ForgeShift Advisory Inc.

Privacy Policy

Effective: 2026-06-02 · Corporation Number 1782757-1

1. Introduction

This Privacy Policy explains how ForgeShift Advisory Inc. ("ForgeShift," "we," "us," or "our") — a federal corporation incorporated under the laws of Canada (Corporation Number 1782757-1) — collects, uses, stores, and discloses information about you.

This Policy covers all ForgeShift properties, including:

If you have questions about this Policy, please contact us at forgeshiftadvisory.com/#contact.

2. What Information We Collect

2.1 From the Main Marketing Site (forgeshiftadvisory.com)

The marketing site is a lead-generation site only. The only data we collect comes from the contact form (titled "Request a Discovery Call"), which asks for:

  • Name
  • Company name
  • Email address
  • Revenue range (selected from a preset list)
  • A free-text description of your operational challenge

This form submission is delivered to us via Resend (a transactional email service) and sent to our inbox at [email protected]. The form data is not stored in any external database by this site. The main marketing site uses Cloudflare Web Analytics — a privacy-preserving, cookieless analytics service that measures aggregate page performance (Core Web Vitals) and visit counts without setting cookies, fingerprinting devices, or tracking you across sites. It uses no other analytics tools and sets no tracking cookies. If you arrive via a campaign-tagged link (a URL containing UTM parameters), we record those UTM tags, the landing-page path, and the referring site to measure which channels send us traffic — without cookies and without tracking you across other sites.

Our home page embeds a short marketing video using YouTube's privacy-enhanced mode (youtube-nocookie.com). Nothing from YouTube/Google loads until you click play; if you do, YouTube may then set cookies and process data under Google's privacy policy.

2.2 From Compass (forgeshiftadvisory.com/compass)

Compass collects more information in order to provide its diagnostic and document-generation services. This includes:

Free-text inputs you provide:

  • Your problem statement (the operational challenge you describe)
  • G1 maturity assessment answers — 17 scored questions across five dimensions (Data & Visibility, Technology & Systems, Process & Automation, People & Change Readiness, Strategy & Investment) plus three unscored context questions (company size, sector, country)
  • Practice task answers
  • Equipment confirmation rows
  • Template input form fields (vary by template)
  • Regeneration feedback (if you submit it)

Identity and delivery fields (when purchasing a paid Bundle):

  • Email address (required for delivery)
  • Name (optional)
  • Recipient role (optional, for document personalization)
  • Company name (optional)

Automatically collected data:

  • Session cookie — one session cookie named compass_session, HMAC-signed, with a 30-minute TTL. Used to associate your session data across requests. This cookie is strictly necessary for Compass to function.
  • Derived session ID — a one-way hash of the session cookie used as a join key across session data in our database. This is not a persistent identifier across sessions.
  • Geolocation from edge headers — country, region, and city, derived from Vercel edge headers (with Cloudflare headers as a fallback). No GPS coordinates. No raw IP address is stored — your IP is processed as a salted SHA-256 hash only.
  • UTM parameters and referrer — if you arrive at Compass from a link with UTM tags (e.g., from a campaign URL), those parameters are recorded.
  • Tab visibility events — whether you switch away from and return to the Compass tab, for session quality analytics.
  • Email domain inference — when you provide an email address, we extract the domain and infer the company name from it (for non-free-mail domains). This is stored alongside your session record.

2.3 Email Captures

When you provide an email address anywhere on our Services (contact form or Compass purchase), we store your email address, the email domain, and an inferred company name derived from the domain. This is used to respond to your inquiry, deliver your Bundle, and (where you have not opted out) for occasional follow-up communications related to ForgeShift services.

2.4 Insights Newsletter (forgeshiftadvisory.com/insights)

If you subscribe to the ForgeShift Insights briefings, we collect your email address and the briefing topics you select ("A Different Viewpoint: China" and/or "Factory Technology: IIoT"). This is stored as a contact in Resend, our email provider, and used only to send you a one-time welcome email and the recurring briefings you chose. We do not store newsletter subscribers in any other database, and the briefing emails carry no tracking or analytics. You can unsubscribe at any time via the link in any briefing or through our contact form.

3. How We Use Your Information

We use the information we collect to:

  • Provide the services you request — routing your problem, generating Bundles, and delivering documents;
  • Process payments via Stripe;
  • Deliver Bundles to your email address via Resend;
  • Send the ForgeShift Insights newsletter — the welcome email and the China / IIoT briefings you subscribed to — via Resend;
  • Improve Compass through aggregated, fully de-identified learning (see Section 6 of our Terms of Service for details and opt-out instructions);
  • Respond to inquiries submitted via the contact form;
  • Comply with legal obligations and protect our rights; and
  • Send occasional follow-up communications about ForgeShift services to people who have provided an email address, where permitted by applicable law. You may opt out at any time by emailing us.

We do not sell your personal information to third parties. We do not use your information for targeted advertising.

4. Sub-processors and Third Parties

We use the following third-party services to operate our platform. Each sub-processor receives only the data necessary to perform their function:

ServicePurposeLocation
Supabase (Supabase Inc.)Cloud database for all Compass session data, assessments, generations, and email captures. Data processing agreement in place.United States
Vercel (Vercel Inc.)Web hosting and edge function execution. Also supplies derived geo headers (country, region, city) from request metadata.United States
Cloudflare (Cloudflare, Inc.)Content delivery, TLS, and edge security for forgeshiftadvisory.com. Includes Turnstile, a privacy-preserving bot-detection check shown when a Compass session begins — it analyzes browser and device signals to block automated abuse, may set a strictly-necessary cookie, and does not track you across other sites. Also a fallback source for coarse geo headers (country, region, city). Also provides cookieless Web Analytics (aggregate RUM).United States / global edge
Resend (Resend, Inc.)Email delivery and newsletter contact management — contact-form submissions to our inbox, paid Bundle delivery to customers, and the ForgeShift Insights newsletter (storing subscriber email addresses and selected briefing topics as Resend contacts, and sending the welcome email plus the recurring China / IIoT briefings).United States
Stripe (Stripe, Inc.)Payment processing (PCI-DSS compliant) and sales-tax calculation and collection via Stripe Tax. When you open the embedded checkout, Stripe loads its own fraud- and bot-detection sub-processors — including hCaptcha and HUMAN (formerly PerimeterX) — into your browser, which may collect device data and set their own cookies for fraud prevention. Stripe's privacy policy and published sub-processor list govern this data.United States
Google (Gemini API)AI generation of Bundle content. The problem statement and inputs you provide are sent to and processed by Google's Gemini API (model gemini-2.5-flash) to generate your documents, under Google's API terms and data-use policies.United States
Google FontsFont files (Barlow, Barlow Condensed) loaded at runtime. Standard web font request — no personal data sent.United States
Google LLC (YouTube)Embedded marketing video on the home page (youtube-nocookie.com). Loads only on click-to-play.United States

The main marketing site uses Cloudflare Web Analytics (cookieless, aggregate RUM only — no cookies, no cross-site tracking). ForgeShift does not use any other third-party analytics services (e.g., Google Analytics, Mixpanel, PostHog). All Compass analytics are first-party, stored in our own Supabase database.

The G1 maturity benchmarks cited in Compass outputs are drawn from the 2026 Advanced Manufacturing Outlook survey of 114 Canadian manufacturers. That benchmark data is not derived from Compass user submissions.

5. Data Retention

  • Marketing contact form submissions — retained as long as the email exists in our inbox. No separate database storage on the marketing site.
  • Compass session data (assessments, generations, visitor events) — retained for 12 months from the date of generation, then anonymized or purged.
  • Email captures — retained until you request deletion or 24 months from capture, whichever comes first.
  • Newsletter subscriptions — your email address and selected briefing topics are retained as a contact in Resend until you unsubscribe or request deletion.

You may request deletion of your data at any time by emailing forgeshiftadvisory.com/#contact.

6. Your Rights (PIPEDA + Ontario)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law, you have the right to:

  • Access — request a copy of the personal information we hold about you;
  • Correction — request that we correct inaccurate or incomplete information;
  • Deletion — request that we delete your personal information, subject to legal obligations;
  • Withdrawal of consent — withdraw consent to our collection or use of your information at any time (noting that this may affect our ability to provide services to you);
  • Opt out of aggregated learning — request that your session data not be used for de-identified model improvement (see Section 6.6 of our Terms of Service); and
  • Complaint — lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

We will respond to verified rights requests within thirty (30) days of receipt.

To exercise any of these rights, contact us at forgeshiftadvisory.com/#contact.

7. EU and UK Residents (GDPR / UK GDPR)

ForgeShift's primary market is Canada and, secondarily, the United States. Our services are not specifically targeted at EU or UK residents. However, if you are located in the EU or UK and use our Services, the following applies:

You have the same rights as described in Section 6, plus the right to data portability and the right to object to processing. The Data Controller is ForgeShift Advisory Inc.

The lawful basis for processing your data is:

  • Contract — for providing Compass services and delivering Bundles you have purchased;
  • Legitimate interests — for first-party analytics and aggregated learning; and
  • Consent — for marketing communications.

Your data may be transferred to and processed in the United States (by Supabase, Vercel, Resend, Stripe, Google, and Cloudflare). These transfers are conducted under the EU Standard Contractual Clauses (SCCs) framework or equivalent safeguards.

You may lodge a complaint with your local EU supervisory authority or, for UK residents, the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies and Similar Technologies

Main marketing site: No cookies of any kind, unless you click to play the embedded YouTube video (which may set YouTube cookies).

Compass: One cookie — compass_session — an HMAC-signed session token with a 30-minute TTL. This cookie is strictly necessary for Compass to associate your session data across requests. It does not track you across other websites and contains no personal information in plain text.

During payment and bot checks: When you open the embedded Stripe checkout, Stripe and its fraud-prevention sub-processors (hCaptcha and HUMAN/PerimeterX), and Cloudflare Turnstile at the start of a Compass session, may set their own cookies or use browser storage strictly to process your payment and prevent fraud and automated abuse. These are set by those providers, are limited to the checkout and bot-check flows, and are not used by ForgeShift for tracking or advertising.

We use no third-party analytics or advertising cookies and no cross-site tracking. Apart from the strictly-necessary fraud-prevention and bot-detection cookies described above — which appear only during checkout or a bot check — the only cookie in use is the strictly-necessary compass_session cookie. There is no cookie banner on Compass because all cookies in use are strictly necessary under PIPEDA; we disclose them here for transparency.

9. Children's Privacy

Our Services are intended for business users and are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. Continued use of the Services after a revision is posted constitutes your acceptance of the updated Policy.

For material changes, we will notify customers with active accounts by email before the change takes effect.

11. Contact Us

For privacy-related inquiries, requests to access or delete your data, or to exercise any rights described in this Policy:

ForgeShift Advisory Inc.

Federal Corporation Number: 1782757-1

Registered Office: 1830 Bloor Street West, Toronto, ON M6P 0A2, Canada

Contact: forgeshiftadvisory.com/#contact

Effective: 2026-06-02