Legal

Privacy Policy

Version 1.1 · Effective June 25, 2026 · Operator: Forge and Boom LLC (Tennessee)

Effective date: June 25, 2026
Version: 1.1
Operator: Forge and Boom LLC, a Tennessee limited liability company ("we," "us," "our," "Company")
Principal office: 116 Agnes Rd Ste 200, Knoxville, TN 37919
Registered agent (Tennessee): Northwest Registered Agent Inc., 116 Agnes Rd Ste 200, Knoxville, TN 37919
Contact: chase@forgeandboom.com


1. About this Policy

This Privacy Policy describes how Forge and Boom LLC collects, uses, discloses, and protects information when you visit forgeandboom.com or use the design tool, account features, sharing features, and support flows made available through it (collectively, the "Service"). By using the Service, you agree to the practices described here. If you do not agree, do not use the Service.

This Policy is governed by Tennessee law and applies to U.S. residents only. The Service is not directed to, or intended for use by, residents of any other jurisdiction.

2. The short version

  • You can use the design tool without an account. Anonymous use stores everything in your browser, on your machine. We do not see it.
  • You can create an account with just an email address. We send you a one-time sign-in link. We do not ask for a password.
  • Once you sign in, your saved racks are stored on our servers so you can access them from any device.
  • We use analytics (Google Analytics and Microsoft Clarity) to understand how the site is used so we can improve it — but only if you accept cookies in the banner shown on your first visit. You can decline, and everything still works.
  • If you ask for product news through the "Get Updates on Racks" form, we'll email you occasional updates. You can unsubscribe any time.
  • We share your data only with the service providers that run the Service (database, email, hosting, analytics, payments). We never sell your data and we do not run ads.
  • You can delete your racks at any time. You can ask us to delete your account or remove you from updates by emailing chase@forgeandboom.com.

The rest of this document is the detailed version.

3. Information we collect

3.1 Information you give us

Email address. When you sign in, we collect the email address you use to receive the one-time sign-in link. This is the only identifier we use to recognize you across sessions and devices.

Rack designs. When you create or edit a rack while signed in, we store the rack's name, dimensions, per-tube angles, fuse sequences, and your associated preferences (e.g., timing-aligned spacing, American Flag color pattern). These are linked to your account.

Share tokens. If you choose to share a rack, we generate a random share token associated with that specific rack. Anyone with the token's URL can view a read-only copy of the rack. You can revoke a share token at any time from the share dialog.

Contact-form messages. If you submit a message through the /contact page, we store the message text, your email (if provided), and the timestamp.

Rack-updates signups. If you submit the "Get Updates on Racks" form, we store your email address, which rack option you said you're interested in, any optional feedback you write, and the timestamp. We use this to gauge interest and to email you product updates. You can unsubscribe or ask us to delete this any time.

Founders Club / Season Pass entitlements. When you claim a Founders Club free pass or purchase a Season Pass, we record the entitlement (pass type, granted-via flag, granted timestamp) linked to your account. We do not store payment-card details. Payment processing is handled by Stripe, Inc.; see Section 4.

3.2 Information collected automatically

Server access logs. Our hosting provider (Vercel) records standard HTTP access logs that include your IP address, request timestamp, requested URL, user-agent string, and HTTP response code. We use these logs only for security, abuse prevention, and operational debugging. We retain them for the period set by Vercel (typically 30 days).

Authentication telemetry. Supabase, the backend that hosts our database and authentication, records minimal metadata about each sign-in event (timestamp, IP address, user-agent). We use this metadata only to operate the authentication system and to investigate suspected account-security issues.

Analytics (only with your consent). If you accept cookies in the consent banner, we use Google Analytics 4 and Microsoft Clarity to understand how the Service is used. These tools collect usage information such as the pages and features you interact with, clicks and scrolls, approximate location derived from your IP address, and device/browser type. Microsoft Clarity also records anonymized session replays and heatmaps (it masks text you type by default). We use this only to improve the Service. If you decline in the banner, these tools do not load and this data is not collected. (We exclude our own devices from analytics.)

Local browser storage. The Service uses your browser's localStorage to remember your preferences (e.g., audio preferences, printer dimensions, custom prices, the active rack ID, the local mirror of cloud-saved racks, and your cookie-consent choice). This information stays on your device. We do not read it from our servers. You can clear it through your browser's developer tools or by clearing site data.

3.3 What we do not collect

We do not collect your real name, postal address, phone number, or government identifiers (beyond what you may choose to write in a contact-form or updates message); payment-card details (handled by Stripe); geolocation beyond what your IP address loosely implies; or audio/video from your device.

We do not use third-party advertising networks or social-media ad trackers, we do not sell your data to data brokers, and we do not track you across other companies' websites for advertising. The analytics described in Section 3.2 are first-party measurement tools used only to improve our own Service, and only with your consent.

4. Service providers we use

The Service relies on a small number of third-party providers to operate. We share only the data each provider needs for its function:

  • Supabase — Database (Postgres) + authentication. We share: email, racks, share tokens, entitlements, contact messages, updates signups. Policy: supabase.com/privacy.
  • Resend — Transactional + update email. We share: recipient email, message body. Policy: resend.com/legal/privacy-policy.
  • Vercel — Web hosting, CDN, edge runtime. We share: IP addresses + request metadata for access logs. Policy: vercel.com/legal/privacy-policy.
  • Google LLC — Google Analytics 4 (usage analytics), only with your consent. We share: usage events, approximate location, device/browser. Policy: policies.google.com/privacy.
  • Microsoft Corporation — Microsoft Clarity (heatmaps + session replay), only with your consent. We share: usage events, anonymized session replay. Policy: privacy.microsoft.com.
  • Cloudflare / Route 53 — DNS resolution. We share: public DNS query metadata only.
  • Stripe (when paid launch goes live) — Payment processing for Season Pass purchases. We share: email, purchase amount, Stripe-issued customer/payment identifiers. Policy: stripe.com/privacy.

We use each provider under their standard data-processing terms. We do not authorize any provider to use your data for advertising, profiling, or any purpose beyond running and improving the Service. We do not enable Google Analytics advertising features or Google Signals.

5. How we use information

We use the information described in Section 3 for the following purposes:

(a) Operating the Service. Letting you sign in; saving your racks; rendering shared racks via your share tokens; granting paid features once you have an entitlement; delivering contact-form notifications to the operator.

(b) Supporting you. Replying to messages you send us; investigating issues you report; restoring lost data when feasible.

(c) Securing the Service. Detecting and responding to abuse, fraud, unauthorized access, and security incidents.

(d) Compliance. Meeting legal obligations applicable to the Service, including responding to lawful requests from courts and government authorities.

(e) Communicating about the Service. Sending you transactional emails directly related to your account or your use of the Service (sign-in links, contact-form replies). If you opt in through the "Get Updates on Racks" form, we also send occasional product-update emails. Every update email includes an unsubscribe link, and you can ask us to remove you at any time by emailing chase@forgeandboom.com.

(f) Improving the Service. If you consent to analytics, understanding which pages and features people use so we can make the Service better.

We do not use your data to train any machine-learning model.

6. Cookies and local storage

The Service uses the following categories of in-browser storage:

Authentication session token. When you sign in, Supabase stores a session token in your browser so subsequent requests recognize you. This is a functional cookie. You cannot disable it and still remain signed in. Clearing site data signs you out.

Local preferences (localStorage). As described in Section 3.2, we use your browser's localStorage to remember preferences, your locally-cached racks, and your cookie-consent choice. This data never leaves your device unless you explicitly choose to save a rack to the cloud (which requires you to be signed in).

Analytics cookies (consent-based). On your first visit, we show a consent banner. If you click Accept, Google Analytics 4 and Microsoft Clarity set cookies/identifiers to measure usage as described in Section 3.2. If you click Decline, these tools do not load and no analytics cookies are set. We remember your choice so we don't ask again; you can change it by clearing site data. We do not embed third-party advertising pixels.

7. Sharing of information

We share information only as described in Section 4 (service providers). We do not sell your information, rent it, or share it for cross-context behavioral advertising. We do not share it with data brokers.

We may disclose information when required to comply with a subpoena, court order, or other lawful request from a government authority; to investigate suspected fraud, abuse, or violation of the Terms of Service; or to protect the rights, property, or safety of the Company, our users, or any other person. Where the law permits, we will attempt to notify you of any such request before disclosing.

If the Company is acquired, merged, or its assets transferred, the information described in this Policy may be transferred to the successor entity, subject to that entity's continued obligation to honor this Policy (or to notify you of any changes and offer you the chance to delete your data first).

8. Children

The Service is not directed to, or intended for use by, children under eighteen (18) years of age. You may not use the Service or provide any information to us if you are under 18. We do not knowingly collect information from children under 18. If you believe a child has provided us with their information, please contact us at chase@forgeandboom.com and we will delete it promptly.

9. Data retention

We retain information for as long as your account is active or as needed to provide the Service. Specifically:

  • Email + account. Retained until you ask us to delete your account.
  • Racks. When you delete a rack from within the Service, it is soft-deleted (marked with a deleted_at timestamp) for up to thirty (30) days to allow accidental-deletion recovery. After that window, the row is purged. Anonymous racks (stored in your browser only) are not retained by us at all — they live and die with your browser's local storage.
  • Share tokens. Retained while the rack exists. Revoking a token deletes the token immediately.
  • Contact-form messages. Retained until they have served their support purpose, typically up to twelve (12) months.
  • Rack-updates signups. Retained until you unsubscribe or ask us to delete them.
  • Analytics data. Retained per the analytics providers' defaults (Google Analytics and Microsoft Clarity), typically up to fourteen (14) months for Google Analytics.
  • Server access logs. Retained per Vercel's retention defaults (typically 30 days).
  • Founders Club / Season Pass entitlement records. Retained for the duration of the entitlement plus seven (7) years for tax-record purposes.

10. Your rights

Regardless of where you live in the United States, you may at any time:

(a) Access the data we hold about you by emailing chase@forgeandboom.com from the email address on your account. We will respond within thirty (30) days with a copy of your account record and any racks, entitlements, contact-form messages, and updates signups associated with it.

(b) Correct inaccurate data by editing it in the Service (rack names, fan angles, sequences, etc.) or by emailing the correction to the same address.

(c) Delete racks individually from within the Service, or request full account deletion by emailing the same address. Full account deletion includes the email, all racks, share tokens, and entitlements associated with the account.

(d) Opt out of analytics by clicking "Decline" in the consent banner (or clearing site data to be re-asked), and unsubscribe from update emails using the link in any such email or by emailing us.

If you are a California resident, you have the rights described in the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), including the right to know the categories and specific pieces of personal information we collect, the categories of sources, the business or commercial purpose, and the categories of third parties with which we share it; the right to delete; the right to correct; and the right to limit the use of sensitive personal information. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA (we do not enable advertising features in our analytics), and we do not use sensitive personal information for any purpose other than operating the Service. To exercise these rights, contact us at the email above.

11. Security

We take reasonable technical and organizational measures to protect your information:

  • All traffic between your browser and our servers is encrypted in transit with HTTPS (TLS 1.2 or higher).
  • Database access is protected by Row-Level Security (RLS) policies enforced at the database layer: you can only read or write rows that belong to your account (or, in the case of share tokens, rows explicitly marked as shareable).
  • Authentication uses one-time sign-in links delivered to your email; we never store, transmit, or possess your password (we don't have one).
  • Payment-card details are handled directly by Stripe; they never pass through our systems.

No security system is impenetrable, and no transmission over the internet is fully secure. If we become aware of a security incident that affects your information, we will notify you in accordance with applicable law.

12. International transfers

Our servers and our service providers are located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different privacy protections than your home jurisdiction. By using the Service, you consent to this transfer.

As stated in our Terms of Service, the Service is offered solely to U.S. residents.

13. Do Not Track

Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no consensus on how DNT should be interpreted, the Service does not respond to DNT signals. In any case, we do not track you across other companies' websites for advertising, and our analytics run only if you accept the consent banner (see Sections 3.2 and 6).

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will update the version number and effective date above. Material changes will be announced in the Service before they take effect. Continuing to use the Service after the effective date of a change constitutes acceptance of the updated Policy.

A change is "material" if it expands the categories of information we collect, expands the purposes for which we use it, adds a new category of service-provider recipient, or weakens any right you have under this Policy.

15. Contact

If you have questions, requests, or complaints about this Policy or the Service's handling of your information, contact us at:

Forge and Boom LLC
116 Agnes Rd Ste 200
Knoxville, TN 37919
chase@forgeandboom.com