ForgeShift Advisory Inc.
Privacy Policy
Effective: 2026-05-27 · Corporation Number 1782757-1
1. Introduction
This Privacy Policy explains how ForgeShift Advisory Inc. ("ForgeShift," "we," "us," or "our") — a federal corporation incorporated under the laws of Canada (Corporation Number 1782757-1) — collects, uses, stores, and discloses information about you.
This Policy covers all ForgeShift properties, including:
- The main marketing website at forgeshiftadvisory.com
- The Forge Compass application at forgeshiftadvisory.com/compass
If you have questions about this Policy, please contact us at forgeshiftadvisory.com/#contact.
2. What Information We Collect
2.1 From the Main Marketing Site (forgeshiftadvisory.com)
The marketing site is a lead-generation site only. The only data we collect comes from the contact form (titled "Request a Discovery Call"), which asks for:
- Name
- Company name
- Email address
- Revenue range (selected from a preset list)
- A free-text description of your operational challenge
This form submission is delivered to us via Resend (a transactional email service) and sent to our inbox at [email protected]. The form data is not stored in any external database by this site. The main marketing site uses no analytics tools, no cookies, and no visitor tracking.
2.2 From Compass (forgeshiftadvisory.com/compass)
Compass collects more information in order to provide its diagnostic and document-generation services. This includes:
Free-text inputs you provide:
- Your problem statement (the operational challenge you describe)
- G1 maturity assessment answers — 17 scored questions across five dimensions (Data & Visibility, Technology & Systems, Process & Automation, People & Change Readiness, Strategy & Investment) plus three unscored context questions (company size, sector, country)
- Practice task answers
- Equipment confirmation rows
- Template input form fields (vary by template)
- Regeneration feedback (if you submit it)
Identity and delivery fields (when purchasing a paid Bundle):
- Email address (required for delivery)
- Name (optional)
- Recipient role (optional, for document personalization)
- Company name (optional)
Automatically collected data:
- Session cookie — one session cookie named
compass_session, HMAC-signed, with a 30-minute TTL. Used to associate your session data across requests. This cookie is strictly necessary for Compass to function. - Derived session ID — a one-way hash of the session cookie used as a join key across session data in our database. This is not a persistent identifier across sessions.
- Geolocation from edge headers — country, region, and city, derived from Vercel edge headers (with Cloudflare headers as a fallback). No GPS coordinates. No raw IP address is stored — your IP is processed as a salted SHA-256 hash only.
- UTM parameters and referrer — if you arrive at Compass from a link with UTM tags (e.g., from a campaign URL), those parameters are recorded.
- Tab visibility events — whether you switch away from and return to the Compass tab, for session quality analytics.
- Email domain inference — when you provide an email address, we extract the domain and infer the company name from it (for non-free-mail domains). This is stored alongside your session record.
2.3 Email Captures
When you provide an email address anywhere on our Services (contact form or Compass purchase), we store your email address, the email domain, and an inferred company name derived from the domain. This is used to respond to your inquiry, deliver your Bundle, and (where you have not opted out) for occasional follow-up communications related to ForgeShift services.
3. How We Use Your Information
We use the information we collect to:
- Provide the services you request — routing your problem, generating Bundles, and delivering documents;
- Process payments via Stripe;
- Deliver Bundles to your email address via Resend;
- Improve Compass through aggregated, fully de-identified learning (see Section 6 of our Terms of Service for details and opt-out instructions);
- Respond to inquiries submitted via the contact form;
- Comply with legal obligations and protect our rights; and
- Send occasional follow-up communications about ForgeShift services to people who have provided an email address, where permitted by applicable law. You may opt out at any time by emailing us.
We do not sell your personal information to third parties. We do not use your information for targeted advertising.
4. Sub-processors and Third Parties
We use the following third-party services to operate our platform. Each sub-processor receives only the data necessary to perform their function:
| Service | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Cloud database for all Compass session data, assessments, generations, and email captures. Data processing agreement in place. | United States |
| Vercel (Vercel Inc.) | Web hosting and edge function execution. Also supplies derived geo headers (country, region, city) from request metadata. | United States |
| Cloudflare | Fallback source for geo headers only (country, region, city). ForgeShift reads Cloudflare-supplied headers if present. | United States |
| Resend (Resend, Inc.) | Transactional email delivery — contact form submissions to our inbox and paid Bundle delivery to customers. | United States |
| Stripe (Stripe, Inc.) | Payment processing. PCI-DSS compliant. Stripe also calculates and collects applicable sales tax via Stripe Tax. Stripe's privacy policy governs payment data. | United States |
| Google (Gemini API) | AI generation of Bundle content — planned for a future release; not currently active. When activated, your problem statement and inputs will be processed by Google's API under Google's API terms. Until activated, all generation runs on ForgeShift's own self-hosted infrastructure. | United States (planned) |
| Google Fonts | Font files (Barlow, Barlow Condensed) loaded at runtime. Standard web font request — no personal data sent. | United States |
ForgeShift does not use any third-party analytics services (e.g., Google Analytics, Mixpanel, PostHog). All Compass analytics are first-party, stored in our own Supabase database.
The G1 maturity benchmarks cited in Compass outputs are drawn from the 2026 Advanced Manufacturing Outlook survey of 114 Canadian manufacturers. That benchmark data is not derived from Compass user submissions.
5. Data Retention
- Marketing contact form submissions — retained as long as the email exists in our inbox. No separate database storage on the marketing site.
- Compass session data (assessments, generations, visitor events) — retained for 12 months from the date of generation, then anonymized or purged.
- Email captures — retained until you request deletion or 24 months from capture, whichever comes first.
You may request deletion of your data at any time by emailing forgeshiftadvisory.com/#contact.
6. Your Rights (PIPEDA + Ontario)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law, you have the right to:
- Access — request a copy of the personal information we hold about you;
- Correction — request that we correct inaccurate or incomplete information;
- Deletion — request that we delete your personal information, subject to legal obligations;
- Withdrawal of consent — withdraw consent to our collection or use of your information at any time (noting that this may affect our ability to provide services to you);
- Opt out of aggregated learning — request that your session data not be used for de-identified model improvement (see Section 6.6 of our Terms of Service); and
- Complaint — lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
We will respond to verified rights requests within thirty (30) days of receipt.
To exercise any of these rights, contact us at forgeshiftadvisory.com/#contact.
7. EU and UK Residents (GDPR / UK GDPR)
ForgeShift's primary market is Canada and, secondarily, the United States. Our services are not specifically targeted at EU or UK residents. However, if you are located in the EU or UK and use our Services, the following applies:
You have the same rights as described in Section 6, plus the right to data portability and the right to object to processing. The Data Controller is ForgeShift Advisory Inc.
The lawful basis for processing your data is:
- Contract — for providing Compass services and delivering Bundles you have purchased;
- Legitimate interests — for first-party analytics and aggregated learning; and
- Consent — for marketing communications.
Your data may be transferred to and processed in the United States (by Supabase, Vercel, Resend, and Stripe). These transfers are conducted under the EU Standard Contractual Clauses (SCCs) framework or equivalent safeguards.
You may lodge a complaint with your local EU supervisory authority or, for UK residents, the Information Commissioner's Office (ICO) at ico.org.uk.
9. Children's Privacy
Our Services are intended for business users and are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. Continued use of the Services after a revision is posted constitutes your acceptance of the updated Policy.
For material changes, we will notify customers with active accounts by email before the change takes effect.
11. Contact Us
For privacy-related inquiries, requests to access or delete your data, or to exercise any rights described in this Policy:
- Website: forgeshiftadvisory.com/#contact
- Postal: ForgeShift Advisory Inc., 1830 Bloor Street West, Toronto, ON M6P 0A2, Canada
ForgeShift Advisory Inc.
Federal Corporation Number: 1782757-1
Registered Office: 1830 Bloor Street West, Toronto, ON M6P 0A2, Canada
Contact: forgeshiftadvisory.com/#contact
Effective: 2026-05-27