1. Plain-English summary
Forras Inc. ("Forras", "we", "us") helps creators build a commerce page, collect newsletter subscribers, and accept payments. To do that we need to handle some personal information — yours, and the people who buy from you. Here is what we collect, why, and what you can do about it.
- We collect the minimum we need to run the Service.
- We do not sell your personal information to advertisers.
- We use processors like Stripe and Coinbase to handle payments, but they only see what they need to.
- You can export, correct, or delete your data from Settings.
2. What we collect
We collect three buckets of information:
Account data. The email and password you sign up with, your
display name, your Link handle (e.g. forras.io/yourname), the language
and currency you pick in Settings, and any profile photo or bio you choose to
upload.
Operational data. Products you list, newsletter campaigns you send, subscriber email addresses you collect, sales records, payout history, timestamps, and IP addresses we log for security.
Buyer data. When someone buys from your Link page, we receive the buyer's email, payment method details (handled by our processors — we never see full card numbers), and any shipping or delivery info needed to fulfil the order.
3. How we use it
- Operate your Link page, newsletter, and store integrations.
- Process payments and pay you out via Stripe and Coinbase CDP.
- Send you transactional emails (receipts, payout notifications, security alerts) and product updates you can unsubscribe from at any time.
- Detect fraud, debug issues, and keep the Service running.
- Comply with tax, accounting, and anti-money-laundering rules where they apply.
4. Legal basis (EU / UK / EEA)
If you are in the UK, EU, or EEA, we process your personal information on one of these legal bases:
- Contract: we need it to deliver the Service you signed up for.
- Legitimate interests: security, fraud detection, and improving the product.
- Legal obligation: tax, accounting, and law-enforcement requests.
- Consent: optional marketing emails and non-essential cookies.
5. Who we share with
We share information only with the processors needed to run the Service:
- Stripe for card payments and Stripe Tax handling.
- Coinbase Commerce / CDP for USDC and EURC settlement on Base.
- Resend for transactional and newsletter email delivery.
- Azure for cloud hosting and database storage.
- Connected store partners (Shopify, WooCommerce, Etsy, PrestaShop, Shopware, Tiendanube, Mercado Libre, Hotmart, InstaMojo) — only when you explicitly connect a store to Forras.
Each of these processors has its own privacy commitments and is bound by a data-processing agreement with Forras. We do not sell personal information, and we do not share it with advertisers.
6. Cookies and storage
We use a small number of first-party cookies and localStorage
items to remember your sign-in session, your language and currency choice,
and a CSRF token for security. We do not use third-party advertising cookies
or cross-site trackers. You can clear them at any time from your browser
settings.
7. Your rights
You can, at any time:
- Export everything we have about you as a downloadable JSON file (Settings → Security → Export my data).
- Correct your account details from Settings.
- Delete your account and have your personal data purged within 30 days, subject to legal retention requirements.
- Unsubscribe from any marketing email with one click.
- Object to processing or restrict it, where the applicable law gives you that right.
- Complain to your local data-protection authority if you think we have got something wrong. We would rather you tell us first — see Contact below.
8. How long we keep it
We keep account and operational data for as long as your account is active, plus the period required by tax and accounting law (typically 7 years for payment records). Subscriber lists are kept for as long as the subscriber remains opted in, plus 30 days after unsubscribe so we can honour do-not-contact preferences. Server logs are kept for 90 days.
9. International transfers
Forras is incorporated in Delaware, USA, and our infrastructure is hosted on Azure across multiple regions. When personal data is transferred out of the EU, UK, or EEA, we use Standard Contractual Clauses approved by the European Commission (and the UK addendum where applicable) to protect it.
10. Children
The Service is not directed to anyone under 16. If you believe we have collected information from a minor, please contact us and we will delete it.
11. Security
We protect data in transit with TLS 1.3 and at rest with AES-256. Passwords are hashed with bcrypt. We run least-privilege access controls, audit logs, and routine third-party security testing. No system is perfect — if you believe you have found a vulnerability, please email security@forras.io.
12. Changes
We may update this Policy when the Service changes or the law evolves. Material changes get at least 14 days' notice by email or in-product banner before they take effect.
13. Contact us
Questions, complaints, or data-rights requests: privacy@forras.io. Our EU-GDPR representative is reachable at the same address.