ForgeStop Authentication App Privacy Policy
ForgeStop Authentication Services

NFC Product Authentication Services — Data Collection, Processing & User Rights

Version: 1.0 | Effective: 01/Jan/2026 | Classification: Public

Privacy at a Glance

  • No personal data collected. We don't collect names, emails, phone numbers, or any directly identifying information during authentication.
  • Session cookie only. One strictly necessary cookie that expires when you close your browser. No tracking or advertising cookies.
  • IP addresses are not identifying. Mobile networks use shared addresses (CGNAT) — your IP cannot be traced back to you individually.
  • Location is optional. Approximate location is used by default. Precise location only with your explicit browser permission, which you can revoke anytime.
  • Your data is never sold. We provide brands with aggregated, anonymized analytics only. No individual user can be identified.
  • ForgeStop authenticates, then hands off. After product verification, you're directed to the brand's own experience under their own privacy policy.

For the complete details, please read the full policy below.

1. Introduction

This Privacy Policy describes how ForgeStop Technology Corp ("ForgeStop," "we," "us," or "our") collects, uses, and protects information when you interact with our NFC product authentication technology ("Authentication Services").

ForgeStop provides product authentication technology to brands and manufacturers ("Brand Partners"). When you tap an NFC-enabled product tag with your mobile device, our servers verify the authenticity of the product. This policy governs the data processed during that authentication interaction only.

Important: ForgeStop operates the authentication technology on behalf of the Brand Partner. After product authentication is complete, you are directed to the Brand Partner's own digital experience, governed by their own privacy policy, cookie policy, and terms of service. ForgeStop is not responsible for the data practices of Brand Partners.

This policy complies with applicable data protection regulations worldwide, including the EU General Data Protection Regulation (GDPR), Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), and other applicable privacy laws.

2. Who We Are

ForgeStop Technology Corp is a technology company specializing in NFC and RFID-based product authentication for the pharmaceutical, beverage, and retail industries.

Data Controller: The Brand Partner whose product you are authenticating is the data controller. They determine the purposes and scope of the authentication service.

Data Processor: ForgeStop acts as the data processor, operating the authentication technology on behalf of the Brand Partner. We process data strictly as necessary to deliver the service.

Contact: support@forgestop.com | www.forgestop.com

3. How the Authentication Process Works

Understanding the authentication flow clarifies what data is involved and why:

Step | Action | What Happens
1 | You tap the NFC tag | Your mobile device reads the NFC tag embedded in the product packaging, which contains a unique product identifier.
2 | Request sent to ForgeStop | Your device opens a URL that reaches ForgeStop's servers. The Brand Partner's domain is displayed in your browser via DNS configuration (CNAME), but ForgeStop processes the request.
3 | Product authenticated | ForgeStop verifies the product's authenticity. During this step, certain operational data is automatically collected (see Section 4).
4 | Location permission (optional) | You may be prompted to grant location permission for enhanced authentication and localized content. If you decline, approximate location is used.
5 | Redirect to Brand | After authentication, you are directed to the Brand Partner's digital experience. From this point, their privacy policy applies.

Domain Transparency: Although ForgeStop's servers process the authentication, the URL in your browser belongs to the Brand Partner (via DNS). This is a standard white-label technology arrangement.

4. Information We Collect

ForgeStop collects a limited set of automatically collected, non-identifying operational data during authentication. This data does not reveal your specific identity.

4.1 Automatically Collected Data

Data Element | Purpose | Legal Basis
Approximate geolocation | Product authentication; localized content | Legitimate interest
Precise geolocation (with permission) | Enhanced authentication; anti-counterfeiting | Consent (browser prompt)
Device type and model | Compatibility; analytics | Legitimate interest
Browser type and version | Compatibility; troubleshooting | Legitimate interest
Operating system | Compatibility; analytics | Legitimate interest
Language preferences | Localized content delivery | Legitimate interest
Scan timestamp | Authentication record; fraud detection | Legitimate interest
Referring URL | Diagnostics and analytics | Legitimate interest
Unique tag identifier | Product authentication (core) | Contractual necessity

4.2 Information We Do NOT Collect

  • Names, email addresses, or contact information
  • Phone numbers
  • Account credentials or passwords
  • Payment or financial information
  • Health-related or medical information
  • Biometric data
  • Social media identifiers
  • Any sensitive personal information under GDPR, LFPDPPP, or equivalent regulations

We do not process sensitive personal information. We do not receive information from third parties during authentication.

5. IP Addresses and Mobile Networks

ForgeStop's servers receive IP addresses as part of standard internet communication. Here is how they are handled:

  • IP addresses are processed transiently for service delivery and standard server operation.
  • IP addresses are logged in server access logs for security, diagnostics, and reliability.
  • IP addresses are not stored in personally identifiable form, not shared with Brand Partners, and not used for tracking.
  • Most authentication interactions come from mobile devices using Carrier-Grade NAT (CGNAT), which assigns one public IP to thousands of subscribers. Mobile IPs do not identify individuals.
  • Mobile IPs rotate frequently as devices reconnect, further reducing identification value.
  • ForgeStop does not attempt to resolve or correlate IP addresses to identify users.

In practical terms: the IP address from your mobile device during authentication cannot identify you personally. It is a shared network address used by thousands of other mobile users simultaneously.

6. Location Data

Location data supports product authentication by detecting counterfeit distribution and delivering regionally relevant content.

Approximate Location (default): Derived from network-level data. Provides only a general geographic area (city/region level). Collected automatically as part of standard internet communication.

Precise Location (requires permission): If the Brand Partner has enabled this, your browser displays a location permission prompt. You may accept or decline. If granted, more accurate coordinates enhance authentication and localized content. If declined, the service continues with approximate location.

You can revoke location permissions at any time through your device settings without affecting core authentication functionality.

7. Cookies and Similar Technologies

ForgeStop uses only a strictly necessary session cookie during authentication. No marketing, tracking, or third-party cookies are used.

  • ForgeStop sets a single, strictly necessary session cookie during the authentication interaction. This cookie is required for the authentication process to function correctly. It expires when you close your browser and does not track you across sites or sessions.
  • ForgeStop does not use marketing, advertising, or third-party tracking cookies.
  • ForgeStop does not use third-party analytics tools (such as Google Analytics, Mixpanel, or similar) during the authentication interaction.
  • No persistent cookies are stored on your device by ForgeStop as part of the authentication process.

After authentication, the Brand Partner may set their own cookies subject to their own cookie policy.

8. How We Use Information

  • Product Authentication: Verifying the authenticity of the scanned product (core function).
  • Service Delivery: Ensuring correct rendering on your device, in your language, with relevant content.
  • Security and Fraud Prevention: Detecting counterfeit activity, tag duplication, or abuse.
  • Analytics and Reporting: Providing Brand Partners with aggregated, anonymized analytics via a secure dashboard.
  • Service Improvement: Analyzing aggregated patterns to improve speed, reliability, and experience.
  • Legal Compliance: Processing data as required by applicable laws.

We do not: sell your data, use it for advertising, create user profiles, track you across websites, or share it except in aggregated, anonymized form with Brand Partners.

9. Post-Authentication Services

Depending on Brand Partner configuration, ForgeStop may continue providing certain services after authentication:

  • Contextual product metadata injection (product name, batch ID, scan location) into Brand Partner forms or chat.
  • Interactive features such as scan verification badges or product widgets.
  • Continued analytics collection on behalf of the Brand Partner.

These services are provided at the Brand Partner's direction. The data is operational product metadata, not personal data. The Brand Partner's privacy policy governs the post-authentication experience.

10. Data Sharing and Transfers

10.1 Brand Partner Dashboard

Aggregated, anonymized scan analytics are provided via a secure dashboard. These analytics cannot identify individual users.

10.2 Infrastructure

ForgeStop uses Amazon Web Services (AWS) for hosting. AWS maintains SOC 2 Type II, ISO 27001, and GDPR compliance certifications. No other third-party processors are used for authentication.

10.3 Legal Requirements

ForgeStop may disclose information if required by law, regulation, legal process, or to protect rights, property, or safety.

10.4 No Sale of Data

ForgeStop does not sell, rent, or trade any data collected through the Authentication Services.

11. Data Retention

Operational scan data is retained for the duration of the Brand Partner service agreement.

Upon termination: All Brand Partner-associated data deleted upon request, confirmed in writing. Limited anonymized data may be retained for aggregate improvement.

Server logs: Retained for a limited period for security and diagnostics, then automatically purged.

12. Data Security

  • Data encrypted in transit using TLS.
  • Data at rest encrypted within AWS infrastructure.
  • Production access restricted to authorized personnel.
  • AWS maintains SOC 2 Type II and ISO 27001 certifications.
  • Internal incident response process; Brand Partners notified per contractual and legal obligations.

13. Your Rights

Depending on your location and applicable laws, you may have rights regarding your data. As ForgeStop is a data processor, requests should generally go to the Brand Partner first. ForgeStop will cooperate to fulfill requests.

  • Right of Access: Know what data is processed and how.
  • Right of Rectification: Request correction of inaccurate data.
  • Right of Erasure / Cancellation: Request deletion of data.
  • Right of Opposition / Objection: Object to specific uses or automated processing.
  • Right to Restrict Processing: Request limits on data use.
  • Right to Data Portability: Receive data in machine-readable format where applicable.
  • Right to Withdraw Consent: Withdraw consent (e.g., location) via device settings at any time.

Contact the Brand Partner or email support@forgestop.com. We respond within legally required timeframes.

14. Children's Privacy

Authentication Services are general-purpose product verification with no age restriction. ForgeStop does not knowingly collect personally identifiable information from anyone, including children. No parental consent mechanism is required as no personal data is collected.

15. Brand Partner Responsibilities

Each Brand Partner is independently responsible for:

  • Providing their own privacy, cookie, and terms of service policies for post-authentication experiences.
  • Ensuring their data collection practices comply with applicable regulations.
  • Providing appropriate consent mechanisms for additional data collection on their domain.
  • Informing users that ForgeStop operates the authentication technology, if required by law.

ForgeStop is not responsible for Brand Partner privacy practices. Review their policy when interacting with post-authentication content.

16. International Data Considerations

Authentication servers are hosted on AWS. Data may be processed outside your country of residence. ForgeStop ensures cross-border processing complies with applicable laws, using contractual safeguards (e.g., Standard Contractual Clauses under GDPR) where required.

17. Changes to This Policy

  • The "Last Updated" date will be revised when changes are made.
  • Brand Partners will be notified in advance of material changes.
  • Changes communicated via dashboard and direct notification.
  • Continued use after changes constitutes acceptance.

18. Contact Us

Questions, concerns, or requests regarding this policy:

ForgeStop Technology Corp
Email: support@forgestop.com
Website: www.forgestop.com
1221 Brickell Ave, Suite 900
Miami, FL 33131

For data subject requests, include sufficient verification information and specify the nature of your request.