Privacy Policy

Last updated: April 2026

1. Who We Are

Bridge Forge is operated by Stephen Turner, based in the United Kingdom. We are the data controller for personal data collected through this Service. You can contact us at [email protected].

2. Data We Collect

We collect the following personal data when you use the Service:

  • Account data: email address, display name, profile picture
  • Authentication data: password hash (never stored in plain text), OAuth tokens from GitHub, Google, Discord, or Apple
  • Usage data: pages visited, game activity, anonymised analytics
  • Technical data: IP address (for security and rate limiting), browser type, device type

3. How We Use Your Data

We use your data to:

  • Provide and operate the Service
  • Authenticate you and keep your account secure
  • Send transactional emails (account verification, password reset)
  • Monitor and improve the Service
  • Comply with legal obligations

We do not sell your personal data to third parties.

4. Sign in with Apple

If you sign in using Apple, we receive only the information Apple chooses to share (typically your name and email address). We do not share this data with third parties without your consent. You may choose to hide your email address using Apple's private relay feature.

5. Third-Party Services

We use the following third-party services which may process your data:

  • Hetzner — server hosting (Germany, EU)
  • Resend — transactional email delivery
  • Sentry — error tracking (anonymised where possible)
  • Umami — privacy-first analytics (no cookies, no personal data)
  • Cloudflare — DDoS protection, bot detection (Turnstile), CDN
  • MinIO / S3 — file storage (profile pictures, documents)

6. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we remove your personal information (name, email, profile picture) within 30 days. Some anonymised data may be retained for analytical purposes.

7. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing of your data
  • Data portability

You can delete your account at any time from your account settings. For other requests, contact us at [email protected].

8. Cookies

We use only essential cookies required for authentication and security (session cookies, CSRF tokens). We do not use advertising or tracking cookies. No cookie consent banner is required.

9. Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords (Argon2), and access controls.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a notice on the Service.

11. Contact

For any privacy-related questions or requests, contact us at [email protected].