ForgeCrew — Privacy Policy
Last updated: 21 June 2026
This Privacy Policy explains how BuildForgeHQ ("BuildForgeHQ", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you use the ForgeCrew mobile application and any related services (together, the "Services").
BuildForgeHQ is the data controller for the personal information described in this policy. We are based in the United Kingdom, and we process personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you do not agree with this policy, please do not use the Services. If you have any questions, contact us at privacy@buildforgehq.com.
Summary of key points
- What we collect. Account details (email and password), your profile (display name, optional rota-match name, home city, optional avatar), the planning data you create (tasks, availability, crews, plans, votes, crew messages, join requests), your approximate location when you ask for nearby events, and limited technical and crash-diagnostic data.
- What we do not collect. We do not collect biometric data, we do not access your phone's contacts, we do not sell your personal data, and we show no advertising.
- Where it lives. Scanned rotas, posters and PDFs and your recommendation preferences stay on your device. When you sign in, your account and planning data are stored in our private cloud database (Supabase) under owner-only access rules.
- Who we share with. Only the service providers needed to run the app (cloud hosting, event listings, scan extraction, crash reporting) and the crew members you choose to plan with. Each is described below.
- Your rights. You can access, correct, export, or delete your data, withdraw consent, and complain to the UK Information Commissioner's Office (ICO).
- Events. Event listings come from third parties. We do not organise, vet, or guarantee any event — see "Events and third-party listings".
1. Who we are and how to contact us
BuildForgeHQ operates ForgeCrew. For any privacy matter — including requests to access, correct, or delete your data — contact:
- Email: privacy@buildforgehq.com
We will respond to data-rights requests within one month, as required by the UK GDPR.
2. What information we collect
2.1 Information you give us
- Account information. Your email address and password when you create an account. Passwords are handled by our authentication provider (Supabase) and stored only in hashed form; we never see your plain-text password.
- Profile information. Your display name, an optional "rota-match name" (used to find your shifts on a scanned rota), your home city, and an optional profile picture (avatar) you select or upload.
- Planning data. Tasks and events you create (titles, descriptions, dates, times, categories, priorities, reminders), availability blocks, and the "scouts"/contacts you add inside the app to plan around (a name and a colour label — this is data you type, not your phone's address book).
- Crew data. Crews you create or join (crew name, description, vibe, type, invite code, emblem), your membership and role, the availability you publish to a crew (including any short notes), plans, your votes on plans, messages you send in crew chat, and join requests.
2.2 Information from your scans
- Scanned imports. When you scan a work rota, poster, or PDF, the app extracts dates and times from it. The raw image or document stays on your device and is not stored on our servers. If you use cloud-assisted extraction, only the image or text needed to read the schedule is sent to our scan provider for processing (see section 4).
2.3 Information collected automatically
- Approximate location. When you ask the app to show nearby events, we use your device location or your home city to search for events near you. Location is used at the time of the request and is not stored on our servers as a location history.
- Technical and usage data. Basic device and app information (such as app version, device type, and operating system) needed to operate the Services and diagnose problems.
- Crash diagnostics. If the app encounters an error, we collect a diagnostic report through our error-monitoring provider (Sentry) to fix bugs. These reports are configured to exclude personal identifiers, and any session replay is masked so your planner and crew content is not captured.
- Usage analytics (only if you opt in). If you accept the analytics prompt, we use Google Firebase Analytics (Google Analytics for Firebase) to collect anonymous usage data — such as which screens you view, which features you use, app version, and device type — to understand how the app is used and improve it. Analytics is off by default and only starts after you opt in. You can turn it off at any time in Settings → Share usage analytics. We do not use it for advertising and do not sell this data.
2.4 What we do not collect
- We do not collect biometric data. The optional biometric lock uses your phone's own security prompt; the app only receives a "pass/fail" result and never receives or stores your fingerprint or face data.
- We do not read your phone's contacts/address book.
- We do not use advertising cookies or trackers, and we do not sell your personal data.
3. How we use your information and our lawful bases
Under the UK GDPR we must have a lawful basis for each use of your personal information. We rely on the following:
| What we do | Why | Lawful basis |
|---|---|---|
| Create and secure your account; sync your data across devices | To provide the core service you signed up for | Contract |
| Store and display your tasks, availability, crews, plans, votes and messages | To let you and your crew coordinate | Contract |
| Extract dates/times from scans you choose to upload | To deliver the scan feature you requested | Contract |
| Show events near you when you ask | To deliver the discovery feature you requested | Consent (location permission) and legitimate interests |
| Diagnose crashes and improve reliability and security | To keep the app working and safe | Legitimate interests |
| Measure feature usage with Firebase Analytics (only if you opt in) | To understand usage and improve the app | Consent (you can withdraw it in Settings) |
| Tailor event suggestions using on-device interest weights | To make suggestions more useful (this happens on your device) | Legitimate interests |
| Respond to your support and data-rights requests | To help you and meet our legal duties | Legal obligation / Contract |
| Report illegal activity where the law requires | Compliance | Legal obligation |
Where we rely on consent (for example, device location or notifications), you can withdraw it at any time in your device settings, without affecting processing carried out before withdrawal.
4. Who we share your information with
We share personal information only with the service providers ("processors") that help us run ForgeCrew, and with the crew members you choose to plan with. We do not sell your data or share it for advertising.
4.1 Other users (crew members)
When you join or create a crew, other members of that crew can see your display name, avatar, the availability you publish, your plans and votes, and the messages you post in crew chat. Only share what you are comfortable with your crew seeing. Crew owners can remove members at any time.
4.2 Service providers
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication and cloud database hosting | Account, profile, and planning data |
| Railway | Hosting our backend service | Requests routed through our server (e.g. scan and event lookups) |
| Google (Gemini API) | Cloud-assisted extraction of dates/times from scans | The scan image or text you submit |
| OpenAI | Alternative scan-extraction provider | The scan image or text you submit |
| Ticketmaster Discovery | Event listings | Your search city/date and approximate location |
| Skiddle | Festival and gig listings | Your approximate location and date |
| Eventbrite | Local event listings | Your approximate location and date |
| Sentry | Crash and error monitoring | Diagnostic data with personal identifiers excluded and content masked |
| Google (Firebase Analytics) | Usage analytics, only if you opt in | Anonymous usage events, screen names, app version, device type |
Each provider processes data on our instructions under a data-processing agreement. We share only the minimum needed for that provider's function.
4.3 Legal and safety
We may disclose information if required by law, to comply with legal process, or to protect the rights, safety, or property of our users, the public, or BuildForgeHQ.
5. International data transfers
Some of our providers (for example, OpenAI, Ticketmaster, Eventbrite, and elements of Google and Railway) are based in or process data in the United States or other countries outside the UK. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or UK adequacy regulations. You can ask us for more detail at privacy@buildforgehq.com.
6. How long we keep your information
- Account, profile and planning data: kept while your account is active. When you delete your account, your cloud planning data — including crews you own, your availability, plans and votes — is deleted.
- Crew messages: retained for the crew while it exists; deleting a crew deletes its messages, plans, requests, and membership records.
- On-device data (scans, preferences, interest weights): stays on your device until you clear the app's data or uninstall it.
- Crash diagnostics: retained for a limited period by our error-monitoring provider, then deleted on a rolling basis.
- Rate-limit / security logs: kept briefly to protect the service from abuse.
7. How we keep your information safe
- Your cloud data is protected by row-level security rules so that, by default, only you (and crew members for data you publish to a crew) can access it.
- Data is encrypted in transit (HTTPS/TLS).
- Passwords are hashed by our authentication provider; we never store plain-text passwords.
- Crash reports exclude personal identifiers and mask content.
- Provider API keys are held on our server and are never embedded in the app.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we take reasonable technical and organisational measures to protect your information.
8. Children
ForgeCrew is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@buildforgehq.com and we will delete it.
9. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Data portability — receive your data in a usable format;
- Withdraw consent at any time where we rely on consent;
- Complain to a regulator.
You can exercise many of these directly in the app: edit your profile and planning data at any time, and delete your account to remove your cloud data. For any other request, email privacy@buildforgehq.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk or 0303 123 1113. We'd appreciate the chance to address your concerns first.
10. Do-Not-Track
The app does not respond to browser "Do-Not-Track" signals, because it does not track you across third-party websites or services for advertising.
11. Events and third-party listings
Event listings shown in ForgeCrew (including in "Suggested") are provided by third parties such as Ticketmaster, Skiddle, and Eventbrite. BuildForgeHQ does not organise, host, endorse, vet, or guarantee any event, and is not responsible for the accuracy, availability, pricing, safety, cancellation, or conduct of any event or its organiser. Any ticket purchase or booking is a transaction between you and the event provider, under that provider's own terms. Your attendance at and interactions with any event are at your own risk. Please see our Terms of Service for the full disclaimer.
12. Changes to this policy
We may update this policy from time to time. When we do, we will change the "Last updated" date above and, where appropriate, notify you in the app. Continued use of the Services after an update means you accept the revised policy.
13. Contact
Questions, concerns, or data-rights requests:
BuildForgeHQ — privacy@buildforgehq.com
This document explains our actual data practices in plain language. It is provided for transparency and is not legal advice; for a regulated launch you should have it reviewed by a qualified data-protection professional.