Privacy policy

Last updated: April 24, 2026

Plain-language summary: We collect the data we need to run the training platform for your organisation — mostly names, emails, and completion records. We don't sell your data. You can export or delete anything, anytime. We comply with Canadian PIPEDA and European GDPR where applicable.

1. Who we are

TrainingForge is operated by Forge Frameworks Inc., a Canadian company. You can reach us at privacy@trainingforge.ca. Our business mailing address is available on request.

2. What we collect

  • Account info — name, email, password (hashed), job title, timezone, locale.
  • Organisation info — company name, plan tier, billing contact, custom domain (if configured).
  • Training data — course enrolments, lesson completions, quiz attempts, certificates, assignment due dates.
  • Operational data — IP addresses at login, device type, timestamps for audit/security.
  • Payment info — processed by Stripe. We never see your full card number; we only store Stripe's customer ID and metadata.

3. How we use it

  • Run the platform: authentication, showing you your courses, scoring quizzes, issuing certificates.
  • Billing: charging your subscription, sending invoices, tax receipts.
  • Support: responding to your help requests.
  • Compliance: logging completions for your audit trail; retaining consent records per CASL.
  • Product improvements: aggregate, anonymised usage patterns. We never examine individual accounts except for support.

4. Who we share it with

We share personal data only with:

  • Your organisation's admins. Your training records are visible to admins of the tenant you belong to.
  • Sub-processors we rely on — Stripe (billing), AWS/Cloudflare (hosting), Postmark (email), Sentry (error monitoring). Each is bound by data-processing agreements.
  • Legal compliance — if required by a valid subpoena or court order. We notify you unless prohibited.

We never sell personal data. We never share it with advertisers.

5. How long we keep it

  • Active accounts: as long as the tenant is active.
  • After tenant cancellation: 90 days, then data is purged unless a legal hold requires retention.
  • Certificate verification records: retained indefinitely so public verify URLs keep working (can be suppressed on request).
  • Security/audit logs: 12 months.
  • CASL consent records: per CRTC guidance (currently 3 years from last commercial electronic message).

6. Your rights

You can, at any time:

  • Access — see everything we have on you (use the account export in settings).
  • Correct — edit your profile directly, or ask your admin.
  • Delete — email privacy@trainingforge.ca. We honour GDPR/PIPEDA right-to-erasure within 30 days. Some records (audit logs, invoices) are retained per legal requirement.
  • Port — export your data as CSV or JSON.
  • Complain — contact the Office of the Privacy Commissioner of Canada or your local data-protection authority.

7. Cookies

We use only essential cookies (login session, CSRF token, language preference). Analytics cookies are off by default and gated by the consent banner on your first visit.

8. Data residency

Data is stored in Canada by default. Customers on Business and Enterprise plans can request specific regional residency (US, EU). Backups are geo-redundant within the same region.

9. Children

TrainingForge is not intended for anyone under 16. We do not knowingly collect data about minors. If you believe a minor has signed up, contact privacy@trainingforge.ca and we'll delete the account.

10. Changes to this policy

Material changes: we'll email every account owner at least 30 days before they take effect. Non-material edits (typos, clarifications): posted here with the updated date.


Questions? privacy@trainingforge.ca.