Last updated: 2026-05-13
Plain-English summary: We collect what we need to run the service, store it securely, and never sell it. We share data only with the processors required to make ContactForge work (Stripe for billing, Cloudflare for hosting, your email provider for inbox sync). You can export or delete your data at any time.
To create your account: name, email, password (hashed with argon2id), country. To process subscription payments: billing details (last four card digits, expiry, billing address) held by Stripe, not us. To run the service: every contact, company, deal, activity, task, note, message and document you create or receive through ContactForge.
Automatically collected: IP address, browser user agent, pages visited, timestamps. Used for security (rate limiting, fraud detection) and product analytics (which pages get used). Retained for 90 days unless tied to a specific audit-log event.
To run the service. To send you important account, security, and billing notifications. To offer support when you ask. To compute aggregate product analytics — never identifying you to other users.
We do not: sell your data, use it to train AI models, share your contact lists with third parties, or run advertising trackers inside the dashboard.
We do not have advertising partners. We do not run trackers from Facebook, Google Ads, or LinkedIn on the dashboard.
Primary database: US-East (Virginia), AWS RDS. Files: Cloudflare R2 with global edge cache. Backups: AWS S3 in a separate region, encrypted at rest. We're working on EU residency for European customers; contact privacy\.com if this is required for your business.
Active account: as long as your account exists. Cancelled account: 90-day grace period for export, then purged. Transactional records (invoices, tax filings): 7 years per US tax law. Aggregated, anonymized analytics: indefinite (no longer tied to you).
You can: export all your data (Settings → Data export), delete your account and trigger purge, opt out of pooled-data analytics, request a copy of every audit-log entry tied to your account. EU/UK users have additional GDPR rights (access, rectification, erasure, portability, restriction, objection) — email privacy\.com to exercise them.
Encryption in transit (TLS 1.3) and at rest (AES-256). Password hashing with argon2id. Optional 2FA (TOTP). Audit log on every admin action. Role-based access on team accounts. Regular penetration testing. SOC 2 Type II audit underway for 2026.
We use first-party session cookies to keep you signed in, remember your sidebar-collapsed preference, and prevent cross-site request forgery. We don't run third-party advertising cookies. The contact-facing dashboard pages use a small cookie to attribute A/B-test bucketing — this is cleared when the test ends.
ContactForge is not for users under 16. If you believe a child has created an account, email privacy\.com and we'll investigate within 7 days.
Privacy questions, data requests, GDPR requests: privacy\.com. Security disclosures: security\.com.
This Privacy Policy is a starting template. Before going live with paid customers (especially in the EU/UK), have it reviewed by a privacy attorney.