Privacy Policy
Last updated: June 23, 2026
1. Who we are
2. Information we collect
Information you give us directly:
- Account details: name, email, phone (optional), password (stored hashed, never in plaintext), profile bio, handle, location, website.
- Identity verification (KYC): government-issued ID, selfie, date of birth, address. Provided to Stripe Identity, not stored by us.
- Bank/payout details: for creators receiving funds, handled by Stripe Connect. We store only Stripe's reference IDs.
- Content: campaigns, product listings, messages, comments, media uploads (via Vercel Blob).
- Contact form submissions: name, email, category, message.
- Waitlist signups: email, optional name and role.
Information collected automatically:
- Device / browser metadata: user-agent, referrer URL, viewport, timezone.
- IP address, general geolocation (city/country) derived from IP.
- Session cookies for authentication and CSRF protection.
- Server logs of API requests you make (rate-limiting, abuse detection, audit trail).
Information from third parties:
- OAuth profile from Google or Apple if you sign in that way (email, name, avatar).
- Identity + accreditation verification status from Stripe Identity, iCapital / Parallel Markets, or VerifyInvestor.
- Bad-actor screening results (SEC Rule 503) from our compliance vendor.
3. How we use information
- To operate the platform: account creation, sign-in, campaign hosting, messaging.
- To process payments and payouts via Stripe.
- To verify identity and accreditation as required by SEC Regulation Crowdfunding, Regulation D, and Regulation A+.
- To prevent fraud, abuse, and account takeovers (rate limiting, audit logs, MFA).
- To send transactional email (account changes, security alerts, receipts, campaign updates you follow).
- To send marketing email when you've opted in (waitlist, launch notification). Unsubscribe any time at /email-preferences.
- To improve the service based on aggregate usage patterns (never per-user tracking sold to advertisers — we don't sell).
4. Legal basis (GDPR)
- Contract performance — creating your account, processing payments and payouts, delivering the platform.
- Legal obligation — KYC, AML, SEC/FINRA recordkeeping, tax reporting.
- Legitimate interest — fraud prevention, security, service improvement. We balance this against your rights.
- Consent — marketing email and non-essential analytics cookies. Given via the cookie banner and waitlist signup, and withdrawable any time.
6. Subprocessors
The following subprocessors receive personal data to help us operate the platform. We only work with vendors who commit to protections at least as strong as those in this policy.
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Stripe, Inc. | Payments, payouts, KYC/identity, fraud screening | Payment method, ID docs, transaction data, IP | United States |
| Neon (Databricks) | Managed Postgres — application database | All account and campaign data | United States |
| Vercel, Inc. | Application hosting, edge network, Blob storage | All server-side data, uploaded media | United States, edge worldwide |
| Clerk, Inc. | Authentication, session management | Email, name, avatar, sign-in logs | United States |
| Resend, Inc. | Transactional and marketing email delivery | Recipient email, message body | United States |
| Sanity.io | Content management (marketing pages, blog) | Editorial content — no end-user personal data | United States, EU |
| Upstash, Inc. | Distributed rate limiting (when enabled) | Hashed IP + rate-limit counters | United States, edge |
| Twilio, Inc. | SMS OTP delivery (when phone auth is used) | Phone number, one-time code | United States |
| iCapital / Parallel Markets | Accredited investor verification | Investor identity, accreditation status | United States |
| OpenAI | AI-generated media (if used by creator) | Creator prompts, generated images | United States |
Material changes to this list will be posted here at least 30 days before they take effect. Enterprise customers can request advance notice by contacting privacy@gnosisforge.com.
8. Security
- Passwords hashed with bcrypt (12 rounds). Sessions in HttpOnly, Secure, SameSite=Lax cookies with __Secure- / __Host- prefixes.
- HTTPS enforced site-wide via HSTS preload (max-age 2 years, includeSubDomains).
- Strict Content-Security-Policy on the marketing and platform surfaces; frame-ancestors: none.
- Account lockout after 5 failed sign-in attempts.
- TOTP two-factor authentication available; required for creators receiving funds.
- Signed unsubscribe tokens (HMAC-SHA256, 90-day TTL) — links can't be forged.
- Payment card data never touches our servers — handled by Stripe (PCI-DSS Level 1).
- Audit log of admin and SEC-filing actions retained for at least 7 years.
- Bug bounty and coordinated disclosure via security@gnosisforge.com.
No security control is perfect. If you discover a vulnerability please email us before disclosing publicly — we respond within 72 hours.
9. Data retention
| Category | Retention | Why |
|---|---|---|
| Active account data | For the life of your account | Required to operate the service |
| Financial + KYC records | ≥ 7 years after last activity | SEC / FINRA / IRS recordkeeping |
| Server logs | 90 days | Security investigation window |
| Audit log (admin actions) | ≥ 7 years | Regulatory + compliance |
| Marketing email lists | Until you unsubscribe + 30 days | Suppression list to prevent re-mailing |
| Waitlist signups | Until you unsubscribe + 30 days | Suppression list |
| Deleted account (voluntary) | Erased within 30 days except records above | You control your account |
| Backups | 30 days rolling | Disaster recovery |
To request deletion of non-mandatory records, email privacy@gnosisforge.com. We respond within 30 days.
10. Your rights
- Access the personal data we hold about you.
- Correct data that's inaccurate.
- Delete non-mandatory data.
- Object to processing based on legitimate interest.
- Withdraw consent for marketing email and non-essential cookies.
- Receive a portable copy of your data in a common machine-readable format.
Submit a rights request to privacy@gnosisforge.com from the email on the account. We may verify your identity before responding. Response time: within 30 days (may extend to 60 days with notice for complex requests).
11. California residents (CCPA/CPRA)
- Right to know what personal information we've collected, sources, purposes, and third parties we've shared with in the last 12 months.
- Right to opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising, so there's nothing to opt out of.
- Right to limit use of sensitive personal information — we only use sensitive PI (government ID, financial account info) for the purposes disclosed above.
- Right to non-discrimination — we won't deny service, charge more, or provide degraded service because you exercised a right.
Categories collected (CPRA taxonomy): identifiers, financial info, commercial info (transactions), internet activity, geolocation (approximate), professional info (bios), inferences (creator/backer role), sensitive PI (government ID for KYC).
To exercise a California right, email privacy@gnosisforge.com or write to Gnosis Forge Inc., Las Vegas, NV. If you use an authorized agent, they must provide written permission from you.
12. EU/UK residents (GDPR)
Data Protection Contact: dpo@gnosisforge.com. We do not currently have a formal DPO because we don't meet the scale threshold, but this address routes to our privacy lead.
13. International transfers
- Standard Contractual Clauses (SCCs) with subprocessors located outside adequacy areas.
- UK IDTA / UK Addendum where applicable.
- Contractual requirements that vendors implement technical safeguards (encryption in transit and at rest).
If you'd like a copy of the SCCs with a specific vendor, email privacy@gnosisforge.com.
14. Automated decision-making
Fraud screening uses automated rules (rate limits, IP reputation, KYC vendor risk scores). If our system blocks or holds an account, you can appeal via support@gnosisforge.com and a human will review within 5 business days.
Campaign curation is not automated. Every project decision involves human review by domain experts, as described on /criteria.
We do not use automated profiling for advertising or credit decisions.
15. Data breach notification
If we discover a personal data breach that's likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of confirmation, per GDPR Article 33/34 and applicable state laws.
Notifications describe: what happened, what data was involved, what we're doing, and what you can do. We'll also notify supervisory authorities where required.
16. Children
Gnosis Forge is not directed to children under 18. We do not knowingly collect information from children under 18. If you believe a child has provided us information, please contact privacy@gnosisforge.com and we will delete it.
17. Changes to this policy
Material changes are posted here with an updated "Last updated" date. For substantial changes affecting how we use your data, we'll notify you by email at the address on your account at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance of the updated policy.
18. Contact
Gnosis Forge Inc.
Las Vegas, NV, United States
Privacy: privacy@gnosisforge.com
General: hello@gnosisforge.com
Security: security@gnosisforge.com
EU data protection: dpo@gnosisforge.com