Last updated: 13 June 2026
This policy is written to align with the EU General Data Protection Regulation (GDPR) and Spain's Ley Orgánica 3/2018 (LOPDGDD). It is provided in good faith and is not legal advice. Bracketed placeholders ([…]) must be completed before publication.
1. Data controller
The controller of your personal data is [YOUR NAME OR LEGAL ENTITY], based in Spain ([ADDRESS / REGION]). Contact for any privacy matter: privacy@forgeregistry.com.
We have not appointed a Data Protection Officer, as Forge's processing does not meet the threshold that requires one. You may still contact us about any data question at the address above.
2. What we collect, why, and our lawful basis
| Data | When | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Email address | You join the waitlist | Tell you about early access | Consent — Art. 6(1)(a) |
| GitHub login, avatar URL, OAuth access token | You sign in / publish | Verify repository ownership, attribute listings | Performance of a contract — Art. 6(1)(b) |
| IP address, request metadata | Any API request | Rate-limiting, abuse prevention, security, debugging | Legitimate interests — Art. 6(1)(f) |
| Your LLM API key (if you use AI search with your own key) | Per request only | Forward your query to your chosen AI provider | Performance of a contract — Art. 6(1)(b) |
We do not collect special-category data, and we do not use your data for advertising or profiling.
3. Your API key (AI search)
If you use the natural-language search with your own API key, that key is sent with your request, used once to call your chosen provider, and never written to our logs or storage. It lives only in your browser's local storage on your device. If you use AI search without a key, your query is sent to our default provider using our key; the query text is processed to return results and is not retained beyond what is needed to serve the request.
4. Who we share data with (processors and recipients)
We use the following service providers. Some are located outside the EU/EEA (notably the United States); where that is the case, transfers rely on the EU Standard Contractual Clauses or an applicable adequacy decision.
- Vercel — website and API hosting (US).
- Upstash — registry data storage (Redis). [CONFIRM REGION].
- Formspree — waitlist form handling (US).
- GitHub — authentication and repository-ownership verification (US).
- Anthropic / OpenAI / Google — only if you use AI search; receives your query (and, if you provide one, your own API key) (US).
We also make outbound requests to npm, the OSV vulnerability database, and Sigstore to assess packages. These requests concern package names and versions and do not include your personal data.
We do not sell your personal data.
5. Retention
- Waitlist email — until early access concludes or you ask us to delete it, whichever is first.
- Publisher records (GitHub login, verification, signatures) — for as long as the listing is published, plus a reasonable period in the append-only audit log for integrity and abuse-investigation purposes.
- Security/rate-limit metadata — short-lived; counters expire within days.
- API keys — not retained (see §3).
6. Your rights
Under the GDPR and LOPDGDD you have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time (without affecting prior processing). To exercise any of these, email privacy@forgeregistry.com; we respond within one month.
You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD) — www.aepd.es, C/ Jorge Juan 6, 28001 Madrid.
7. Cookies and local storage
Forge uses no advertising or tracking cookies and runs no third-party analytics. We use only strictly necessary, technical client-side storage:
- a theme preference (light/dark) saved in your browser's local storage;
- your AI-search settings (provider choice and, optionally, your API key) saved in your browser's local storage on your device only.
Because these are strictly necessary / technical, no consent banner is required under the LSSI-CE. We will update this section and request consent before introducing any non-essential cookies or analytics.
8. Children
Forge is a developer tool not directed at children and is not intended for anyone under 14 (the age of digital consent in Spain). We do not knowingly collect data from children.
9. Changes
We may update this policy; the "Last updated" date reflects the latest version. Material changes affecting how we use your data will be communicated where appropriate.
10. Contact
Privacy questions or rights requests: privacy@forgeregistry.com.