LEGAL
PRIVACY POLICY
This Privacy Policy describes how The Forge(“we”, “us”) collects, uses, stores, and shares your personal data when you visit entertheforge.co, use our applications, or purchase our content. It is written to comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000.
1. Data We Collect
We collect only the data necessary to operate the Service:
- Account data — email address, full name, password hash, profile picture (optional)
- Transaction data — order history, subscription status, billing amounts, currency, payment status (the actual card/UPI/netbanking details are handled directly by Razorpay; we never see or store them)
- Reading data — which books you’ve opened, reading progress, last-accessed timestamps, daily streak data
- Device and log data — IP address, browser type, operating system, timestamps of requests (collected automatically by our hosting provider for security and reliability)
- Communications — emails you send to support, replies to our broadcast emails
2. How We Use Your Data
Your data is used for the following purposes:
- Service delivery — authenticating you, unlocking purchased content, syncing reading progress across devices
- Payments — processing subscriptions and one-time purchases via Razorpay; sending payment receipts
- Communications — onboarding emails, transactional notifications (order confirmation, password reset), and platform updates relevant to your subscription
- Personalisation — recommending books based on your reading history (you may opt out by emailing us)
- Content protection — burning a personalised watermark into PDFs delivered to subscribers; this helps us detect and respond to content leakage
- Safety and compliance — preventing fraud, enforcing our Terms, complying with legal requests
We do not sell your personal data. We do not share it with advertising networks or data brokers.
3. Legal Basis for Processing
Under the DPDP Act, we process your personal data on the basis of:
- Your consent, given when you create an account or subscribe
- Performance of a contract (delivering the books, audiobooks, or subscription you paid for)
- Legitimate purposes recognised under the DPDP Act, including fraud prevention and service operation
- Legal obligations we’re subject to in India
4. Third-Party Processors
We use carefully selected processors who handle data on our behalf under strict agreements:
- Supabase (database, authentication, file storage) — hosted in their EU/US data centres with encryption at rest
- Razorpay (payments) — RBI-licensed Indian payment gateway; PCI-DSS compliant
- Resend (transactional emails) — only your email address and the message body are processed
- Anthropic (book recommendations) — anonymised library data is sent to generate personalised picks; no PII is included in the prompt
- Vercel (hosting) — server logs, performance metrics
Each processor is bound by their own privacy commitments and data-processing terms.
5. Data Storage and Security
Data is stored in encrypted databases. Communication between your device and our servers uses HTTPS/TLS. Passwords are never stored in plaintext (they are hashed by Supabase Auth using bcrypt). Access to production databases is limited to authorised personnel and audited.
No method of transmission or storage is 100% secure. If we discover a personal data breach affecting you, we will notify you and the Data Protection Board of India as required by the DPDP Act.
6. Data Retention
- Account data — retained while your account is active and for up to 12 months after deletion (for fraud-prevention and tax records)
- Transaction records — retained for 7 years to comply with Indian tax law
- Reading and progress data — deleted within 30 days of account deletion
- Support communications — retained 24 months
7. Your Rights
Under the DPDP Act, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or outdated information
- Erase your personal data (subject to legal-retention exceptions)
- Withdraw consent at any time (this will not affect lawful processing already done)
- Nominate another individual to exercise your rights in case of your death or incapacity
- Lodge a grievance with our Data Protection contact (below)
To exercise any of these rights, email forgeverse@entertheforge.cowith the subject line “Data Request”. We will respond within 30 days.
8. Children
The Forge is intended for users 18 years and older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us their data, please contact us and we will delete it.
9. Cookies and Local Storage
We use essential cookies and browser local storage for: authentication session (required to keep you logged in), region detection (to show INR vs USD pricing), and shopping cart state. We do not use third-party advertising cookies or cross-site tracking.
10. International Transfers
Some of our processors (Supabase, Resend, Anthropic, Vercel) operate outside India. These transfers are made under appropriate safeguards as permitted under the DPDP Act, including standard contractual clauses where required.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified by email at least 7 days before they take effect. The “Last updated” date at the top of this page indicates when the latest version was published.
12. Grievance Officer
For any concerns, complaints, or grievances related to your personal data, you may contact our designated Grievance Officer at:
Email: forgeverse@entertheforge.co
Subject line: “Grievance — DPDP”
We will acknowledge within 7 days and resolve within 30 days, in line with DPDP Act requirements.
