Privacy Policy
Effective: May 13, 2026 · Last updated: May 13, 2026
If anything below conflicts with what the code actually does, treat the code as the source of truth and email support@forgetools.top — that is a bug, not a policy choice.
Overview
ForgeTools is a Chrome Manifest V3 extension plus a companion service (forgetools.top) that provides launch tooling, multi-wallet orchestration, sniping, and market-making for the Pump.fun / PumpSwap ecosystem on Solana. This policy describes what data the Extension and companion collect, how it is stored, and how to request deletion.
Data We Collect
- Install ID — a random UUID generated client-side on first install. Used to deduplicate support requests, route per-tenant command queues, and link your session to a license. Not derived from any device identifier.
- Solana wallet public keys — public addresses for any wallet you create or import. These are visible on the blockchain by design.
- Encrypted wallet private keys (escrow flow) — when you opt in to escrow during onboarding (/v1/extension/escrow/register), the Extension uploads private keys already encrypted on your device (AES-256-GCM, PBKDF2 600k iterations, HKDF per-tenant derivation). The companion never sees your passphrase or unencrypted key material. The ciphertext is wrapped again with a server master key (dual-envelope) so that database compromise alone cannot decrypt your keys. If you decline escrow, no key material leaves your device.
- Trade history — signatures, mint, side, SOL amounts, token amounts, service fees, Jito tips, priority fees, the wallet/tenant.
- Referral relationships and earnings — your code, your tier, who referred you, accrued earnings, claim history.
- Telemetry — extension version, install timestamp, aggregate per-session command counts (no per-action timestamps). Used for crash analysis and the update banner.
Data We Do NOT Collect
- Browsing history outside our declared content-script origins (pump.fun, dexscreener.com, photon-sol.tinyastro.io, x.com, twitter.com).
- Tweet contents beyond exactly the text you submit through the tweet-deploy workflow.
- Keystrokes, form data, or passwords from any site.
- IP address — the reverse proxy retains it for rate-limiting (7-day rotation) but it is never linked to your install ID or wallet.
- Personally identifiable information — we hold no name, phone, or email unless you give one for support.
- Third-party analytics. No Google Analytics, Mixpanel, Segment, or similar SDKs are loaded.
- Cookies for cross-site tracking.
Storage & Security
- All transport encrypted with TLS 1.2+. All client-server communication is over HTTPS.
- Private key encryption: AES-256-GCM (authenticated), PBKDF2 with 600,000 SHA-256 iterations, HKDF for per-tenant key separation.
- Escrowed private keys are dual-enveloped (your client encryption + a server master key held in a separate KMS). No employee can decrypt your wallets without compromising both your passphrase and the KMS-held master key.
Data Sharing
We do not sell, share, or transmit your data to any third party for marketing, profiling, or advertising. The companion sends transactions to Solana RPC providers (Helius, Triton, or your configured RPC) and Jito Block Engine — these are essential to executing your trades. RPC providers receive only the public transaction bytes you sign; they do not receive your encrypted private keys. We will disclose data only when compelled by a valid legal order and, where lawfully possible, we will notify you first.
Retention
- Trade history is retained indefinitely for audit, accounting, and referral payout reconciliation.
- Escrowed encrypted private keys are retained until you request account deletion. Uninstalling the Extension does not remove the escrowed copy. You must explicitly request deletion.
- Local encrypted keys are cleared when you uninstall the Extension or clear site data.
- Referral relationships are retained while the referred tenant exists.
- Telemetry / server logs are kept for 7 days then rotated out.
Your Rights
Regardless of where you live, you may request the following by emailing support@forgetools.top:
- Access — a copy of all server-side data tied to your install ID and tenant. We will respond within 30 days.
- Deletion — removal of your escrowed encrypted private keys, referral records, and telemetry. Trade history is retained per the Retention section; ask if you want it pseudonymized.
- Correction / portability — export and re-import of your wallet metadata.
EU/UK users have additional rights under GDPR/UK-GDPR (right to object, restrict processing, lodge complaints with your supervisory authority). California residents have CCPA rights (right to know, delete, opt-out of sale; we do not sell data, so opt-out is moot). Brazilian users have LGPD rights. These rights are exercised the same way: email us.
Children's Privacy
The Extension is not directed at users under 13 and we do not knowingly collect data from minors. If you believe we have data from a minor, email us and we will delete it.
Changes to This Policy
Material changes will be announced via the Extension's update banner and in the ForgeTools changelog. The “Effective” date above will always reflect the most recent revision.
Contact
- Email: support@forgetools.top
- Site: forgetools.top