
Privacy Policy

Last updated: 10 March 2026  |  Version 2.1

This policy explains what personal data ForgedLink collects, why we collect it, and your rights under the UK GDPR and EU GDPR.

1. Who We Are

ForgedLink Ltd ("ForgedLink", "we", "us") is the data controller for personal data collected through the ForgedLink platform at forgedlink.co.uk.

We are registered in England and Wales. For privacy enquiries, contact our privacy team at privacy@forgedlink.co.uk.

This policy applies to all individuals who interact with our platform: Manufacturers, Providers (service providers), Organisation administrators, and visitors to our website.

2. Data We Collect and Why

2.1 Account Registration

When you create an account we collect: name, email address, company name, role (Manufacturer or Provider), country, and a hashed password. We use this to create and manage your account and to identify you on the platform.

Legal basis: Performance of a contract (Art. 6(1)(b) UK/EU GDPR).

2.2 Organisation and Team Data

When you create or join an Organisation, we collect: organisation name, VAT number, billing address, country, and the email addresses of invited team members. We use this to manage team access and generate VAT invoices.

Legal basis: Performance of a contract; Legitimate interests (managing multi-seat accounts).

2.3 Provider Profile and Onboarding Data

Providers submit additional information including: company description, manufacturing capabilities, technology types, materials, geographic coverage, team size, certifications, and profile photographs. This information is displayed publicly or to unlocked Manufacturers on the marketplace.

Providers who complete the Provider Onboarding programme accumulate a VettedTrustScore (0–120 points) based on completed onboarding tasks (e.g. portfolio upload, sandbox job completion, micro-task, job alerts, team access). The score and associated badge tier (Vetted Starter, Vetted Partner, Verified Expert, Fully Vetted) are displayed on the Provider's marketplace profile. Task completion timestamps and metadata are stored in our database.

Legal basis: Performance of a contract; Legitimate interests (enabling Providers to market their services and demonstrating credibility to Manufacturers).

2.4 Job and Procurement Data

Manufacturers post procurement opportunities ("Jobs") which may contain descriptions of parts, materials, quantities, timelines, and budget ranges. Providers submit bids containing pricing and delivery information. Job and bid data is visible to relevant parties on the platform.

Legal basis: Performance of a contract.

2.5 Design Files and Technical Briefings (ITB)

When Manufacturers use the Intelligent Technical Briefing (ITB) feature, they may upload design files (e.g. STEP, STL, 3MF). These files are:

  • Stored securely in encrypted cloud storage (AWS S3);
  • Sent to OpenAI's API for AI-assisted analysis (see section 6.3);
  • Not shared with Providers without the Manufacturer's explicit authorisation.

To the extent design files contain personal data about third parties, the Manufacturer is the data controller and ForgedLink acts as a data processor on their behalf.

Legal basis (ForgedLink as controller): Performance of a contract. As processor: Instructions of the data controller (the Manufacturer).

2.6 NDA Signature Records

When a Manufacturer signs a click-through Non-Disclosure Agreement before unlocking a Provider, we record: the Manufacturer's user ID, the Provider's ID, the NDA version, timestamp, IP address, and browser user agent. This creates a legally admissible record of consent.

Legal basis: Legal obligation; Legitimate interests (maintaining contractual records, dispute resolution).

2.7 Payment and Billing Data

Payment card data is processed directly by Stripe, Inc. — we never see or store raw card numbers. We receive and store: Stripe customer ID, payment session IDs, transaction amounts, currency, and a billing snapshot (company name, VAT number, address) used to generate VAT invoices. Invoices are retained for 7 years to meet UK financial record-keeping obligations.

Legal basis: Performance of a contract; Legal obligation (financial records).

2.8 Provider Certifications

Providers may upload quality certification documents (e.g. ISO 9001 PDFs). These are stored in AWS S3 and are accessible to ForgedLink administrators for verification and (once verified) displayed on the Provider's profile.

Legal basis: Performance of a contract; Legitimate interests (enabling trust and verification on the marketplace).

2.9 Usage Data and Logs

We automatically collect: IP address, browser type, pages visited, timestamps, and error logs. This data is used for security monitoring, debugging, rate-limiting, and platform analytics. Error data may be sent to Sentry (see section 6.4).

Legal basis: Legitimate interests (platform security and performance).

2.10 Communications

When you contact us or when the platform sends you transactional emails, we process your email address and the content of those communications. Transactional notifications include: invite notifications, bid alerts (bid submitted, bid accepted, bid rejected), job lifecycle updates (job confirmed by provider, job marked as delivered, delivery confirmed), credit top-up confirmations, subscription receipts, subscription payment warnings and failures, certification expiry warnings, monthly performance reports (Pro/Enterprise providers), and onboarding nudges.

Legal basis: Performance of a contract; Legitimate interests (customer support, platform notifications).

2.11 Platform Activity and Analytics Data

We record key platform activity events associated with your account, including: logins, provider profile unlocks, provider saves (bookmarks), job postings, bid submissions, bid acceptances, and job lifecycle state changes. For Manufacturers, we use this data to calculate engagement metrics used to surface retention nudges (e.g. re-engagement emails, low-credit alerts). For Providers, bid and job interaction data contributes to analytics dashboards (available to Pro and Enterprise tier subscribers).

Manufacturers who subscribe to paid tiers have their monthly connection and RFQ usage tracked against plan limits. This usage data resets monthly and is stored for up to 13 months for billing and dispute purposes.

Legal basis: Performance of a contract; Legitimate interests (platform personalisation, retention management, subscription limit enforcement).

3. Cookies and Tracking

We use a single session cookie (forgelink_session) to maintain your login state. This is a strictly necessary cookie — no consent is required. We do not use advertising cookies, third-party tracking pixels, or analytics services that set cookies (such as Google Analytics).

The session cookie is set with HttpOnly, Secure, and SameSite=Strict flags. It expires when you close your browser or after a configurable inactivity period (default: 2 hours).

4. Data Retention

Data type | Retention period
Account data | Duration of account + 30 days after closure
Organisation & team data | Duration of account + 30 days after closure
Job and bid data | Duration of account + 90 days after closure
Design files (ITB uploads) | 12 months from upload, or until deleted by Manufacturer
NDA signature records | 3 years (NDA term) + 2 years (dispute window)
Payment / invoice records | 7 years (UK Companies Act financial records)
Provider certifications | Duration of account; expired certs retained 2 years
Platform activity / KPI events | 13 months (subscription billing cycle alignment)
Manufacturer subscription usage | 13 months from each monthly reset
Server logs / error logs | 90 days rolling
Email communication records | 2 years

When an account is closed, personal data is deleted or anonymised within the stated periods, unless we are required to retain it by law.

5. Who We Share Your Data With

We do not sell your personal data. We share data only in the following circumstances:

5.1 Other Platform Users

Provider profile information (name, company, capabilities, verified certifications) is visible to authenticated Manufacturer users. Full contact details are only revealed after a Manufacturer has spent credits to unlock the Provider and signed the NDA. Job details are visible to Providers on the platform.

5.2 Service Providers (Sub-processors)

We use the following sub-processors who may process personal data on our behalf:

Sub-processor | Purpose | Location
Stripe, Inc. | Payment processing and subscription billing | USA (SCCs / UK adequacy)
Amazon Web Services | Secure file storage (S3) and email (SES) | EU / UK regions available
OpenAI, Inc. | AI analysis of ITB design briefs | USA (SCCs)
Sentry, Inc. | Error monitoring and crash reporting | USA (SCCs)

We maintain Data Processing Agreements with all sub-processors and require them to process personal data only on our instructions and in accordance with applicable data protection law.

5.3 Legal Disclosure

We may disclose personal data where required by law, court order, or regulatory authority, or where necessary to protect our legal rights, detect fraud, or ensure platform security.

5.4 Business Transfers

If ForgedLink Ltd is acquired, merged, or transfers its assets, personal data may be transferred as part of that transaction. We will notify affected users and provide choices where required by law.

6. International Data Transfers

ForgedLink Ltd is based in the UK. Some of our sub-processors are based outside the UK/EEA. Where we transfer personal data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — for transfers to the USA (Stripe, OpenAI, Sentry);
  • UK International Data Transfer Agreements (IDTAs) — where required for UK GDPR compliance;
  • AWS EU/UK regions — we configure AWS S3 and SES to use EU or UK data centres where possible to minimise transfers.

You may request details of the safeguards applicable to any specific transfer by emailing privacy@forgedlink.co.uk.

7. Your Rights Under UK/EU GDPR

Subject to applicable law, you have the following rights regarding your personal data:

Right | What it means
Access (Art. 15) | Obtain a copy of the personal data we hold about you.
Rectification (Art. 16) | Correct inaccurate or incomplete data. You can update most profile data directly in account settings.
Erasure (Art. 17) | Request deletion of your data where we no longer have a lawful basis to retain it.
Restriction (Art. 18) | Ask us to restrict processing while a dispute is resolved.
Portability (Art. 20) | Receive your data in a machine-readable format (applies to data processed on the basis of consent or contract).
Object (Art. 21) | Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@forgedlink.co.uk with the subject line "Data Subject Request". We will respond within 30 days. We may ask you to verify your identity before processing requests.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your local supervisory authority (the lead authority for cross-border complaints is typically in your country of residence).

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These include:

  • TLS encryption for all data in transit (HTTPS enforced with HSTS);
  • Encrypted storage of passwords (bcrypt);
  • AWS S3 server-side encryption for stored files;
  • Time-limited signed URLs for file access (no permanent public links);
  • CSRF protection on all state-changing requests;
  • Rate limiting on authentication endpoints;
  • Session cookies set with HttpOnly, Secure, and SameSite=Strict;
  • Error monitoring via Sentry with data scrubbing for sensitive fields.

No security measure is 100% infallible. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by Art. 33–34 UK GDPR.

9. Children's Privacy

The ForgedLink platform is a B2B service intended exclusively for professionals and businesses. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us at privacy@forgedlink.co.uk and we will delete it promptly.

10. Automated Decision-Making

We use AI (OpenAI GPT-4o) to analyse ITB briefs and generate manufacturability assessments, risk flags, and provider-matching suggestions. These outputs are not used for fully automated decisions that produce legal or similarly significant effects — a human (the Manufacturer) reviews and acts on all AI outputs. Providers are ranked by subscription tier and relevance criteria, not solely by automated means.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and display a notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Contact and Complaints

For all privacy enquiries, data subject requests, or complaints:

  • privacy@forgedlink.co.uk
  • ForgedLink Ltd, England and Wales

We aim to respond to all enquiries within 5 business days and to complete formal data subject requests within 30 calendar days.

© 2026 ForgedLink Ltd · Est. 2026