Data Declaration
This page summarises the main data categories The Forge expects to process for free website builds, Host My HTML review, optional hosting, support, and platform security.
Account
Name, email, password hash, role, session state, verification/reset metadata
Login, account support, security, deletion/anonymisation
Website request
Business details, services, niche, area served, notes, selected template, inspiration links
Build, review, edit, and approve private website previews
Uploads
Logo, hero/gallery images, inspiration files, SVGs, HTML files, ZIP packages, change-request files
Create previews, review safety, optimise images, enforce storage limits
Generated sites
Structured site content, site versions, preview/live paths, expiry dates, cleanup state
Serve private previews, publish live hosted sites, remove expired files
Domain and DNS
Hosted slug, custom-domain notes, DNS instructions, live URL, certificate/hostname checks
Help customers connect domains after hosting is active
Billing
Stripe customer/subscription IDs, payment status, current period, complimentary hosting credits
Activate hosting, unlock live/DNS flow, manage subscription support
Recipient, subject, template, delivery status, payload metadata
Transactional messages and support traceability
Analytics and security
Site events, request metadata, rate-limit buckets, IP-derived security logs, admin audit logs
Understand usage, prevent abuse, investigate issues, prove admin actions
Account deletion
Deletion request, anonymised user/request records, retired site paths, retained audit markers
Remove active access while preserving records needed for security, billing, and audit
Retention
Released previews are visible for 48 hours. Unpaid generated files are retained for a short recovery window, then removed by cleanup jobs. Backups, billing, security, and audit records may remain where needed.
Access
Customers can use account settings or support to request export, correction, deletion, or help with stored files. Admin exports redact password and reset-token fields.
Security
Admin pages require admin login, uploads are type and size limited, rate limits are applied, and secrets/API keys are kept out of public pages and git.