Privacy Policy

The short version

Forge OS has no server. Everything — your conversations, memory, files, API keys, and workspace — lives on your device and nowhere else. We do not collect, transmit, or store any of it.

What stays on your device

• Conversation history — stored locally in the app's private storage.
• Memory (working, daily, long-term) — stored locally, including semantic embeddings.
• Workspace files — stored in the app's sandboxed file area.
• API keys — stored in Android's EncryptedSharedPreferences. Never transmitted to us.
• Companion mode data — episodes, facts, and session logs stored locally. You can delete individual items or wipe everything from the Companion Memory screen.
• Alarm and cron logs — stored locally in workspace/alarms/sessions.json.
• Browser cookies and history — stored locally inside the sandbox.

What leaves your device

The only data that leaves your device is what you explicitly send to external services:

• LLM provider calls — prompts and conversation context are sent directly from your device to the provider you configured (OpenAI, Anthropic, Groq, Gemini, etc.). This traffic goes to that provider, not to us. Each provider has its own privacy policy.
• Headless browser requests — when the agent browses the web, requests go directly to those websites.
• MCP servers — if you connect an MCP server in Settings, data may be sent to that server. You control which servers you connect to.
• Git operations — if you use git_push or git_clone, data goes to the remote repository you specified.
• Plugins — plugins you install may make network requests. Review a plugin's code before installing it.

We have no visibility into any of the above. We are not a party to those requests.

Android permissions

Forge OS declares the following permissions in its manifest. Each is used only for the feature noted:

• INTERNET — LLM provider calls, headless browser, web automation.
• ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, CHANGE_WIFI_STATE — Wi-Fi tools (scan, read SSID, request fresh scan).
• ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION — required by Android to read Wi-Fi SSID on API 26+ and scan results on API 28+. Not used for tracking.
• BLUETOOTH, BLUETOOTH_ADMIN (API ≤ 30) / BLUETOOTH_CONNECT, BLUETOOTH_SCAN (API 31+) — Bluetooth tools.
• READ_EXTERNAL_STORAGE (API ≤ 32) / READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_AUDIO (API 33+) — workspace file manager and device-to-workspace uploads.
• FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC — cron jobs running while the screen is off.
• POST_NOTIFICATIONS — alarm and cron job notifications.
• WAKE_LOCK — keeps scheduled tasks running.
• SCHEDULE_EXACT_ALARM, USE_EXACT_ALARM — Alarms feature.
• RECEIVE_BOOT_COMPLETED — reschedules alarms and cron jobs after reboot.
• QUERY_ALL_PACKAGES — Android Controller tool (enumerate installed apps).

All permissions are declared in the manifest. Runtime permissions are requested only when you use the relevant feature and can be revoked in Android Settings → Apps → Forge OS → Permissions.

Deleting your data

All data is local, so you are always in control:

• Clear individual memory entries from the Memory screen or Companion Memory screen.
• Delete workspace files from the Workspace screen.
• Wipe all app data via Android Settings → Apps → Forge OS → Clear Data.
• Uninstalling the app removes everything.

Children

Forge OS is not directed at children under 13. We do not knowingly collect information from children.

Changes to this policy

If we make material changes, we will update this page and note the new effective date. Continued use after a change constitutes acceptance.

Contact

Questions or concerns? Open an issue on GitHub.