Privacy Policy

Last updated: January 15, 2026 • Effective: February 1, 2026

This Privacy Policy describes how OrgForge Inc. ("OrgForge," "we," "us," or "our") collects, uses, and shares information about you when you use our website and services (collectively, the "Service"). By using the Service, you agree to this Privacy Policy.

1. Information We Collect

We collect information you provide directly to us, information collected automatically when you use the Service, and information from third parties.

Information you provide directly:

• Account information: When you register, we collect your name, email address, and password. You may optionally add a profile picture, job title, and company name.
• Payment information: When you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed by our payment processor, Stripe Inc. We do not store full payment card details on our servers.
• User Content: The organizational data, names, roles, and any other information you input into your Org Charts.
• Communications: If you contact us for support or other inquiries, we retain the content of those communications.
• Survey and feedback data: If you participate in surveys or provide feedback, we collect that information.

Information collected automatically:

• Log data: When you use the Service, our servers record information including your IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps.
• Usage data: We collect information about how you interact with the Service — features used, actions taken, time spent, and error reports.
• Device information: Device type, screen resolution, and operating system version.
• Cookies and similar technologies: We use cookies and similar tracking technologies as described in Section 4 of this policy.

Information from third parties:

• If you sign in using a third-party service (e.g., Google OAuth), we receive basic profile information such as your name and email address from that service, subject to its privacy settings.
• We may receive information from analytics providers, advertising partners, and fraud prevention services.

2. How We Use Your Information

We use the information we collect to:

• Provide and improve the Service: Create and maintain your account, process transactions, deliver features, and personalize your experience.
• Communicate with you: Send transactional emails (account confirmations, invoices, password resets), product updates, and support responses. You may opt out of marketing emails at any time.
• Analytics and product development: Understand how users interact with the Service to improve features and fix bugs. We use aggregated and anonymized data where possible.
• Security and fraud prevention: Detect and prevent unauthorized access, abuse, and violations of our Terms of Service.
• Legal compliance: Fulfill legal obligations, respond to lawful requests from authorities, and enforce our agreements.
• Marketing: With your consent, send you information about new features, updates, or promotional offers. You can unsubscribe at any time.

We do not sell your personal information to third parties. We do not use your User Content (your Org Charts and organizational data) to train AI models or for advertising purposes.

3. How We Share Your Information

We may share your information in the following circumstances:

• Service providers: We share information with trusted third-party service providers who assist in operating the Service (cloud hosting, email delivery, payment processing, analytics, customer support). These providers are contractually obligated to protect your information and use it only for the purposes we specify.
• Business transfers: If OrgForge is acquired by, or merges with, another company, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
• Legal requirements: We may disclose your information if required to do so by law or in response to valid legal process (subpoena, court order, or government request).
• Protection of rights: We may disclose information to protect the rights, property, or safety of OrgForge, its users, or others.
• With your consent: We may share your information for any other purpose with your explicit consent.

Key third-party service providers we use:

• Stripe Inc. (payment processing) — stripe.com/privacy
• Amazon Web Services (cloud infrastructure) — aws.amazon.com/privacy
• Google Analytics (usage analytics) — policies.google.com/privacy
• Postmark (transactional email) — postmarkapp.com/privacy-policy

4. Cookies and Tracking Technologies

We use cookies (small text files stored on your device) and similar tracking technologies to operate and improve the Service. Here is what we use them for:

• Essential cookies: Required for core functionality such as authentication, session management, and security. These cannot be disabled without breaking the Service.
• Preference cookies: Remember your settings and preferences (e.g., language, theme) to personalize your experience.
• Analytics cookies: Help us understand how you use the Service, which pages are visited most, and where errors occur. Data is aggregated and anonymized where possible.
• Marketing cookies: Used to track the effectiveness of our advertising campaigns. We only use these with your consent.

You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Note that disabling essential cookies may prevent you from using certain parts of the Service. For more information, see your browser's help documentation.

We respect "Do Not Track" signals where technically feasible.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. We also retain information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

When you delete your account, we will delete or anonymize your personal information within 90 days, except where we are required to retain it for legal or regulatory reasons, or where it is contained in backup archives that are not immediately accessible.

User Content (your Org Charts) is deleted within 30 days of account deletion.

6. Data Security

We implement industry-standard security measures to protect your information, including:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Regular security audits and penetration testing
• Access controls limiting employee access to personal data on a need-to-know basis
• Multi-factor authentication for all staff with access to production systems

Despite these measures, no security system is impenetrable. We cannot guarantee the absolute security of your information. In the event of a security breach affecting your personal data, we will notify you as required by applicable law.

7. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to certain legal exceptions.
• Portability: Request a machine-readable export of your personal information and User Content.
• Restriction: Request that we limit how we use your information in certain circumstances.
• Objection: Object to our processing of your information for direct marketing or based on legitimate interests.
• Withdraw consent: Where processing is based on your consent, withdraw that consent at any time.

To exercise any of these rights, contact us at privacy@orgforge.app. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before fulfilling certain requests.

If you are in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority.

8. International Data Transfers

OrgForge is based in the United States. If you are located outside the United States, your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those of your country.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and other lawful transfer mechanisms.

9. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete that information. If you believe we have inadvertently collected information from a child under 16, please contact us at privacy@orgforge.app.

10. Third-Party Links

The Service may contain links to third-party websites and services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you visit, as we have no control over their practices.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and/or a prominent notice within the Service at least 14 days before the changes take effect. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

• Email: privacy@orgforge.app
• Mailing address: OrgForge Inc. — Privacy Team, 1234 Innovation Drive, Suite 100, Wilmington, DE 19801, USA
• Data Protection Officer: dpo@orgforge.app

We are committed to working with you to resolve any privacy-related issues. If we are unable to resolve your concern, you may have the right to escalate it to your local supervisory authority.