Privacy Policy
Last updated: March 20, 2026
Forbiddance ("we", "our", or "us") is committed to protecting your personal information and your right to privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
1. What Data We Collect
We collect information you provide directly and information generated through your use of the service:
- Account information — name, work email address, company name, and password (stored as a secure hash via Supabase Auth).
- Usage data — pages visited, features used, actions taken within the platform, and session metadata such as IP address, browser type, and timestamps.
- Compliance data — controls, policies, evidence files, gap assessments, and AI-generated content that you create or upload while using Forbiddance.
2. How We Use Your Data
- Service delivery — to operate, maintain, and improve the Forbiddance platform and provide you with the features you have subscribed to.
- AI features — your compliance data and chat inputs are sent to our AI provider (Anthropic) to generate gap assessments, policy drafts, and conversational guidance. We do not use your data to train third-party AI models.
- Analytics — aggregated, de-identified usage data helps us understand how customers use Forbiddance and where we can improve the product.
- Communications — transactional emails (account setup, billing receipts, security alerts) and, with your consent, product update announcements.
3. Third-Party Services
We rely on trusted sub-processors to operate Forbiddance:
- Supabase — cloud database hosting and authentication. Your data is stored in Supabase-managed PostgreSQL instances with row-level security enabled.
- Stripe — payment processing and subscription management. Forbiddance never stores raw credit card numbers; all payment data is handled by Stripe directly.
- Anthropic — AI inference for gap analysis, policy generation, and the AI assistant. Prompts and responses are transmitted over TLS; Anthropic's data handling is governed by their API usage policy.
4. Data Storage and Security
- All data is encrypted at rest using AES-256 via Supabase.
- All data in transit is protected by TLS 1.2 or higher.
- Tenant data is isolated at the database level through PostgreSQL Row-Level Security (RLS) policies scoped to your organization ID.
- Access to production infrastructure is restricted to authorized Forbiddance personnel and protected by multi-factor authentication.
5. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Deletion — request that we delete your personal data. You may also delete your account directly from the Settings page.
- Portability — export your compliance data at any time via the Export feature in the dashboard.
- Correction — update inaccurate personal data through your account settings.
- Opt-out — California residents may opt out of the "sale" of personal information. Forbiddance does not sell personal data to third parties.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. After account deletion, personal data is purged within 30 days. Anonymized usage analytics may be retained indefinitely.
7. Contact Us
If you have questions about this policy or wish to exercise your privacy rights, please contact us at privacy@forbiddance.io.