Forge by DWA CRM

Privacy Policy

This Privacy Policy explains how Digital Web Automations (“Digital Web Automations”, “we”, “us”) collects, uses, shares, and protects personal information when you use Forge by DWA CRM (the “Service”).

Effective date: May 7, 2026.

1. Information We Collect

We collect the following categories of personal information:

  • Account information. Your email address, name, password (hashed with bcrypt), timezone, and locale.
  • Workspace data. Workspace names, member roles, posts, scheduled jobs, media files, and analytics records you create or upload.
  • Connected social accounts. When you authorise a social platform, we store your platform-side handle, public profile URL, and an OAuth access token (and refresh token, where issued). All tokens are encrypted at rest with AES-256-GCM before being written to our database.
  • Configuration secrets. Super-admins may paste API keys for AI providers, billing (Stripe), email (SMTP), and storage (S3/R2) into the Integrations page. Sensitive values are encrypted at rest with AES-256-GCM and only ever returned to authenticated super-admins.
  • Usage data. Server logs (request paths, status codes, timestamps, truncated error messages with sensitive fields redacted), publish-attempt records, and AI-generation records (provider, model, prompt, output, token count). Logs do not contain access tokens, passwords, or API keys; the logger redacts these by default.
  • Billing. If you subscribe to a paid plan, billing is processed by Stripe. We store a Stripe customer ID and subscription ID; we do not store your card number.

2. How We Use Information

  • To operate, maintain, and improve the Service;
  • To act on your behalf via the Connected Platforms and LLM Providers you have authorised;
  • To bill subscriptions and manage account access;
  • To detect, investigate, and prevent fraud, abuse, or violations of the Terms;
  • To comply with legal obligations.

We do not sell personal information. We do not use your Content or prompts to train any machine-learning model. We do not run advertising on the Service.

3. Sharing With Third-Party Sub-processors

To deliver the Service we transmit data to a small number of sub-processors. The following list is illustrative — only the providers you have configured for your workspace will receive data:

  • Hosting & infrastructure: the operator of our Linux VPS, plus PostgreSQL and Redis running on that VPS;
  • LLM Providers: OpenAI, Anthropic, Google (Gemini), OpenRouter, or a self-hosted Ollama instance — receive only the prompt + system prompt you submit;
  • Connected Platforms: Facebook/Instagram (Meta), X (X Corp), LinkedIn (Microsoft), YouTube/Google, TikTok, Pinterest, Threads, WordPress.com — receive the content you publish;
  • Object storage: Amazon S3 or Cloudflare R2, if configured — receive the media files you upload;
  • Email delivery: the SMTP provider you configure — receives transactional emails (password reset, invitations);
  • Billing: Stripe — processes subscriptions;
  • Error monitoring: Sentry, if a DSN is configured — receives stack traces with sensitive fields redacted.

Each sub-processor has its own privacy practices; review their policies for complete information.

4. Data Retention

  • Account & workspace data: retained for as long as your account is active.
  • OAuth tokens: retained until you disconnect the account or it is revoked at the platform side.
  • System logs: retained up to 30 days for security and debugging.
  • Backups: retained up to 30 days; backups are encrypted at rest.
  • When you delete your account, we delete or anonymise associated data within 30 days, except where retention is required by law (e.g., financial records for tax compliance).

5. Security

We use industry-standard practices including: HTTPS in transit (TLS 1.2+, HSTS, secure cookies), encryption at rest for OAuth tokens and provider API keys (AES-256-GCM), bcrypt for password hashing, server-side rate limits, magic-byte file-type validation for uploads, multi-tenant data isolation in every query, defence against SQL injection via parameterised ORM queries, and HTTP security headers including Content-Security-Policy and X-Frame-Options. No security measure is infallible; please report suspected vulnerabilities to privacy@dwacrm.com.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate information;
  • Delete your account and associated personal information;
  • Export your data in a portable format;
  • Object to or restrict certain processing;
  • Withdraw consent (where processing is based on consent).

Most rights can be exercised directly from your account settings. For the rest, email privacy@dwacrm.com; we will respond within 30 days.

7. International Transfers

Our infrastructure and several sub-processors operate outside your country of residence. Where data transfers cross borders, we rely on standard contractual clauses or other lawful transfer mechanisms.

8. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information, please contact us and we will delete it.

9. Cookies

We use a small number of strictly-necessary cookies for authentication (session token), CSRF protection, and rate-limit identification. We do not use advertising cookies and do not embed third-party analytics on the public site.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

11. Contact

Privacy questions or requests: privacy@dwacrm.com. Service URL: https://forge.dwacrm.com.


This policy is a starting template. We strongly recommend a review by counsel licensed in your jurisdiction (and applicable to your customers’ jurisdictions, e.g. GDPR for EEA users, CCPA/CPRA for California, etc.) before relying on it in production.