Privacy Policy
This Privacy Policy describes how Forward, Inc. (“Forward,” “we,” “us,” or “our”) collects, uses, and discloses Personal Information when you use our website, mobile messaging service, web dashboard, and related services (collectively, the “Service”).
Forward is a U.S. business-to-business software service that helps construction field workers retrieve information from their employer’s Procore and Autodesk Construction Cloud accounts via SMS / iMessage. We process Personal Information primarily on behalf of our business customers (general contractors and specialty subcontractors) under written contracts.
- Who we are
- Scope and roles
- Personal information we collect
- Sources of personal information
- How we use personal information
- AI / model training position
- Who we share personal information with
- Your privacy rights and choices
- Sensitive personal information
- Construction-industry-specific disclosures
- Data retention
- Coverage across U.S. states
- Children
- Security
- International data transfers
- Cookies and tracking
- Changes to this Policy
- Do Not Sell or Share · GPC
- Data-breach notification
- Contact us
1. Who we are
Forward, Inc. is a Delaware corporation with operations in the United States. References below to “Forward” mean Forward, Inc.
Our designated point of contact for privacy matters is privacy@getforward.xyz. You may also contact us through any submission method described in Section 8 (“Your privacy rights and choices”).
2. Scope and roles
This Policy applies to Personal Information we collect (a) on our website at getforward.xyz, (b) through the messaging Service when field users text our number, (c) through our web dashboard at app.getforward.xyz, and (d) through our public APIs and integration endpoints.
2.1 Controller vs. service-provider role
For Personal Information we process about a business customer’s employees, contractors, or other authorized end users, the customer is the “business” or “controller” under applicable laws and Forward is the “service provider” or “processor.” We process that information only on the customer’s documented instructions, governed by our Master Services Agreement and Data Processing Addendum.
For Personal Information we collect directly through our marketing website, lead-capture forms, demo requests, account signup, and billing relationships with our business customers’ administrators, Forward is the controller.
2.2 Use of the Service by individuals on behalf of a business
Most individuals interact with Forward in their capacity as employees, agents, or authorized contractors of a Forward business customer. If you are such an individual, your employer or the entity that provisioned your access is the controller of your Personal Information and you should direct any request relating to your information to them in the first instance. Forward will support our customer in honoring your request.
3. Personal information we collect
We collect the categories of Personal Information described below. We do not knowingly collect categories of Personal Information beyond these.
| Category (CCPA §1798.140 reference) | Examples for Forward |
|---|---|
| Identifiers | Name, work email, mobile phone number, employer name, project assignment, job title or trade role, IP address, device or browser identifiers, session identifiers, unique account identifiers. |
| Customer records (Cal. Civ. Code §1798.80(e)) | Account information for our business customers’ administrators, including billing contact and signing-authority records. |
| Commercial information | Records of services purchased, plan tier, billing history, support interactions, demo and lead-form submissions. |
| Internet or other electronic network activity | Logs of dashboard visits and feature use, API request logs, webhook delivery logs, device and browser metadata used for security and abuse prevention. |
| Geolocation | Coarse city- or region-level geolocation inferred from IP. We do not collect precise geolocation. If a photo uploaded by a field user contains EXIF location metadata, that metadata may be present in our copy of the photo unless the customer has disabled it; see Section 10 for our handling. |
| Audio, electronic, visual, or similar information | Photos and other media files sent by field users via MMS or uploaded through the dashboard. |
| Professional or employment-related information | Job title or trade role, employer name, project assignment, role within the project (PM, super, foreman, sub PM, etc.). |
| Inferences | Aggregated, non-identifying inferences used to operate, secure, and improve the Service (e.g., feature-usage patterns). |
| Communications content | The text of SMS / iMessage messages sent to and from the Service, and the content of dashboard messages, drafts, and approvals. Because these messages are addressed to Forward’s business number, Forward is the intended recipient and the contents are not treated as Sensitive Personal Information for purposes of Cal. Civ. Code §1798.140(ae)(1)(C). |
We do not intentionally collect Social Security numbers, driver’s license numbers, financial account numbers, biometric identifiers used for identification, racial or ethnic origin, religion, union membership, genetic data, health information, sexual orientation, or sex life. See Section 9 for our position on Sensitive Personal Information.
4. Sources of personal information
We collect Personal Information from the following categories of sources:
- Directly from you when you visit our website, fill out a lead-capture or demo-request form, sign up for an account, send a message to the Service, or upload a photo or other file.
- From our business customers when an authorized customer administrator provisions your access (for example, a project manager invites you as a field user with your phone number and role).
- From third-party platforms you authorize, including Procore and Autodesk Construction Cloud, when your employer connects those platforms to Forward via OAuth and you appear in the project rosters or document metadata returned by those APIs.
- From automated infrastructure, including server logs, network metadata, session cookies, and security/abuse-prevention systems.
- From service providers that operate Forward’s systems on our behalf (for example, our SMS gateway delivering message metadata; see Section 7).
5. How we use personal information
We use Personal Information for the following business and commercial purposes:
- To deliver the Service, including processing inbound messages, retrieving the answer from connected systems, generating and sending replies, drafting RFIs and observations queued for customer approval, and operating the dashboard.
- To maintain account access and security, including authentication, single sign-on, role-based access control, audit logging, and one-time PIN verification when a field user’s phone number is enrolled.
- To detect and prevent abuse, fraud, security incidents, and spam, including rate limiting, idempotency tracking, deduplication, and bot detection.
- To provide customer support, respond to inquiries, and respond to privacy and data-subject requests.
- To bill our business customers, process payments (via Stripe), and maintain financial records as required by law.
- To operate, maintain, and improve the Service using aggregated and de-identified telemetry. See Section 6 for our position on AI / model training.
- To comply with legal obligations, including responding to lawful subpoenas, court orders, and other legal process, and satisfying tax, accounting, and other recordkeeping requirements.
6. AI / model training position
Forward uses third-party large-language-model inference services (currently Anthropic) to generate replies and drafts. Two commitments:
- We do not use customer data to train Forward’s models.Customer messages, photos, and connected-system content are not used to train any Forward-developed AI model.
- Anthropic does not use commercial-API customer data to train its models. Anthropic’s commercial terms (which govern our use of their API) prohibit Anthropic from using inputs or outputs submitted via their commercial API to train its general-purpose models. We do not submit customer data to any consumer-grade AI interface.
We may use aggregated, de-identified telemetry (such as overall message volume, latency distributions, error rates, and feature-usage counts) to operate, secure, and improve the Service. These signals do not identify any individual or any customer’s confidential project content.
7. Who we share personal information with
We do not sell Personal Information and we do not share Personal Information for cross-context behavioral advertising. We disclose Personal Information only to the following categories of recipients, for the business and commercial purposes described in Section 5:
7.1 Subprocessors and service providers
The following service providers process Personal Information on our behalf under written contracts that restrict their use of the information to providing services to Forward:
| Subprocessor | Function | Data processed | Region |
|---|---|---|---|
| Anthropic, PBC | LLM inference for the messaging assistant | Message bodies, retrieved customer content, inferred project context | United States |
| SendBlue, Inc. | SMS / iMessage gateway | Phone numbers, message bodies, MMS attachments | United States |
| Resend | Transactional email delivery | Recipient email address, system-email content | United States |
| Render Services, Inc. | Application hosting, PostgreSQL database, Redis | All Personal Information persisted by the Service | United States |
| Vercel Inc. | Frontend hosting (marketing site, dashboard) | Web request metadata, dashboard session cookies | United States |
| WorkOS, Inc. | SSO and SCIM (when enabled by the customer) | Administrator email, name, group memberships | United States |
| Stripe, Inc. | Billing and payments (when enabled) | Billing-administrator name and email; payment-method data is held by Stripe and not by Forward | United States |
| Amazon Web Services, Inc. | Object storage for media (when enabled) | Photos and other media uploaded by field users | United States |
Forward’s integrations with Procore and Autodesk Construction Cloud are not subprocessors of Forward in the traditional sense; they are platforms our customer already uses, to which our customer grants Forward access via OAuth. Customer data within those platforms remains owned by the customer and governed by the customer’s agreement with Procore or Autodesk.
7.2 Mobile carriers
SMS / MMS messages traverse mobile carriers (such as T-Mobile, AT&T, and Verizon) which are independent third parties. Carriers may process the message and metadata to deliver it; Forward does not control that processing. Forward will not share or sell mobile information collected through the messaging Service for marketing, promotional, or lead-generation purposes.
7.3 Legal disclosures
We may disclose Personal Information if we believe in good faith that disclosure is necessary to (a) comply with applicable law, court order, lawful subpoena, or regulatory request; (b) enforce our terms; (c) protect the rights, property, or safety of Forward, our customers, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.
7.4 Business transfers
If Forward is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, Personal Information may be transferred as part of that transaction, subject to the terms of this Policy or any successor policy with at least equivalent protections.
7.5 With your direction
We may share Personal Information with other parties at the customer’s direction (for example, when a customer authorizes an outbound webhook delivering events to a third-party system).
8. Your privacy rights and choices
Subject to applicable law and verification of your identity, you may have the following rights with respect to your Personal Information. We honor these rights for residents of every U.S. state with a comprehensive privacy law (see Section 12 for the list).
- Right to know / access — request the categories and specific pieces of Personal Information we have collected about you.
- Right to delete — request that we delete Personal Information we have collected about you, subject to legal exceptions.
- Right to correct — request that we correct inaccurate Personal Information.
- Right to portability — request a copy of your Personal Information in a structured, commonly used, machine-readable format.
- Right to opt out of sale or sharing for cross-context behavioral advertising — Forward does neither, so this right is not currently triggered, but we honor opt-out signals where applicable (see Section 18).
- Right to limit use of sensitive personal information — Forward does not use Sensitive Personal Information beyond the purposes permitted by 11 CCR §7027(m). See Section 9.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
- Right to opt out of profiling for legal or similarly significant decisions — Forward does not use automated decision-making to make decisions producing legal or similarly significant effects about individuals. AI-generated drafts (such as draft RFIs) are reviewed and approved by a human (your project manager) before any system-of-record write.
- Right to appeal — if we deny your request, you may appeal by replying to the denial email or contacting privacy@getforward.xyz with the words “privacy appeal” in the subject line. We will respond within 60 days of receipt.
8.1 How to exercise your rights
You may submit a request through either of the following methods:
- Email: privacy@getforward.xyz with the subject line “Privacy request — [Access · Delete · Correct · Portability]”.
- Webform: getforward.xyz/contact.
8.2 Verification
To verify your identity before honoring a request, we will ask you to provide information that matches our records (typically the phone number you used with the Service, your name, and your employer’s name; for non-account requests, three pieces of information matched to our records). For requests submitted on your behalf by an authorized agent, we may require written authorization.
8.3 Response timing
We will confirm receipt of your request within 10 business days and will respond substantively within 45 days. If we need more time (up to an additional 45 days), we will tell you why and when to expect our response. There is no charge for these requests.
9. Sensitive personal information
Under California law, “Sensitive Personal Information” includes Social Security number, driver’s license number, account log-in combined with credentials, precise geolocation, racial or ethnic origin, religion, union membership, contents of mail / email / text messages not addressed to the business, genetic data, biometric information processed for the purpose of uniquely identifying an individual, health information, and sex life or sexual orientation.
Forward does not collect or process Sensitive Personal Information for purposes that would require posting a “Limit the Use of My Sensitive Personal Information” link under CCPA / CPRA. Our use of any Personal Information that could be considered sensitive (for example, the content of text messages addressed to our business number) is limited to the purposes permitted by 11 CCR §7027(m), namely: providing the Service requested by you and your employer, ensuring security and integrity, preventing fraud, and other short-term transient uses that do not build a profile of you.
We do not perform face recognition, biometric identification, or any automated profiling of identifiable workers from photos uploaded to the Service.
10. Construction-industry-specific disclosures
10.1 Jobsite photos and incidental capture
Field users may upload photos taken on jobsites. These photos may incidentally capture identifiable workers, third-party visitors, license plates, badge numbers, equipment serial numbers, or other information about persons who are not Forward users. Customers are responsible for compliance with their own employee and visitor privacy notices and with state biometric privacy laws (including, where applicable, the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, and the Washington biometric statute) before submitting media containing identifiable individuals.
10.2 Customer-confidential project information
Drawings, specifications, RFIs, submittals, daily logs, and other documents that Forward retrieves from the customer’s connected systems (Procore, Autodesk Construction Cloud) typically contain customer-confidential information, including the intellectual property of design professionals and material that is sensitive to the owner. Forward treats all such content as Customer Confidential Information under the Master Services Agreement.
10.3 No Federal-CUI / ITAR / classified processing
Forward is not authorized to process Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR) data, classified information, or any data subject to FedRAMP, CMMC, NIST SP 800-171, or DFARS 252.204-7012 obligations. Customers must not upload, send, or otherwise transmit such data through the Service. Forward does not hold FedRAMP authorization.
10.4 No HIPAA
Forward is not a HIPAA Business Associate and does not enter into Business Associate Agreements. Do not transmit Protected Health Information through the Service.
11. Data retention
We retain Personal Information for the periods described below, except where a longer retention period is required by law.
| Category | Retention | Rationale |
|---|---|---|
| Inbound and outbound messages | Duration of the customer’s subscription plus 90 days; longer if the customer’s contract elects extended retention | Operational + audit |
| Audit and security logs | 12 months in active storage; up to 7 years in immutable cold storage where required by customer contract or applicable law | Audit + compliance |
| Account credentials, API keys | Duration of the subscription plus 30 days | Service access |
| Photos and MMS attachments | Duration of the subscription plus 30 days, or until the customer initiates deletion | Operational |
| Billing records | 7 years | Tax, accounting, and other regulatory recordkeeping |
| Marketing and lead-capture data (web) | 24 months from last interaction | Sales follow-up |
| Web analytics cookies | None at this time (we do not use third-party analytics) | n/a |
12. Coverage across U.S. states
California residents have the rights described in Section 8. Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, and Washington have the rights granted by their respective state laws, which are substantially similar. We honor those rights through the same intake process described in Section 8.
Some of these state laws expressly exempt B2B contexts (Personal Information collected from individuals acting in a commercial or employment capacity). California is the principal exception — California’s HR / B2B exemption expired on January 1, 2023. Forward’s practices treat the strictest applicable law (CCPA / CPRA) as the floor.
13. Children
The Service is a workplace tool not directed to, or intended for use by, individuals under the age of 18. We do not knowingly collect Personal Information from anyone under 18. If you believe a minor has provided Personal Information through the Service, please contact privacy@getforward.xyz and we will delete it.
14. Security
We use commercially reasonable technical and organizational measures designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for database storage; SSE for object storage)
- OAuth-based integration with all platform partners (Procore, Autodesk); we do not store customer credentials for those systems
- Role-based access control (RBAC) with project-level scoping for end users
- Multi-factor authentication required for all Forward employee access to production systems
- Append-only audit logging of every API call, message, and approval
- Idempotency tracking and rate limiting to prevent abuse
- Vendor risk management; our subprocessors include SOC 2 Type II–attested vendors (Anthropic, Render, Vercel, WorkOS)
Forward is currently working toward SOC 2 Type 1 attestation (target: month 6) and SOC 2 Type 2 attestation (target: month 12). We will publish each report at our Trust Center upon completion. No security program can guarantee that information will never be accessed without authorization, and you use the Service at your own risk to that extent.
15. International data transfers
We process and store all customer Personal Information within the United States. We do not currently offer the Service to, or transfer customer Personal Information to, customers in the European Economic Area, the United Kingdom, or Switzerland.
If we begin offering the Service in those jurisdictions, we will (a) appoint an EU / UK representative as required, (b) execute the EU Standard Contractual Clauses (Module 2 or 3, as applicable) and the UK International Data Transfer Addendum, and (c) update this Policy accordingly. In the meantime, residents of those jurisdictions should not use the Service.
16. Cookies and tracking
Forward uses two cookies in the dashboard:
mc_session— strictly necessary, HttpOnly, used for authentication. Set on sign-in; cleared on sign-out.mc_project— functional, used to remember your selected project across page loads.
We do not use third-party analytics, marketing pixels, advertising trackers, Facebook Pixel, Google Analytics, Hotjar, Mixpanel, Segment, Amplitude, PostHog, FullStory, or any other cross-site tracker. We do not embed marketing or tracking pixels in our transactional emails.
17. Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide notice through an in-product banner in the dashboard and an email to account administrators at least 30 days before the change takes effect. Non-material changes (clarifications, formatting fixes, addition of a new subprocessor) take effect upon posting with an updated effective date. The current effective date is shown at the top of this page.
18. Do Not Sell or Share · GPC
Forward does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. We do not engage in targeted advertising. We have no obligation under California law to post a “Do Not Sell or Share My Personal Information” link.
If your browser sends a Global Privacy Control (GPC) signal, we treat it as a valid request to opt out of any future sale or sharing of Personal Information — even though we do not currently sell or share. If we ever change our practices, that signal will continue to be honored.
19. Data-breach notification
If we experience a Personal Data Breach, we will notify affected customers without undue delay and not later than 72 hours after becoming aware of the breach, consistent with our Data Processing Addendum and industry best practice. Notification will include the nature of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures we are taking to address it. We will additionally notify affected residents and applicable regulators as required by U.S. state breach-notification laws.
20. Contact us
For questions about this Policy or to exercise your privacy rights:
- Email: privacy@getforward.xyz
- Webform: getforward.xyz/contact
- Postal address: available on request — we are a remote-first company without a public mailing address; we will provide an address for legal-process service to a verified requester.
Effective date: April 24, 2026.