Privacy Policy
Last updated: April 2026
What Forge Is
Forge is a Slack bot that helps software teams by connecting to their GitHub repositories and providing AI-powered project awareness. It is operated by Strand & Stone (“we”, “us”).
What Data We Access
- Slack messages — Forge reads messages in channels it’s invited to, and direct messages sent to it. It uses these to understand project context and respond to questions.
- GitHub repository data — Commits, pull requests, issues, and file contents from repositories you connect. Accessed via GitHub’s API using a GitHub App installation token.
- Your AI provider API key — Stored encrypted on our server. Used solely to make AI API calls on your behalf. Never shared with anyone other than the provider you chose.
What We Store
- Workspace configuration — Your Slack workspace ID, linked repositories, GitHub installation IDs, and Slack bot tokens.
- Conversation memory — Key facts extracted from conversations (e.g., “team uses React”, “deploy target is Fly.io”). These help Forge give better answers over time.
- Recent message buffer — A rolling buffer of the last 100 messages per channel for short-term context. Older messages are not retained.
- Channel summaries — Aggregated digests of channel history when you run history ingest. We do not store full message history.
- Usage logs — Token counts, model names, and call timestamps for cost tracking and budget enforcement.
- API keys and tokens — Your AI provider API key, embedding key (if set), and Slack bot tokens, stored encrypted at rest with AES-256-GCM.
What We Don’t Do
- We do not sell your data to anyone.
- We do not use your data to train AI models.
- We do not share your data with third parties beyond the subprocessors listed below.
- We do not store your credit card information. Payments are processed by Stripe.
AI Processing
Forge supports three AI providers and you choose one during setup. All AI calls use your own API key for the provider you selected. The provider’s data-handling policies apply to those API calls.
Supported Providers
- Anthropic (Claude) — default models claude-sonnet-4-6 for chat and claude-haiku-4-5-20251001 for lightweight tasks. Anthropic privacy policy.
- OpenAI — default models gpt-4o for chat and gpt-4o-mini for lightweight tasks. OpenAI privacy policy.
- OpenRouter — gateway to 100+ models including Llama, Gemini, Mistral, plus Claude and GPT-4 via a single key. OpenRouter privacy policy.
You can switch providers at any time via the switch provider DM command.
Accuracy Disclaimer
AI-generated responses may be inaccurate or incomplete. Forge grounds its answers in your actual codebase and conversation history, but outputs should not be treated as authoritative without verification. Always confirm critical information independently.
Data Sent to AI Providers
When Forge responds to a question or generates a brief, it sends relevant context to your chosen AI provider. This may include: recent Slack messages from the channel, GitHub commit and PR data, extracted conversation memories, and file contents from connected repositories. None of the supported providers use API data for model training under their default API terms; refer to each provider’s privacy policy linked above.
Embeddings (Optional)
If you enable semantic memory search, Forge sends short text snippets (the extracted memory text) to your embedding provider (OpenAI text-embedding-3-small or Voyage AI voyage-3.5-lite) using your own embedding key. The resulting vector is stored alongside the memory in our database for retrieval.
Workspace Isolation
Each workspace’s data is fully isolated. Data from one workspace is never accessible to another workspace, never used to improve Forge’s AI capabilities, and never shared with third parties beyond the API calls made with your own keys.
Your API Keys
You provide and control your own AI provider API keys (BYOK model). Forge uses these keys solely to make API calls on your behalf. You are responsible for your accounts, usage, and associated costs. API keys are stored encrypted server-side and never shared with third parties beyond the provider whose key it is.
Subprocessors
Forge uses the following subprocessors to deliver the service. Each is contracted to handle data responsibly and we cycle through them only as needed for the features you use.
- Anthropic, Inc. — AI inference (when you choose Anthropic as your provider). Privacy policy.
- OpenAI, L.L.C. — AI inference (when you choose OpenAI as your provider) and embeddings (when you enable semantic search with OpenAI). Privacy policy.
- OpenRouter, Inc. — AI inference gateway (when you choose OpenRouter as your provider). Privacy policy.
- Voyage AI — Embeddings (when you enable semantic search with Voyage). Privacy policy.
- Stripe, Inc. — Payment processing for the Forge subscription. We never receive your card data. Privacy policy.
- Slack Technologies, LLC — The platform Forge runs on. Privacy policy.
- GitHub, Inc. — Repository hosting we read from via your installed GitHub App. Privacy policy.
- Fly.io — Application hosting and managed database storage. Privacy policy.
Data Retention & Deletion
Your data is retained while your workspace is active. When you uninstall Forge from Slack, your workspace is soft-deleted; we hard-delete all data after a 30-day retention window unless you reinstall. You can also DM Forge delete my data at any time to permanently delete everything immediately, or DM export my data to download a JSON bundle of your workspace data.
Security
API keys and bot tokens are encrypted at rest with AES-256-GCM. All connections use TLS 1.2+. Sensitive fields are protected by a workspace-scoped HMAC token system. The dashboard token can be regenerated at any time via the dashboard or DM.
Forge is hosted on Fly.io. Daily backups are retained for 7 days plus 4 weekly snapshots. Forge is not currently SOC 2 certified; we encrypt at rest and in transit and follow least-privilege access controls.
Breach Notification
If we discover a security breach affecting your data, we will notify the workspace administrator (the user who installed Forge) by email and Slack DM within 72 hours of confirmed discovery, per GDPR Article 33.
Your Rights (GDPR / EEA)
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation, including:
- Access — Request a copy of your data via DM export my data.
- Portability — The export is a machine-readable JSON bundle.
- Rectification — Edit or flag wrong memories from the workspace dashboard.
- Erasure — DM delete my data to permanently delete everything.
- Objection — Email us to object to a specific processing purpose.
- Lodging a complaint — You may complain to your local data-protection authority.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect about you, to delete it, and to opt out of any “sale” of personal information. We do not sell personal information. To exercise these rights, DM Forge delete my data or export my data, or email us.
International Data Transfers
Forge is operated from the United States and our hosting provider has data centers globally. By using Forge, you consent to your data being transferred to and processed in the United States and other jurisdictions where our subprocessors operate. We rely on standard contractual clauses with subprocessors where required.
Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for customers in regulated industries or jurisdictions that require one. Email privacy@strandandstone.com.
Changes to This Policy
We may update this policy as the product evolves. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be announced in the workspace dashboard and via DM.
Contact
Questions about this policy or to exercise any of the rights above? Email privacy@strandandstone.com. We respond within two business days.