Privacy Policy

Last updated: April 6, 2026

Digital Forge Studios Inc. (“we”, “us”, or “our”) operates the Digital Forge Agentic Systems (“DFAS”) platform at agents.dforge.ca(the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in through a third-party provider (Google, GitHub, LinkedIn), we receive basic profile information from that provider.

1.2 Connected Accounts

DFAS integrates with third-party services on your behalf (email via Gmail, calendars via Google Calendar, code repositories via GitHub, task management, and communication platforms). When you connect an account, we receive OAuth tokens that grant your agent limited access to act on your behalf according to the scopes you approve. We store these tokens securely and use them only to provide the Service.

1.3 Usage Data

We automatically collect certain information when you access the Service, including your IP address, browser type, operating system, referring URLs, pages visited, and timestamps. This data helps us operate, maintain, and improve the Service.

1.4 Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full card details. Stripe may share limited transaction metadata (e.g., last four digits, expiration date, billing address) with us for billing administration.

1.5 Content & Instructions

When you use DFAS’s AI agent features, we process the guidelines, instructions, and preferences you provide so that the agent can act on your behalf. Email drafts, calendar events, and task data processed by the agent are handled according to the data residency and retention settings described below.

1.6 Anonymized Aggregate Pricing Data

When you add or update pricing information in DFAS (e.g., price book items, material costs), we may anonymize and aggregate that data to build market-average pricing benchmarks. This process:

Strips all personally identifiable information — no user IDs, names, email addresses, company names, or account references are stored in the aggregate dataset
Standardizes item names— product names are normalized to generic categories (e.g., “Acme Premium Paint 5gal” becomes “paint, interior, 5 gallon”)
Stores only statistical aggregates — average price, minimum, maximum, and sample count. Individual transaction prices are never stored.

This aggregate data powers our Price Intelligence feature, which helps users identify potential overpayments by comparing their prices against anonymized market averages. The aggregate dataset cannot be reverse-engineered to identify individual users, companies, or transactions.

Opt-out: Pro and Team plan users can disable pricing data contribution at any time from Account Settings → Privacy & Data. When you opt out, your future pricing data will not be included in the aggregate dataset. Existing aggregate statistics cannot be un-contributed because they contain no link to your account.

2. How We Use Your Information

To provide, operate, and maintain the Service
To process transactions and send related billing information
To execute agent actions on your behalf (drafting emails, scheduling, managing tasks)
To communicate with you about your account, updates, and support requests
To detect, prevent, and address technical issues and security threats
To improve and develop new features for the Service
To generate anonymized, aggregate market pricing benchmarks that help all users compare prices (see Section 1.6)
To comply with legal obligations

3. AI Processing & Data Sovereignty

DFAS uses artificial intelligence to act autonomously on your behalf. AI inference is processed through our secure cloud infrastructure. We maintain a zero-retention policy with our AI inference providers — your data is not used to train third-party AI models. Prompts and responses are processed transiently and are not stored by the inference provider beyond the duration of the request.

For customers using our local-first deployment option, all data remains in your browser or on-premises infrastructure and never traverses our servers except for authentication and AI inference (which is subject to the zero-retention policy above).

4. Data Sharing & Disclosure

We do not sell your personal information. Anonymized aggregate pricing data (as described in Section 1.6) is shared across the platform to provide market benchmarks but contains no personally identifiable information. We may also share information with:

Service providers — trusted third parties that help us operate the Service (hosting, payment processing, email delivery, authentication), bound by data protection agreements
Connected third-party services— only the data necessary to perform the actions you’ve authorized (e.g., sending an email via your Gmail account)
Legal requirements — when required by law, regulation, legal process, or governmental request
Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to you

5. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. Agent session logs are retained for up to 90 days for debugging and quality purposes, after which they are automatically purged. You may request deletion of your data at any time by contacting us.

6. Data Security

We implement industry-standard security measures including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
OAuth 2.0 with scoped permissions for all third-party integrations
Secure, HTTP-only session cookies with SameSite protection
Content Security Policy (CSP), HSTS, and other security headers
Regular security audits and dependency scanning
Clear-Site-Data headers on logout to prevent data persistence

7. Your Rights

Depending on your jurisdiction (including under GDPR, PIPEDA, CCPA, and similar laws), you may have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Request deletion of your data
Export your data in a portable format
Withdraw consent for data processing
Object to or restrict certain processing activities
Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at privacy@dforge.ca.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. No data is shared with ad networks.

9. Children’s Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

10. International Data Transfers

Our infrastructure is hosted in Canada (Azure Canada Central). If you access the Service from outside Canada, your data may be transferred to and processed in Canada, which provides data protection recognized as adequate by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Continued use of the Service after changes constitutes acceptance of the revised policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Email: privacy@dforge.ca
Website: dforge.ca