Privacy Policy

Data Controller

The data controller responsible for the personal data processed through Forge is:

Jason Stoudt, operating as Stoudt Labs. For all privacy, data subject access, or data protection inquiries, contact jason@stoudtlabs.io.

Children Under 13

Forge is not directed at, and we do not knowingly collect personal information from, children under the age of 13. Users aged 13 or older may use Forge only with the consent and supervision of a parent or legal guardian where required by local law, and in any case must be at least 18 years old to create an account without supervision. If we become aware that a child under 13 has provided personal information, we will delete that information immediately. Parents or guardians who believe their child has provided data to Forge may request deletion by emailing jason@stoudtlabs.io.

Information We Collect

Forge collects the data necessary to operate your paper portfolio simulation. This includes portfolio data (assets, positions, and allocation decisions), agent decisions made by AI agents on your behalf, and simulation results including Monte Carlo analysis outputs and scenario projections.

We do not collect personal financial account information, brokerage credentials, or any data related to real-money investments.

How We Store Data

All portfolio and simulation data is stored in Supabase (PostgreSQL), scoped by your session ID. Each session is isolated — your data is not shared with or visible to other users.

No data collected by Forge is sold, rented, or shared with third parties for advertising or marketing purposes.

Third-Party Data Sources

Forge retrieves market and news data from third-party providers. By using Forge you also agree to the terms of these providers.

• Yahoo Finance — accessed via the yahoo-finance2 npm package. See the Yahoo Terms of Service. Quotes may be delayed by 15+ minutes and are provided for informational purposes only.
• NewsAPI — headline and sentiment data retrieved from NewsAPI Terms of Service.

Market data is delayed and may be incomplete. It must not be relied upon for real-money trading decisions. Forge is a simulation platform only.

Authentication

Forge uses NextAuth.js with a credentials-based login. Access credentials are managed as server-side environment variables — no user accounts or password databases are maintained. Sessions are issued as signed JWTs and stored in encrypted HTTP-only cookies managed by NextAuth.js. These session cookies are required for the application to function and expire after 24 hours of inactivity.

Analytics

Forge uses PostHog (posthog.com) to collect product analytics. PostHog is disabled by default and is only enabled after you explicitly accept analytics cookies via the consent banner. Events tracked include portfolio loads, scenario views, and navigation interactions within the app. PostHog receives your anonymised session identifier and event metadata.

No analytics data is used for advertising or sold to third parties. Data is retained subject to PostHog's data processing agreement. You can withdraw analytics consent at any time:

Cookies We Use

Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you may exercise the following rights regarding your personal data:

• Access (GDPR Art. 15): Request a copy of the personal data we hold about you.
• Rectification (GDPR Art. 16): Ask us to correct inaccurate or incomplete data.
• Erasure / "Right to be Forgotten" (GDPR Art. 17): Request deletion of your data.
• Data Portability (GDPR Art. 20): Receive your data in a structured, machine-readable format.
• Opt-out of Sale (CCPA §1798.120): We do not sell personal data, but you have the right to direct us not to.
• Withdraw consent: Use the Opt out of analytics button above at any time.

To exercise any of these rights, email privacy@stoudtlabs.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Do Not Sell or Share My Personal Information (CCPA)

California residents have the right under the California Consumer Privacy Act (as amended by the CPRA) to direct a business not to sell or share their personal information.

Forge does not sell personal information. Forge does not share personal information for cross-context behavioral advertising. We do not exchange any user data for monetary or other valuable consideration, and we do not participate in targeted advertising networks.

If you still wish to formally exercise your right to opt out of the sale or sharing of your personal information, or submit a verifiable consumer request to know, delete, or correct your data, email jason@stoudtlabs.io with the subject line "CCPA Do Not Sell or Share". We will confirm receipt within 10 business days and respond substantively within 45 days, as required by California law. You may also designate an authorized agent to submit a request on your behalf.

Financial Disclaimer

Forge is a paper trading simulator. No real financial transactions are made through this application. All portfolio values, trades, and performance figures are entirely simulated and do not reflect actual market investments.

Nothing in this application constitutes financial advice. AI agent recommendations are generated for simulation and educational purposes only.

Your Rights

You have the right to access, correct, export, or delete the data Forge holds about your session. To exercise any of these rights, contact jason@stoudtlabs.io with your request. Requests will be fulfilled within 30 days.

Because Forge is a single-user application with credentials managed as server-side environment variables, there are no user account records to export beyond your portfolio simulation data stored in Supabase. You may request a data export or deletion of all portfolio data at any time.

Contact

For privacy-related inquiries, contact privacy@stoudtlabs.io. For general questions, contact jason@stoudtlabs.io.