Privacy Policy

Last updated: May 17, 2026

Ad Forge Studios, LLC ("AdForge," "we," "our," or "us") operates the AdForge platform at adforgestudios.com. This Privacy Policy describes the personal information we collect, how we use and share it, and the choices you have.

AdForge is currently targeted at the United States market. Our hosted infrastructure runs primarily in US data centers; some sub-processors may transfer or process data outside the US. See Section 5 (Subprocessors).

1. Information We Collect

a. Account & authentication data

When you sign up we collect your email address and a hashed authentication credential, which are managed through Supabase Auth. We may also collect OAuth identifiers if you sign in with a third-party provider.

b. Business & workspace data you submit

Anything you upload into the platform: brand names, descriptions, website URLs, product information, logos, inspiration images, audience criteria, persona inputs, and the prompts you send to the AI features.

c. Generated content

Outputs the platform creates on your behalf: AI-generated personas, audiences, ad copy, headlines, image creatives, intelligence reports, Design Review transcripts, and Ad Kits. These are stored against your account so you can retrieve them later.

d. Intelligence-report source data

Intelligence reports are built from publicly-available data scraped from third-party websites via BrightData (see Section 5). The platform processes posts, comments, reviews, profile metadata, and ad-library entries about the brands and products you instruct it to research. We store derived analysis and a record of the scraping tasks (snapshot IDs, status, cost) in our database. Raw scraped payloads are not retained long-term — see Data Retention.

e. Billing data

Subscriptions are processed by Stripe. Stripe collects your payment-method details directly; AdForge does not see or store your card number, CVV, or full bank details. We store the Stripe customer ID, subscription ID, tier, status, current period dates, and the price ID, plus a record of any tier changes.

f. Cost & usage telemetry

For every external AI / data-provider call we record provider, model, feature tag, input/output token counts, USD cost, and the time the call took, along with the related brand or report. This data is used to operate billing limits, enforce per-report spend caps, debug failures, and analyze platform health.

g. Diagnostic & error data

We use Sentry to capture errors and performance traces. These records may include your user ID, the route you were on, a stack trace, and HTTP request metadata. Sensitive fields are redacted at the logger boundary.

h. Analytics & cookies

The marketing site uses Google Analytics (GA4) to measure aggregate traffic — pages viewed, referrers, session counts, and similar metrics. GA4 sets cookies on your browser and processes a hashed IP address. We do not run third-party advertising / re-targeting trackers, and we do not sell your information to ad-tech brokers. The application itself uses strictly-necessary cookies for authentication (Supabase session tokens) and CSRF protection.

2. How We Use Your Information

• Provide, operate, secure, and improve the AdForge platform
• Authenticate you and protect your account
• Process subscription payments through Stripe
• Generate AI text and image outputs by passing the relevant inputs to our AI sub-processors
• Collect web data for intelligence reports via BrightData on the brands and products you specify
• Enforce subscription limits, per-report spend caps, and rate limits
• Send transactional email (account confirmations, billing receipts, report-ready notifications)
• Diagnose errors and monitor performance via Sentry
• Detect and prevent abuse, fraud, and violations of our Acceptable Use Policy
• Comply with our legal obligations

We do not use your Customer Content to train foundation AI models for third parties. AI providers we call operate under their own terms — see Section 5.

3. Legal Bases (where applicable)

Where data-protection law (such as GDPR) applies to you, we process personal data on the bases of: performance of our contract with you (to deliver the platform you subscribed to); our legitimate interests (operating, securing, and improving the platform; preventing abuse); your consent (for non-essential cookies / analytics, where required); and compliance with legal obligations.

4. We Do Not Sell Your Personal Information

AdForge does not sell, rent, or share your personal information with third parties for their own marketing or advertising. We share data only with the sub-processors listed below, and only as needed to operate the platform. See our Do Not Sell or Share My Personal Information page.

5. Sub-Processors

We use the following sub-processors to deliver the platform. A full table — including the data each receives, processing region, and privacy-policy link — is maintained on the Subprocessors page.

• Supabase — managed Postgres database, authentication, file storage (US, us-east-2)
• Vercel — application hosting, serverless functions, edge delivery
• Stripe — subscription billing and payment processing
• OpenRouter — gateway to large-language-model providers (Anthropic Claude) for text generation, intelligence analysis, ad-copy, persona generation, and Design Review simulation
• Google (Gemini) — Gemini 3.1 Flash Image (a.k.a. Nano Banana 2) for AI image generation
• BrightData — web data collection (SERP, Web Unlocker, and Web Scraper API) used for intelligence reports
• Jina AI Reader — landing-page text extraction used by intelligence reports
• Resend — transactional email delivery
• Sentry — error monitoring and performance telemetry
• Google Analytics (GA4) — aggregate marketing-site analytics

Anthropic and other LLM providers are reached via OpenRouter as our gateway. We may add, remove, or change sub-processors over time; the canonical list is at /subprocessors.

6. Data Retention

Retention periods by data category, deletion mechanics, and what is preserved in backups are detailed on the Data Retention page. In short:

• Account, brand, product, persona, audience, creative, intelligence-report, and uploaded-media records are kept until you delete them.
• Cost-telemetry and collection-task records are retained for billing-audit and dispute-handling purposes.
• Database backups are retained for 7 days on a rolling basis.
• Object storage (uploaded files, generated images) is not currently replicated cross-region.
• Sentry events are retained per Sentry's policy (typically 90 days).

7. Data Export & Deletion

You can export your intelligence reports as DOCX or PDF from the report detail page in the dashboard. To delete your account and associated data, go to Settings → Delete Account, or email privacy@adforgestudios.com. After confirmation, your data is removed per the schedule in Data Retention; data may persist in backups for up to 7 additional days.

8. Security

We protect data in transit with TLS and at rest with encryption provided by our managed-database and storage vendors (AES-256 on Supabase). Database tables enforce per-user Row-Level Security policies so a signed-in user can only read or write their own records. Service-role credentials are restricted to server-side workloads (cron jobs, webhooks, intelligence worker). Suspected vulnerabilities can be responsibly disclosed to support@adforgestudios.com.

No system is perfectly secure. In the event of a breach affecting your personal information we will notify you and applicable regulators where required by law.

9. Your Privacy Rights

United States (CCPA / similar state laws)

If you are a California resident (or a resident of another US state with a comparable law), you may have the right to know what personal information we have about you, to request a copy, to request deletion, to correct inaccurate information, and to opt out of any "sale" or "sharing" for cross-context behavioral advertising. AdForge does not sell or share personal information for those purposes — see the Do Not Sell or Share page. We will not discriminate against you for exercising any of these rights.

EU / UK (GDPR)

AdForge is built for the US market and we do not currently offer a formal GDPR-controller compliance program (no EU representative, no SCC packet, no DPO appointment). If you are an EU or UK resident, you can still contact us at privacy@adforgestudios.com to request access, deletion, or correction of your data, and we will honor those requests on a best-effort basis. We will not misrepresent our compliance posture.

How to exercise your rights

1. Self-service: Most requests can be fulfilled from Settings (export, delete).
2. Email: privacy@adforgestudios.com. We respond within 45 days. We may need to verify your identity using your account email before fulfilling a request.

10. Children

AdForge is not directed to children. You must be at least 18 years old to create a paid account. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently done so, contact privacy@adforgestudios.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

12. Contact

Privacy questions: privacy@adforgestudios.com
Other support: support@adforgestudios.com