Features Docs Blog Company GitHub
Try Forge →

Privacy Policy

Introduction

Simple Container builds developer tools (Simple Container and Forge). This page describes what we collect when you use our products and how we handle it. We try to keep both lists short.

We are a small, distributed team operating without a physical office; the company is incorporated through Simple Container. For privacy questions, the fastest route is email — see “Contact” at the bottom.

What we collect

When you use forge.simple-container.com or the Forge SPA

  • Account data — your email, the GitHub org/user you signed in with, and the access tokens we need to talk to your repos on your behalf.
  • Session data — the issues, comments, prompts, and AI responses produced inside Forge sessions. This is the substance of what Forge does, and we store it so you can review and resume runs.
  • Usage metering — per-turn token counts, cost estimates, the AI provider that handled the turn, and the worker that executed it. Used to enforce per-org quotas and produce billing.
  • Operational logs — request paths, error traces, and timing. Retained for a short rolling window for debugging and incident response.

When you use forge-cli locally

  • Device-flow tokens stored at ~/.config/forge/token on your machine. We don’t pull these back to our servers.
  • Snapshots you choose to push via forge sync or the auto-hook — same data category as session data above.

When you visit this website

  • Anonymous analytics (page views, referrer, viewport size). No cross-site tracking.
  • No advertising cookies.

What we do with it

  • Operate the products — running pipelines, dispatching cloud jobs, returning results.
  • Enforce limits — per-org token and compute quotas.
  • Protect the platform — abuse detection, rate limiting, security incident response.
  • Improve the products — aggregated metrics, error analysis. Specific session content is not used to train shared models without explicit opt-in.

We do not sell personal data. We do not sell session data.

Sub-processors

Forge routes AI requests through several model providers. Whichever provider handles a given turn sees that turn’s prompt and response. The current set:

  • Anthropic (Claude)
  • OpenAI (GPT)
  • Google (Gemini)
  • Microsoft Azure AI
  • AWS Bedrock

You can pin your org to a subset of these in the Forge SPA. We also use standard infrastructure providers (cloud hosting, transactional email, error tracking). Sub-processor list is available on request.

Your rights

You can:

  • Access the data we hold about you and your sessions.
  • Export your sessions (message logs, snapshots, branch metadata) — forge sync --from-cloud covers this for individual sessions.
  • Delete an org or account, which removes session data subject to a short retention window for backups.
  • Object to specific processing — write to us and we’ll work it out.

Security

Tokens at rest are encrypted. Cloud session data is stored on managed databases with at-rest encryption and access controls. We use TLS for all in-transit traffic. forge-cli writes its credentials with mode 0600 and uses atomic file replacement on rotation.

No system is bullet-proof. We disclose material incidents to affected customers without delay.

Changes

Material changes to this policy will be announced in our changelog and via email to active org admins. The “last updated” date at the bottom always reflects the current version.

Contact

Last Updated: May 2026