Privacy Policy

This Privacy Policy explains how Smart Unlimited Holding B.V. (trading as AnyForge) ("AnyForge", "we", "us", or "our") collects, uses, and protects personal data in connection with the AnyForge platform, including AnyForge Control, AnyForge Crew, the AnyForge Console, and our websites (together, the "Service"). AnyForge is a business-to-business service intended for use by organizations and their authorized users.

Please also read our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

Smart Unlimited Holding B.V. (trading as AnyForge), registered in the Netherlands under company number 20110743 (Netherlands Chamber of Commerce, KvK), with its registered office in Den Hout, the Netherlands, is responsible for the personal data described in this Policy where we act as a controller.

For any privacy question or to exercise your rights, contact us at privacy@anyforge.ai.

Our role depends on the data in question.

Where we act as a controller. For the personal data we collect to run our business and provide the Service, such as account, billing, website, support, and marketing data, we determine why and how it is processed, and this Policy governs.

Where we act as a processor. When you, as a business customer, submit data through the Service ("Customer Data"), you are the controller of any personal data it contains and we process it on your behalf, under your instructions and our Terms and Data Processing Addendum. Our handling of that data is governed by that agreement, not this Policy. If you are an individual whose personal data has been included in Customer Data by one of our customers, please direct your privacy requests to that customer, who is the controller; we will support them as required.

• Account and profile data: name, business email address, company name, job title, and login credentials.
• Authentication data: sign-in records and, where you use single sign-on, the identifiers your identity provider shares with us.
• Billing and transaction data: company billing details and subscription records. Card payments are processed by our payment processor; we do not store full payment card numbers.
• Usage, log, and device data: IP address, browser and device information, log data, timestamps, feature usage, and product analytics generated when you use the Service.
• Support and communications data: the content of messages, support tickets, and correspondence with us.
• Marketing data: information you provide through forms or when you opt in to communications.
• Cookies and similar technologies: see Section 12.

Provider credentials (BYOK). The Service runs on a "bring your own key" basis. When you connect an AI or other provider, you supply API keys or credentials. We treat these as confidential secrets, store them with protection appropriate to their sensitivity, and use them only to operate the Service for you. We mention them here for transparency; they are generally credentials rather than personal data.

The prompts, content, configurations, and other data you route through the Service may contain personal data for which you are the controller. We process it only to provide, secure, and maintain the Service, in accordance with your instructions and the Data Processing Addendum.

We do not use Customer Data to train our own or any third party's AI models.

Under BYOK, content you send for processing is transmitted to the AI provider you choose, using your own credentials, under your own relationship with that provider. That provider's handling of the data is governed by your agreement with them, not by this Policy.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• To provide and operate the Service, create and manage accounts, and authenticate users: performance of a contract (Article 6(1)(b)).
• To bill, administer accounts, and keep records: performance of a contract and compliance with a legal obligation (Articles 6(1)(b) and 6(1)(c)).
• To secure the Service, prevent fraud and abuse, troubleshoot, analyze usage, and improve and develop our products: our legitimate interests in running and improving a secure, reliable service (Article 6(1)(f)).
• To send marketing communications: your consent, or our legitimate interest where permitted by law. You can opt out at any time.
• To comply with law and respond to lawful requests: compliance with a legal obligation (Article 6(1)(c)).

The Service helps you govern and orchestrate AI agents and workflows. Outputs are generated by the providers you connect under BYOK, not by models we operate. We do not use the Service to make decisions that produce legal or similarly significant effects about individuals. We may create and use aggregated, anonymized, or de-identified data, which does not identify you or any individual, to operate, analyze, and improve the Service.

We share personal data only as described here. We do not sell personal data.

• Service providers and sub-processors who help us run the Service, such as cloud hosting and infrastructure, payment processing, analytics, communications and email, and customer support tools. A current list is available on request from privacy@anyforge.ai. These providers act on our instructions under contract.
• AI and other providers you connect (BYOK): you connect these directly with your own credentials, and data you route is sent to them under your own relationship with them.
• Legal, safety, and compliance: where we reasonably believe disclosure is required by law or legal process, or necessary to protect the rights, property, or safety of AnyForge, our users, or others.
• Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality protections.

We and our service providers may process personal data in countries other than your own, including outside the European Economic Area and the United Kingdom. Where we transfer personal data internationally, we rely on appropriate safeguards, such as a European Commission adequacy decision or the Standard Contractual Clauses (with the UK Addendum where relevant). You may request information about these safeguards using the contact details in Section 1.

We keep personal data only as long as necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Account data is generally retained for the life of the account and a reasonable period afterward. Customer Data is retained and deleted in accordance with the Data Processing Addendum and your instructions. Records of consent and acceptance of our Terms and this Policy are retained as evidence for as long as needed to establish, exercise, or defend legal claims.

We maintain technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, and alteration, including encryption in transit and at rest where appropriate, access controls, and monitoring. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Depending on where you are and applicable law, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent where processing is based on consent. Where the GDPR or UK GDPR applies, you also have the right to lodge a complaint with a supervisory authority, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise your rights regarding data for which we are the controller, contact us at privacy@anyforge.ai. Where we process personal data as a processor on behalf of a business customer, please contact that customer, who is the controller. We may need to verify your identity before acting on a request.

Our websites and the Service use cookies and similar technologies for essential functionality, to remember your preferences, and to understand and improve how the Service is used. You can manage non-essential cookies through the consent controls we provide and through your browser settings. For more detail, contact us at privacy@anyforge.ai.

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

We may update this Policy from time to time. We will post the updated version with a new effective date and, for material changes, provide reasonable notice (for example, by email or in-product notice). Your continued use of the Service after the changes take effect indicates your awareness of the updated Policy.

Smart Unlimited Holding B.V. (trading as AnyForge)
Den Hout, the Netherlands
Privacy enquiries: privacy@anyforge.ai