This Privacy Policy explains how Crimson Forge, Inc. ("Crimson Forge," "we," "us," or "our") collects, uses, stores, shares, and protects information across our products:
Collectively these are the "Services." This Policy applies to all of them. Where a practice is specific to one product, we say so.
This Privacy Policy is incorporated by reference into our Terms of Service. By using the Services, you agree to both documents.
| Data Type | What It Is & Why We Collect It |
|---|---|
| Account Information | Name, email address, password (hashed — never stored in plaintext), and role. Required to create and manage your account. |
| Shop Profile (CFP, ForgePilot) | Shop name, address, phone number, bay count, and business details. Required to configure your shop environment and assign permissions. |
| Repair Orders & Tickets (CFP) | Vehicle information, customer names, repair descriptions, technician notes, labor entries, parts, photos, and attachments. The core operational data of CFP. |
| Diagnostic Sessions (ForgePilot) | VIN, year/make/model/engine, DTCs investigated, live PID data streamed from connected scanners, chat messages with Forge Assist, and any files (images, scanner screenshots, PDFs) you attach to a session. |
| Customer Records (CFP, ForgePulse) | Vehicle owner names, contact information, and vehicle history. In CFP, entered by your shop; in ForgePulse, entered by the vehicle owner. Belongs to the entering party. |
| Vehicle Data | VIN numbers, year/make/model, mileage, service history, and DTC codes. Used to power AI diagnostic tools and maintain repair history. |
| Payment Information | Billing details processed through our PCI-compliant payment processor (Stripe). Crimson Forge does not store full credit card numbers. |
| Communications | Emails, support requests, and feedback you send to legal@crimsonforge.pro or any other Crimson Forge inbox. Used to respond to your inquiries and improve the Services. |
When you use the Services, we automatically collect:
We do not use advertising cookies or third-party tracking pixels. We do not use Google Analytics, Facebook Pixel, or similar behavioral tracking services. The Services do not track you across other websites.
If you use ForgePilot's OBD2 scanner integration, ForgePilot may receive live vehicle data including diagnostic trouble codes (DTCs), freeze frame data, live sensor readings, and vehicle identification data via Bluetooth from a compatible scanner (e.g., OBDLink MX+). The scanner is a passthrough device — Crimson Forge does not receive any data from the scanner manufacturer. Data flows scanner → your device → ForgePilot servers and is saved to your diagnostic session.
By transmitting OBD2 data through the Services, you represent that you have obtained the vehicle owner's consent as required by applicable law.
MOTOR Information Systems licenses repair procedures, torque specs, DTC definitions, and diagnostic flowcharts to ForgePilot (and, in the future, CFP). When you look up a vehicle, DTC, or procedure, your query is sent to MOTOR's API and the response is displayed. We do not transmit your personal information to MOTOR.
CARFAX (CFP Pro and Elite tiers) — VIN sent per-query to retrieve vehicle history. No customer or personal data is sent.
QuickBooks Online (Intuit) (CFP Pro and Elite tiers, if connected) — if you connect QuickBooks, we receive an OAuth token and access only the financial data scopes you authorize. See Section 5.5.
| Purpose | Details |
|---|---|
| Providing the Services | Processing repair orders, running AI diagnostic tools, enabling technician messaging, generating reports, hosting your diagnostic sessions, and all core functionality. |
| Account Management | Creating and managing your account, authenticating logins, and managing subscription and billing. |
| AI Processing (Forge Assist) | Sending your chat messages, attached files, and diagnostic context to our AI provider (Anthropic) per-request to generate responses. Anthropic does not retain or train on this data per their commercial API terms. |
| AI Improvement | Anonymized, aggregated, de-identified repair data may be used to train and improve our own AI models. No identifiable shop, customer, or vehicle owner data is included. See Section 4. |
| Service Improvement | Anonymized usage patterns and error data used to fix bugs, improve performance, and develop new features. |
| Customer Support | Responding to support requests, investigating issues, and communicating Service updates. |
| Legal & Security | Detecting fraud, preventing abuse, enforcing our Terms of Service, and complying with applicable law. |
| Billing | Processing subscription payments and sending billing-related communications. |
All data you enter into the Services — including diagnostic sessions, chat messages, attached files, customer records, repair orders, vehicle histories, DTC codes, technician notes, parts records, photos, and any other content ("Your Content") — is and remains your exclusive property (or the property of your shop or organization, as applicable). Crimson Forge makes no ownership claim over Your Content.
You grant Crimson Forge a limited, non-exclusive, worldwide, royalty-free license to access, host, store, process, and transmit Your Content solely as necessary to provide the Services to you. This license ends when you close your account and Your Content is deleted per Section 7.
Data in CFP and ForgePilot is segregated per shop and per user using Supabase row-level security (RLS). Shops cannot access each other's data. Within a shop, technicians can only access their own sessions; owners and advisors can read shop-mates' work as needed for supervision. This isolation is enforced at the database layer, not just in application logic.
Crimson Forge may use aggregated, anonymized repair data to train and improve our own AI diagnostic models, build internal repair databases, and develop industry benchmarks.
Before any repair data is used for our AI training, it is processed to remove all identifiers and aggregated across multiple shops such that no individual shop, customer, or vehicle owner can be identified from the resulting dataset.
The Forge Assist chat feature and other AI-powered features send your messages, attached files, and relevant diagnostic context (VIN, DTCs, vehicle data, MOTOR procedure references) to our AI provider, Anthropic, on a per-request basis. Anthropic processes this only to generate the AI response. Per Anthropic's commercial API terms, your inputs are not used to train Anthropic's models.
If you do not want your anonymized repair data used for our AI training, you may opt out by contacting legal@crimsonforge.pro. Opting out does not affect your ability to use the Services or the AI diagnostic features within them.
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database, Auth, Storage | All data, user credentials (hashed), files — SOC 2 compliant, US-based |
| Railway | Backend hosting | API traffic, server logs — containerized, isolated deployments |
| Anthropic | AI API for Forge Assist and AI features | Chat messages, attached files, vehicle context sent per-request. No retention or training per Anthropic's commercial API terms. |
| MOTOR Information Systems | Licensed diagnostic data (ForgePilot) | Vehicle and DTC queries only. No customer or personal data transmitted. |
| Resend | Transactional email | Email address and message content for account, billing, and service emails |
| Sentry | Crash and error tracking | Crash reports, device identifiers, scrubbed context. No personal data intentionally collected. |
| Stripe | Payment processing for subscriptions | Payment card data processed under PCI-DSS. Crimson Forge never sees full card numbers. |
| Twilio | SMS communications (CFP only) | Customer phone number and message content for shop-to-customer SMS only. Used only when your shop initiates a customer update. |
| QuickBooks Online (Intuit) | Accounting integration (CFP Pro & Elite, if connected) | Invoice data, customer records, payment status — only when explicitly connected by you. Limited to invoice/payment sync scopes. See Section 5.5. |
| CARFAX | Vehicle history (CFP Pro & Elite) | VIN transmitted per-query. No customer data transmitted. |
| Apple, Google | Mobile app distribution and authentication | Required identifiers per platform policies. Used for app delivery and crash reporting only. |
Crimson Forge does not sell, rent, lease, or transfer your identifiable data to any third party for any commercial purpose. This commitment survives termination of your account.
We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect the rights or safety of Crimson Forge or our users, or detect, prevent, or address fraud or security issues.
If Crimson Forge is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you via email at least 30 days before your data is transferred and subject to a different privacy policy, with an option to delete your data before the transfer.
If you connect your QuickBooks Online account (available on CFP Pro and Elite subscription tiers), Crimson Forge accesses your QuickBooks account solely for the following purposes:
Crimson Forge does not access, read, store, or transmit your QuickBooks payroll data, banking or financial account information, tax records, profit and loss reports, or any data outside the invoice and payment sync scope described above.
The QuickBooks connection is optional and entirely initiated by you through Shop Settings. You may disconnect at any time without affecting your CFP data or subscription. QuickBooks data accessed through this integration is processed in real-time pursuant to your authorization and is governed by Intuit's Privacy Statement and QuickBooks Terms of Service.
Crimson Forge staff access user data only when necessary for support, security, debugging, or legal compliance. We do not browse your customer records, repair histories, or chat sessions for any commercial or personal purpose.
No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee that unauthorized third parties will never be able to defeat our security measures. In the event of a data breach, we will notify affected users as required by applicable law.
Your data is retained for as long as your account is active. You can access, export, or request deletion of your data at any time.
When you cancel, your data remains accessible for 60 days so you can export it. After 60 days, your data is permanently deleted from our production databases. We do not charge exit fees or hold your data hostage.
You may request immediate permanent deletion of all your data at any time by contacting legal@crimsonforge.pro. Permanent deletion is irreversible. We will confirm deletion within 10 business days.
You may delete an individual diagnostic session (ForgePilot) or ticket (CFP) at any time within the app, which permanently removes its content and any attached files within 30 days.
Anonymized, de-identified repair data that has already been incorporated into AI model training cannot be individually removed, as it exists only as part of a statistical aggregate with no connection to your account or any identifiable record.
We may retain limited information longer where required by law — for example, financial records for up to 7 years for tax and audit purposes, or fraud-investigation records as required by applicable law.
| Right | What It Means & How to Exercise It |
|---|---|
| Access | Request a copy of all personal data we hold about you. We will provide it within 30 business days at no charge. |
| Correction | Request correction of inaccurate or incomplete personal information. Most data can be corrected directly within the apps. |
| Deletion | Request permanent deletion of your account and all associated data. See Section 7.3. |
| Portability | Request a machine-readable export of your data (JSON or CSV). Contact legal@crimsonforge.pro. |
| Opt-Out of AI Training | Opt out of having your anonymized repair data used in our AI model training. Contact legal@crimsonforge.pro. |
| Withdrawal of Consent | You can revoke consent to optional processing at any time. |
| Complaint | Lodge a complaint with your applicable data protection authority if you believe we have handled your data unlawfully. |
To exercise any of these rights, contact us at legal@crimsonforge.pro with the subject line "Privacy Request." We will respond within 30 business days. We will not retaliate against you for exercising your rights.
In the preceding 12 months, Crimson Forge has collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address); commercial information (subscription and billing records); internet activity (usage logs, error reports); and professional information (shop name, role, repair records).
Crimson Forge does not sell or share personal information as defined under the CCPA/CPRA. You may contact us at legal@crimsonforge.pro to confirm this in writing or to exercise your rights to know, delete, correct, or limit use of sensitive personal information.
We will not discriminate against you for exercising your CCPA rights. Exercising your rights will not result in denial of service, different prices or rates, or a different level of service quality.
If you reside in a state with a comprehensive consumer privacy law, you have substantially similar rights to those described above. Contact legal@crimsonforge.pro to exercise them. We will respond within the timeframe required by your state's law.
The Services are hosted in the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the United States, which may have data-protection laws different from your home country. By using the Services, you consent to this transfer.
If you are in the EU, UK, or another jurisdiction with comprehensive privacy laws (e.g., GDPR), you have additional rights including access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint with a supervisory authority. Contact legal@crimsonforge.pro to exercise them.
The Services are designed for use by automotive professionals (ForgePilot, CFP) and adult vehicle owners (ForgePulse). They are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at legal@crimsonforge.pro and we will delete it promptly.
The Services use a minimal set of cookies and local storage for platform functionality only:
We do not use advertising cookies, third-party tracking pixels, Google Analytics, Facebook Pixel, or any behavioral advertising technology. The Services do not track you across other websites.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by in-app notification, email at your account address, or both, and update the "Last Updated" date at the top of this page. We will provide at least 30 days' notice before material changes take effect. Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy. For material changes, we may also require you to re-accept the updated Policy on next login.
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
Crimson Forge, Inc.
Privacy & data rights: legal@crimsonforge.pro
Security incidents: security@crimsonforge.pro
Billing inquiries: billing@crimsonforge.pro
General inquiries: Admin@crimsonforge.pro
Mail: Crimson Forge, Inc., 2301 E. Pikes Peak Ave., Suite 325, Colorado Springs, CO 80910
For data-rights requests, please use subject line "Privacy Request." We will respond within 30 business days.