← Home
// PRIVACY POLICY

Privacy Policy

Last updated: June 23, 2026

1. Who we are

Gnosis Forge Inc. ("Forge," "we," "us") operates the Gnosis Forge platform at gnosisforge.com. We are a Delaware C-corporation headquartered in Las Vegas, Nevada. For European data protection purposes we are the "data controller" for the personal information described in this policy.

2. Information we collect

Information you give us directly:

  • Account details: name, email, phone (optional), password (stored hashed, never in plaintext), profile bio, handle, location, website.
  • Identity verification (KYC): government-issued ID, selfie, date of birth, address. Provided to Stripe Identity, not stored by us.
  • Bank/payout details: for creators receiving funds, handled by Stripe Connect. We store only Stripe's reference IDs.
  • Content: campaigns, product listings, messages, comments, media uploads (via Vercel Blob).
  • Contact form submissions: name, email, category, message.
  • Waitlist signups: email, optional name and role.

Information collected automatically:

  • Device / browser metadata: user-agent, referrer URL, viewport, timezone.
  • IP address, general geolocation (city/country) derived from IP.
  • Session cookies for authentication and CSRF protection.
  • Server logs of API requests you make (rate-limiting, abuse detection, audit trail).

Information from third parties:

  • OAuth profile from Google or Apple if you sign in that way (email, name, avatar).
  • Identity + accreditation verification status from Stripe Identity, iCapital / Parallel Markets, or VerifyInvestor.
  • Bad-actor screening results (SEC Rule 503) from our compliance vendor.

3. How we use information

  • To operate the platform: account creation, sign-in, campaign hosting, messaging.
  • To process payments and payouts via Stripe.
  • To verify identity and accreditation as required by SEC Regulation Crowdfunding, Regulation D, and Regulation A+.
  • To prevent fraud, abuse, and account takeovers (rate limiting, audit logs, MFA).
  • To send transactional email (account changes, security alerts, receipts, campaign updates you follow).
  • To send marketing email when you've opted in (waitlist, launch notification). Unsubscribe any time at /email-preferences.
  • To improve the service based on aggregate usage patterns (never per-user tracking sold to advertisers — we don't sell).

5. When we share information

We share personal data with:
  • Service providers under written data processing agreements. Full list in section 6.
  • Regulators (SEC, FINRA, IRS, state financial regulators) when required by law or crowdfunding rules.
  • Other users where you make information public — your campaign page, storefront, mentor profile, public comments.
  • Legal requirements — court orders, subpoenas, lawful requests we determine to be valid, or to protect our rights and safety.
  • Business transfers — if we merge, are acquired, or sell substantially all assets, your data may be transferred as part of that transaction. We'll notify you and offer choices where required by law.

We do not sell personal information. We do not share personal data with third-party advertisers.

6. Subprocessors

The following subprocessors receive personal data to help us operate the platform. We only work with vendors who commit to protections at least as strong as those in this policy.

SubprocessorPurposeDataLocation
Stripe, Inc.Payments, payouts, KYC/identity, fraud screeningPayment method, ID docs, transaction data, IPUnited States
Neon (Databricks)Managed Postgres — application databaseAll account and campaign dataUnited States
Vercel, Inc.Application hosting, edge network, Blob storageAll server-side data, uploaded mediaUnited States, edge worldwide
Clerk, Inc.Authentication, session managementEmail, name, avatar, sign-in logsUnited States
Resend, Inc.Transactional and marketing email deliveryRecipient email, message bodyUnited States
Sanity.ioContent management (marketing pages, blog)Editorial content — no end-user personal dataUnited States, EU
Upstash, Inc.Distributed rate limiting (when enabled)Hashed IP + rate-limit countersUnited States, edge
Twilio, Inc.SMS OTP delivery (when phone auth is used)Phone number, one-time codeUnited States
iCapital / Parallel MarketsAccredited investor verificationInvestor identity, accreditation statusUnited States
OpenAIAI-generated media (if used by creator)Creator prompts, generated imagesUnited States

Material changes to this list will be posted here at least 30 days before they take effect. Enterprise customers can request advance notice by contacting privacy@gnosisforge.com.

7. Cookies and tracking

We use cookies and similar technologies. We do not use third-party advertising cookies. Non-essential cookies are only set after you accept them in the banner (or continue browsing after acknowledgement if we later add that pattern — currently we require explicit consent).

CookiePurposeTypeRetention
__session (Clerk)Authentication session tokenStrictly necessarySession or 7 days
__client_uat (Clerk)Session freshness / update-at trackingStrictly necessarySession
__clerk_*Clerk authenticationStrictly necessarySession or 30 days
gf_cookie_consentRecords your consent choiceStrictly necessary1 year
gf-launch-banner-dismissedRemembers you dismissed the launch banner (localStorage, not a cookie)PreferencePersistent, cleared with browser storage

Do Not Track:our servers don't currently respond to browser DNT signals — because our first-party cookies are limited to strictly necessary + consented preferences already, DNT would have no additional effect. If we add third-party analytics we'll honor DNT as an implicit opt-out.

You can withdraw cookie consent at any time by clearing cookies for this domain in your browser.

8. Security

  • Passwords hashed with bcrypt (12 rounds). Sessions in HttpOnly, Secure, SameSite=Lax cookies with __Secure- / __Host- prefixes.
  • HTTPS enforced site-wide via HSTS preload (max-age 2 years, includeSubDomains).
  • Strict Content-Security-Policy on the marketing and platform surfaces; frame-ancestors: none.
  • Account lockout after 5 failed sign-in attempts.
  • TOTP two-factor authentication available; required for creators receiving funds.
  • Signed unsubscribe tokens (HMAC-SHA256, 90-day TTL) — links can't be forged.
  • Payment card data never touches our servers — handled by Stripe (PCI-DSS Level 1).
  • Audit log of admin and SEC-filing actions retained for at least 7 years.
  • Bug bounty and coordinated disclosure via security@gnosisforge.com.

No security control is perfect. If you discover a vulnerability please email us before disclosing publicly — we respond within 72 hours.

9. Data retention

CategoryRetentionWhy
Active account dataFor the life of your accountRequired to operate the service
Financial + KYC records≥ 7 years after last activitySEC / FINRA / IRS recordkeeping
Server logs90 daysSecurity investigation window
Audit log (admin actions)≥ 7 yearsRegulatory + compliance
Marketing email listsUntil you unsubscribe + 30 daysSuppression list to prevent re-mailing
Waitlist signupsUntil you unsubscribe + 30 daysSuppression list
Deleted account (voluntary)Erased within 30 days except records aboveYou control your account
Backups30 days rollingDisaster recovery

To request deletion of non-mandatory records, email privacy@gnosisforge.com. We respond within 30 days.

10. Your rights

Regardless of where you live, you can:
  • Access the personal data we hold about you.
  • Correct data that's inaccurate.
  • Delete non-mandatory data.
  • Object to processing based on legitimate interest.
  • Withdraw consent for marketing email and non-essential cookies.
  • Receive a portable copy of your data in a common machine-readable format.

Submit a rights request to privacy@gnosisforge.com from the email on the account. We may verify your identity before responding. Response time: within 30 days (may extend to 60 days with notice for complex requests).

11. California residents (CCPA/CPRA)

In addition to the rights in section 10, California residents have:
  • Right to know what personal information we've collected, sources, purposes, and third parties we've shared with in the last 12 months.
  • Right to opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising, so there's nothing to opt out of.
  • Right to limit use of sensitive personal information — we only use sensitive PI (government ID, financial account info) for the purposes disclosed above.
  • Right to non-discrimination — we won't deny service, charge more, or provide degraded service because you exercised a right.

Categories collected (CPRA taxonomy): identifiers, financial info, commercial info (transactions), internet activity, geolocation (approximate), professional info (bios), inferences (creator/backer role), sensitive PI (government ID for KYC).

To exercise a California right, email privacy@gnosisforge.com or write to Gnosis Forge Inc., Las Vegas, NV. If you use an authorized agent, they must provide written permission from you.

12. EU/UK residents (GDPR)

In addition to the rights in section 10, you may also lodge a complaint with your local supervisory authority (in the EU, your national DPA; in the UK, the ICO at ico.org.uk).

Data Protection Contact: dpo@gnosisforge.com. We do not currently have a formal DPO because we don't meet the scale threshold, but this address routes to our privacy lead.

13. International transfers

Personal data is processed in the United States. For EU/UK/Swiss transfers we rely on:
  • Standard Contractual Clauses (SCCs) with subprocessors located outside adequacy areas.
  • UK IDTA / UK Addendum where applicable.
  • Contractual requirements that vendors implement technical safeguards (encryption in transit and at rest).

If you'd like a copy of the SCCs with a specific vendor, email privacy@gnosisforge.com.

14. Automated decision-making

Fraud screening uses automated rules (rate limits, IP reputation, KYC vendor risk scores). If our system blocks or holds an account, you can appeal via support@gnosisforge.com and a human will review within 5 business days.

Campaign curation is not automated. Every project decision involves human review by domain experts, as described on /criteria.

We do not use automated profiling for advertising or credit decisions.

15. Data breach notification

If we discover a personal data breach that's likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of confirmation, per GDPR Article 33/34 and applicable state laws.

Notifications describe: what happened, what data was involved, what we're doing, and what you can do. We'll also notify supervisory authorities where required.

16. Children

Gnosis Forge is not directed to children under 18. We do not knowingly collect information from children under 18. If you believe a child has provided us information, please contact privacy@gnosisforge.com and we will delete it.

17. Changes to this policy

Material changes are posted here with an updated "Last updated" date. For substantial changes affecting how we use your data, we'll notify you by email at the address on your account at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance of the updated policy.

18. Contact

Gnosis Forge Inc.
Las Vegas, NV, United States
Privacy: privacy@gnosisforge.com
General: hello@gnosisforge.com
Security: security@gnosisforge.com
EU data protection: dpo@gnosisforge.com