Skip to content
Shadow Forge
How it worksFeatures GalleryPricingFAQ
Log in Start free

Privacy Policy

Last updated 16 July 2026 · Back to Shadow Forge

Before launch: this policy describes the architecture as we understand it (Supabase for auth, database and storage; Stripe for payments; Netlify for hosting; client-side geometry). Verify every claim against what the app actually does before publishing — a privacy policy that misdescribes your processing is itself a compliance problem. Add your legal entity, a contact address, and an EU/UK representative if you have users there.

This policy explains what [LEGAL ENTITY NAME] ("Shadow Forge", "we") collects when you use the Shadow Forge website and application, why we collect it, and what control you have over it.

The short version: we collect the minimum needed to run your account. Your photos and geometry are processed in your own browser, not on our servers. We do not sell your data, and we do not run advertising trackers.

Contents

  1. What we collect
  2. Where your geometry is processed
  3. Why we use it
  4. Who we share it with
  5. How long we keep it
  6. Your rights
  7. Security
  8. International transfers
  9. Children
  10. Changes
  11. Contact

1. What we collect

CategoryWhatWhy
AccountEmail address, hashed password, account creation date To create and secure your account and sign you in
ProfileAny name, organisation or address you choose to enter To personalise the app and populate drawing title blocks
Your workTool outlines, drawer layouts, toolbox metadata, uploaded photos To store your library and sync it across your devices
SubscriptionPlan, status, billing period, Stripe customer and subscription ids To give you the access you paid for
PaymentHandled by Stripe. We receive the last four digits and card brand only To show you which card is on file. We never see your full card number
TechnicalIP address, browser type, timestamps in server and auth logs Security, abuse prevention, and debugging

We do not collect location data, contacts, or advertising identifiers, and we do not build behavioural profiles.

2. Where your geometry is processed

This is the part most privacy policies would not tell you, and it matters here.

Every step that produces geometry runs client-side, inside your browser. Separating a tool from the background, tracing its outline, applying kerf offset and fillets, generating the 3D pocket mesh, and writing the DXF, STL and PDF — all of it happens on your own machine. That work does not require sending anything to us, and we do not send it.

What is stored on our servers is the result, if you are signed in: your outlines, drawer layouts and any photos you chose to save, held in your account so you can reach them from another device. You can delete any of it at any time.

If you use the app without an account, nothing leaves your browser at all.

3. Why we use it

We use your information to: operate and secure the Service; authenticate you; store and sync your library; process subscriptions and payments; provide support you ask for; comply with legal obligations; and send you service messages (billing, security, material changes to terms).

We will only send you marketing email if you opt in, and every marketing email has a one-click unsubscribe. Service messages are not marketing and you cannot opt out of them while you hold an account.

Before launch: if you operate in the EU/UK, state your GDPR lawful basis per purpose — contract for account and billing, legitimate interests for security and abuse prevention, consent for marketing.

4. Who we share it with

We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We share it only with processors who help us run the Service:

ProcessorPurposeData
SupabaseDatabase, authentication and file storage Account, profile, your work
StripePayments, checkout and subscription management Email, payment details, subscription state
NetlifyWebsite and application hostingTechnical / request logs

We may also disclose information if required by law, to enforce our terms, or to protect the rights and safety of our users — and we will tell you unless legally barred from doing so. If we are ever acquired, your information may transfer as part of that transaction; you will be notified.

Before launch: confirm this processor list is complete and current, including any email-sending service, error tracker or analytics tool that gets added later.

5. How long we keep it

DataRetention
Account and your workFor as long as your account is open
After you delete your accountDeleted from live systems; backups age out on their own cycle
Billing and tax recordsKept as long as tax and accounting law requires, typically 7 years
Server and auth logsA short rolling window for security and debugging

Before launch: replace the vague retention windows with the real numbers once you have confirmed your backup cycle and log retention. "Backups age out on their own cycle" is not a defensible answer to a regulator.

6. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal information, to object to processing, and to withdraw consent. You can do much of this yourself in the app's Settings. For anything else, contact us and we will respond within the time the law allows — 30 days in most cases.

We will not discriminate against you for exercising these rights. If you are in the EEA or UK you may also complain to your local supervisory authority.

7. Security

See our Security page for how we protect your data. In short: encryption in transit and at rest, row-level security so accounts cannot read each other's data, hashed passwords, and secrets held outside the client.

8. International transfers

We are based in [STATE / COUNTRY] and our infrastructure runs in the United States. If you access the Service from elsewhere, your information will be transferred to and processed in the United States, which may have different data protection laws than your country.

Before launch: if you have EEA/UK users, you need a lawful transfer mechanism — Standard Contractual Clauses with your processors — and you should name it here.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has given us information, contact us and we will delete it.

10. Changes

We may update this policy. If a change materially affects your rights, we will notify you by email or in the app before it takes effect. The "last updated" date at the top always reflects the current version.

11. Contact

Questions, requests, or complaints about privacy: contact us.

Before launch: regulators expect a postal address and a named contact (or DPO, if you need one). Add them.

Shadow Forge

Browser-based CNC design for custom foam tool drawers. Trace tools, build drawers, cut shadow boards.

Product

  • Features
  • How it works
  • Gallery
  • Pricing

Resources

  • FAQ
  • Support
  • Security

Company

  • About
  • Contact

Legal

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Acceptable Use
  • Refunds
© 2026 Shadow Forge. All rights reserved. Made for people who hate a messy drawer.