ForgePoint Privacy Policy

Last updated 24 April 2026

This Privacy Policy explains how ForgeWorks Labs collects, uses, stores, and protects your personal data when you use ForgePoint and our associated website and account services. It is written to meet the UK GDPR and the Data Protection Act 2018.

1. Introduction

This Privacy Policy explains how ForgeWorks Labs (“we”, “us”, or “our”) collects, uses, stores, and protects personal data when you use the ForgePoint diagnostic and programming software (the “Software”) and the associated website and account services.

This policy is written to meet the requirements of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. It sets out our lawful bases for processing, the rights available to you, and how to exercise them.

2. Who We Are (Data Controller)

For the purposes of UK data protection law, the data controller is ForgeWorks Labs, operating from the United Kingdom.

We have not appointed a Data Protection Officer as we are not legally required to do so. Questions about this policy, requests to exercise your rights, and any other data protection matters should be sent to hello@fwlabs.co.uk.

3. The Personal Data We Collect

3.1 Information you provide when creating an account

  • First name and last name.
  • Email address.
  • A password, which is hashed and stored by our authentication provider (Google Firebase Authentication); we never see or store the plaintext.

3.2 Device and security information (collected automatically)

  • The network MAC address of the machine you sign in from.
  • The Windows Device Unique Identifier (UID) of that machine.
  • Timestamps and IP addresses associated with sign-in events and with calls from the Software to our servers (captured automatically by Google Cloud Logging when our back-end functions run).

These are used solely to prevent account sharing, detect fraud, and keep the Software and your account secure.

3.3 Credit and transaction records

When you purchase Credits or perform a billable operation in the Software, we store:

  • Your current Credit balance, held against your account in our database.
  • A ledger entry for each debit or refund: the action key (e.g. an identifier such as “ipc.vin.write”), the amount, the timestamp, the originating device identifier, and the outcome (success / failed / refunded). These entries are used to bill correctly, detect abuse, and reconcile disputed charges.
  • A Stripe customer identifier and, for each purchase, the Stripe payment/charge identifier, the amount, and limited card metadata (brand and last four digits) returned by Stripe. We do not receive or store full card numbers, CVV codes, or bank account details.

3.4 Support correspondence and voluntarily submitted logs

  • Emails you send us and our replies.
  • Diagnostic log files you choose to attach to a support request. The Software does not automatically transmit vehicle or log data; any transmission is initiated manually by you.

3.5 Anonymous usage analytics

We may collect limited, aggregated technical signals about how the Software is used (for example, which features are opened, and crash reports). Where this data is not linked to your account or device, it is treated as non-personal.

3.6 Vehicle data (processed in transit, not stored)

When you perform operations such as VIN reads/writes or SKC reads/writes, vehicle identifiers pass through the Software on your computer. We do not store vehicle identifiers, VINs, SKCs, seed/key material, or diagnostic trouble codes on our servers. Such values may appear in local log files on your own computer (under your Documents folder); those files never leave your machine unless you choose to send them to us.

3.7 Website cookies

Our website uses only strictly necessary cookies required to keep you signed in to your account and to support payment processing through Stripe. We do not use advertising, profiling, or third-party analytics cookies. Because these cookies are strictly necessary for a service you have requested, your consent is not required under the Privacy and Electronic Communications Regulations (PECR), but you may block them in your browser (the account area will not function without them).

We do not intentionally collect any special-category data (health, ethnicity, religious or political views, biometric data, etc.).

4. How We Use Your Personal Data

  • To create, authenticate, and manage your account.
  • To operate the Software’s licensing, Credit balance, and billing features, including charging for and refunding billable operations.
  • To process payments via Stripe when you purchase Credits.
  • To protect the Software and our customers from fraud, account sharing, and unauthorised use.
  • To respond to support requests and investigate issues you report.
  • To send occasional product announcements to account holders (for example, major new versions or service-affecting notices). You can opt out of these at any time by emailing us; we will continue to send purely transactional messages (receipts, security alerts, policy changes) because they are necessary to operate your account.
  • To meet legal, accounting, and tax obligations.
  • To improve the Software using aggregated, anonymised analytics.

5. Our Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a contract (Art. 6(1)(b)) for account creation, authentication, Credit accounting, payment processing, and delivering the Software’s functionality.
  • Legitimate interests (Art. 6(1)(f)) for fraud prevention, device binding, anti-piracy measures, security logging, product announcements to existing customers, and improving the Software. We have balanced these interests against your rights and consider them proportionate.
  • Legal obligation (Art. 6(1)(c)) for retaining transaction records to meet UK tax and accounting requirements.
  • Consent (Art. 6(1)(a)) where we ask for it explicitly (for example, before sending non-transactional marketing should we introduce it in future). You may withdraw consent at any time.

6. Automated Decisions

Our device-binding checks (MAC address and Windows UID) are applied automatically to prevent account sharing and piracy. These checks can prevent the Software from running on a device that does not match your registered account. We do not consider this to produce legal or similarly significant effects within the meaning of Article 22 of the UK GDPR, and a human review is available on request. Please contact us if you believe the check has blocked you unfairly.

7. How Long We Keep Your Data

  • Account data (name, email, auth record): while your account is active, then deleted within 30 days of account closure.
  • Device identifiers and security logs: 12 months from last activity.
  • Credit ledger and payment records: 6 years from the end of the financial year of the transaction, to meet HMRC record-keeping obligations.
  • Support correspondence: 24 months from the last message.
  • Server-side application logs (including IP addresses in request logs): 90 days.
  • Local log files on your own computer: retained until you delete them; we have no control over or access to these.

Where we are required to keep financial records beyond the lifetime of your account, we restrict access to those records to what is needed for legal compliance.

8. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share the minimum necessary data with the following categories of processors who act on our behalf under written agreements:

  • Google LLC / Google Ireland Limited — provides Firebase Authentication, Cloud Firestore, Cloud Functions, and Cloud Logging, which together host our account system and back-end services.
  • Stripe Payments Europe, Ltd. / Stripe, Inc. — processes Credit purchases. Payment card details are submitted directly to Stripe and are not accessible to us.
  • Email providers used to send transactional and service emails.

We may also disclose data where we are legally required to (for example, to comply with a court order or to respond to a lawful request from a regulator or law-enforcement body).

9. International Transfers

Our Firestore database is hosted in the europe-west2 region (London, United Kingdom). Some of our back-end Cloud Functions currently run in the us-central1 region (United States), which means personal data processed by those functions is transferred to the United States. Authentication data managed by Google is likewise processed in the United States.

Where data leaves the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which Google and Stripe incorporate into their terms with us. Copies of these safeguards are available on request.

10. Security

We use industry-standard technical and organisational measures to protect your data, including:

  • TLS encryption for all traffic between the Software, the website, and our servers.
  • Passwords stored only as hashes by Firebase Authentication.
  • Firestore security rules and server-side validation to prevent unauthorised reads and writes.
  • Principle-of-least-privilege access controls for internal tooling.

No system is perfectly secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected users without undue delay.

11. Your Rights

Under the UK GDPR you have the right to:

  • Be informed about how your data is used (this policy).
  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to our legal retention obligations in Section 7.
  • Restrict processing in certain circumstances.
  • Object to processing based on our legitimate interests, including profiling for product announcements.
  • Data portability — receive your data in a machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects (see Section 6).

To exercise any right, email hello@fwlabs.co.uk. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.

To delete your account and associated personal data, email hello@fwlabs.co.uk from the address on your account. We will confirm deletion by reply. Financial and transaction records will be retained for the period set out in Section 7 where we are legally required to keep them.

12. Complaints

If you are not satisfied with how we have handled your data, you can complain to the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House, Water Lane

Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: https://ico.org.uk

We would, however, appreciate the chance to address your concerns first; please contact us before going to the ICO where possible.

13. Children

The Software is intended for professional use in automotive diagnostics and programming. It is not directed at, and we do not knowingly collect personal data from, anyone under the age of 18. If you believe a child has created an account, please contact us and we will close it and delete the associated data.

15. Changes to This Policy

We may update this policy to reflect changes in our service, the law, or our processing activities. When we make a material change, we will update the “Last Updated” date at the top of this page and notify account holders by email or via a notice in the Software before the change takes effect. Minor clarifications may be made without notification. Your continued use of the Software after a change takes effect constitutes acceptance of the updated policy.
