Privacy Policy
Effective 2026-05-21 · Last updated 2026-05-21
What we collect, why, where it lives, and the rights you have over it.
1. Who's the data controller
Forge Workflow Holdings ([to be set before deploy]), registered company [to be set before deploy], address [to be set before deploy]. Privacy contact: privacy@clientnest365.com.
2. What we collect
2.1 Account data
- Your name, email, and password (hashed) when you sign up.
- Your billing details (handled by our PCI-compliant payment processor; we never see your card number).
- Optional: company name, VAT ID, phone number.
2.2 Workspace content
- The files, messages, invoices, and approval objects you create in the portal.
- Metadata about your activity in the workspace (audit log: who did what, when).
2.3 Technical data
- IP address, browser, and device for security and abuse prevention.
- Server logs (kept 14 days) for incident response.
2.4 What we don't collect
- We don't run an analytics tracker on the site by default.
- We don't fingerprint browsers.
- We don't use your content to train AI models.
3. Why we collect it (legal bases under GDPR)
- Contract (Art. 6(1)(b)) for everything required to operate your account and deliver the service.
- Legitimate interest (Art. 6(1)(f)) for security logging and fraud prevention.
- Consent (Art. 6(1)(a)) for any optional analytics or marketing, where applicable. At present we don't run either.
4. Where your data lives
Database and authenticated session data are hosted in the EU (Supabase, Frankfurt or Dublin region depending on workspace creation date). Files are stored in Cloudflare R2, EU jurisdiction. Email delivery is handled by Resend (US-based; see sub-processors). Payment processing is handled by a PCI-compliant payment processor (named below).
5. Sub-processors (third parties we share data with to operate the service)
- Supabase: database and authenticated sessions (EU).
- Cloudflare R2: file storage (EU jurisdiction).
- Payment processor: PCI-compliant card processing. Provider to be confirmed before launch and listed here. Card numbers never touch our systems.
- Resend: transactional email delivery (US, with appropriate transfer safeguards).
- Kie.ai / Anthropic: AI inference for the in-portal concierge. Content passed to the model isn't used to train future models.
We update this list whenever we add or change a sub-processor. Account owners are emailed at least 30 days before a new sub-processor goes live.
6. International transfers
Where data leaves the EU (e.g. when the payment processor or Resend processes your data in the US), we rely on Standard Contractual Clauses (SCCs) and Data Processing Agreements with each sub-processor.
7. Your rights
You can ask us to:
- Show you what data we hold about you.
- Correct anything that's wrong.
- Delete your workspace and the personal data in it (right to erasure).
- Export your data in a portable format.
- Object to or restrict processing in certain circumstances.
Most of these you can do from your workspace settings. For anything else, email privacy@clientnest365.com. We reply within 30 days.
8. CCPA notice (California residents)
We don't sell personal information. You have the same data-access and deletion rights described in section 7 under the CCPA. Email privacy@clientnest365.com for a CCPA request.
9. Retention
- Active workspace data: kept while your account is open.
- Closed workspaces: permanently deleted 30 days after closure, except where retention is required by law.
- Server logs: 14 days.
- Billing records: 7 years (tax / accounting requirements).
10. Security
Files are stored privately behind short-lived signed download URLs. Database access is row-level locked per workspace. Connections are TLS-encrypted in transit. Files are encrypted at rest by R2 server-side encryption.
11. Children
ClientNest365 isn't intended for anyone under 18.
12. Changes
If we update this policy in a way that materially affects you, we'll email account holders before it takes effect.
13. Contact
Privacy questions: privacy@clientnest365.com. Postal: [to be set before deploy].
Questions about this policy? Email privacy@clientnest365.com. This policy is published in plain English by Forge Workflow Holdings.