Platform Policy

Privacy Policy

Effective date: April 17, 2026
Last updated: April 17, 2026

Summary

Roles under data-protection law

Forge Metal plays two distinct roles under GDPR, UK GDPR, the California CPRA, and comparable laws:

  • Controller for account administration, authentication, billing, and operational telemetry.
  • Processor for the content your organization places into the substrate — durable VM disks, mailboxes, execution logs, and other workload artifacts. We act on your documented instructions under the Data Processing Addendum.

What we collect and why

The categories below are the personal-data categories we hold as controller. Workload data you place into the substrate is governed by the DPA, not this section.

  • Identity and account. Administrator name and email address, organization metadata, authentication events (timestamps, IP addresses, user-agent strings).
  • Billing. Billing contact, tax identifier, payment instrument metadata (held by our payments subprocessor; we see descriptive tokens only), invoice line items, usage aggregates.
  • Support correspondence. Anything you send to our policy, security, or support mailboxes.
  • Operational telemetry. Logs, traces, and metrics emitted by the service as it runs your workloads. Retained per the Data Retention policy.

Record of Processing Activities

Published here to satisfy GDPR Article 30(1) and (2). Each activity identifies the role, purpose, data categories, and lawful basis.

| Activity | Role | Purpose | Data categories | Lawful basis |
| --- | --- | --- | --- | --- |
| account-administration | controller | Provision and administer the Forge Metal customer organization | Organization administrator name; Organization administrator email; Authentication events (timestamps, IP addresses) | Contract (GDPR Art. 6(1)(b)) |
| billing | controller | Issue invoices, collect payments, produce tax documents | Billing contact; Tax identifier; Usage metering aggregates; Invoice line items | Contract (GDPR Art. 6(1)(b)) and legal obligation (GDPR Art. 6(1)(c)) |
| sandbox-workloads | processor | Execute customer-defined compute workloads in hardware-virtualized microVMs | Durable VM disk contents (customer-controlled); Execution logs (customer-controlled); Execution results | Processed on the customer's documented instructions (GDPR Art. 28) |
| inbound-mail | processor | Receive and store inbound email on behalf of customer mailboxes | Customer-mailbox message bodies; Envelope addresses; Delivery metadata | Processed on the customer's documented instructions (GDPR Art. 28) |
| observability | controller | Operate and secure the Forge Metal platform; detect and respond to availability and security incidents | Service logs; Traces; Metrics; Security-incident artifacts | Legitimate interests (GDPR Art. 6(1)(f)) — operating and securing the service |

Who we share data with

We share personal data only with the subprocessors listed at /policy/subprocessors, and only for the purposes documented on that page. As of 2026-04-17, the list is Stripe, Cloudflare, Latitude.sh, Resend. Additions get 30 days' notice by email to administrators.

We do not sell personal data and do not share it for targeted advertising, in the sense CPRA and similar laws use those terms.

Data-subject requests

Under GDPR Articles 15–22, CPRA §1798.100 et seq., VCDPA, CPA, and comparable laws, you may request access to personal data about you, correction of inaccuracies, deletion, and portability, and you may object to processing based on legitimate interests.

Where Forge Metal is the controller (billing contacts, organization administrators, support correspondence), send requests to the privacy mailbox below. We respond within 30 days under GDPR and 45 days under CPRA, with extensions only where the statute permits.

Where Forge Metal is the processor (workload data your organization processes about its end users), direct requests to the customer. If we receive one directly we forward it and cooperate with the response.

International transfers

The primary Forge Metal deployment runs on bare-metal hardware in the region chosen by the founder. Some subprocessors process data in the United States and other regions as listed on /policy/subprocessors.

Where transfers cross the EEA/UK, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply via the subprocessor's DPA. The UK International Data Transfer Agreement or UK Addendum applies to UK transfers; the Swiss addendum applies where Swiss data protection law governs.

Regional supplements

California (CPRA). You have the right to know, delete, correct, and limit the use and disclosure of sensitive personal information. We do not sell or share personal information in the sense §1798.140(ad) and (ah) use those terms. Authorized agents may submit requests with written authorization; we verify the request against the account record before responding.

European Economic Area, United Kingdom, Switzerland. The lawful bases above apply. You have the right to lodge a complaint with a supervisory authority in your jurisdiction (for example the CNIL, the ICO, or the FDPIC).

Other US states (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.). Rights under these statutes are honored on the same DSR pipeline.

Brazil (LGPD), Canada (PIPEDA). Rights under these statutes are honored on the same DSR pipeline. Where the statute requires a local representative, the Forge Metal entity named on your invoice serves that role or designates one in writing.

Retention

Personal data is retained according to the Data Retention policy. Billing records persist for the statutory windows listed there; operational telemetry is trimmed by per-table TTL; durable workload data follows the account lifecycle.

Security of processing

We implement the technical and organizational measures described in the Security Overview. Where we act as processor, the DPA supplements those measures with the Article 32 controls the customer is entitled to.

Children

The service is an infrastructure product sold to organizations; we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact the privacy mailbox below and we will delete it.

Changes to this policy

Material changes take effect 30 days after they are announced by email to the administrators on each affected organization. The effective date at the top of this page is the date the current version took effect. Prior versions of all policies live at /policy/changelog, and every change is recorded there in commit-addressable form.

Policy identifier: privacy.

Contact

Questions and requests under this policy go to privacy@anveio.com. Security reports go to security@anveio.com and take precedence over routine policy correspondence. GDPR data-protection correspondence may be directed to dpo@anveio.com; abuse reports to abuse@anveio.com.