Privacy Policy

Effective Date: March 20, 2026 Last Updated: March 26, 2026

Forma Systems Inc., a Delaware corporation ("Company," "we," "us," or "our") is committed to protecting the privacy of users of the FormaOpt platform ("Service"). This Privacy Policy describes how we collect, use, store, and share your information when you use the Service.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Display name
  • Password (stored as a secure hash by Firebase Authentication — we never have access to your plaintext password)

Billing Information

Payment processing is handled by Stripe. We do not store credit card numbers, bank account details, or other sensitive payment information on our servers. Stripe's privacy policy governs the handling of your payment data. We receive from Stripe: subscription status, billing cycle dates, and a customer identifier.

Project and Design Data

When you use the Service, we store:

  • Project names and configurations
  • Span and load input data
  • Material and mold library entries
  • Optimization results and structural analysis outputs
  • Saved mold geometries and material properties

This data is stored in Google Cloud Firestore and is associated with your user account. It is necessary to provide the Service and is retained as long as your account is active.

Forum Content

If you use the FormaOpt community forum, we store the content of your posts and replies, along with your display name and email address, to provide the forum functionality. Forum content is visible to other authenticated users.

Usage Data

We collect information about how you interact with the Service, including:

  • Features used and actions taken (e.g., optimization runs, report exports)
  • Optimization run frequency and parameters
  • Error logs and performance metrics
  • Browser type, device information, and IP address
  • Timestamps of access and session duration

This data is used to monitor service health, diagnose issues, and improve the Software.

AI-Assisted Features

Certain features of the Service may use third-party AI processing. If such features are introduced, any queries you submit will be processed by the relevant AI provider and will not be used to train their models under their commercial API terms. We will not send your project data to any AI provider unless you explicitly include it in a query.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — run optimizations, store projects, generate reports
  • Manage your account — authenticate access, process subscriptions
  • Improve the Software — analyze usage patterns, fix bugs, develop new features
  • Communicate with you — service updates, billing notifications, support responses
  • Ensure security — detect abuse, prevent unauthorized access, maintain audit logs

We may use aggregated, anonymized data to understand usage trends and improve the Software. Aggregated data cannot be used to identify you or your specific projects.

3. How We Share Your Information

We do not sell your personal information. We share data only with the following service providers, solely to operate the Service:

Service ProviderPurposeData Shared
Google FirebaseAuthentication, database, hostingAccount data, project data
StripePayment processingEmail, subscription details
AnthropicAI-assisted features (when available)Queries only (no project data unless included by you)
RenderBackend computation hostingProject input data (spans, loads, materials), optimization results
VercelFrontend application hostingRequest logs, IP addresses

We may also disclose information:

  • If required by law, court order, or governmental regulation
  • To protect the rights, property, or safety of the Company, our users, or the public
  • In connection with a merger, acquisition, or sale of all or substantially all of the Company's assets — in which case we will notify you by email or through the Service before your personal information is transferred and becomes subject to a different privacy policy

4. Data Storage and Security

  • Your data is stored in Google Cloud Firestore, located in the United States.
  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) by our cloud infrastructure providers.
  • Access to user data is restricted to authorized personnel on a need-to-know basis.
  • Firebase Authentication manages credential security, including secure password hashing (bcrypt/scrypt) and session management.
  • Firestore security rules enforce that users can only access their own project data.

No method of electronic storage or transmission is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.

5. Data Retention

  • Active accounts: Your data is retained for as long as your account is active.
  • Cancelled subscriptions: Project data is retained for 90 days after subscription cancellation to allow for reactivation, after which it is permanently deleted.
  • Account deletion: You may request full deletion of your account and all associated data by contacting us. Deletion is completed within 30 days of the request.
  • Billing records: Transaction and billing data may be retained for up to 7 years after your last transaction as required for tax, accounting, and legal compliance purposes.
  • Forum content: Forum posts and replies may be retained after account deletion to preserve community discussion threads, with your display name anonymized.
  • Aggregated data: Anonymized, aggregated data may be retained indefinitely for product improvement purposes.

6. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach, consistent with applicable state notification laws. The notification will describe the nature of the breach, the data affected, and the steps we are taking in response.

7. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and data
  • Export — export your project data in standard formats (CSV, PDF) through the Service
  • Withdraw consent — opt out of non-essential communications at any time

To exercise any of these rights, contact us at privacy@forma-systems.com. We will respond to your request within 30 days.

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • No Sale of Personal Information: We do not sell personal information as defined by the CCPA, and have not done so in the preceding 12 months.

To exercise your CCPA rights, contact us at privacy@forma-systems.com or call us at the number provided on our website. We will verify your identity before processing your request.

8. Cookies and Tracking

FormaOpt uses cookies and local storage for functional purposes:

  • Authentication tokens — to keep you logged in (Firebase session)
  • User preferences — unit system selection (metric/imperial), theme preference

We do not use third-party advertising cookies or cross-site tracking. We may use first-party analytics to understand aggregate usage patterns. These tools do not track individual users across other websites.

Do Not Track: The Service does not currently respond to browser "Do Not Track" (DNT) signals. Because we do not engage in cross-site tracking, a DNT signal does not change our data collection or use practices as described in this policy.

9. Children's Privacy

FormaOpt is intended for use by qualified professionals. We do not knowingly collect information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at privacy@forma-systems.com.

10. International Users

The Service is operated from and data is stored in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We are working toward GDPR compliance for European users — see our roadmap for details.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or our data practices, contact us at: