
- Security and abuse indicators.
- Approximate country or region derived from an IP address.
- Referring website where available.
We aim to collect only the information reasonably required to operate, secure and improve Forge API.
5. Mock API content
You must not upload:
- Real passwords.
- Private encryption keys.
- Production access tokens.
- Complete payment-card details.
- Confidential production credentials.
- Medical or health information.
- Information about children.
- Sensitive employee or customer records.
- Personal information that is not genuinely required for testing.
Generated endpoint URLs may be accessible to anyone who knows or discovers the URL. You should therefore assume that mock responses are publicly accessible.
Where you place personal information in a mock response, you are responsible for ensuring that you have a lawful basis, appropriate permissions and suitable safeguards.
6. How we use personal information
We may use personal information to:
- Create and administer user accounts.
- Verify email addresses.
- Authenticate users.
- Provide the Forge API dashboard.
- Create and operate mock API projects.
- Return configured JSON responses.
- Generate public project URLs.
- Calculate monthly usage.
- Enforce project, endpoint and request limits.
- Manage plans and subscriptions.
- Process payments and billing events.
- Send verification, password-reset and security emails.
- Send service and billing notices.
- Provide customer support.
- Investigate errors and outages.
- Protect accounts and infrastructure.
- Detect fraud, abuse and malicious activity.
- Improve service reliability and performance.
- Comply with accounting, tax and legal requirements.
- Establish, exercise or defend legal claims.
- Send optional marketing communications where legally permitted.
7. Our lawful bases
Performance of a contract
We process information where necessary to provide the services you request, including account creation, authentication, subscriptions, hosted endpoints and customer support.
Legitimate interests
We may process information where necessary for legitimate interests such as:
- Maintaining service security.
- Preventing fraud and abuse.
- Monitoring infrastructure.
- Troubleshooting technical problems.
- Improving product reliability.
- Understanding service usage.
- Enforcing our Terms and Conditions.
- Protecting our legal rights.
Legal obligations
We may process and retain information where required for tax, accounting, regulatory, legal or fraud-prevention purposes.
Consent
We may rely on consent for optional analytics technologies, promotional communications or other processing where consent is legally required.
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
8. Authentication
Forge API uses Supabase to provide account authentication and session management.
Authentication information may include:
- Your email address.
- Encrypted password credentials.
- Verification status.
- Authentication session information.
- Password-reset activity.
- Security and login metadata.
Forge API does not intend to store your password in readable form.
9. Payments
Paid subscriptions may be processed by Stripe.
Stripe may collect and process payment information, billing details and fraud-prevention data according to its own privacy practices.
Forge API may receive limited information from Stripe, including:
- Stripe customer identifier.
- Stripe subscription identifier.
- Subscription status.
- Selected price or plan.
- Payment success or failure status.
- Billing period dates.
- Card brand and final digits where available.
10. Transactional emails
Forge API may use Resend or another email-delivery provider to send:
- Email-verification codes.
- Password-reset messages.
- Security notifications.
- Billing notifications.
- Usage-limit notifications.
- Important service notices.
These messages may be necessary to operate and secure your account and may not be optional while your account remains active.
11. Hosting and infrastructure
Forge API currently uses service providers including:
| Provider | Purpose |
|---|---|
| Supabase | Authentication, PostgreSQL database and backend services |
| Vercel | Website hosting, deployment and server infrastructure |
| Stripe | Payment and subscription processing when enabled |
| Resend | Transactional email delivery when enabled |
We may replace or add service providers where reasonably necessary to operate Forge API.
12. Who we share information with
We may share information with:
- Cloud hosting and database providers.
- Authentication providers.
- Payment processors.
- Transactional email providers.
- Security and fraud-prevention providers.
- Error-monitoring and technical-support providers.
- Professional advisers such as accountants, insurers and solicitors.
- Regulators, courts or law-enforcement authorities where legally required.
- A buyer or successor if Forge API is sold, merged or reorganised.
Service providers should only process information for authorised purposes and subject to appropriate contractual terms.
13. International data transfers
Some providers may process information outside the United Kingdom.
Where required, international transfers will rely on an appropriate safeguard, such as:
- A United Kingdom adequacy regulation.
- The UK International Data Transfer Agreement.
- The UK Addendum to approved standard contractual clauses.
- Another legally recognised transfer mechanism.
You may contact us for more information about safeguards relevant to your personal information.
14. Cookies and local storage
Forge API may use cookies or similar browser technologies for:
- Authentication sessions.
- Account security.
- Fraud prevention.
- Remembering essential preferences.
- Password-reset and verification flows.
- Billing processes.
- Cookie-consent choices.
Essential cookies may be used where necessary to provide and secure the service.
Optional analytics or advertising technologies will not be activated where consent is legally required until appropriate consent has been obtained.
15. Analytics
Forge API may collect limited usage statistics to understand:
- Which pages are used.
- How users navigate the service.
- Which features are popular.
- Where technical failures occur.
- How quickly pages and API responses load.
If non-essential third-party analytics are introduced, this policy and any cookie controls will be updated accordingly.
16. Request logs
Forge API may record technical information about calls to generated endpoints.
Logs may include:
- Request time.
- Project and endpoint identifiers.
- HTTP method.
- HTTP response status.
- IP address.
- User-agent information.
- Usage count.
- Rate-limit result.
- Security or abuse indicators.
We do not intend to permanently store incoming request bodies unless a future feature clearly requires it and appropriate notice is provided.
17. Data retention
We retain personal information only for as long as reasonably necessary for the purposes described in this policy.
| Information category | Intended retention period |
|---|---|
| Active account information | For the life of the account |
| Deleted account information | Normally deleted or anonymised within 90 days |
| Projects, endpoints and JSON responses | Until deleted by the user or the account is closed |
| Backup copies | May remain for up to 90 additional days |
| Detailed technical and API logs | Normally up to 90 days |
| Monthly usage totals | Normally up to 24 months |
| Security and abuse records | Up to 12 months or longer where an investigation requires it |
| Billing and tax information | Normally 6 years where required by law |
| Customer-support communications | Normally up to 2 years after the enquiry is closed |
| Marketing preferences | Until consent is withdrawn or the record is no longer required |
Information may be kept for longer where necessary for legal obligations, fraud investigations, disputes, legal claims or regulatory requirements.
18. Security
We use reasonable technical and organisational measures designed to protect personal information.
These measures may include:
- HTTPS encryption.
- Secure authentication services.
- Encrypted password handling.
- Restricted administrative access.
- Protected server-side environment variables.
- Database access controls.
- Row Level Security.
- Rate limiting.
- Abuse detection.
- Error and security monitoring.
- System backups.
- Incident-response procedures.
No online service can guarantee absolute security. You are also responsible for selecting a strong password and protecting your account and generated project URLs.
19. Data breaches
Where a personal-data breach occurs, we will investigate and take reasonable steps to contain and address it.
We will notify affected users and relevant authorities where required by applicable data-protection law.
20. Your data-protection rights
Depending on the circumstances, you may have the right to:
- Request access to your personal information.
- Request correction of inaccurate information.
- Request deletion of personal information.
- Request restriction of processing.
- Object to certain processing.
- Receive certain information in a portable format.
- Withdraw consent.
- Object to direct marketing.
- Complain to a data-protection authority.
These rights may be subject to legal conditions, exemptions and identity-verification requirements.
To submit a request, contact:
21. Account deletion
You may request account deletion by contacting:
Deleting an account may result in:
- Loss of dashboard access.
- Deactivation of generated endpoint URLs.
- Deletion of projects and endpoints.
- Deletion or anonymisation of personal account information.
- Retention of billing, legal or security records where required.
- Temporary retention of backup copies until normal backup rotation completes.
22. Marketing communications
We may send promotional messages where permitted by law.
You may unsubscribe using the link included in the message or by contacting us.
Unsubscribing from marketing does not stop essential messages such as:
- Email-verification messages.
- Password-reset messages.
- Security warnings.
- Billing messages.
- Subscription notices.
- Important service updates.
23. Automated safeguards
We may use automated rules to:
- Apply monthly request limits.
- Apply per-second or per-minute rate limits.
- Detect suspicious registrations.
- Block malicious traffic.
- Identify unusual usage.
- Prevent attempts to bypass plan limits.
- Temporarily suspend abusive requests.
These safeguards do not normally make decisions that produce legal or similarly significant effects.
Contact us if you believe an automated action has incorrectly affected your account.
24. Children
Forge API is not intended for anyone under 18 years old.
We do not knowingly collect personal information from children. If you believe that a child has created an account, contact us so that we can investigate.
25. External links
Forge API may contain links to websites operated by third parties.
We are not responsible for the content, security or privacy practices of websites that we do not control.
26. Business transfers
If Forge API is involved in a merger, acquisition, restructuring, financing or sale, personal information may be transferred as part of that transaction.
Any recipient will be expected to handle the information in accordance with applicable law.
27. Complaints
Please contact us first so that we can investigate and try to resolve your concern:
You may also have the right to complain to the UK Information Commissioner's Office or another relevant supervisory authority.
28. Changes to this Privacy Policy
We may update this Privacy Policy where:
- The Forge API service changes.
- New features are introduced.
- Service providers change.
- Security practices change.
- Legal requirements change.
- New categories of information are processed.
The revised date will be displayed at the top of the page.
Where a change materially affects how personal information is used, we may provide additional notice.
29. Contact us
For privacy questions, rights requests or data-protection concerns, contact:
Trading name: Forge API
Website: https://getforgeapi.com
Privacy email: privacy@getforgeapi.com
Support email: support@getforgeapi.com
Business location: United Kingdom
Please also read our Terms and Conditions.