Privacy Policy

Last updated: March 13, 2026

This privacy policy explains how Novus Enterprises AG ("we", "us", "our"), operating under the brand ForgeFlow, collects, uses, and protects your personal data when you use our website (forge-flow.app), our browser extension, and related services (collectively, the "Service").

We are based in Liechtenstein (EEA member) and comply with the General Data Protection Regulation (GDPR) and the Liechtenstein Data Protection Act (Datenschutzgesetz, DSG).

1. Data Controller

Novus Enterprises AG
Grabenackerweg 3
9491 Ruggell, Liechtenstein
Email: privacy@forge-flow.app

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

• Email address
• Full name
• Company name (optional)
• Phone number (optional)
• Password (stored hashed, never in plaintext)

2.2 Subscription & Payment Data

When you subscribe to a plan, we collect:

• Subscription plan and billing period
• Payment status (active, cancelled, past due)

We do NOT store credit card numbers, bank details, or full payment information. All payments are processed by a PCI DSS Level 1 certified third-party payment processor. We never have access to your full credit card details.

2.3 Usage Data

When you use the Service, we automatically collect:

• Word count per translation (aggregated, not individual messages)
• Voice message count (aggregated)
• License key activation status
• Extension version

2.4 Chat Messages (Translation Processing)

To provide the translation service, chat messages are temporarily processed through our servers. Important details:

• Messages are sent to our API server for translation only
• Messages are processed in real-time and NOT stored permanently
• We use third-party AI providers for translation processing. These providers do not use API data for model training.
• We do not read, analyze, or sell chat message content
• Voice transcripts are stored only when voice messages are generated, linked to conversation IDs (not fan identities)

2.5 Voice Data

When you use the voice cloning feature, we process:

• Voice samples: Audio recordings you upload to create a voice clone. Stored in encrypted cloud storage.
• Voice clone model: A synthetic voice model created from your samples by our voice synthesis provider. Stored as a private model.
• Voice consent confirmation: A record that the account holder confirmed having rights to clone the voice (timestamp and account ID).
• Generated audio: Voice messages generated from text. Processed in real-time and NOT stored on our servers (audio is sent directly to the user's browser).

Important: Voice samples contain biometric data (voice patterns). Under GDPR, this is considered special category data when used for identification. We process voice data solely for the purpose of generating synthetic voice messages as requested by you, and we rely on your explicit consent (GDPR Art. 9(2)(a)) for this processing. You may request deletion of all voice data at any time.

2.6 Technical Data

Our hosting and database providers may collect:

• IP addresses (in server logs, auto-deleted after 30 days)
• Browser type and version
• Operating system
• Referring URLs

3. How We Use Your Data

Purpose	Legal Basis (GDPR Art. 6)
Provide translation and voice services	Art. 6(1)(b) - Contract performance
Manage your account and subscription	Art. 6(1)(b) - Contract performance
Process payments	Art. 6(1)(b) - Contract performance
Track usage for billing and fair use limits	Art. 6(1)(b) - Contract performance
Send service-related emails (e.g., subscription status)	Art. 6(1)(f) - Legitimate interest
Improve service quality and fix bugs	Art. 6(1)(f) - Legitimate interest
Prevent fraud and abuse	Art. 6(1)(f) - Legitimate interest
Comply with legal obligations	Art. 6(1)(c) - Legal obligation

4. Data Sharing

We share data only with the following categories of processors:

• Cloud hosting & database provider - stores account data and usage statistics. Primary servers in the EU.
• AI translation provider - processes chat text for translation only. No data retention for model training.
• Voice synthesis provider - processes text for voice message generation. Used only when voice feature is active.
• Payment processor - processes payment data. PCI DSS Level 1 certified.

Specific processor details are available upon request by contacting privacy@forge-flow.app.

We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.

5. International Data Transfers

Some of our processors are based in the United States. These transfers are protected by:

• EU-U.S. Data Privacy Framework (where applicable)
• Standard Contractual Clauses (SCCs) approved by the European Commission

6. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Chat messages: NOT stored. Processed in real-time and discarded immediately after translation.
• Voice transcripts: Retained for the duration of the subscription for conversation continuity. Deleted within 30 days of account deletion.
• Usage statistics: Aggregated data retained for billing purposes. Anonymized after 12 months.
• Server logs: Auto-deleted after 30 days.
• Payment records: Retained as required by tax law (typically 7-10 years for Liechtenstein).

7. Your Rights (GDPR)

As a data subject in the EEA, you have the right to:

• Access - Request a copy of your personal data (Art. 15)
• Rectification - Correct inaccurate personal data (Art. 16)
• Erasure - Request deletion of your data ("right to be forgotten") (Art. 17)
• Restriction - Restrict processing of your data (Art. 18)
• Data portability - Receive your data in a machine-readable format (Art. 20)
• Objection - Object to processing based on legitimate interest (Art. 21)
• Withdraw consent - Where processing is based on consent (Art. 7(3))

To exercise any of these rights, contact us at privacy@forge-flow.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Datenschutzstelle Liechtenstein (Liechtenstein Data Protection Authority).

8. Browser Extension Permissions

The ForgeFlow browser extension requests the following permissions:

• storage - To save your license key and settings locally in your browser
• activeTab - To detect which OnlyFans model page you are currently on
• scripting - To inject translation overlays into the OnlyFans chat interface
• Host access (onlyfans.com) - To read and translate chat messages on OnlyFans only

The extension does NOT access any other websites, does not track browsing history, and does not collect data outside of OnlyFans chat pages.

9. Cookies

Our website uses only essential cookies required for authentication (session token). We do NOT use tracking cookies, analytics cookies, or advertising cookies.

No cookie consent banner is required because we only use strictly necessary cookies (exempt under GDPR Art. 5(3) of the ePrivacy Directive).

10. Children's Privacy

Our Service is intended for business use by adults (18+). We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@forge-flow.app.

11. Security

We protect your data through:

• Encryption in transit (TLS 1.3) for all communications
• Encryption at rest for database storage
• Server-side API key storage (never exposed to the browser extension)
• Row Level Security (RLS) policies in our database
• Regular security audits

12. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top will reflect the most recent version. For significant changes, we will notify you via email or through the Service.

13. Contact

For privacy-related questions or to exercise your rights:
Novus Enterprises AG
Email: privacy@forge-flow.app
Address: Grabenackerweg 3, 9491 Ruggell, Liechtenstein