Forge

Privacy Policy

Effective Date: January 1, 2026 · Last Updated: January 1, 2026

Section 01

Introduction

Welcome to Forge, operated by CommitShield, Inc. (“CommitShield,” “we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit www.commitshield.com and use the Forge platform, including all associated websites, applications, APIs, and services (collectively, the “Services”).

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not access or use our Services.

This Privacy Policy applies to personal data we process as a data controller. When we process personal data on behalf of an organization that has provided your account (for example, your employer), that organization is the data controller and their own privacy policies govern your data. In such cases, CommitShield acts as a data processor under the terms of a Data Processing Agreement.

Section 02

Personal Data We Collect

We collect personal data from three sources: directly from you, automatically through your use of the Services, and from third parties.

2.1 Information You Provide

  • Account Data: When you register, we collect your username, display name, email address, password (hashed), and, for paid plans, billing and payment information.
  • Profile Information: You may choose to add a profile photo, biography, organization affiliation, location, website URL, and social media links.
  • Repository Content: Code, files, commits, issues, merge requests, comments, wikis, CI/CD configurations, and any other content you upload, create, or submit through the Services.
  • Communications: Information you provide when contacting support, submitting feedback, participating in surveys, or engaging in community forums.
  • Payment Data: For paid subscriptions, we collect billing name, address, and payment card details. Payment processing is handled by PCI-compliant third-party processors; we do not store full card numbers.

2.2 Information Collected Automatically

  • Usage Data: IP address, browser type and version, operating system, device identifiers, referring/exit URLs, pages and features accessed, clickstream data, timestamps, and session duration.
  • Log Data: Server logs recording API calls, authentication events, repository actions (clone, push, pull), and CI/CD pipeline activity.
  • Cookies and Similar Technologies: We use essential cookies for authentication and session management, and, where you consent, analytics cookies to understand usage patterns. See Section 6 for details.
  • Geolocation: Approximate geographic location inferred from your IP address.

2.3 Information from Third Parties

  • Linked Accounts: If you authenticate via a third-party provider (e.g., Google, GitLab, or a SAML identity provider), we receive your name, email, and profile information as permitted by that provider’s settings.
  • Organizational Sources: If your employer or educational institution provisions your account, they may provide us with your name, email, and role information.
  • Public Sources: We may collect publicly available information associated with your account, such as public repositories and contribution history.

Section 03

How We Use Your Data

We process your personal data for the following purposes:

  • Service Delivery: To create and manage your account, host repositories, enable collaboration features, process transactions, and provide customer support.
  • Security and Integrity: To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service, including automated scanning for malware and known vulnerabilities.
  • Improvement and Research: To analyze usage trends, diagnose technical issues, develop new features, and improve the overall performance and reliability of the Services.
  • Communication: To send transactional messages (account confirmations, security alerts, billing notices) and, with your consent, promotional communications about new features, products, or events.
  • Personalization: To tailor your experience, including dashboard layout, repository recommendations, and notification preferences.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service.
  • Aggregated Analytics: To produce de-identified, aggregated statistical data for internal reporting, capacity planning, and product strategy. Aggregated data cannot be used to re-identify individual users.

Section 04

Sharing of Personal Data

We do not sell your personal data. We share personal data only in the following circumstances:

  • Service Providers and Subprocessors: We engage vetted third-party vendors for hosting, payment processing, analytics, customer support, and email delivery. These providers are contractually bound to use your data solely as directed by us and to maintain appropriate security safeguards. A current list of subprocessors is available at www.commitshield.com/legal/subprocessors.
  • Organization Administrators: If your account is managed by an organization, administrators of that organization may access your usage data, repository activity, and account information in accordance with the organization’s policies.
  • Other Users: Information you include in your public profile, public repositories, issues, comments, and other community-facing contributions is visible to other users and the general public.
  • Legal and Regulatory Authorities: We may disclose personal data when required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Corporate Transactions: In connection with a merger, acquisition, reorganization, asset sale, or bankruptcy, your personal data may be transferred to a successor entity, subject to the protections described in this Privacy Policy.
  • With Your Consent: We may share data with additional third parties when you explicitly authorize us to do so, such as when you install third-party integrations or marketplace extensions.

Section 05

Repository Data & Confidentiality

5.1 Private Repositories

We treat the content of private repositories as confidential. CommitShield personnel will not access private repository content except:

  • For security purposes, including automated scanning for vulnerabilities and malware.
  • To assist the repository owner with a support request they have initiated.
  • To maintain the integrity and availability of the Services.
  • To comply with legal obligations when we have reason to believe content violates applicable law.

We will provide notice to the repository owner before accessing private repository content unless prohibited by law or in response to an imminent security threat.

5.2 Public Repositories

Content in public repositories is accessible to anyone. Each commit within a Git repository includes the author’s display name, email address, and timestamp. By making a repository public, you acknowledge that this data is available to all users and may be indexed by search engines or other third-party services.

Section 06

Cookies & Tracking Technologies

6.1 Essential Cookies

We use strictly necessary cookies to authenticate users, maintain session state, enforce security protections, and remember your preferences. These cookies cannot be disabled as they are required for the Services to function.

6.2 Analytics Cookies

With your consent (where required by applicable law), we use analytics cookies and similar technologies to understand how users interact with the Services, measure feature adoption, and identify areas for improvement. You may manage your cookie preferences through our cookie banner or your browser settings at any time.

6.3 Do Not Track

We honor Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, we will not load non-essential cookies or tracking technologies.

Section 07

Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Multi-factor authentication options for all user accounts.
  • Regular vulnerability assessments, penetration testing, and code audits.
  • Role-based access controls limiting internal personnel access to production systems.
  • Incident response procedures with defined notification timelines.
  • SOC 2 Type II compliance (audit reports available upon request to enterprise customers).

While we strive to protect your data, no method of electronic storage or transmission is completely secure. We encourage you to use strong, unique passwords, enable two-factor authentication, and promptly report any suspected security issues to security@commitshield.com.

Section 08

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Active Accounts: Account data and repository content are retained for the duration of your active account.
  • Deleted Accounts: When you delete your account, we remove your profile information and personal data from active systems within 30 days. Repository content you own is permanently deleted, though forks and contributions to other users’ repositories remain under those users’ control.
  • Backups: Encrypted backups containing your data may persist for up to 90 days after account deletion before being purged.
  • Legal Holds: We may retain data beyond standard retention periods when required for ongoing litigation, regulatory investigation, or legal compliance.

Section 09

International Data Transfers

CommitShield is headquartered in the United States. Your personal data may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing adequate data protection, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The EU–U.S. Data Privacy Framework, UK Extension, and Swiss–U.S. Data Privacy Framework, where applicable.
  • Other lawful transfer mechanisms recognized under applicable data protection legislation.

Section 10

Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format and transmit it to another service provider.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact us at privacy@commitshield.com. We will respond within the timeframe required by applicable law (typically 30 days). We may verify your identity before fulfilling your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Section 11

Lawful Bases for Processing (EEA/UK Users)

For users in the EEA and UK, we process personal data under the following lawful bases:

  • Contractual Necessity: Processing required to perform our contract with you (e.g., account creation, repository hosting, payment processing).
  • Legitimate Interests: Processing necessary for our legitimate interests, such as service improvement, fraud prevention, and security, provided these interests do not override your data protection rights.
  • Legal Obligation: Processing required to comply with applicable EU/UK laws and regulations.
  • Consent: Processing based on your explicit, freely given consent, such as for marketing communications and non-essential cookies. You may withdraw consent at any time.

Section 12

U.S. State-Specific Disclosures

12.1 California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, opt out of any sale or sharing, and not be discriminated against for exercising your rights. CommitShield does not sell personal information. To submit a request, email privacy@commitshield.com or visit www.commitshield.com/privacy/request.

12.2 Other U.S. States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have additional rights, including the right to opt out of targeted advertising and profiling. We honor these rights as required by applicable state laws. Contact privacy@commitshield.com to submit a request.

Section 13

Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided personal data, we will take prompt steps to delete that data. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@commitshield.com.

Section 14

Third-Party Integrations

The Services may allow you to connect third-party tools, extensions, or marketplace applications. When you enable such integrations, you may authorize those third parties to access your account data and repository content in accordance with the permissions you grant. CommitShield is not responsible for the privacy practices of third-party providers. We encourage you to review their privacy policies before enabling any integration.

Our website may contain links to external sites not operated by CommitShield. We have no control over the content or privacy practices of those sites and assume no responsibility for them.

Section 15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised “Effective Date,” and, where required by law, by sending you an email notification.

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.

Section 16

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Entity: CommitShield, Inc.
  • Email: privacy@commitshield.com
  • DPO Email: dpo@commitshield.com
  • Website: www.commitshield.com
  • Postal: CommitShield, Inc., Attn: Privacy Team