FForge Engine← Home

Privacy Policy

Last updated May 2026

This policy explains how Forge Engine collects, uses, and protects personal data. Forge Engine is a product of Nimbus Compute Ltd, a company registered in the United Kingdom and acting as the data controller for the personal data described below.

We follow UK GDPR and the Privacy and Electronic Communications Regulations (PECR). If you would prefer a plain-English summary, this whole page tries to be one.

1. Who we are

Controller: Nimbus Compute Ltd, United Kingdom.
Product: Forge Engine (forgeengine.io).
Contact: support@forgeengine.io for general privacy queries; security@forgeengine.io for suspected security issues.

2. The data we collect

We try to collect the minimum needed to make Forge work. The data falls into the following categories:

  • Account data: name, email address, hashed password (or OAuth identifier from Google / GitHub if you sign in that way), account creation date.
  • Profile data: optional display name, company name, time zone, avatar URL.
  • Uploaded content: the videos you upload or the URLs you submit, plus the intermediate artifacts our pipeline generates from them (transcripts, scene metadata, crop coordinates, thumbnails).
  • Generated content: the rendered clips, captions, titles, and hashtags that Forge produces from your sources.
  • Usage and billing data: which jobs you ran, how many source minutes they consumed, your plan, your Stripe customer ID (we never see card numbers), invoices, and top-up purchases.
  • Operational and technical data: request timings, error traces (with PII scrubbed before transmission), rate-limit counters, IP address used to access the site, and basic device/browser information for debugging and abuse prevention.
  • Support data: emails you send us and any context you attach (job IDs, screenshots). Stored in our support inbox while needed to help you.

3. Why we use it (lawful bases)

Each category maps to a UK GDPR Article 6 lawful basis:

  • Contract— running your jobs, delivering your clips, and handling billing. Without this data we can’t provide the service you signed up for.
  • Legal obligation— tax records, fraud prevention, and responding to lawful requests from regulators or law enforcement.
  • Legitimate interests— product analytics (only with your consent for non-essential cookies), security monitoring, abuse prevention, and improving the pipeline. We balance our legitimate interest against your rights and never use your video content to train third-party models.
  • Consent— non-essential cookies, marketing email (off by default; opt-in only), product-update email (off by default; opt-in at signup or in Settings → Notifications).

4. Where data is stored and who processes it

Account data and metadata live in our Supabase Postgres database (EU region). Uploaded videos and generated clips live in Cloudflare R2 (EU region by default). Errors and performance traces (with PII scrubbed) go to Sentry. Email is sent through Resend.

A current list of all third-party providers that process personal data on our behalf, including their region and a link to their privacy policy, is on the Subprocessors page.

5. International transfers

Some of our subprocessors are based in the United States. Where personal data leaves the UK / EEA we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by the technical safeguards each provider operates (encryption in transit, encryption at rest).

6. How long we keep it

  • Source uploads: up to 30 days after processing, then automatically removed from object storage by our retention janitor.
  • Generated clips: kept until you delete them or delete your account.
  • Job and usage records: kept while your account is active, plus up to 12 months after closure for billing reconciliation and fraud prevention.
  • Error logs and rate-limit counters: 90 days.
  • Support emails: kept while needed to help you (typically deleted within 24 months of last contact).
  • Billing records: 6 years, as required by UK tax law.

7. What we don’t do

  • We do not sell personal data.
  • We do not use your videos, transcripts, or clips to train AI models — ours or anyone else’s.
  • We do not run ad-network trackers.
  • We do not share your jobs or clips with other Forge users.

8. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the data we hold about you.
  • Rectification of inaccurate data.
  • Erasureof your data (“right to be forgotten”).
  • Restriction of how we use your data.
  • Portability— receive your data in a machine-readable format.
  • Object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent for any processing based on consent.

Most of these are self-serve from Settings → Data & Privacy: you can export everything we hold about you, delete individual jobs, or delete your entire account. For anything you can’t do from the UI, email support@forgeengine.io and we will respond within 30 days (usually much sooner).

If you are unhappy with how we’ve handled your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint. We’d appreciate a chance to fix it first.

9. Cookies

We use a small set of essential cookies (sign-in session, payment processing) and ask consent before setting any non-essential cookies. The cookie policy has the full breakdown.

10. Children

Forge Engine is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has signed up, email support@forgeengine.io and we will remove the account.

11. Changes to this policy

We will update this page when our practices change. Material changes will be surfaced in-product (a banner on the dashboard) before they take effect. The “Last updated” date at the top reflects the most recent revision.

12. Contact

Privacy queries: support@forgeengine.io.
Suspected security issues: security@forgeengine.io (see the security page first).