Privacy Policy

Last updated: July 14, 2026

1. TL;DR

Forge does not collect, store, or share any personal data. We do not set tracking cookies. Your API keys are generated client-side and stored only in your browser's localStorage. We never see them.

2. Data We Do Not Collect

Forge is engineered to be database-free. Specifically, we do NOT collect or persist:

  • Names, email addresses, or account credentials
  • IP addresses (used only transiently for in-memory rate limiting)
  • Request payloads, prompts, or completions
  • API keys (yours or upstream provider keys)
  • Browser fingerprints, analytics, or telemetry
  • Tracking cookies of any kind

3. In-Memory State

To provide the free tier, Forge maintains two ephemeral, in-process data structures that are wiped on every cold start:

  • Rate-limit buckets — a sliding 60-second window per IP address. The IP itself is hashed in memory and never written to disk.
  • Memorizer LRU cache — a small (5,000-entry) map used to round-trip compress → decompress within a single warm-server window. Each entry holds the original text for at most a few minutes before eviction.

Neither structure is ever persisted to disk, replicated, or shared with third parties. Restarting the server clears everything.

4. API Keys

Forge API keys are generated client-side using cryptographic random bytes and stored only in your browser's localStorage under the key forge.apiKey. They are sent as the X-Forge-Key header on requests, but the server treats them as opaque tracking tokens — they are never written to disk and never associated with your identity.

Optional OpenRouter or Gemini API keys (saved in forge.settings) are sent only when you explicitly enable the fallback in the playground. They are forwarded directly to the upstream provider and never logged.

5. localStorage Usage

Forge uses localStorage for the following functional purposes only:

  • Storing your generated Forge API key
  • Storing your optional fallback provider key
  • Remembering your theme preference (light/dark)
  • Remembering the tools you authored in the playground

Clearing your browser storage erases all of the above. Forge functions fine without any localStorage — you simply need to regenerate a key.

6. Third-Party Calls

When you enable the fallback in the playground, Forge's server forwards your request to OpenRouter or Google Gemini directly. Those providers' privacy policies apply to the data you send them. Without the fallback enabled, no third-party calls are made.

7. Children's Privacy

Forge is a developer tool and is not directed at children under 13. We do not knowingly collect any data from anyone.

8. Changes

If this policy ever changes, we will update the date at the top of this page and bump the version. We will never retroactively start collecting data — the architecture itself forbids it.